An interesting survey conducted in three countries, namely the US, the UK and Germany, indicates that 46% of consumers do not trust websites which rely only on “Passwords” for authentication. (Refer to the findings here.)
If the findings of this survey are extended to India, it would mean that the Internet Banking system in India, where passwords are used as the means of authentication instead of the legally mandated “Digital Signature”, is also not trusted by customers. Though from a research angle it may not be proper to extend the findings without appropriate correction, if we consider that “frequent users of Internet Banking” can be equated with the profile of the website users referred to in the survey, the situation in India may be qualitatively similar.
The survey also reports that users prefer an additional factor of authentication. But different customers prefer different types of additional factor, such as mobile-based authentication, ID cards or biometrics. Thus the two-factor authentication being pushed by RBI appears to provide some additional comfort to customers.
The current generation of intelligent malware has, however, grown beyond the security offered by two-factor authentication, and we need a serious rethinking of the authentication systems that can secure Indian banking systems.
The Digital Signature System is definitely the legally recommended choice and the minimum compliance standard. But the time is fast approaching for the industry to look beyond mere adoption of the digital signature system and to consider further hardening of authentication methodologies that are legally compliant and also technologically as strong as possible.
At the same time, we need to keep in mind “Social Engineering” and “Lack of Security Awareness” as additional factors for consideration, and not assume that what is technologically superior will necessarily be so in practice. We are aware how the Certifying Authorities in India abuse the digital signature system and how the Controller of Certifying Authorities (CCA) is turning a blind eye to the irregularities.
Since our country has adopted a PKI system with a regulatory body established by statute, the security of digital signatures in use depends on how effectively the system is monitored by the public authority, namely the CCA.
Presently the CCA would be happy just if digital signatures are adopted. But this attitude needs to shift quickly towards tightening the system, so that the respect accorded to digital signatures in Indian law is not eroded.