Mumbai: Acknowledging the challenges faced by banks in the cyber era, a top RBI official has said banks should ensure their transactions are hassle-free and customer-friendly so as to retain the loyalty of end-users.

"For example, multi-layer security by way of log-in password, transaction password and confidential data confirmation makes online transactions more secure.

"But, there are issues like memorising multiple passwords, slogans, pictures, answers to questions etc. and some transactions of an urgent nature getting stuck due to these problems, or even online access getting blocked sometimes.

"This, coupled with the time taken for access re-activation, password generation etc., which is sometimes a lengthy, time-taking process, causes irritation and inconvenience to the customer," said RBI's Executive Director G Padmanabhan at the Annual Conference on Secure Banking 2011 organised by the Indian Banking Association (IBA) recently.

He said managing security was more challenging in online and phone banking as compared to other delivery channels.

Threats to ATMs also take the form of ATM skimming, eavesdropping, spoofing and service denial, Padmanabhan observed, citing threats ranging from password hacking and card cloning to data and identity theft at various levels of transaction.

Observing that identity theft in electronic transactions is a growing cybercrime, Padmanabhan said innovative methods of hacking and stealing have come to the fore regularly and the industry has to take prompt action to safeguard business and customer interest.

Stressing that management of third-party risks in transactions has become a daunting task, he said unlimited cyberspace exposes banks to internationally organised crime.

"In mobile banking, the challenge is to decide the transaction value limits up to which un-encrypted data can be transmitted for payments and funds transfer. If limits are set too tight, there can be cost and efficiency implications, while making them too lax may invite the risk of information getting compromised. If we recognise that compromise of cards could happen, not only at ATMs but also at over half-a-million and still growing point of sale (PoS) terminals, the task is indeed formidable," the RBI official said.

On the modus operandi of fraudsters, he said that as RBI introduced second factor authentication, their focus has shifted to ATM transactions.

In Chandigarh, card data, including the PIN, was compromised at a few ATMs. The stolen information was used to clone ATM cards to withdraw cash from various locations across the country, he said. "Fraudsters are not only tech savvy, but have a clear understanding of the systems and procedures obtained by banks.

"There have reportedly been instances in Coimbatore where point of sale terminals were set up after due compliance with the 'know your customer' requirements and stolen cards were used to transact at these terminals by the fraudsters.

"I believe that the fraudsters used stolen card details purchased through online e-payment schemes operating internationally to acquire such information," said Padmanabhan.

In Hyderabad, crooks posing as merchants reportedly offered Baskin Robbins ice cream or mobile recharge voucher talk time worth Rs 250 against payment of a mere Rs 50, with a condition that only debit cards would be accepted.

The kiosk machine set up was configured to prompt for PIN and print a charge slip indicating approval of the transaction by the bank. The magnetic stripe card data and the PIN were captured from unsuspecting customers and later used to make counterfeit cards for withdrawal of cash, the executive director cautioned.

Citing examples of how customer data was compromised at Citi Account Online, Hyundai Capital and Sony, Padmanabhan said banks have to exercise control over employee activities such as exporting sensitive files and information via email or file transfer protocol, or copying data to portable media like USB sticks.