Starting January 1st, 2011, Indian banks will require an additional security code in order to authorise phone banking transactions, according to regulatory guidelines issued by the Reserve Bank of India (RBI).
The Hacker News


Known as one-time passwords (OTP), these codes are part of what are known as two-factor authentication systems and provide an extra layer of security.
The RBI directive is mandatory for all banks that offer phone banking services, including those based on Interactive Voice Response (IVR) systems.

IVR refers to technology that lets customers perform actions via their phone's keypad and get confirmation through pre-recorded audio messages.

As their name implies, OTPs can only be used once, meaning that a new code must be generated for each separate transaction.

The code can be generated by the bank and sent to the customer's mobile phone number, or produced by an electronic device called a hardware token, which is supplied to the client in advance.

In both cases the customer needs to visit the bank first, to either pick up their OTP generator or update their mobile phone number on record.

Then, when a transaction is initiated over the telephone, the bank will ask for the credit card number, expiration date, CVV2 code, mobile number and OTP.

According to the Business Standard, several banks, including Citibank and HDFC Bank, have already notified their customers about the new requirement, while others are currently in the process of doing so.

"Starting January 1, 2011 these (IVR) transactions need to be authenticated with an additional password. This is mandatory according to the RBI guideline," the HDFC Bank notification letter explains.

OTPs were already introduced for online banking in 2008, and RBI regulations require signature verification and identity verification for card-present transactions.
