Password reset gets grid-based treatment at ICICIdirect.com

By Dhwani Pandya, Principal Correspondent
06 Nov 2009 | SearchSecurity.in


Password leaks can result in major losses, especially in the case of online trading accounts. To this end, the Indian securities market regulator, the Securities and Exchange Board of India (SEBI), has put in place several security policy guidelines, which include fortnightly password changes for online trading platform users. While this measure goes a long way towards raising security levels, it poses challenges for online trading players. "Although the SEBI policy has to be adhered to for obvious security reasons, we often face situations where customers forget their passwords," says Joydeep Dutta, the chief technology officer of ICICI Securities. ICICIdirect.com has dealt with this challenge in a unique manner.

Part of the leading Indian equity house ICICI Securities Ltd, ICICIdirect.com is an Indian online platform that facilitates investments in equities, mutual funds and other financial products for its customers. Since not all trading account holders trade actively, ICICIdirect.com has to focus constantly on keeping the trading process streamlined for its users.

Since the SEBI policy's implementation, ICICIdirect.com has received a steady stream of trading account password reset requests. Because passwords must change every 14 days, ICICIdirect.com customers are expected to come up with new, complex passwords and to remember each one. "When a customer forgets his new password, he is not able to trade. As a result, we lose revenues," Dutta explains.

Earlier, when an ICICIdirect.com customer forgot his password, he had to make a password reset request, and the new password was sent to him by physical mail: ICICIdirect.com generated the password in a sealed carbon envelope and posted it to the customer's address. The process took almost seven days, which meant seven days of lost business.

"To address this issue, we decided to adopt a grid-based model to set up online trading passwords," says Dutta. The new ICICI Bank debit cards (issued in 2008) carry a grid on the back, which ICICI Bank uses as a second factor of authentication during fund transfers. ICICIdirect.com decided to implement a grid-based password reset facility for its customers along similar lines.

With this facility, an ICICIdirect.com customer is offered the option to set up a grid-based password when he logs into his trading account. If the customer opts in, a computer-generated grid is sent to his registered email ID. If he later forgets his password, he can use this grid to set a new one. A freshly generated grid is sent to the customer every six months for additional security.
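The article does not describe the grid's dimensions, cell format or how the customer proves possession of it, so the following Python is an added illustration of a generic grid-card challenge/response, not ICICIdirect.com's or ICICI Bank's code. It assumes a 5x5 grid of random two-character cells (labelled A-E by row and 1-5 by column) generated from a CSPRNG, a challenge of three cells that the customer reads back, a constant-time comparison of the answer, and the six-month rotation the article mentions; all of those parameters are assumptions.

```python
import hmac
import secrets
from datetime import date, timedelta

# Illustrative grid-card reset, not ICICIdirect.com's implementation. The
# article gives no grid dimensions, cell format or challenge size; the values
# below are assumptions chosen for the example.
ROWS = "ABCDE"                       # row labels
COLS = (1, 2, 3, 4, 5)               # column labels
CELL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, to avoid misreading
CELL_LEN = 2                         # characters per cell
CHALLENGE_CELLS = 3                  # cells the customer must read back
GRID_LIFETIME = timedelta(days=182)  # "a freshly generated grid every six months"


def generate_grid(issued_on=None):
    """Return a fresh grid: {'cells': {(row, col): value}, 'issued': date}."""
    issued_on = issued_on or date.today()
    cells = {
        (r, c): "".join(secrets.choice(CELL_ALPHABET) for _ in range(CELL_LEN))
        for r in ROWS
        for c in COLS
    }
    return {"cells": cells, "issued": issued_on}


def render_grid(grid):
    """Plain-text rendering, as it might appear in the email sent to the customer."""
    lines = ["    " + "  ".join(f"{c:>2}" for c in COLS)]
    for r in ROWS:
        lines.append(f"{r}   " + "  ".join(grid["cells"][(r, c)] for c in COLS))
    return "\n".join(lines)


def new_challenge(grid):
    """Pick CHALLENGE_CELLS distinct coordinates; the customer answers with their values."""
    coords = list(grid["cells"])
    chosen = []
    while len(chosen) < CHALLENGE_CELLS:
        cell = secrets.choice(coords)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(grid, challenge):
    """Concatenated cell values in challenge order (computed server side only)."""
    return "".join(grid["cells"][cell] for cell in challenge)


def verify_response(grid, challenge, response, today=None):
    """True only if the grid is unexpired and every challenged cell matches."""
    today = today or date.today()
    if today - grid["issued"] > GRID_LIFETIME:
        return False  # expired: the customer must be issued a new grid first
    expected = expected_response(grid, challenge).encode()
    given = response.strip().upper().encode()
    # constant-time compare so timing does not reveal how much of the answer matched
    return hmac.compare_digest(expected, given)


def reset_password(grid, challenge, response, new_password, today=None):
    """Gate the reset on the grid challenge; return the new password if accepted, else None."""
    if not verify_response(grid, challenge, response, today):
        return None
    return new_password  # real code would hash and store it and end existing sessions


def demo():
    """Run the flow once; returns (accepted, rejected_wrong_answer, rejected_expired)."""
    issued = date(2009, 11, 6)
    grid = generate_grid(issued)
    challenge = new_challenge(grid)
    answer = expected_response(grid, challenge)
    wrong = answer[:-1] + ("A" if answer[-1] != "A" else "B")
    soon, late = issued + timedelta(days=30), issued + timedelta(days=200)
    accepted = reset_password(grid, challenge, answer, "n3w-p4ss", soon) is not None
    rejected_wrong = reset_password(grid, challenge, wrong, "n3w-p4ss", soon) is None
    rejected_expired = reset_password(grid, challenge, answer, "n3w-p4ss", late) is None
    return accepted, rejected_wrong, rejected_expired


if __name__ == "__main__":
    g = generate_grid()
    print(render_grid(g))
    print("Challenge:", " ".join(f"{r}{c}" for r, c in new_challenge(g)))
    print("accepted, rejected_wrong, rejected_expired =", demo())
```

Two points a practitioner would add around this skeleton: the challenge endpoint needs a failed-attempt limit, since each guess otherwise leaks one cell at a time, and a failed answer should be rejected as a whole without saying which cell was wrong. The grid is also only as confidential as the mailbox it is sent to, which is why the server keeps the full grid and never echoes it back during a reset.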

"It helps customers to reset their password on a real-time basis. They don't have to call customer service or place any requests," says Dutta. Apart from saving time for customers and reducing related revenue losses, it helps ICICIdirect.com to save on printing costs.

Why not two factor authentication?

Currently, ICICIdirect.com does not use two-factor authentication for its online trading platform logins. Explaining the rationale, Dutta says that a second factor of authentication is not necessary, since the entire trading activity happens in a closed loop: all three accounts (bank, trading and demat) are linked together, so it is difficult to carry out any form of illegitimate fund transfer using an online trading account.

"You require two factor authentication in situations where you see severe threats like siphoning of money, which is difficult to exercise in the case of trading accounts. Also, considering the number of security incidents and on analysing causes of the same, we did not feel the need to implement two factor authentication for the trading portal," says Dutta. However, ICICIdirect.com did evaluate hardware token-based authentication in the past.

ICICIdirect.com currently has nearly 2 million customers. Though the cost per token has been steadily coming down, it is still an expense to the customer (if he is charged for it); if instead ICICIdirect.com bears the cost, it is a significant one given the number of customers. "In any case, deploying a physical authentication mechanism is a challenge — especially since our customers are spread across India, including small towns and districts. Though it is an additional cost and a logistical challenge in terms of deployment, we would have implemented two factor authentication — if we felt that it was necessary to make ICICIdirect.com more secure for our customers," says Dutta.


