
Lenders Responsible For Failure to Launch OTP

Sep 8, 2019, 12:27 PM
News ID: 30134

EghtesadOnline: In a directive to banks and credit institutions, the Central Bank of Iran has warned that lenders would be held responsible for any loss resulting from their failure to activate disposable debit card passwords.

“Failure to activate the dynamic debit card passwords is tantamount to breach and lenders will be liable to compensate for any loss incurred on customers,” says the directive published by IRNA.

The warning comes after lenders ignored previous deadlines to activate the one-time password service on their customers’ debit cards.

The CBI called on banks last September to put into operation the OTP plan within a month. However, after many banks failed to create the necessary platform, the regulator was compelled to extend the deadline up until May, according to Financial Tribune.

The CBI at that time warned lenders that they would be responsible for any loss to customers if they failed to offer OTP services from May 22.

The one-time password is a code valid for a single login or online transaction on any digital device and will be discarded after 60 seconds.

This means that a potential intruder who manages to record an OTP will not be able to abuse it simply because it will no longer be valid.

However, according to Nasser Hakimi, a CBI deputy, the validity of an OTP is not necessarily 60 seconds, and the period could be extended if and when the need arises.

An OTP is more secure than a static password, especially a user-created one, since a static password can be weak or used across multiple accounts.

 

Curbing Crime 

OTP services are offered as part of plans to curb cybercrime via debit card fraud and increase the security of online banking. 

According to the CBI, the services are free. The regulator says OTP is needed for transactions above 5 million rials ($43) and allows clients to use their current static passwords for transactions below that amount. 

Bank customers are also not required to use OTP for transactions whose beneficiary is a public body, or for any other transactions pertaining to utility bills, cell phone recharges and the like.