Banking security in Indian banks is a joke
3 by itissid | 1 comment on Hacker News.
Public mentions of SIM swapping attacks[1][2][3] on Indian retail banking customers are not very new news in India (indeed there is a whole Netflix series on it). Now I don't know about you, but these specific attacks don't seem so pedestrian in, say, the US as compared to India[3] (although there are identity scams all the time in the US). Regardless of what's going on, I wanted to put out there what I think is the root of the problem. Consider this a PSA. What is really odd is that establishing identity (of the device and of the person) is really at the core of the problem, and no one seems to get it in the Indian banking industry, but it is not so complex a problem to solve[6]. The irony is that cell phone lines in India now require you to link to a national identification number (aka Aadhaar)[4]; if not, you have to provide extensive documentation. Opening or making changes to your bank accounts is also backed by extensive KYC norms[5] (check out the mentions of V-CIP in [5]). But there is no guidance on the very real problem, which is these attacks after you establish the identity the first time. Banks I have worked with, like ICICI, Kotak and Yes Bank, have poor identity practices in general, leading to such attacks becoming commonplace. Sadly there is nothing on the horizon for establishing identity using modern methods (Zero Trust tech like Duo[6] etc., which I assumed is industry standard now in many major US banks). You don't necessarily need an expensive YubiKey; most smartphones can do the job. Here is the idiocy of the identity establishment process for a typical Indian bank: any time I have to open an account, add a joint account holder, change my address or, less commonly, my cell number, there is a request to send sensitive documents in clear text over email to establish identity and (if you are an Indian overseas) an expensive physical document pick-up from your location as well.
This would be fine for the first time you open an account, but makes no sense for later operations. Meanwhile the remaining sensitive, day-to-day operations like bank transfers are wide open to the aforementioned attacks. To me, Zero Trust tech like Duo[6] would solve a lot of these identity issues and these attacks for a vast majority of the Indian population (India has the youngest population in the world, which makes it more tech savvy). Meanwhile, grow eyes in the back of your head if you have a bank account in India, because the Indian banking system does not seem to have any robust solution to this problem, or maybe even care.

[1] https://ift.tt/TMj6zH3
[2] https://ift.tt/qd279iK
[3] https://ift.tt/FD73qQC (by the Times of India and The Deccan Herald)
[4] https://ift.tt/QM5bF2I
[5] https://ift.tt/DrYHJbU
[6] https://duo.com/product
