Banks. A place for keeping the wealth and savings of the masses. A place where you pay money to access your own funds. No matter who the Branch Manager is, no matter who the cash officer is, people walk in, hand over their money, take a paper receipt and blindly believe that their money is in safe hands.
Now comes the second round. You want your transactions orderly and recorded, and you want 24x7, 365-day access to your funds without any delay. In every need and urgency, one believes in a plastic card or paper cheque book more than in the treasure of Mammon. Even in daily life, the common man believes that bankers understand financial matters and transactions far better than anyone else, and trusts a banker's advice and suggestions as far as financial matters are concerned. This is the state of the banking industry and of bankers in our society.
People believe bankers are trustworthy and their money is in safe hands
Here comes the brutal reality: the people at the technology backbone and in the top business positions of banks aren't doing enough research, and aren't studying international developments or innovations in the financial industry around the globe while making business plans or implementing technological solutions for banking channels.
In the bigger banks, even the senior-most management doesn't understand the basics of the digitization of financial systems; they still consider gathering public money in deposits and producing float income as their core "KPI" and "live in it" thing. They introduce their innovation/digital people to others by saying, "they look after the internet of our bank".
Banks and their managements are still stuck in the pre-digital era & rely on copy paste innovation
So, keeping their value and importance in mind, these gentlemen look after their internet really well, and try not to put anything heavy on the senior-most management's softer and lighter minds and thoughts. Copy and paste, unfortunately, is the norm across the board: if one bank announces a product or service, it is mandatory for the others to follow on an ASAP basis, just to tell the "senior-most management" of the bank that we have also made that possible.
SBP, as the regulator, always tries hard to push banks towards research and innovation by providing maximum facilitation and innovation to end users. Obviously, wherever an alternate banking channel comes in, security and vulnerability are the next thing ahead, so SBP always tries to protect the end user in terms of liabilities and responsibilities. In the recent past, SBP came up with a two-factor authentication requirement, which says that any alternate delivery channel transaction should use 2 out of the 3 authentication factors, i.e.:
- Something you are
- Something you know
- Something you have
Now, while defining these scenarios and mechanisms, SBP gave as an example of something you know your login PIN/password, and as an example of something you have an OTP (a one-time login code). So, without going into the details or any deep analysis of OTP or of worldwide implementations of two-factor authentication, banks decided that the best way to comply with the regulation was to implement OTP on all transactions. Surprisingly, no one from the banks' business teams, technology teams, compliance teams or even their FnF (friends and family) said, hold on guys, OTP isn't secure at all!
One Time Pin is a ridiculously unsafe approach to security and is widely used in banking industry
Let's try to understand how an SMS is delivered over a typical GSM service. When the sender sends the SMS, it goes first into an SMSC or SMS server: an end user's handset submits it directly to the GSM operator's SMSC, while a company submits it through a technology vendor's SMS server, which then forwards it to the GSM SMSC. At every hop, from the end user's device to the SMSC, or from the vendor's SMS server to the GSM SMSC, the SMS travels naked, without any kind of end-to-end encryption.
So, if I am a technical person working on an SMS server or at an SMSC, I can actually see the content of an SMS on the system, and I also have the rights to cancel delivery to some specific number, to route it to some other number, or to send a copy to some other number or device.
That means any OTP sent via the bank's SMS channel isn't secure at all, and has the same kind of vulnerability that a single-factor authentication mechanism has. So here fails the so-called transactional security layer, the fool-proof mechanism that was supposed to ensure that transactions aren't possible without the genuine end user of a bank account or product.
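To make the difference concrete, here is an added example (not code from the article or from any bank mentioned in it) of a "something you have" factor that does not depend on the SMS channel at all: a device-bound one-time code computed from a shared seed per RFC 4226/6238. The seed stays on the bank's server and on the customer's device, so reading or re-routing SMS traffic yields nothing; the seed value below is the public RFC test-vector seed, used purely for demonstration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 HOTP: the code is derived from a shared seed and a counter; the seed
# itself never leaves the bank's server or the customer's device.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the current 30-second window, so both sides can
# compute the same code independently and nothing secret is sent over SMS.
def totp(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(seed, int(unix_time) // step, digits)

# Bank-side check: accept the current window plus one on either side for clock
# drift, compare in constant time, and never echo the expected code anywhere.
# A production deployment would also record the last accepted counter per
# customer so that the same code cannot be replayed inside the window.
def verify_totp(seed: bytes, submitted: str, unix_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(seed, counter + delta, digits)
        ok |= hmac.compare_digest(expected, submitted)   # no early exit
    return ok

# Constructed demo seed: the RFC 4226/6238 test-vector seed, not a real customer key.
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print(totp(DEMO_SEED, 59, digits=8))
    # An SMS OTP is the secret itself in transit; a TOTP is a function of a secret
    # that stays put, so anyone reading the channel learns nothing reusable.
    print(verify_totp(DEMO_SEED, totp(DEMO_SEED, 59), unix_time=59))
```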
Much of the faith that the population puts in bankers and banks is ill placed
The question here is: why aren't banks doing much in terms of innovation and out-of-the-box thinking?
The answer is in the first paragraph of this article: banks' management still hasn't figured out that the world has changed, that it's no longer about "going the same old beaten path", and that end users will keep their money wherever they feel comfortable, uninterrupted, and have fool-proof access to their funds.
When someone makes a financial transaction by other than conventional means, they believe the bank's systems and processes will make sure the transaction and the money are secure and that they are not going to lose anything. The lack of focus and vision in this area leads to below-average and old-ranker staff of the organization being put into the top positions related to the digital/innovation side of banking.
One can count the recognized domain experts working on digital banking on one's fingers, and in the same scenario it's hard to imagine that people with ZERO knowledge and expertise on the digital side are securing their existence in organizations by either copy-pasting proven models or by suggesting lesser innovation to the organization.
Experts in digital banking who know what they are doing are far and few in Pakistan
The bottom line is always measured in terms of annual fees and transactional revenues, and as long as banks are making money through these two models, there are no issues for these folks. Just imagine: end users even have to pay to learn of a transaction made against their own bank account or card. So these buggers keep management happy by looting end users and presenting the bottom line in terms of money and pillage.
I personally believe that, as in "gone are the days…", a revolutionary era is starting and that banks/FIs will now win on the basis of VAS (value-added services), innovation, and out-of-the-box thinking, rather than on brand name or years of doing business. This period is going to be very, very tough and difficult for those typical bankers who spent their entire lives in hardcore deposit collection, easy money, and following trends, and never tried to learn about digital innovation and the latest changes in the overall banking scenario.
It’s time for banks to wake up to the new reality of doing business in the digital age
The FIs that win will be those where the bank's top management makes decisions over informal ways of communication, i.e. WhatsApp, Skype and virtual conferences, rather than meetnapping (a combination of meeting + kidnapping, where someone sits in a meeting for hours with no output or learning) their subordinates for nothing.
Smaller banks, startups and MFIs are going to put a lot of pressure and competition on those who still believe in hardcore cash handling and take their digital side lightly.
The writer has over 15 years of experience in the Telecom, FMCG and Digital/Retail Banking industries.