ISLAMABAD: The State Bank of Pakistan (SBP) has issued new directions for banks and microfinance banks (MFBs) to improve digital payment security.
According to these directions, banks must use a Transaction PIN (TPIN) or Financial PIN (FPIN) to authorise financial transactions, instead of a One-Time Password (OTP). This applies to transactions made through banking apps or online platforms.
Further, banks and MFBs must maintain complete logs of transaction notifications sent to their customers, which must be available in case of disputes or claims.
SBP directed that banks must send free notifications to customers via the app, email, or push alerts for transactions.
Banks will ensure that in-app or push notifications remain active on customers’ phones, as SMS alerts will no longer be used.
In cases of fraud or unauthorized transactions through mobile apps, the bank or MFB will be liable for compensating the affected customer. These new rules will take effect on January 1, 2025.
What is the difference between OTP and TPIN/FPIN?
OTP (One-Time Password): This is a one-time password sent via SMS, and it is different for each transaction.
TPIN/FPIN (Transaction PIN/Financial PIN): This is a permanent PIN code linked to the customer’s specific account and is used to verify financial transactions. TPIN/FPIN is considered more secure because it is a static PIN verified by the customer, while OTP is a temporary code that changes for each transaction.
Why TPINs Are a More Secure Alternative to OTPs in Digital Transactions:
While OTPs are a valuable security layer, they are not without their vulnerabilities. Here’s why TPINs are considered more secure:
OTP Vulnerabilities:
SMS Interception: OTPs sent via SMS can be intercepted through SIM swapping or other hacking techniques, allowing unauthorized access to accounts.
Phishing Attacks: Phishing scams often trick users into revealing their OTPs, compromising their accounts.
Network Vulnerabilities: If there’s a vulnerability in the network infrastructure, OTPs can be intercepted during transmission.
TPIN Advantages:
Enhanced Security: TPINs are not transmitted over networks, making them less susceptible to interception.
Reduced Phishing Risk: TPINs are not typically requested through phishing attempts, as they are known to users beforehand.
Stronger Authentication: TPINs, when combined with other security measures like biometrics or device-based authentication, create a more robust security layer.
However, it’s important to note that TPINs are not entirely foolproof:
Weak Password Choice: If users choose weak or easily guessable TPINs, they can still be compromised.
Malware Attacks: Malicious software can capture TPINs entered on compromised devices.
Social Engineering: Skilled social engineers can manipulate users into revealing their TPINs.
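As an added illustration (example code written for this page, not SBP's directions or any bank's implementation), the sketch below shows how a bank-side service might handle the points above: it rejects trivially guessable TPINs at enrolment, stores the PIN only as a salted PBKDF2 hash, verifies it with a constant-time comparison, locks the PIN after repeated wrong entries so that a weak or leaked guess cannot be brute-forced, and appends every authorisation outcome to a notification log of the kind the directions require for disputes. The PBKDF2 parameters, the three-attempt/15-minute lockout, the deny-list of weak PINs, and the account identifiers are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed policy values for this example (not from the SBP directions).
PBKDF2_ITERATIONS = 200_000
MAX_ATTEMPTS = 3             # lock the TPIN after three wrong entries
LOCKOUT_SECONDS = 15 * 60    # keep it locked for 15 minutes

# Constructed deny-list of trivially guessable 4-digit PINs (assumption).
WEAK_PINS = {"0000", "1111", "1234", "4321", "2580", "1212", "9999"}


def is_weak_pin(pin: str) -> bool:
    """Reject PINs that are non-numeric, too short, on the deny-list,
    a single repeated digit, or a straight ascending/descending run."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Customer:
    account: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class TpinService:
    customers: dict = field(default_factory=dict)
    notification_log: list = field(default_factory=list)  # append-only record

    def enrol(self, account: str, pin: str) -> None:
        if is_weak_pin(pin):
            raise ValueError("TPIN rejected as weak")
        salt = os.urandom(16)
        self.customers[account] = Customer(account, salt, hash_pin(pin, salt))

    def verify_tpin(self, account: str, pin: str, now: float) -> str:
        """Return 'ok', 'wrong_pin', 'locked' or 'unknown_account'.
        `now` is passed in (seconds) so the lockout clock is testable."""
        cust = self.customers.get(account)
        if cust is None:
            return "unknown_account"
        if now < cust.locked_until:
            return "locked"
        if hmac.compare_digest(hash_pin(pin, cust.salt), cust.pin_hash):
            cust.failed_attempts = 0
            return "ok"
        cust.failed_attempts += 1
        if cust.failed_attempts >= MAX_ATTEMPTS:
            cust.locked_until = now + LOCKOUT_SECONDS
            cust.failed_attempts = 0
            return "locked"
        return "wrong_pin"

    def authorize_transfer(self, account: str, pin: str, amount: int,
                           channel: str, now: float) -> dict:
        """Authorise a transfer and log the notification that would be sent
        to the customer (channel: 'in_app', 'push' or 'email')."""
        result = self.verify_tpin(account, pin, now)
        record = {
            "account": account,
            "amount": amount,
            "channel": channel,
            "status": "authorized" if result == "ok" else "declined:" + result,
            "timestamp": now,
        }
        self.notification_log.append(record)
        return record

    def notifications_for(self, account: str) -> list:
        """Retrieve a customer's notification history for a dispute."""
        return [r for r in self.notification_log if r["account"] == account]
```

The notification log here is an in-memory list; in practice it would be written to durable, tamper-evident storage, since its purpose is to serve as evidence when a customer disputes a transaction.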
To maximize security, it’s essential to:
Choose Strong TPINs: Use a combination of uppercase and lowercase letters, numbers, and special characters.
Enable Two-Factor Authentication (2FA): This adds an extra layer of security, often involving biometric verification or time-based one-time passwords (TOTP).
Be Cautious of Phishing Attempts: Be wary of suspicious emails, SMS messages, or phone calls requesting personal information or login credentials.
Keep Software and Devices Updated: Regularly update your operating system, browser, and security software to patch vulnerabilities.
Use Secure Wi-Fi Networks: Avoid public Wi-Fi for sensitive transactions and use a VPN for added protection.
By combining strong TPINs with other security best practices, users can significantly enhance the security of their digital transactions.