Comments on "Mobile Banking: Indian Central Bank guidelines" (blog by Hannes@Home; comment feed updated 2024-01-25)

Comment by sudhakar reddy (2009-04-05 06:01 -07:00):

In case the MI Factor authentication system is better than the two factor, the committee on standardisation would be in a better position to adopt innovative solutions in an open manner, passing a regulation favoring the MI Factor Authentication system.

Please visit the site for the relevant details on the MI Factor authentication system:

http://www.ictsecurity.com.au/index.php?option=com_content&task=view&id=28&Itemid=69

Comment by Anonymous (2008-10-24 04:16 -07:00):

Based on some research this morning, I found that the MI-token authentication system can be leveraged using USSD. From the limited knowledge I have on this topic, I hear that the MI-token authentication system is more secure than the two-factor dual authentication system. An out-of-band authentication system is used to generate the one-time password. The out-of-band authentication system is generated using tightly bound transaction data. Transaction details such as the account number are used to generate the OTP. If any part of the transaction is changed before the transaction takes place, the token causes the transaction to fail, thus thwarting man-in-the-middle attacks.

Is this better for a country like India where piracy/hacking could be a huge issue? Could you throw some light on this security system in one of your posts?
If the MI Factor authentication system is better than the two factor, would the RBI be better off passing a regulation favoring the MI Factor Authentication system?

Comment by Anonymous (2008-10-23 21:23 -07:00):

Hannes,

You hit the spot. I completely agree that agents need a separate set of daily limits that need to be significantly higher than the limits of the customer.

Thanks a lot, and your blog is really interesting. I get most of my mobile knowledge from it.

regards,
Shumit

Comment by Hannes@Home (2008-10-23 07:03 -07:00):

Hi Shumit
I enjoyed your comment. Allow me to comment on your comment:
1. I concur fully with your interpretation of Regulation one.
2. Your suggested SMS-based dual authentication solution is totally accurate. However, it is extremely difficult to deploy such solutions on an ordinary handset. I am not aware of any Indian installation that has successfully deployed such a solution. You would also agree with me that USSD applications do not provide dual authentication solutions.
3. I agree with your assessment, except that this limits certain key participants in the mobile payment eco-system. For instance, should these limits also apply to agents (someone with a mobile phone offering services to subscribers like cash-in and cash-out)?

Comment by Anonymous (2008-10-23 03:40 -07:00):

Dear sir,

I tried to dissect the regulations based on my knowledge of rural India. Do let me know what you think.

Regulation 1: The RBI guidelines, by implication, say that only banks can offer mobile transaction services. The guidelines say this service can be offered only to customers of banks and/or holders of debit/credit cards. Document-based registration is called for, with the mandatory physical presence of the customer, before mobile services are offered. The banks are responsible for ensuring Know Your Customer norms, and must have core banking systems in place.

Several MFIs today act as a business correspondent (BC) (agents who work on behalf of banks) for commercial banks to reach areas where opening a bank branch is not viable. Usually at the business correspondent's office, a bank representative is present who oversees the enrolment of clients and ensures that the KYC requirements are complied with. The bank, through a BC, can enrol clients, and the clients can be served by the bank using mobile banking, thus fulfilling the objective and the spirit of financial inclusion.

Regulation 2: The RBI's guidelines call for a two-factor authentication for validation of a customer. The industry has reacted to this by interpreting that two-factor authentication can be supported only by GPRS and not through SMS. Media has also criticized RBI by saying that the new mobile banking regulations such as the two-factor authentication do not facilitate financial inclusion, since basic mobile phones owned by the majority of people in rural India do not support GPRS.

Secure transactions can happen even via SMS. SMSes are of two types: normal and encrypted SMS. Normal SMS is what we use for day-to-day communication and is not secure. Since the SMS is not encrypted when it passes through the pipe, it can be accessed. On the other hand, an encrypted SMS is converted into non-readable text using an RSA / AES (security) algorithm. The text that can be encrypted is numbers from 1-9, capital letters from A-Z and small letters from a-z. Special characters cannot be encrypted. When the bank client sends an SMS from his phone to the server, an SMS along with an encrypted key is sent to the server. If the encryption algorithm is strong enough, it is not possible to read the SMS. The server then decrypts (opens) the encrypted key using an RSA encryption algorithm. This technology is perfectly secure and GPRS is not mandatory. Not many phone users in India subscribe to GPRS and even fewer have phones that can support GPRS. Around 60 percent of the 306 million handsets or mobile connections in India are without GPRS and WAP. Due to lack of GPRS connectivity, Smart Trust applications and secure SMS-based applications will be the prominent ones, at least in the initial years of mobile banking.

Regulation 3: The RBI has capped daily mobile transaction limits at Rs 5,000 for transfer of funds and Rs 10,000 for purchase of goods or services.

This regulation, at least in the early stages of mobile banking, does not affect customers, who will be wary of performing high-value transactions. It will surely not affect rural customers, who rarely receive more than Rs.5000 per day through remittances. It is also unlikely that the rural customer will pay more than Rs.10,000 for paying his utility bills or other services.

regards,
Shumit Vatsal
0-900-8244-596

Comment by Chris Hamilton (2008-10-01 18:40 -07:00):

Hi there,

I tried contacting you a while ago but never received a response. Can you please email me at chris.hamilton @ boomerang.com.au so we can discuss my proposal?

Thanks