The other day, Chirag directed me to this work comparing the usability and features provided by ICICI bank and HDFC bank. Although I do not agree with the post in its entirety, my main choice for a savings account remains ICICI bank, primarily for security reasons.
ICICI bank’s website enforces security in several significant areas, whereas HDFC bank’s portal lags behind with a simple username-password authentication which, although necessary, is not sufficient in my opinion. To justify my stand, I’ll run you through some simple scenarios.
Login
We’ll start with a simple one: you are out of town, not at a computer, and far from any ATM or branch. You need your friend to check your bank balance. Now, ICICI bank has 2 passwords: one for logging in and checking the account status, and the other for performing any transaction through the account. Thus you can conveniently provide the login credentials to your friend and get details from him without letting him make any mischief through your account.
The multi-password scenario also means that anyone wanting to get into your account and siphon your savings requires more than just the initial login-password combination. We’ll get back to that shortly.
Payments
So let’s move on to payments. Assume you are making a funds transfer to someone’s account. Your friend is sitting right beside you the whole time, probably keeping an eye on the keyboard.
The ICICI funds transfer requires you to log in, then provide the transaction-specific password (2nd level of security) and, in addition, some digits from the back of your debit card. This “some digits” security feature is really good, because the positions of the digits requested change for every transaction.
The security explained above is known as Multifactor Authentication (in this case, two-factor authentication). This means that the transaction can be completed only if the user inputs something:
- He knows (passwords), and
- He has (digits on rear side of debit card)
Although one may argue that all this information can be retrieved easily by holding the account owner at gunpoint, the security of a transaction against “stolen” information is increased considerably.
Add Payee
Again, let’s assume that someone has been able to sneak into your account, and probably believes that your account deserves a few lakh rupees less. The only way to transfer funds into another account in ICICI is by the following process:
- Add a new “Payee”
- Receive a notification about the new payee on your cell phone along with a confirmation code
- Enter confirmation code on the website
- Confirm payee
- Transfer funds
- Enter password and digits behind debit card for transaction authentication
The fun part here is point #2. No one can confirm a payee without having direct access to your mobile phone. In case the attacker attempts to change the mobile number associated with the host’s account, no new payee can be confirmed for the next 36 hours through the new mobile number. To confirm the payee anyway, one needs to call customer care, provide them with full details and answer their verification questions; only then is the payee confirmed.
In all three scenarios mentioned above, ICICI strives for the security of user accounts while all that HDFC does is rely on the same old single user-password authentication.
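The payee-confirmation rules described above can be modelled in a few lines. This is an added example, not the bank's code: the `Account` class, its method names, the in-memory `outbox` standing in for SMS, and the `MAX_TRIES` retry limit are all assumptions made for illustration.

```python
import hmac
import secrets
from datetime import timedelta

COOLING_OFF = timedelta(hours=36)   # hold after a mobile-number change (from the post)
MAX_TRIES = 3                       # assumption: the post gives no retry limit


class Account:
    """Hypothetical model of the add-payee rules described in the post."""

    def __init__(self, mobile):
        self.mobile = mobile
        self.mobile_changed_at = None    # None: number never changed
        self.pending = {}                # payee -> [code, wrong tries so far]
        self.confirmed = set()
        self.outbox = []                 # (mobile, text) pairs standing in for SMS

    def on_hold(self, now):
        changed = self.mobile_changed_at
        return changed is not None and now - changed < COOLING_OFF

    def change_mobile(self, new_mobile, now):
        self.mobile, self.mobile_changed_at = new_mobile, now

    def add_payee(self, payee, now):
        if self.on_hold(now):
            return "held"                # no code goes to a freshly changed number
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[payee] = [code, 0]
        self.outbox.append((self.mobile, f"New payee {payee}, code {code}"))
        return "code sent"

    def confirm_payee(self, payee, code, now):
        entry = self.pending.get(payee)
        if entry is None or self.on_hold(now):
            return False
        if not hmac.compare_digest(entry[0].encode(), code.encode()):
            entry[1] += 1
            if entry[1] >= MAX_TRIES:    # burn the code after repeated misses
                del self.pending[payee]
            return False
        del self.pending[payee]          # codes are single-use
        self.confirmed.add(payee)
        return True

    def can_transfer(self, payee):
        # The transaction password and card-digit checks would follow here.
        return payee in self.confirmed
```

The point the model makes is that a stolen login alone gets stuck at confirmation: the code goes to the registered phone, and changing that phone only starts the 36-hour clock.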
System Security: Verdict
ICICI Bank : 4 / 5
HDFC Bank : 2 / 5 (well, at least the username-password is present)
Update: While I was creating this post, a chat with a friend brought up some interesting points in favor of HDFC bank:
- Adding a beneficiary account through the HDFC website (equivalent to a Payee account in ICICI) takes 24 hours. You get an SMS from HDFC Bank mentioning the “Add Beneficiary” action, in which case you can remove that account. This can be done with phone banking.
- Even if someone wants to change your mobile number, you will get a confirmation SMS, in which case you can notify the bank immediately. You probably need to fill in a form to activate the mobile service, and it can’t be altered online.
Although the points do bring up the security rating of HDFC bank to 2.5/5, it still so happens that HDFC bank survives in many situations by being a semi-automated system wherein half the stuff is done by submitting applications to banks (mobile number change, enabling third-party transfer, etc). ICICI bank manages to host their complete system online, yet achieves a fine balance in terms of security.
Thanks to Nishi and Visky for info and tweaks to the post