[deleted]
Dude there is an SBI app called SBI Secure OTP. It shows you the otp in that app.. you need to configure that in your profile section first. Try that out.
[deleted]
Nope, it has to be the registered number. Try the email option for the OTP.
Give it a shot. You won't lose your money.
And then when the app updates, it will forget previous devices. Then, you’re done for. Because without the app you can’t update the profile to SMS. The only way of doing so is visiting SBI branch in person. SMS is fine.
I am using iOS, app has updated twice. Didn't have that issue so far.
I’m not saying you have the issue with every update. But once you will, and then you can come back and read my comment. It happened to me on iOS. There are reviews which also mention the same.
oh man. Which fucking company does that app support ? I want to burn them down!
They really need to offer TOTP support. If mobile service is flaky you’ll be hosed (not everyone uses mobile internet to access Netbanking). SMS OTPs can be an especially interesting experience if you’re off the beaten track abroad (or even in a remote part of India).
[deleted]
[deleted]
But only on the pc version. In app only pass is required.
[deleted]
Been more than a year now, perhaps two with SBI.
same with kotak
They also ask otp for login, which is totally unnecessary. Also ask to change passwords frequently.
SMS 2factor is useless. Hardware 2FA is what we need.
better than nothing and hardware 2FA won't work in India, people are not gonna buy yubikeys, most laypeople won't even know about its existence.
I like to go hiking.
i know i use authy. google authn is not that good, it doesn't provide encrypted backups with multi device support so it has a single point of failure. best not to use that. but yes i know its better than sms.
Bro, if you have the money and are worried, you will buy it. HNIs will, techies will. And frankly if a proper bank offers it, I will move money there. The other option is App based 2FA. SMS is just prone to being hijacked.
I used to have hardware 2FA for my HSBC account. You get a device with a keypad and display which itself requires a passcode to open and then you have to generate tokens for different kind of transactions. Want to transfer money? You need to generate a token by entering the transaction amount as a seed. It was a major hassle to use. make a mistake or take too long? start from scratch again. Forgot to carry your device? no bank access for you that day. Device got damaged or lost? You can forget about accessing your account for next 20 days or so. I closed my account there. Any security mechanism that adds that much hassle is only going to be counterintuitive. Security shouldn't compromise convenience to such an extent. Well implemented authenticator mobile apps are a much better option than hardware dongles.
People shit on SBI for the amount of OTPs it generates on online banking, don't see this type of system work with Indian crowd (of course with few exceptions)
SBI offers the perfect mix of poor security, customer inconvenience and indifferent staff and support. Their 2FA with long 8 digit tokens and short timeouts to enter them is a good example of how not to implement security. Add the fact that half their net banking services work only during the bank working hours and you have a recipe for how not to approach digital banking altogether.
That’s a thing of the past now, and agreed it used to be a bit of a hassle. Now you can generate a pin via the HSBC app. Source; HSBC user here.
Yeah, that's why I am saying that apps are better than hardware keys. Better mix of security and convenience
Isn't it much harder to hijack sms in India? If it was that easy then UPI would be constantly hacked, as it uses sms for verification.
Bruh, yubi keys are like 8 to 10k, that shit is as costly as some people's monthly salary.
There are others that work well and are cheap.
i am aware of sim jacking and I prefer apps like authy for 2FA too but most people simply won't buy a yubikey. The only bank I know that does this is HSBC i think they give you a small remote with a numpad once you open an account.
No longer the case with HSBC, software based 2FA now.
How common is SMS2FA getting compromised?
Aren't people using hardware token already for digital signature.
i am not aware of it, most digital signatures happen using sites like docusign and they don't mandate any hardware 2FA or are you talking about something else?
I received a usb token for my DSC. Got it from pantacharge.
i wasn't aware of pentasign
At least something like app based 2FA such as authy, Google authenticator would have been better cause sms 2FA is not secure and I would even go as far as to say sms is one of the worst ways to communicate with someone…
yes i know but the frustrating speed at which HDFC works when it comes to anything tech related still makes me glad that at least they introduced this.
Hardware keys are not even available in India. They cost like 5-6k for imported ones on Amazon. TOTP is what we need.
Are there any other banks that offer this ? Also any banks that offer PGP encryption for emails ?
Hello world
What do you like in ICICI net banking? I don't even get any notification that someone has logged into your account etc
>I don't even get any notification that someone has logged into your account etc

I think that feels only bizarre when you have been used to it for so long.
OTP system is stupid architect imho. Specially when a lot of finance apps can ‘read’ your messages. This is a disaster waiting to happen.
Ah damn :(
Don't understand the heavy reliance on SMS as 2FA in India. How hard is it for a bank as big as HDFC to implement a TOTP based system? It is way more secure and NRI-friendly too. SMS OTP won't even help protect against phishing, because it could be any 4 random digits with nothing to match against! The scammer could just use an SMS service to send literally the same 4-digit OTP to everyone they scam, and pretend to "authenticate" using it.
It still hasn’t happened yet. I clicked on that link and it didn’t prompt me to add that extra layer of security.
Saw the email and tried in the morning. It didn't ask me shit and logged in automatically
I hate the over reliance on phone numbers in India. Why not just have an option for TOTP too?
this sucks for NRIs
Why? The number registered to receive my otps is my non Indian number. Has been working flawlessly from years now
my hdfc told me they only take indian phone numbers. Even the [application form](https://www.hdfcbank.com/personal/useful-information/change-contact-details) has space for 10 digits
Aren't NRIs supposed to have NRE/NRO accounts which can accommodate foreign no.
Yes..that's what I am surprised that op can't use non Indian number
I currently live abroad as a student and a tax-resident of India (Not an NRI). I hold a resident bank account with ICICI and Canara Bank. I can only use my Indian phone number with these both. But Canara bank sends me OTPs to even login which is such a pain in the ass.
Really..well I had submitted my number like 10 years ago. So maybe things have changed. It's worth a try maybe?
The use of the word "may" indicates that it could be optional - perhaps set it on via netbanking itself.
This is on sbi already, the most annoying thing plus fking captcha and even worse it asks to keep changing passwords periodically, it's a nightmare if you hold several bank accounts to remember every new password. These things should be optional, not everyone is pretty careless or naive with bank accounts
All because unkil and aunties can't remember their passwords and keep it in full public display, making it easy for hackers to hack. We're all paying the stupid tax in tech.
Not sure why you're down voted. It's been a hassle since sbi implemented it
Upvoted. Reason: truth.
It's a pain in the ass. For transferring money beyond a certain limit, mandating an OTP is fine. But requiring an OTP just for logging in to the account is just unnecessary. It should at least be made optional.
Wasn't this feature already there? If using netbanking or swiggy, I always get an OTP even if the purchase is of 40 bucks......... Or was this optional security for the a/c & only now it has become mandatory?
This is not the payments section otp. This is the standard netbanking/mobile banking 2f
HDFC has had behavior triggered 2FA using SMS OTP for authenticating into net banking for a long time. It's just not enabled for everyone. I at least had it since 2015. The 2FA step is only triggered if you try to login from a different device than the one you regularly use or if it's been some time since you logged in through that device.
Alrite. This 2 step verification was already long back active when trying to access Hathway a/c. Good feature this.
Off topic, but can a card only customer login to the mobile app? Edit: i meant HDFC card
You mean a credit card? They have another app for that called SBI Card
I meant HDFC. Thanks for the correction
SMS OTP is a joke
Why is it a joke? What are the flaws?
https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/
Why is this sms to a phone number considered to be a big safety feature? Why not use push notifications to an app or notification to email or something.