Password leaks can result in major losses, especially in the case of online trading accounts. To this end, the Indian securities market regulator Securities Exchange Board of India (SEBI) has put in place several security policy guidelines, which include fortnightly password changes for online trading platform users. While this measure goes a long way in raising security levels, it poses challenges for online trading players. "Although the SEBI policy has to be adhered to for obvious security reasons, we often face situations where customers forget their passwords," says Joydeep Dutta, the chief technology officer of ICICI Securities. ICICIdirect.com has dealt with this challenge in a unique manner.
A part of the leading Indian equity house ICICI Securities Ltd, ICICIdirect.com is an Indian online platform which facilitates investments in equities, mutual funds, and other financial products for its customers. Since not all trading account holders trade actively, ICICIdirect.com has to constantly focus on a streamlined trading process for its users.
After the SEBI policy's implementation, ICICIdirect.com receives a large number of customer trading account password reset requests. Because passwords must be changed every 14 days, ICICIdirect.com customers are expected to come up with new, complex passwords each time, and to remember them. "When a customer forgets his new password, he is not able to trade. As a result, we lose revenues," Dutta explains.
Earlier, when an ICICIdirect.com customer forgot his password, he had to make a password reset request. The new password was sent to the customer by physical mail: ICICIdirect.com had to generate the password in a secure carbon envelope and mail it to the customer's address. This process used to take almost seven days, which meant seven days of lost business.
"To address this issue, we decided to adopt a grid-based model to set up online trading passwords," says Dutta. The new ICICI Bank debit cards (issued in 2008) have a grid on the back side which is used by ICICI Bank as a second factor for authentication during fund transfers. ICICIdirect.com decided to implement a grid-based password reset facility for its customers along similar lines.
With this facility, the ICICIdirect.com customer is given an option to set up a grid-based password when he logs into a trading account. If the customer opts for it, then a computer generated grid is sent to his email ID. In cases where the customer forgets his password, he can use this grid to set up a new password. A freshly generated grid is sent to the customer every six months for additional security.
"It helps customers to reset their password on a real-time basis. They don't have to call customer service or place any requests," says Dutta. Apart from saving time for customers and reducing related revenue losses, it helps ICICIdirect.com to save on printing costs.
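The article does not describe how the grid is checked when a customer resets a password, so the following is an added illustration (not ICICIdirect.com's code) of how a server can verify a grid of the kind described above: the grid is generated with a CSPRNG and mailed to the customer, a reset request is challenged with a few randomly chosen cells, the reply is compared in constant time, and a grid older than six months is refused. The grid dimensions, cell values and lifetime are assumptions chosen for the example.

```python
import hmac
import secrets

# Assumed layout: columns A-H, rows 1-5, each cell holding a two-digit value.
COLS = "ABCDEFGH"
ROWS = range(1, 6)
CELLS_PER_CHALLENGE = 3
GRID_LIFETIME_DAYS = 182  # a fresh grid is issued every six months, as in the article


def generate_grid():
    """Build a new grid {cell: value} from a CSPRNG; this is what is mailed to the customer."""
    return {f"{c}{r}": f"{secrets.randbelow(100):02d}" for c in COLS for r in ROWS}


def issue_challenge(grid, n=CELLS_PER_CHALLENGE):
    """Pick n distinct cells the customer must read off the grid for this reset request.

    A new challenge is drawn for every request, so a reply observed once cannot be replayed
    against a later request that asks for different cells.
    """
    cells = list(grid)
    chosen = []
    while len(chosen) < n:
        cell = cells[secrets.randbelow(len(cells))]
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def verify_response(grid, issued_day, challenge, response, today):
    """Return True only if the reply matches every challenged cell and the grid is still valid.

    issued_day/today are day counters (e.g. days since an epoch); the grid expires after
    GRID_LIFETIME_DAYS. Comparison uses hmac.compare_digest to avoid timing leaks.
    """
    if today - issued_day > GRID_LIFETIME_DAYS:
        return False  # expired grid: customer must wait for the fresh one
    if len(response) != len(challenge):
        return False  # partial replies are rejected, not scored per cell
    expected = "".join(grid[cell] for cell in challenge)
    given = "".join(str(v) for v in response)
    return hmac.compare_digest(expected.encode(), given.encode())
```

In a real deployment the grid values would be stored only in hashed or encrypted form on the server, and failed attempts against a reset request would be rate limited; both are outside this example.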
Why not two factor authentication?
Currently, ICICIdirect.com does not use two factor authentication mechanisms for its online trading platform logins. Explaining the rationale behind this, Dutta says that a second factor of authentication is not necessary since the entire trading activity happens in a closed loop. All three accounts (bank, trading and demat accounts) are linked together, so it is difficult to carry out any form of illegitimate fund transfer using an online trading account.
"You require two factor authentication in situations where you see severe threats like siphoning of money, which is difficult to exercise in the case of trading accounts. Also, considering the number of security incidents and on analysing causes of the same, we did not feel the need to implement two factor authentication for the trading portal," says Dutta. However, ICICIdirect.com did evaluate hardware token-based authentication in the past.
ICICIdirect.com currently has nearly 2 million customers. Though the cost per token has been steadily coming down, it is still an expense to the customer (if he is charged for it). If instead ICICIdirect.com bears this cost, it is a significant expense considering the number of customers. "In any case, deploying a physical authentication mechanism is a challenge — especially since our customers are spread across India, including small towns and districts. Though it is an additional cost and a logistical challenge in terms of deployment, we would have implemented two factor authentication — if we felt that it was necessary to make ICICIdirect.com more secure for our customers," says Dutta.