32 lakh ATM cards hacked: Why can’t we have OTP-controlled withdrawals?

S Murlidharan
S MurlidharanOct 21, 2016 | 13:12

32 lakh ATM cards hacked: Why can’t we have OTP-controlled withdrawals?

The auditing world discovered eons ago that an internal check was the best counter to frauds and mistakes. No one employee should be allowed to carry the entire transaction through, was the mantra. For example, if the cashier is also entrusted with maintaining the cash book, he might be tantalised into committing a fraud. Likewise, a cheque must at least go through two hands before it is honoured. These are time-tested precautions.


Sophistication and advancement don’t render the pristine principles redundant or obsolete. Rather they only call for suitable tweaking. And tweak the banks did when it came to internet banking. The techno-savvy among them divided the internet banking authorisation responsibility between two devices/software - the login name ideally morphed into a nickname with password weren’t considered good enough.

Therefore, the additional safeguard in the form of one-time password (OTP) sent to another device or cellphone was thought of. It is unlikely that a hacker would be successful in penetrating both devices simultaneously, just as in an auditing situation it is difficult to expect both officers examining a cheque to be lax.

The lessons imbibed on the net banking front curiously were lost when it came to ATM banking. There was no reason why the OTP precaution couldn’t have been extended to ATM withdrawal. Indeed, banking regulator RBI has been remiss in this regard. 

Of course the withdrawal process would be slowed down in the ATMs, thus making tempers run high especially in crowded ones. But then this is a small price to pay for heightened safety just as it would be for those who send their close relatives and friends to ATMs on their behalf due to sickness or laziness - apart from disclosing the PIN number to them, they must also be armed with the account holder’s cellphone because the OTP is sent to the registered mobile number by the system.

Of course, the withdrawal process would be slowed down at ATMs but that's a small price to pay. (Photo credit: India Today) 

The beauty of OTP-controlled ATM withdrawals is that those replicating the cards and divining the PIN number, as it were, would be stumped. An OTP after all is not sent to the ATM machine but to an independent device - a cellphone, to which the fraudster has no access.

A seemingly more robust and foolproof security feature could be biometric cards whose use is presently confined by and large to rural folks. It can be used universally but adds tremendously to the cost of the ATM machine.

But then biometric cards rule out bedridden people withdrawing through their relatives and friends besides being unduly fussy - experts aver that fingerprints often change especially for those who do manual work or suffer from illness, like the ones going through dialysis that peels of skin from the finger and palm. 

All said, the OTP emerges as a better alternative vis-a-vis biometric cards, both in terms of user friendliness and cost. It is widely known that even those who were unaffected by banking habit were enamoured by cellphones when they made their advent in India. 

In the event, OTP imposes no additional costs on account holders. In case of delay in getting the OTP due to telephone lines being congested, there is an immediate remedy - calling the designated number which immediately recognises the calling number and the purpose of the call and gives out the OTP.


The RBI must step in and mandate OTP for all ATM withdrawals except where the card is biometric. The transition would not pose any serious trouble to either account-holder or banks. The banks may have to invest a small amount on beefing up software with an additional safety feature but it would worth it. 

We Indians react only when a crisis blows on our face. The gargantuan amount of cards compromised necessitating replacement should make the regulator sit up, take notice and act.

Last updated: October 23, 2016 | 14:28
Please log in
I agree with DailyO's privacy policy