
Technology for Financial Inclusion and Ease of Business
Simple Technology Intervention to Protect Customers
My wife recently forwarded me an email that contained a welcome letter from a leading private Indian bank. It was a welcome letter for a customer who had recently opened an account with the bank. The customer must have supplied an email address that belonged to my wife, or perhaps the customer service agent fat-fingered the email address while typing. I have also received emails from another public sector bank in India, where I don’t have an account; the emails contained statements of another customer. While speaking with a friend of mine, I learnt that the problem is not unique to us but quite prevalent. Some of these emails include PDF attachments that are password-encrypted; however, these passwords are usually based on a predetermined pattern that uses a combination of digits from account numbers, identifiers and birth dates. With a bit of social engineering these can be cracked. One of my friends receives OTPs and other sensitive information of another customer on his email, which is quite disconcerting.
I followed up with the bank to get the customer’s account corrected, so that emails are not sent to unverified email addresses. However, in many cases, most people would ignore these emails. Email addresses and mobile numbers are linked with a customer’s account and can be used as a channel to reset account passwords, validate transactions and notify the customer of important changes to the account; consequently, the linking of these communication channels must follow a verification process. The data protection thrust in India (a draft data protection bill has been prepared under the chairmanship of Justice Srikrishna) would require protection of sensitive data. Financial data, which has provisionally been classified as sensitive data (financial information has been categorised as sensitive information in India since the formulation of the SPDI Rules[1]), would require due care when it is sent to a customer’s inbox.
India is rapidly going through a phase of digitalization, and service design must recognize that there will be people with varying levels of digital literacy. There may be customers who do not yet have an email address and perhaps no mobile number to receive SMS. Today around 67% of India’s population lives in rural areas[2] and around 12% of people don’t have mobile phones[3]. This demographic divide creates process design challenges and typically pushes the technology choice towards a more broadly acceptable baseline (such as the pervasive use of SMS instead of device notifications when push notification or cloud messaging is available, or delivery of OTPs over SMS when app-based soft-token authenticators are available), compromising security in several of these cases. The design must be cognizant of this digital divide and provide adaptive security features to the end customer, so that the security and usability experience of all customers is not compromised because of a service baseline selection.
When accounts are being seeded with email address and mobile number of a customer, some verification step must be used by the banks. The following flow chart shows a normative implementation of this service design:
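One way to implement such a verification step, as an added example (it is not the flow chart from the original post, nor any bank's code): a newly seeded email address or mobile number stays unverified until the customer returns a one-time token sent to it, and nothing except that verification message is delivered to an unverified channel. The class and function names, the 15-minute validity and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed validity window of a verification token, in seconds
MAX_ATTEMPTS = 3      # assumed limit on guesses per issued token


class ContactChannel:
    """An email address or mobile number seeded on a customer account."""

    def __init__(self, address):
        self.address = address
        self.verified = False
        self._digest = None      # only a hash of the token is stored
        self._expires = 0.0
        self._attempts = 0

    def start_verification(self, now=None):
        """Issue a random token to be sent to the address; it carries no account data."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._digest = hashlib.sha256(token.encode()).digest()
        self._expires = now + TOKEN_TTL
        self._attempts = 0
        return token

    def confirm(self, token, now=None):
        """Mark the channel verified only for a fresh, unexhausted, matching token."""
        now = time.time() if now is None else now
        if self._digest is None or now > self._expires or self._attempts >= MAX_ATTEMPTS:
            self._digest = None          # expired or exhausted: a new token is required
            return False
        self._attempts += 1
        candidate = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(candidate, self._digest):
            self.verified = True
            self._digest = None          # tokens are single use
        return self.verified


def route_message(channel, kind):
    """Return 'send' or 'hold'; only the verification message may reach an unverified channel."""
    if channel.verified or kind == "verification":
        return "send"
    return "hold"   # assumption: held items go through an offline channel such as the branch
```

A message that is held here is where the adaptive design discussed earlier applies: a customer with no verified digital channel is served through a non-digital one instead of through an unconfirmed address.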
This is a simple intervention that can strengthen overall security and improve customer trust. These changes may require rethinking the service design approach, but they are a must for organizations dealing with customers over a digital communication channel.
References
[1] White Paper on the Committee of Experts on the Data Protection Framework for India http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_171127_final_v2.pdf
[2] The world population review, India’s Population 2018, http://worldpopulationreview.com/countries/india-population/
[3] 88% of households in India have a mobile phone https://www.livemint.com/Politics/kZ7j1NQf5614UvO6WURXfO/88-of-households-in-India-have-a-mobile-phone.html