According to a notice on CBI’s website, banks will put into effect limitations on static passwords on a gradual basis lasting a few days.
After the deadline, non-card payment will be possible only via the so-called one-time passwords. OTP is available on special applications developed by banks or sent to the debit card holders via short messaging service (SMS), according to Financial Tribune.
SMS services are offered to address a large group of customers who don’t access smart phones to install banking applications.
Basic Requirements
Bank customers are required to activate their OTP service in advance with the branch issuing their debit card(s) to be able to use the service. The service is free.
However, customers can use their static passwords for transactions amounting not more than one million rials in a day for each debit card.
The compulsory passwords are aimed at improving the safety of online transactions and prevent phishing that has become rampant in recent months with people increasingly complaining about thefts from their bank accounts.
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message.
Officials say Illegal withdrawals account for 65% of cybercrime in Iran. Tehran cyber police registered 23,000 cases of phishing in the past nine months.
The one-time password, developed to address shortcomings of static passwords, is a code valid for a single login or online transaction on a computer system or other digital devices that gets discarded in 60 seconds.
This means that a potential intruder who manages to record an OTP that was already used to log into a service or make a transaction, will not be able to abuse it because it will no longer be valid.
The crucial role of OTPs is that unlike static passwords, they are not vulnerable to repeat attacks. An OTP is more secure than a static password, especially a user-created password, which may be weak or reused across multiple accounts.