Tuesday, July 28, 2009

Off-topic Post: War on terrorism

Warning: This post is off-topic and not related to Personal Finance and Investment. It contains my personal opinion, not facts.

I was reading this Wikipedia article: War on Terrorism

If you go to the India section of this article, it lists the terrorist attacks that have happened in India after 9/11. I am reproducing the list here:

* The 2001 Indian Parliament attack.
* Akshardham Temple attack.
* 29 October 2005 Delhi bombings.
* 2005 Ram Janmabhoomi attack in Ayodhya.
* 2005 Jaunpur train bombing.
* 11 July 2006 Mumbai train bombings.
* 2006 Varanasi bombings.
* The 2007 Samjhauta Express bombings.
* Hyderabad bombings.
* Jaipur bombings.
* Bangalore bombings.
* 2008 Ahmedabad bombings.
* 13 September 2008 Delhi bombings.
* 2008 Assam bombings.
* And the 2008 Mumbai attacks.

If you happen to visit the USA section of this article, one line is sufficient to describe what happened in the USA after 9/11:
"To date, no attacks by Islamic terrorists on the US homeland have been successful since September 11, 2001."

Okay, I'm not discussing the moral or political aspects of this issue, but in my opinion the USA has achieved what it had set out to do very effectively.

Meanwhile for us here in India the clock is ticking. The last attack was on Mumbai and we can't do anything but wait for the next one.

Monday, July 27, 2009

Are they really safe? - Verified by Visa and MasterCard Secure Code.

I have previously blogged about them.
An anonymous reader has commented and raised concerns about this added layer of security for online credit and debit card transactions ( collectively known as the 3-D secure protocol ).
As you can read on its Wikipedia page, 3-D secure has a long list of criticisms, most of them related to its ability to secure online transactions.

I will try to address all of the reader's concerns below:

- RBI never sponsored or stated specific systems such as Verified by Visa or Mastercard UCAF/SPA in its directive.
In my article, too, I did not say that RBI has specified that VbyV or Secure Code must be used. The RBI article only says that additional info ( apart from what is already present on the card ) is required for online transactions. Since most ( say 95 % ) of the card holders in India have either Visa or MasterCard, they will have to use either of these two services; hence I explained their features from an end-user perspective. For American Express cards they ask for the billing address for verification.


- The anonymous reader has pointed out some security vulnerabilities in 3-D Secure, giving examples such as inline frames and activation during shopping.
Although I can't vouch for all banks in India, I deal with HDFC Bank, which does not use an inline frame during 3-D secure authorization and also has PAM ( Personal Assurance Message ).
It does have Activation during shopping but that too:
- is on hdfcbank.com domain with a proper SSL certificate ( no inline frame )
- requires your ATM password for authentication ( I don't know if the number of attempts is unlimited ). This I feel is secure enough.

But, I also know of cases where card issuing companies don't use their own domain during 3-D secure authorization like:
- SBI Card ( uses arcot.com )
- ICICI Bank ( uses payseal.com )
So our anon reader does have a valid point here. These systems are not 100% safe because of some inherent weakness in the Internet protocols.


- Then he raises a concern that the password can be easily phished and used by fraudsters. The transactions can never be disputed by the cardholder.
On this I don't agree with him. If there was no 3-D secure, anyone who had physical access to the card even for a minute ( think of the last time you gave it for payment in the restaurant ) could have misused it ( by noting down the card details ). But the introduction of 3-D secure has made life more difficult for fraudsters.
If transactions could be disputed without 3-D secure, they can still be disputed with 3-D secure activated as well. 3-D secure is not going to change that.


- A concern about fraudsters misusing this feature to cheat banks

This is a matter between the banks and the fraudsters and I'm really not too concerned about it. One thing I would like to point out here is that the act of issuing a card is not a completely online thing ( at least in India ). There are ID and address checks. The credit report is also verified. So if the bank has a diligent process in place before it issues a card, the chances of such cheating are lessened. However, if the bank has lax procedures it obviously has to suffer ( that's in its Karma! )


- Be wary of mandated systems. A good security system never needs to be mandated.
If it is not mandated, the banks won't implement any safety feature. Only the very few who actually care about customer concerns would be willing to do it on their own, since setting up an IT infrastructure for such a feature costs money and the management of banks is busy improving their profit margins, cutting costs wherever they can.

IRDA circular on ULIPs - good enough?

IRDA has issued circular number 20/IRDA/Actl/ULIP/09-10 placing a cap on ULIP charges.

In brief, the circular specifies the following:
- For policies with tenor less than or equal to 10 years the difference between gross and net yield cannot exceed 3 %
- For policies with tenor greater than 10 years the difference between gross and net yield cannot exceed 2.25 %
- At the time of maturity, the insurer must issue a certificate showing charges deducted, fund value and final payment made to the policyholder. The certificate must also contain the gross and net yield.

This does look like a good thing for the investor. But this does leave some unanswered questions :
1. Can this circular mean the death knell for the ignominious Fund Allocation charges, which could go as high as 80% in the first year?

2. Does this circular apply to ULIP retirement plans also?

3. As stated by Dhirendra Kumar in this article:
"It is strange that the most significant improvement in the disclosure has only been done to the statement that the policyholder will receive at maturity. So if your fifteen-year policy starts now, you have to wait only till 2024 to know the full details of what the insurer did with your money in 2009."

4. In the recently introduced "ICICI Prudential LifeStage Assure Pension" the first year premium is not invested in funds ( i.e. fund allocation charge of 100% in the first year ). As per the IRDA circular, existing schemes have to be modified to comply with these rules by December 31st, 2009. How can this scheme be modified to comply with IRDA regulations? Does that mean it will be wound up? ( I have not invested in LifeStage Assure Pension, I'm just curious to know its fate )

We have to wait for ULIPs which comply with these regulations in order to understand the extent to which it would benefit the investors.
One thing I can predict for sure: after this circular comes into effect after October 1st, 2009, there will be more ULIPs launched with tenor less than 10 years, since the insurance companies can charge you 0.75% more than for policies longer than 10 years. Also, riders to the insurance policy will be pushed aggressively by the insurance companies, since the cost of rider benefits is not included in the calculation of net yield. Something similar was observed in Mutual Funds when SEBI banned NFO expenses for open-ended mutual funds. A large number of closed-ended mutual funds were launched, since NFO expenses up to 6% could be recovered from the investor. SEBI ultimately plugged this loophole by banning NFO expenses for closed-ended funds as well.

ICICI can deduct money from your salary - WITHOUT your consent

ICICI Bank has modified the credit card agreement wherein they can deduct credit card dues from your salary directly ( by asking your employer to do so ). Any sort of agreement between your employer and you cannot prevent this deduction from your salary.

Although I don't hold any ICICI credit card, this may start a dangerous trend in the Indian credit card industry which will soon be followed by others also.

Just imagine the following scenario:
- You notice a fraudulent transaction on your card. You dispute it with the Credit card company.
- The Credit card company ( i.e. ICICI Bank ) does not agree with you and decides to charge you.
- They instruct your employer to deduct the money from your salary. You CAN'T stop it.

Or a second scenario:
- Usually private credit card companies delay cheque payments by 4-5 days so that they can charge you for late payments.
- Nowadays you can get these charges reversed after some negotiation with the customer care.
- But after this rule is implemented, the bank can directly deduct such fees ( like late fees ) from your salary. The Bank does not have to negotiate with you.

Remember this clause in the card member agreement has been inserted by a Bank which had introduced a rule in the year 2003 stating that more than 3 cash transactions at the home-branch will be charged. They of course had to take back such restrictions on RBI directions.

If I held an ICICI card, I would have immediately cancelled it citing this change in agreement as the reason. If ICICI card holders cancel their cards in sufficient numbers, other credit card companies won't dare to make such changes to the card agreement. Also, if money is deducted from your salary for wrong reasons by the credit card company, I would suggest you first approach the RBI Ombudsman and then Consumer Courts. Let's see if this rule can stand in a court of law.