My ISP (TATA VSNL) provides the facility for online renewal of accounts. Most of the nationalized banks in India have Internet Banking facilities. So has SBI (State Bank of India), the bank that has more customers than the population of Australia.

My ISP account was about to expire on 24th Oct. I wasn’t at my home that night; I was at my friend’s place. He also uses the same ISP, so I thought I would renew my account from there. So around 1 AM on 25th Oct I started the renewal process. The procedure went smoothly. I was redirected to the payment gateway and finally entered my username and password to finish the transaction. But to my bad luck, I had a strong password and my friend’s shift key wasn’t working properly. So? I ended up entering the wrong password 3 times, and the next time I was amazed to see a weird notice in RED COLOR fonts that ”Your account has been locked for 24 hours due to 3 wrong passwords”… That meant no more transactions for me for the whole next day.

What was more annoying was the fact that they mentioned that it was due to security reasons. I said, WTF was that? How in the world can you lock an account for not entering the correct password merely 3 times? I looked all over the site and there was no way I would get my account unlocked before 24 hours. What I am trying to highlight here is the level of thinking of the people who were involved in the project and would have agreed on such a STUPID solution.

It reminds me of the old Yahoo! Mail… they too had this kind of measure long ago (not anymore), where any no0b who possessed the username of any other user could lock that account merely by entering the wrong password too many times. The same is the case here. If I get hold of a username, the person is at my mercy… I can lock his account for 24 hours. Don’t you think this is way too dangerous? SBI should take note of this procedure and rectify it ASAP.

There are many better alternatives, like:
1. If you fear a bot is trying to brute force a password, you could consider having a captcha.

2. If you fear that another person is trying to access another account and has had too many retries, ask him to enter the answer to a security question.

3. If you don’t want to remove this procedure, simply reset the password and email it to the user.

Believe me, these are only general alternatives; there are many more reliable and safe alternatives that are way better than the current measure.
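To make the difference concrete, here is an added example (my own code, not SBI’s or TATA VSNL’s implementation, and nothing on the page says how their system actually works). It models two lockout policies: the one the post describes (3 wrong passwords on a username locks the account for 24 hours) and a safer alternative along the lines of the list above (throttle per source address with exponential backoff, and when an account keeps seeing failures from anywhere, demand a captcha or security-question answer instead of a hard lock). The usernames, IP addresses and password are constructed for the simulation.

```python
"""Compare a hard account lockout with a per-source throttle plus second check.

Added illustration, not code from the original post. Assumed design (mine):
- NaiveLockout: MAX_FAILURES wrong passwords on a username -> account locked 24 h.
- SaferPolicy: failures counted per (source_ip, username) with exponential
  backoff; once an account has MAX_FAILURES failures from any source, the
  next login must also pass a captcha/security question (captcha_ok=True).
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3
LOCK_SECONDS = 24 * 3600   # the 24 h lock from the post
MAX_BACKOFF = 300          # cap on per-source delay, seconds

# Constructed credential store; a real system stores password hashes, not text.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Outcome:
    ok: bool
    reason: str  # "ok" | "bad_password" | "locked" | "throttled" | "captcha_required"


class NaiveLockout:
    """The policy the post complains about: anyone who knows the username
    can lock the real owner out by failing MAX_FAILURES times."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, user, password, source_ip, now, captcha_ok=False):
        if now < self.locked_until.get(user, 0):
            return Outcome(False, "locked")
        if USERS.get(user) == password:
            self.failures[user] = 0
            return Outcome(True, "ok")
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
            return Outcome(False, "locked")
        return Outcome(False, "bad_password")


class SaferPolicy:
    """Slow down the guesser, not the owner: backoff is keyed on (source, user);
    the account itself only escalates to 'prove you are human/the owner'."""

    def __init__(self):
        self.pair_failures = defaultdict(int)
        self.pair_retry_at = defaultdict(int)
        self.account_failures = defaultdict(int)

    def login(self, user, password, source_ip, now, captcha_ok=False):
        key = (source_ip, user)
        if now < self.pair_retry_at[key]:
            return Outcome(False, "throttled")
        if self.account_failures[user] >= MAX_FAILURES and not captcha_ok:
            return Outcome(False, "captcha_required")
        if USERS.get(user) == password:
            self.pair_failures[key] = 0
            self.account_failures[user] = 0
            return Outcome(True, "ok")
        self.pair_failures[key] += 1
        self.account_failures[user] += 1
        # 1, 2, 4, 8 ... seconds between attempts from this source, capped
        delay = min(2 ** (self.pair_failures[key] - 1), MAX_BACKOFF)
        self.pair_retry_at[key] = now + delay
        return Outcome(False, "bad_password")


STRANGER_IP, OWNER_IP = "203.0.113.9", "198.51.100.7"   # constructed addresses


def owner_after_stranger(policy, captcha_ok=False):
    """A stranger who knows only the username fails at t=0,10,20,30 s;
    the owner then logs in with the right password at t=60 s from elsewhere."""
    for t in (0, 10, 20, 30):
        policy.login("alice", "wrong-guess", STRANGER_IP, now=t)
    return policy.login("alice", USERS["alice"], OWNER_IP, now=60,
                        captcha_ok=captcha_ok).reason


def rapid_fire(policy):
    """Three back-to-back wrong passwords from one source at the same instant."""
    return [policy.login("alice", "wrong-guess", STRANGER_IP, now=0).reason
            for _ in range(3)]


def run_demo():
    return {
        "naive_owner": owner_after_stranger(NaiveLockout()),             # locked
        "safer_owner_no_captcha": owner_after_stranger(SaferPolicy()),   # captcha_required
        "safer_owner_with_captcha": owner_after_stranger(SaferPolicy(), captcha_ok=True),  # ok
        "naive_rapid": rapid_fire(NaiveLockout()),   # 3rd attempt already locks
        "safer_rapid": rapid_fire(SaferPolicy()),    # 2nd and 3rd are throttled
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Under the naive policy the owner is told "locked" for the next 24 hours even though she typed the right password from a different place. Under the safer policy she only has to pass the extra check (captcha or security question), while the stranger’s source is slowed to one attempt per doubling interval. The remaining nuisance (a stranger can force the owner through a captcha) is far smaller than a day-long denial of service, and the per-source backoff is what actually blunts online guessing.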

So until SBI rectifies this, my advice to fellow SBI net banking users would be: do not post your username in public, or you might be at the mercy of others.

What are your thoughts?