Every other day, customers receive emails and SMS from banks about not sharing passwords, login details and one-time passcodes (OTPs) with anyone else. This really is a good practice to follow. However, when it comes to following digital hygiene, bankers themselves are found to be ignoring their own advice, often at a huge cost to the bank. That bankers treat passwords so casually, and have been repeatedly punished and pulled up for it, raises important questions about entrusting them with customer identity details (especially the biometric-based Aadhaar) for access to bank accounts, credit and debit cards and net banking.
Highlighting several instances where bankers were found to be careless with passwords, Corporation Bank Officers' Organisation (CBOO), in its monthly magazine, ‘Officers' Voice’, says the important responsibility of keeping the maker's ID and checker's ID secure appears to have been discharged by officers as an exception rather than as a mandatory rule, resulting in frequent incidents of misuse of passwords, consequent disciplinary actions and, recently, a few warranted and unwarranted suspensions.
"Password compromise is an avoidable irresponsibility. But the awareness has not been digested properly into the CBS environment at most of the Branches," the Officers' Organisation says.
Here is what, according to CBOO, takes place in the banking sector:
• In a large number of Branches, the password of all employees and officers is known to each other. In the guise of expediency, quick customer service and speedy accomplishment of routine work, entry and authorisation passwords of any one are used by anyone at any time.
• A few Branch Managers and/or second line officers are maintaining notepads of passwords of colleagues (in writing), like a key register, so that they do not forget or mix them up, nor need to ask a colleague frequently.
• A few or more Branch Managers are coercing the probationers and junior officers and clerks into yielding their passwords for some urgent work (?). The hapless officers/clerks simply submit without resistance like a lamb before the tiger.
• In single officer Branches, Branch Heads have no hesitation in giving the password to the award staff to enable them to complete the transactions when they are out for business review meetings, recovery work or for canvassing business.
• A few senior Branch Managers, who are averse to operating the system to carry out their managerial duties on computers, want other staff to assist, not only to open the system, but also to operate transactions. Their subordinates know the password, which the BMs neither remember, nor use!
• In a very good number of Branches, a single officer is opening all systems in the morning; everybody operates the entire day on it, for days and months – an undisputable trust with potent suicidal implications.
• In one Branch, all the staff operate on the same password – a novel idea not to strain the brain, drained of care and prudence.
• Even when branch manager or officer/s and employees are on leave, transactions take place in their IDs out of helpless conditions or for convenience!
CBOO says these are only a few samples of how the passwords are guarded by employees and officers at Branches. "Password sharing is fraught with serious risks as the honesty and integrity of humans are mostly factors of presumptions and assumptions; circumstances tend to brutishly strangulate honesty and integrity at the cost of those who take honesty and integrity for granted. Despite exhorting on the need to protect the secrecy of the passwords, many appear not to be serious on the matter, still. Such employees and officers are exposing themselves, their service to possible misery, their families into peril and the Bank to pecuniary loss, as the management is totally intolerant (rightly) to such instances," it added.
The Officers' Organisation feels that cases of password compromise need to be taken very seriously by all participants. Employee education is a must, and the workforce needs to be frequently informed about the risks of compromise. However, CBOO says management cannot absolve itself of responsibility simply by suspending Tom, Dick and Harry in its zeal to send a message to the workforce, and must analyse the causes leading to these happenings.
According to CBOO, single officer branches (SOBs) are future risk centres where maintaining password secrecy strictly is next to impossible. It says, "The Management is fully aware of the risk of compromise of password while opening single officer branches and must take sole responsibility of compromises here due to their failure to provide sufficient staff at these branches. Even the Board decided complement of two officers, wherever the Branch business crosses Rs5 crore, is not complied with. Similarly, the Board direction to depute a second officer in SOBs before sanction or disbursement of loans is complied with more in breach. No punitive action will be initiated for this non-compliance as the non-compliance of Board directions is not by officers in Scale I, II, III or IV and V."
All this raises worrying questions about the security of our money at a time when entire information technology systems are more vulnerable to attack and the power of artificial intelligence (AI) to impersonate humans is increasing significantly. Former Union Minister and Member of Parliament Milind Deora alluded to this in an article in The Economic Times. He correctly says that the challenge in India is "rendered complicated given its demographics. As we open more bank accounts linked to Aadhaar, it is not matched with the pace of digital awareness". Many, he says, are not even aware of issues like privacy and data rights. “There is a massive state-sponsored push towards generating more sovereign data and mandatory requirements to put people’s personal data online through Aadhaar, bank accounts and the like. In that sense, India is a ticking bomb”, says Mr Deora.
Coming back to the concerns raised by CBOO, it terms the shortage of manpower the major cause of employee-related frauds and irregularities. The Officers' Organisation regrets that top management is determined not to be convinced by this. "Branch managers (BMs) moving out on Bank work have no option but to share their password with others in the branch to enable them to complete the day’s work. Absence of second and third officer in the Branches complicates the smooth running of the process resulting in password sharing to ensure conduct of Branch work and end of the day (EOD). There is no accountability for faulty manpower assessment," it says.
Corporation Bank uses Finacle software from Infosys Ltd for its core banking systems. However, CBOO feels that there is a need to review the mandatory requirement for two supervisory authorisations in several transactions. "Finacle or Infosys cannot change the banking norms to suit their product," CBOO says.
The Officers' Organisation feels that there is a need for employees to prepare a daily report for all transactions entered and authorised by them. It says, "Bank must explore the possibility of mandating all employees to generate and scrutinise a report on the transactions entered and authorised by them on a daily basis like an exceptional transaction report and incorporate system confirmation either before the EOD or after the process of login as a first exercise, the next day."
"Passing on the password is a peril. Security of service and safety of Bank’s money lies only in securing our passwords at all costs and circumstances. Habit of frequently changing the password before the system mandating it, must be inculcated. Safest place of our password is our brain and not another person’s, nor in any notebook or notice board. Password is for protection. Do not pass it on," the CBOO concludes in its editorial.
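The daily per-employee report CBOO proposes, combined with the problem of IDs being used while their owners are on leave, can be sketched as follows. This is an added example, not code from the article, CBOO or Finacle; the audit-row layout, terminal IDs, user IDs and leave roster are constructed assumptions, and the same-terminal rule is a heuristic for shared passwords.

```python
from collections import defaultdict
from datetime import date

# Constructed sample audit rows: (txn_id, day, maker_id, maker_terminal,
# checker_id, checker_terminal). Field names are assumptions, not a Finacle schema.
AUDIT = [
    ("T1001", date(2024, 3, 4), "clerk01", "WS-02", "off01", "WS-01"),
    ("T1002", date(2024, 3, 4), "clerk01", "WS-02", "bm01",  "WS-02"),
    ("T1003", date(2024, 3, 4), "clerk02", "WS-03", "off02", "WS-01"),
    ("T1004", date(2024, 3, 5), "clerk02", "WS-03", "off01", "WS-01"),
]
# Constructed leave roster: (user_id, day) pairs, as HR records might supply.
ON_LEAVE = {("off02", date(2024, 3, 4))}


def daily_report(audit, on_leave, day):
    """Per-user list of entered/authorised transactions for `day`, plus flags
    the user (or an auditor) should confirm or dispute."""
    report = defaultdict(lambda: {"entered": [], "authorised": [], "flags": []})
    for txn, when, maker, m_term, checker, c_term in audit:
        if when != day:
            continue
        report[maker]["entered"].append(txn)
        report[checker]["authorised"].append(txn)
        # Maker and checker IDs used at one terminal: the two-person control
        # was probably exercised by one person holding both passwords.
        if m_term == c_term:
            for user in (maker, checker):
                report[user]["flags"].append((txn, "SAME_TERMINAL"))
        # An ID active while its owner is recorded as on leave.
        for user in (maker, checker):
            if (user, when) in on_leave:
                report[user]["flags"].append((txn, "ON_LEAVE"))
    return dict(report)


if __name__ == "__main__":
    for user, row in sorted(daily_report(AUDIT, ON_LEAVE, date(2024, 3, 4)).items()):
        print(user, row)
```

Each user confirming or disputing their own row before EOD, or at first login the next day, is the system confirmation step the editorial asks for.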