2015-03-03

Social media banking is the latest offering from banks in India. But given the apprehensive nature of banking customers, how safe and secure is social media banking? Read on to know more…

Imagine this – you are in a restaurant inside a shopping mall, another group of your friends is at a 3 star restaurant, and you exchange pictures and messages about the restaurants’ food, service and ambience on your Facebook timelines using your smart-phones. Then you get a message from your friends saying that they do not have sufficient money to pay the bill. So what? You can pay the bill using your Facebook or Twitter account, which is linked to your bank account. The money is transferred to your friend’s account instantly, without the hassle of adding your friend’s account as a beneficiary or entering details such as the bank account number and the branch’s Indian Financial System Code (IFSC). It sounds like futuristic banking! But this concept of using social media such as Facebook and Twitter is already operational all over the world, including India.

So let’s understand the significance and concept of social media banking, or ‘S-Banking’, which uses social media services for banking transactions.

Significance of S-Banking

Most e-banking is done over the Internet through PCs, smart-phones and feature phones. But that was the picture some years back; now it’s a different story. Social media is the new banking service, well on its way to becoming a core component of any banking business strategy, and it is the relatively early adopters in the global financial services industry who stand to benefit the most.

Almost all sectors in the global IT industry have realized the relevance of social networking sites and their utility in the cyber world. However, the banking sector is the latest one to understand the pulse of young and tech-savvy customers for whom Facebook and Twitter have been a lifeline. Prominent banks around the world have already responded to this trend of using social media and have embraced it for their business prospects. Globally, banks have adopted social media banking since the launch of social media sites like Facebook and Twitter to find new avenues to connect with their customers. Thus starts the advent of ‘S-Banking’ or social media banking.

While social banking took off very early in countries such as the United States and Canada, Indian banks have been late in adopting the benefits of social sites in consumer retail business. In western countries, most major banks, in addition to launching Facebook profiles, have also adopted Twitter as a new marketing and customer service avenue. But in India, banks are traditionally non-social and, given the highly regulated environment, are understandably sensitive to the reputational risk inherent in social media. This has now changed in India, as banks adopt social media for consumer banking in order to reach more potential customers.

S-Banking in India

As of now, two prominent banks in India, ICICI Bank and Kotak Mahindra Bank, provide social banking services for their customers. In the following sections, let’s understand the various social media banking services introduced by banks in India and their security and privacy aspects.

Kotak Mahindra Bank’s Kaypay

Kotak Mahindra Bank’s Kaypay service using Facebook was launched last year, in October 2014. To use Kaypay, you have to register on the kaypay.com website through your Facebook account. Registration of your bank account is usually done by filling in details like your bank’s name (chosen from the options provided in the drop-down), account number, email address and mobile number. Once you register with your bank, you will get the Mobile Money Identifier (MMID) from your bank on your registered mobile number, which you then have to enter as well. The MMID is a seven-digit code issued by the bank to customers who have registered for mobile banking to use the Immediate Payment Service (IMPS). To get the MMID, you can send an SMS to the bank. If you are a Kotak Mahindra Bank customer, you do not need to provide the MMID. Instead, you can give the customer relationship number.

After you provide the MMID, your Kotak Mahindra Bank account is linked to Kaypay and Facebook. Now select a friend from your Facebook list, enter the amount you want to send, select your bank account, generate and enter a One Time Password (OTP) and then send the money. Be careful with the OTP, because it will expire within one hour. After this process, your friend will be notified via a Facebook alert. If your friend has already registered with Kaypay, your friend will receive the money instantly. Otherwise, your friend has two days to register. If not, the money will be deposited back to your account. A Kaypay sender can send up to ₹ 2,500 daily and up to ₹ 25,000 a month through Kaypay. A receiver can get up to ₹ 25,000 on a daily and monthly basis.

Highlights of Kotak Mahindra Bank’s Kaypay

• Kotak Mahindra Bank allows cash transactions through Facebook.

• Post Cash through Facebook.

• No need to wait 24 hours to add receiver as beneficiary.

• Details required are bank’s name, receiver’s name, email id, mobile number, MMID and OTP.

• Technology used is IMPS, which is instant.

Kotak Mahindra’s Jifi Saver

In January 2015, Kotak Mahindra Bank launched a new savings account product targeted at tech-savvy people. The product, known as Jifi Saver, can be managed via a customer’s Twitter and Facebook pages. The bank account is tied to the customer’s Twitter handle, and customers do not have to enter their bank account number or card details to conduct certain limited banking transactions. The product also allows customers to recharge their mobile phones and DTH connections via Twitter.

Safety Aspects of Kaypay

As with all banking vendors, every bank comes up with its own safety and security measures to assure its customers. Likewise, in this case, Kotak Mahindra has come up with a host of safety and security features for Kaypay. Kotak Mahindra has said that it has implemented sufficient security measures to remove any threat to the security and safety of bank account holders.

The following are some of the safety and security features of Kaypay from Kotak Mahindra:

• The transaction will only process when the one time password is matched, after the user logs in via Facebook account. Hence, there is a two level security process here.

• All authentications and verifications would take place at Kotak Mahindra’s servers.

• The app used for money transfer will not post any message/update on your Facebook account, without your permission.

• No bank account details would be shared with Facebook.

• KayPay offers a safe and secure platform to transact on the social networking site through a two-level authentication using the Facebook user ID and password and a One Time Password (OTP). Further, both sender and receiver immediately receive notifications via SMS and on Facebook about the transfer.

ICICI Banking Through Twitter

Earlier, in 2013, ICICI Bank had launched a Facebook application called Pockets, which allows people to conduct banking transactions without leaving the Facebook site. It is said that as of now about 30,000 people are using this Facebook application.

In January 2015, ICICI Bank introduced a number of banking transactions on Twitter in India. The service, known as ICICIBankPay, allows its customers to transfer money, recharge prepaid mobiles, and check account balances and the last three bank transactions over direct messages (DM) on Twitter.

In other words, customers of ICICI Bank can now transfer money to any of their friends and relatives just by tweeting their Twitter handle. ICICI account holders who have opted for this service can check their account balance by sending a 4-letter Twitter message, or recharge a mobile phone simply by sending a Twitter message. They can also check their latest transaction or transfer funds to any ICICI or non-ICICI bank account holder.

ICICI Banking Transaction Process through Twitter

ICICI Bank has prescribed a format for each type of transaction on Twitter. To use Twitter Banking, you must follow the transaction codes. In Twitter Banking, every input you give is in tweet format: you write preset characters with the hash to give your input. Each of your tweets should be a direct message. A word of caution here: Twitter Banking should be done only through direct messages. Do not ever tweet it publicly, or your privacy and security would be at stake.

ICICI Bank Twitter Banking Registration Process: Customers of ICICI Bank who want to register for the service need to follow ICICI Bank’s Twitter handle, @ICICIBank, and send a direct message (DM) to the handle with the hashtag #reg along with the mobile phone number registered in the bank’s records. As an added safety measure, customers will receive an OTP, which in turn needs to be sent back as a direct message to the bank’s Twitter handle with the hashtag #regotp to complete registration.

The beneficiary will receive a tweet from the bank with a link of its website. Beneficiaries will have to click on the link which will take them to a secure page on ICICI Bank’s website. The beneficiary will be required to verify their Twitter account and provide their name, account number, IFSC code (only for non-ICICI Bank customers) and the pass code they received to complete the transaction.

Check Account Balance and Transactions: Customers can also check their account balance with the hash tag #ibal. To view recent transactions, send a DM with the hash tag #itran to view the last three transactions.

Cancelling Payment: Customers who want to cancel a fund transfer have this option as well. In an ICICI fund transfer through Twitter Banking, the money is not transferred immediately. It is transferred only after the beneficiary enters their account number at the ICICI Bank portal, so you can cancel the payment until that point. To cancel a Twitter payment, you have to send a direct message to @icicibank in the given format:

#Cancel <Coupon Code>

De-linking Account From Twitter Banking: ICICI customers can also discontinue their Twitter Banking. To cancel the registration process, the customer has to unfollow the @icicibank Twitter handle.

Safety Aspects of ICICI Twitter Banking

As a safety measure, ICICI has limited the transaction amount for Twitter banking. ICICI’s Twitter banking is limited to small transactions: you can transfer a maximum of ₹ 5,000 through one Twitter banking transaction, and you cannot transfer more than ₹ 10,000 in a day.

Therefore, in case you lose your smart-phone, you have to report it to the police and block your mobile number and bank account. Otherwise, you can lose ₹ 70,000 in a week!
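The ₹ 70,000 figure is the ICICI daily cap of ₹ 10,000 sustained for seven days. As an added example (not code from the article or from either bank), this Python model applies the caps quoted in the article, both ICICI's and the Kaypay sender limits given earlier, and computes the maximum that can leave an account while a compromise goes unreported. The class and function names, the treatment of Kaypay as having no per-transaction cap, and the constructed start date are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class LimitPolicy:
    """Caps in rupees; None means the article states no such cap."""
    per_txn: Optional[int]
    per_day: Optional[int]
    per_month: Optional[int]


# Figures quoted in the article; the names are hypothetical.
ICICI_TWITTER = LimitPolicy(per_txn=5000, per_day=10000, per_month=None)
KAYPAY_SENDER = LimitPolicy(per_txn=None, per_day=2500, per_month=25000)


@dataclass
class Ledger:
    policy: LimitPolicy
    sent: dict = field(default_factory=dict)  # date -> rupees sent that day

    def headroom(self, day: date) -> Optional[int]:
        """Largest single transfer still allowed on `day` (None = uncapped)."""
        p = self.policy
        month = sum(v for d, v in self.sent.items()
                    if (d.year, d.month) == (day.year, day.month))
        caps = [p.per_txn,
                None if p.per_day is None else p.per_day - self.sent.get(day, 0),
                None if p.per_month is None else p.per_month - month]
        caps = [c for c in caps if c is not None]
        return max(0, min(caps)) if caps else None

    def try_transfer(self, day: date, amount: int) -> bool:
        """Server-side check: record the transfer only if every cap allows it."""
        room = self.headroom(day)
        if amount <= 0 or (room is not None and amount > room):
            return False
        self.sent[day] = self.sent.get(day, 0) + amount
        return True


def worst_case_loss(policy: LimitPolicy, days: int,
                    start: date = date(2015, 3, 1)) -> int:
    """Maximum outflow if a compromise goes unreported for `days` days."""
    ledger = Ledger(policy)
    for i in range(days):
        day = start + timedelta(days=i)
        while (room := ledger.headroom(day)) != 0:
            if room is None:
                raise ValueError("no cap in policy: exposure is unbounded")
            ledger.try_transfer(day, room)
    return sum(ledger.sent.values())
```

Over seven days the model gives ₹ 70,000 for the ICICI caps and ₹ 17,500 for the Kaypay sender caps; over 30 days within one calendar month, the Kaypay monthly cap holds the loss at ₹ 25,000, while the ICICI figure, with no monthly cap stated, reaches ₹ 300,000.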

Security Risks of Social Banking

Social media services are always exposed to security risks: it is reported that 90% of passwords used on social networking sites are vulnerable to hacking. Another cause for concern is that every day around 600,000 fraudsters try to hack into Facebook accounts. Registering your bank account with a social media service exposes your personal information, such as your birthday, home town and news feed, to external elements who could monitor your messages for any extra information.

In general, social media services like Facebook and Twitter have some inherent flaws in terms of security and privacy. So there are chances that banking through social media services may expose your bank transactions to online fraud. There are also chances that some highly professional hackers could read your social media messages containing banking transactions, either by hacking into your social media accounts online or by remotely hacking your smart-phone. An unsecured smart-phone with an open Twitter page could also prove to be disastrous. Hence you will have to make extra efforts to secure your smart-phone along with your social media accounts. Losing your smart-phone without any security protection on it could also prove to be fatal.

Security vulnerabilities in social media apps in the smart-phone are a huge risk as some customers do not update their apps regularly.

Another crucial challenge is that the social media companies are not based in India. This means that your banking data may be getting transmitted to servers placed outside India. Chances are that those social media companies may find it hard to comply with Indian laws. Also, those social media companies may not take extra care to secure global banking transactions through their social media platform.

Simple Steps to Mitigate S-Banking Risks

As far as social media services like Facebook and Twitter are concerned, you don’t have control over some situations. Since you might be operating social media services through your smart-phone, take care not to lose your phone, because whoever holds an unsecured smart-phone may have full access to its crucial data and apps. Hence, it is best to secure your smart-phone with a screen lock password, pattern lock or numerical lock, and also to secure your SIM card with a 4-digit SIM PIN pass-code. This is essential because, even if you misplace or lose your smart-phone, any malicious person will find it hard to access your smart-phone or SIM card.

It is also best to secure all the crucial data on your phone, like messages and apps, with secure app-locking apps, which are available from app stores like Google Play and on other mobile phone platforms. These app-locking apps protect the apps on your smart-phone, preventing strangers and other persons from accessing your banking apps and messages.

By following the above steps, you can be assured that your banking apps are secured against intrusion to a certain level.

The Road Ahead

S-Banking or Social media banking in India is certainly a useful banking service for the tech savvy people who are conversant with the various online social media services like Facebook and Twitter. As we move into global standardized banking, we ought to see many more banks offering banking through social media.

With every new banking service there are undoubtedly some apprehensions among the masses. However, as we do not have any security and privacy incidents using social media banking, we have to wait and watch how secure this service is from the aspect of secure banking. In particular, we need to see how banks in India handle automated systems with a high number of transactions and put processes in place for mistakes, lost transactions, unclaimed money, hacks and scams.

However, given the volatile nature of social media and online world — it is always safe to follow the privacy and security guidelines prescribed by the Reserve Bank of India (RBI) and its associated banks.

Are you a security expert? Do you know more about the security flaws of social media banking? Do you have a strong opinion about this topic? Do you think this article is informative? Please comment and add your insights!

Author’s Info.

R. Manoj

The author is a Senior Editor at Bitstream Mediaworks.
He has an active interest in IT Security.

The post How Safe is S-Banking? appeared first on INFOSECURITY LIVE: Strategic Insights for CISOs and Information Security Leaders.
