The recent RBI directive making the additional PIN verification process by VISA and MasterCard mandatory is a welcome step. But are we aware of the concept behind this new security step to authenticate online transactions? This article helps readers understand the new verification process and its implementation.
Want to buy movie tickets online? Looking to book train tickets online? Interested in gifting your friends some trendy gadgets? If you are, then you must be aware that you require a credit card to pay for these transactions. But now this is not enough. You also need another new PIN (Personal Identification Number) to secure your transaction, as per the Reserve Bank of India's (RBI) mandate that came into effect from August 1, 2009.
By now most of us would be aware of the recent directive from RBI which has made it mandatory to have an additional authentication PIN or passcode, VBV (Verified by VISA) or MSC (MasterCard SecureCode). This is in addition to the 3-digit secure code that is visible on the rear side of your credit card. As the security measure is in effect from August 1, 2009 onwards, it's time for us to get familiar with this new form of authentication. In this article, let's also understand what it entails for the banks, customers and e-commerce players.
Online Fraud Incidents
Recently, the Cyber Crime Cell of Mumbai Police arrested one Ajay Patel for randomly using 50 ICICI Bank credit cards to book tickets of Kingfisher Airlines online. He changed the last 2 digits of the card number and used a new code in lieu of the PIN for that card. His colleagues in Bangalore printed out the tickets and sold them to unsuspecting travelers at discounted rates. It was only when ICICI Bank kept a close watch on the online credit for the purchases made at the Kingfisher website and saw a strange pattern in usage of a particular credit card user that the fraud came to light. The particular user said he was totally unaware of the transaction, following which the bank lodged a complaint with the Cyber Crime Cell of Mumbai Police.
Similarly, a Citibank user found out that Rs. 1,00,500 was transferred from his account to another account and he lodged a complaint. This is just one of the many instances of online fraud involving credit cards. It is with the aim of averting such frauds that RBI introduced a mandate requiring the use of a PIN for all credit card transactions conducted online.
New Secure System
Online shoppers transacting from August 1, 2009 onwards will have to enter this additional password given by the merchant. This means that if you want to book airline or railway tickets, make hotel reservations or buy anything online, a credit card PIN is a must. This new credit card PIN is commonly known as VBV (Verified by Visa) or MSC (MasterCard SecureCode). The PIN is in addition to the other information that your credit card already has, like your name, card number, expiry date and CVV (Card Verification Value) number.
The additional security PIN will be known only to the credit card holder, so that if someone obtains your card number, he/she will not be able to use it for online shopping for want of the PIN. For example, HDFC Bank has already deployed a system called NetSafe, which generates a code that can be used only once. There is also a virtual keyboard that enhances security if one is shopping online from a public computer.
The RBI directive also mandates a system of online alerts to the card holder for all 'Card not Present' transactions exceeding Rs. 5,000. The circular adds that banks would be penalised for non-adherence to the directive under the Payment and Settlement Systems Act 2007 (Act 51 of '07). So the next question is: how will the banks implement this secure system effectively?
Banks' Implementation Process
All banks have implemented a secure system in which once the card is activated after the verification by Visa / Master Secure service, your card number will be recognised whenever you make an online electronic payment. After you provide your credit card details online, you will be redirected to your issuer website and then required to specify your Verified by Visa / Master Secure authentication details. Your identity will be verified, and the transaction will be completed. Based on the authentication provided by your issuer, the transaction will be processed and you will get a confirmation.
According to HSBC Bank, any online purchase made with a registered merchant will be declined if you have not yet registered the card for HSBC's Secure Online Payment Service. HSBC, however, will exceptionally process the payment through a secure conditional authentication upon successful verification of the customer's personal information. But the bank stresses that customers should register with SecurePay to ensure maximum protection against online credit card fraud.
SBI Cards already has a process in place and it only processes transactions that are verified by a separate password. Now SBI customers will be required to create a password that they would have to enter when transacting online. SBI went live with these new security measures from July 1, 2009. However, customers have been given some leeway and can do up to three transactions without the new PIN password.
The RBI notification concerns cards issued within India only. If your card is issued outside India, your online transactions will go through even without this extra authentication step (unless your Card Issuer requires VBV / MSC authentication). Most foreign lenders including Citibank already require customers to have an I-PIN (Internet-PIN) before they can use their credit cards to transact online.
How to get your PIN?
Credit card users are required to register online with their card issuer (bank) by mentioning their personal and card details. Once that has been done, the bank/card issuer will give you a PIN, or a password, that you will need to supply when you buy anything online. This will add an extra security layer at the checkout point before completion of the online transaction.
For American Express (AMEX) cards the "extra level of authentication" will work slightly differently. On the payment step at the online shopping website, you will be asked to enter your billing address, which will be passed on to the bank. This will be checked against the billing address the bank has on its records. If the addresses don't match, your payment will be rejected. This technology is called AVS (Address Verification System). You will need to check your credit card statement if you don't remember your exact billing address.
The RBI directive has led to many people flooding the banks with requests for the new PIN and online security steps. Some banks are letting their customers create passwords on their websites.
Now, every time you buy anything online, after entering your card details on the payment step, you will be redirected to your bank's website. You will need to enter your VBV / MSC password there, after which you will be redirected back to the online shopping site for completion of the booking process.
Will Secure steps help reduce fraud?
Literally speaking, this is a million dollar question. Logically, though this security move is in the right direction, it will not eliminate frauds completely. One reason is that not many users are aware of the dangers lurking on the Internet.
This has been evident in the way in which they have given out their personal details online. They don't take steps to change their passwords frequently, and tend to give out their passwords to their friends and relatives. If the user's computer is infected with malicious code like keyloggers, these can transmit the password and PIN to anti-social elements. All these lapses will still put the user's online privacy at risk.
Online Security Steps
Credit card fraud is a growing crime today. It is essential to take security precautions to prevent yourself from falling victim to the fraudsters. Besides, as an online user, you should take a few more measures to make your shopping more enjoyable. This can be done by keeping your computer secure and restricting access to it. Avoid sending credit card or account details by e-mail; reject any email that asks you to follow a link to a website and input account details for verification, even if the website looks authentic; and make sure you log out of your online account when finished, especially at the workplace and in net cafes. Most banks are offering this facility online.
Listed below are some common tips to prevent online credit card fraud:
- Always buy from reputed online vendors. Choose reputed online stores over unknown ones.
- Look out for the lock symbol at the bottom of the page, which indicates that it is a secure site.
- The website address must begin with https instead of http, which denotes a secure website.
- Keep your credit card and PIN separately.
- Check your statements regularly and bring any suspicious transactions to the notice of the bank immediately.
- Don't disclose your PIN and password to others.
- Keep your computer security updated, as certain programs can trap the keys you press on your keyboard and transmit them to hackers.
Even though a few of us would be aware of the common tips listed above, the reality is that there are quite a number of users who have only basic knowledge of online shopping. It is high time that online users became aware of online risks and frauds and took security steps to prevent any incidents.
The Bottom Line
With the use of credit and debit cards rising in the country, it is obvious that online security remains a constant challenge for the industry. RBI, which has been reviewing various options to enhance the security of online card transactions, has come up with this decision in consultation with banks and card companies. The additional security blanket provided by RBI will certainly help in curbing online frauds to a certain extent.
The recent move, though tedious for credit card customers who may find it a bit inconvenient, will make things difficult for online fraudsters crawling the World Wide Web in search of personal information, which they use to defraud thousands of online credit card customers. Obviously, the new authentication system means extra security for customers, making online shopping safer. For banks, it is an extra security blanket to curb misuse of the credit cards they issue when shopping online, along with the additional work of issuing these PINs or passcodes. For e-commerce players, it means an impact on business, owing to the additional authentication steps, which customers will take a while to get acquainted with.
While RBI's move is really appreciable, a lot more needs to be done to safeguard online transactions. The most important factor is knowledge of secure online transactions. As the statement 'Knowledge is Power' holds true here, educating card users will certainly help eliminate the majority of online frauds.
By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Software Security. He has an active interest in designing security algorithms for securing software. He can be reached at infosecurity@fanaticmedia.com