The Central Bank of Iran published a note on its website to clarify ambiguities about the one-time password that will soon be offered by banks.
It covers a range of issues pertaining to the single-use passwords, addressing clients' concerns that the new measure may disrupt their card payment transactions.
CBI says OTP is needed for transactions above 5 million rials ($33) and allows clients to use their current static passwords for transactions below that amount.
Bank customers are also not required to use OTP for transactions whose beneficiary is a public body and all other transactions pertaining to utility bills, cell phone recharges, etc.
In a move to curb cybercrime via debit card fraud and increase the security of online banking, the CBI has obliged banks to provide OTP services by May 21.
In a talk with the state TV, the CBI deputy for innovative technologies, Nasser Hakimi, advised cardholders not to be concerned about the deadline, saying the May 21 date is for the banks to create the technical infrastructure.
However, the regulator said it holds lenders accountable for any loss incurred by clients due to security bugs in online payment services after the end of the deadline.
“Banks will be responsible for any loss to the people if they fail to offer OTP services from May 22 onward,” Hakimi stressed.
The one-time password is a passcode valid for a single login or online transaction on a computer system or other digital device, and it is discarded after 60 seconds.
However, Hakimi said the validity of an OTP is not necessarily 60 seconds and the time window could be extended if the need arises.
An OTP is more secure than a static password, especially a user-created password, which can be weak or reused across multiple accounts.
CBI says OTP services are offered as part of plans to improve the security of transactions in the banking system and the banks should not impose fees on card holders for these services.
However, it allows banks to use alternative methods instead of OTP if they guarantee a robust identity verification is in place. Any such substitute method must be approved by the regulator.
To address the issue that some clients don't have smartphones to run the application or simply cannot use the application, the regulator said the OTP services should not be confined to these applications.
Apart from the said applications, it is mandatory for banks to provide the service on regular text messages (SMS) and authorized domestic messaging services.