
Saturday, August 08, 2009

Happy Birthday to You, Mr. "Social Networking User"

RBI has now mandated that every credit card transaction must require the user to enter a secure PIN pre-registered with the bank. Of course I read it in the paper and thought I would register only when I was forced to.
Today when I logged into my bank account, the new flashing option on the site reminded me to register my two credit cards. I followed it and got both cards registered.

But to my surprise I was able to log in to the site for registration of the secure PIN by just entering my credit card number.
It happened once; I re-registered the PIN and this time it asked me for the PIN before I could log in to the registration page.

Now that was serious. I registered my credit card for the secure PIN, restarted my PC and I was still able to log in without entering the secure PIN. As I said, it happened only once, but if it can happen with me it can happen with other people also.

Actually that incident motivated me to write this blog.
But then I found a more serious problem: "Forget 3D Secure PIN".

Here is how someone can keep committing credit card fraud if your card is issued by ICICI bank (at least):

1. You lose your card, which is already registered with ICICI for the 3D secure PIN.
2. Someone finds it and plans to use it to buy some stuff online. But he cannot, as he does not know your secure PIN.
3. He goes to the ICICI bank website and tries to log in. On the login page, he selects "FORGET 3D SECURE PIN" (see snapshot).

4. He is then prompted to enter the card validity date, which is printed on the card, so that was easy. He is also asked for your date of birth (see the snapshot).

The whole security of the so-called 3D secure PIN therefore rests on how easy it is to get a person's date of birth.
I might go to Google and just search for the name. I can find 1000 results for this person: which sites he is registered on and where I can find more information about him.

The easiest target will be the social networking sites, where people just give out their date of birth without thinking that even an average mischievous person can use that information to mess up their financial and personal life.
I might find 10, 100 or 1000 people with the same name, but it will be easy to reduce this number to a very small one based on other parameters like city or region.
Wikimapia can even tell me how many people with the target name live in the region and what their exact location is. Wow!

Oh, maybe I am reacting to this because of RBI's official enforcement on all banks, but the whole user authentication system is flawed, being based on easily available personal information.

Did I tell you that Visa has another special security feature which they call the Personal Assurance Message (PAM), where they show you a message pre-registered by you whenever you are about to do an online transaction? This way you can make sure you are really authenticating to the real bank website and not a fake one.
Surprisingly, they don't show you the PAM when you go to the ICICI bank website to change your secure PIN. That means ICICI assumes they don't need to prove their identity to you if you are visiting the ICICI website.
Someone, rather than faking the merchant website, can simply fake the ICICI PIN registration page, and then he will know most of the details he needs to use your card.

Conclusions:

1. Once you register your credit card secure PIN, make sure to test it on the bank website.

2. Do not publish your personal information on sites which can be browsed by other online users. The sites make money using your information; you are just inviting people to mess up your life.

3. Do not lose your credit cards. If you do, make sure to block them ASAP.

The NULL Character: A black hole into Internet Security

Do you know that anyone can hack your bank account, or just about any secure site that is supposed to be protected using standard or Extended Validation certificates from the most trusted CA, "Verisign"?
That too using just one character: the NULL character, '\0'.

Here is Google's search page...

Here is the detailed version in PDF if you want to understand how it happens:
http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf

The attack targets how CAs (Certificate Authorities) issue certificates to domain owners. Since it is an automated online process, the CA never meets the domain owner or verifies a hard copy of a passport or DL.

The domain owner goes to the CA website, creates an account, generates a CSR and requests an SSL server certificate for the domain. The CA verifies that it is a valid domain and is registered in the name of the person requesting the digital certificate by sending an email to the registered domain owner's email ID.

To carry out the newly found attack, I can simply register a domain like www.mydomain.com and then generate a CSR for www.icicibank.com\0.mydomain.com.
The CA will see my domain name as mydomain.com, which I own, and hence can successfully verify my identity. Then I hijack your DNS request and redirect you to my site, which is a look-alike of your bank. I then present you my new certificate that I got from Verisign, which looks perfectly fine to your browser, because the browser is going to see www.icicibank.com as the certificate's "issued to" name.
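As an added illustration (my own code, not from the original post or the linked slides), here is a small C program that contrasts the three views of one certificate name: the CA's suffix check over the full DER length, a C-string comparison that stops at the embedded NUL, and a length-aware check that rejects it. The common name is constructed for the example and the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed common name for illustration only (not a real certificate).
 * A DER string carries an explicit length, so the NUL is part of the name. */
static const unsigned char kCraftedCN[] = "www.icicibank.com\0.mydomain.com";
static const size_t kCraftedLen = sizeof(kCraftedCN) - 1; /* drop C terminator */

/* The CA's view: does the name end in a domain the applicant owns?
 * It works over the full DER length, so it sees "...\0.mydomain.com". */
bool ca_suffix_matches(const unsigned char *cn, size_t cn_len, const char *owned) {
    size_t owned_len = strlen(owned);
    if (cn_len < owned_len + 1) return false;
    return cn[cn_len - owned_len - 1] == '.' &&
           memcmp(cn + cn_len - owned_len, owned, owned_len) == 0;
}

/* The broken browser check: the DER string is handed to a C-string routine,
 * so the comparison stops at the embedded NUL. This is the defect described above. */
bool browser_match_cstring(const unsigned char *cn, size_t cn_len, const char *host) {
    (void)cn_len;                         /* length ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* The hardened check: honour the DER length, refuse any embedded NUL, and
 * compare the whole name against the host the user typed. */
bool browser_match_length_aware(const unsigned char *cn, size_t cn_len, const char *host) {
    if (memchr(cn, '\0', cn_len) != NULL) return false; /* never valid in a hostname */
    size_t host_len = strlen(host);
    return cn_len == host_len && memcmp(cn, host, cn_len) == 0;
}

int main(void) {
    const char *host = "www.icicibank.com";
    printf("CA sees owned suffix mydomain.com: %d\n",
           ca_suffix_matches(kCraftedCN, kCraftedLen, "mydomain.com"));
    printf("C-string match for %s: %d\n", host,
           browser_match_cstring(kCraftedCN, kCraftedLen, host));
    printf("length-aware match for %s: %d\n", host,
           browser_match_length_aware(kCraftedCN, kCraftedLen, host));
    return 0;
}
```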

So what does this mean for an ordinary online banking user?

She might be providing her bank account number and password to a fake bank website which looks exactly like the original, and the site is even protected with a valid certificate signed by Verisign. The browser will not complain about anything suspicious.

What a hacker can do once he has you on the fake bank website:
1. Change your profile details so that later on he can reset all security PINs and passwords.
2. Find your personal information and then call the bank to make transactions to any account using tele-banking.
3. Initiate an online transaction using your credit card and ask you for the two-factor authentication PINs as part of some fake security check drill.


Precautions:
Whenever you visit any secured website, check the following:

1. The URL in the browser starts with "https://...".
2. The yellow SSL lock is visible in the status bar of the browser.
3. Click on the SSL lock and check the certificate details: it is issued by a known CA and, most importantly, there are no suspicious intermediate CAs.
4. Check the certificate details and find the common name in the subject field. Make sure the common name is the same as the website address you visited.
5. Do not enter your password anywhere unless you initiated the transaction.
6. Check your past transactions regularly to see that there are no unknown transactions that you never made.


ICICI bank has put up a warning message for users to make sure they don't fall victim to the new SSL attacks:

Safe surfing!