All Top Banking

The "Type" of Bull Crap that Passes as Security These Daze!

Posted by John B. Frank Sunday, August 2, 2009

By the time you read this, the new Reserve Bank of India (RBI) norms that enforce (in my opinion, a dangerous) third-factor identification for all online credit/debit card transactions will already be applicable. As a cardholder, you will no longer be able to make online purchases or payments if you haven’t registered yourself for an additional security layer with your partner bank.

Till Friday, all one needed to do to make an unauthorized transaction from your card was to steal three security details: the card number, the card expiry date and the 3-digit or 4-digit card verification value (CVV) number. Though it’s much tougher now to skim a card, if you think the new security system acts like a guarantee providing cover against online frauds, then you are treading on the wrong turf.


This is what bankers have to say on the subject:

“Verified by VISA or MasterCard SecureCode only provides an extra layer of security.

1. In case a wrong password is entered as part of this extra authentication, the bank informs the e-commerce merchant, and if the merchant still goes ahead with the transaction, it becomes the merchant’s liability.

2. On the other hand, if the password is correct, even if the customer disputes the transaction, it is still a customer’s liability.”

(Hmmm...interesting. It appears that from now on, fraud is either the merchant's liability or the consumer's. Didn't see a scenario where it was the bank's, did you?)

Stumped? To help you with all such concerns and questions, here’s a ready reckoner on what the new security layer implies for you as a cardholder.

Editor's Note: It's no accident they wrote: "Implies"... (vs. Provides)

“From the cardholders’ perspective, (Editor's Translation: "perception") another layer of protection gives a lot more comfort in terms of security for the online transactions using credit/debit cards. (Reality: another layer of this type of non-protection simply provides another way for hackers to intercept financial data.)

Though it will also mean you may have to go through another step to complete your transaction online (the extra step is only there to determine whether banks hold the merchant or the consumer liable for the fraud), but doing that (from the bank's perspective) is always better than having to deal with fraud and face the risk of losing your hard earned money,” says Basant Shroff, associate director, financial services — advisory services, Ernst & Young.



Editor's Note: This is what I have to say on the subject:

This is such bullcrap! Adding another false layer of "bullcrap protection" will "only" provide a bullcrap "false sense of security." Then they add another bullcrap step which they say will get rid of the bullcrap fraud, but it actually provides hackers with "ANOTHER OPPORTUNITY" to steal your money. C'mon people! Read between the lines on this one. It's 100% BS. Let me sift through the stink here.

Consumers have fears about security, so they are cajoled, no scratch that, "fooled" into thinking online shopping is more secure because banks added another layer of "Emperor's Clothing." 

Here's the one that gets me going. "If the password is correct, (even if stolen) it is still the customer's liability." So, they provided another step for hackers to steal passwords, but said it's safer, but covered their butt by stating that if the password is correct, it doesn't matter if you dispute the transaction...you are liable. Oh man...open the windows, turn on the fan and spray some air freshener.

As per RBI figures, Indian banks lost out on almost Rs 37 crore in 12,959 credit card fraud cases reported last year.

(Editor's note:  and hence the introduction of a "third new layer" of authentication designed to shift bank  liability to merchants and consumers) 

According to the article, "Some banks, in fact, have gone a step ahead creating the security wall." (Editor's Note: Wait till you read this one. Are you strapped to your chair? Because I almost fell out of mine when I read the following.)

For instance, while generating a 6-digit PIN as an additional security layer at ICICI Bank, you are also asked to type a message, known as a personal assurance message (PAM).

(Editor's Note: Add an S to the beginning of that word and you'll find out how the bad guys will phish your PAM silly.)

This PAM is known only to you. (Editor's Note: Are they joking? For how long?)

When you type your credit card number on the merchant’s website, it will take you (what/who will take me?) to the bank’s website to complete the transaction, where you need to "type" in the PIN, explains an ICICI Bank spokesperson.

Editor's Note: This is beyond bull crap. It's asinine. Once again..."It's the typing, stupid." They are asking you to type, not once, but twice. And what is "it" that takes me to the bank's website? A hacker DNS hijack? The web browser? Hah! I'd laugh at this if I wasn't in such a bull crap mood from reading this article. This is the future of ecommerce? Help me.

You cannot type anything you want to keep safe (like a PAM) or card numbers into boxes on the web. Why is that so hard to understand? Here's just one example of why this won't work.

Suppose after you "type" your credit card number on the merchant's website, you are "redirected" to a "cloned bank website"? Hackers can do this in one of many ways. And how would you know? The cloned website looks authentic. You follow the bank instructions and you "type" in your PIN. Guess what happens next? Did you say "my bank account gets emptied"? Now what? Well, according to this article, and I quote:
"if the password is correct and even if customer disputes the transaction, it is still a customer’s liability.” 



Oh...now I get it. They just shifted the responsibility for the loss onto the consumer. So, I guess this post is directed at consumers:

"If you want secure eCommerce transactions, you can't "type" anything into the browser." It's really not that hard to understand. Is it?


