In an Instagram post late Thursday, Abdolnaser Hemmati said more than 30 banks have started to offer OTP services to customers.
“However, due to the fact that many customers don’t have smart cellphones, it is not possible to make the service mandatory,” he wrote.
According to Hemmati, the CBI launched a centralized system for offering OTP via the short message service (SMS), but it take another two months for all banks to connect to the new system, Financial Tribune reported.
He again held the banks accountable for any loss incurred on customers as a result of their inability to activate OTP services.
In a bid to curb cybercrime via debit card fraud and increase security of online banking, the CBI obliged banks to provide OTP services by May 21. However, many banks failed to meet the deadline largely due to technical issues.
The one-time password, developed to address shortcomings of static passwords, is a code valid for a single login or online transaction on a computer system or other digital devices to be discarded after 60 seconds.
This means that a potential intruder who manages to record an OTP that was already used to log into a service or make a transaction will not be able to abuse it because it will no longer be valid.
Vulnerability Factor
The crucial role of OTPs is that, unlike static passwords, they are not vulnerable to replay attacks. An OTP is more secure than a static password, especially a user-created password, which can be weak or reused across multiple accounts.
The senior banker said both static and OTP passwords are available for customers, adding that the majority of customers prefer to use static passwords because it is convenient. He said lenders have started promoting the merits of the scheme.
Hemmati recommended lenders to consider customers concerns in their move to terminate the static passwords. “Static passwords should be deactivated in a way that doesn’t raise concerns about 10 million daily transactions [using static passwords]”.
CBI says OTP is needed for transactions above 5 million rials ($44) and clients can use their current static passwords for transactions below that amount.
Bank customers are also not required to use OTP for transactions whose beneficiary is a public body and other transactions for utility bills, cell phone recharges, etc.
Elaborating on the CBI measure to fend off phishing attacks, Hemmati said the regulator has blocked a large number of fake website in cooperation with the judiciary, cyber police and the Computer Emergency Response Coordination Center (MAHER), affiliated to the Telecoms Ministry,.
According to media reports, MAHER shut 875 phishing websites in the first half of the current fiscal year.