Using device isolation
4 Steps to secure your Aadhaar or Bank OTPs
Authentication based on Aadhaar OTP has made systems fast, but it has also burdened users with more responsibility, especially now that your bank accounts and other online investments are linked to it.
OTPs are One Time Passwords, generally 4- or 6-digit numbers, which are sent to the user's registered phone number as an SMS. As long as only the user has access to those SMSes, the system is secure.
But many of the apps we have installed can also read our SMSes; most of these apps need permission from the user to get that access, and we grant it mainly out of ignorance. This is precisely what breaks the system.
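Before going further, it is worth checking which apps on the current smartphone actually hold SMS access. The script below is an added example written for this post, not code from the original article: it parses the output of `adb shell dumpsys package` (the sample text is constructed and the layout approximates what Android prints; the exact format varies between Android versions, so treat the regular expressions as an assumption) and lists every package that has been granted a permission allowing it to read incoming SMSes.

```python
import re
import sys

# Constructed sample of `adb shell dumpsys package` output covering two apps.
# The "flashlight" app has been granted READ_SMS and RECEIVE_SMS, the
# "notes" app requested READ_SMS but the user denied it.
SAMPLE_DUMPSYS = """
Package [com.example.flashlight] (1a2b3c):
  userId=10123
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
  userId=10124
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

# Android permissions that let an app see SMS/MMS content as it arrives.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
}

# "Package [com.example.app] (hash):" starts each package block.
PACKAGE_RE = re.compile(r"^Package \[([^\]]+)\]")
# Permission lines are indented and carry a granted=true/false field.
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def find_sms_readers(dumpsys_text):
    """Return {package: sorted granted SMS permissions} for packages holding any.

    Only permissions with granted=true count; a denied request is harmless.
    """
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if (m and current and m.group(2) == "true"
                and m.group(1) in SMS_PERMISSIONS):
            result.setdefault(current, []).append(m.group(1))
    return {pkg: sorted(perms) for pkg, perms in result.items()}


if __name__ == "__main__":
    # Real use: adb shell dumpsys package | python3 sms_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    readers = find_sms_readers(text)
    if not readers:
        print("No installed app holds an SMS read permission.")
    for pkg, perms in sorted(readers.items()):
        print(f"{pkg}: {', '.join(p.rsplit('.', 1)[1] for p in perms)}")
```

Any package listed that is not your SMS app or a payment app you deliberately trust is a candidate for revoking the permission in Settings or uninstalling. The script reads the device dump over `adb`, so it needs USB debugging enabled on the phone being audited; with no input piped in it runs against the constructed sample.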
Hence there is a need to guard the OTPs from malicious apps. The following is one way to do so.
The core idea is that your Aadhaar-linked phone number, let's call it the primary phone number, sits in a phone which is not a smartphone but a feature phone, i.e. an old-style phone with buttons. A phone like that has many benefits: it is cheap, has a long battery life and lasts long. Such phones are generally available for under 1000–1200 Rs in India. The sole purpose of this phone, in this story's context, is to receive OTPs, and the only way to retrieve one is to unlock the phone with a PIN, open the message inbox and read it manually; i.e., no third-party software would read it automatically.
This also means one would need another phone number, let's call it the secondary phone number, which goes into the smartphone where you install payment apps or do your online transactions, apps like BHIM or Google Pay.
But, there is a catch.
These apps don't work with a phone number that is not linked to any bank. Ideally they would allow payment apps to run on the secondary phone with Aadhaar OTP authentication, but unfortunately we are not there yet.
So the next step is setting up a new bank account with your secondary phone number. Let's call this account the 'checking account'; its only purpose is to send and receive money online using these payment apps.
All one needs is an online bank account, preferably a zero-balance one.
There are many options and it also depends on one's luck. I tried ICICI's Pockets, which didn't work, and then moved to Kotak's 811, which worked perfectly.
Download their app, authenticate using the Aadhaar OTP, and then offline KYC is done to activate your bank account. This bank account provides a savings account number with an IFSC and a virtual debit card; these are exactly the details needed to activate the payment apps on the smartphone with the secondary phone number.
This setup allows us to keep only a small amount in the checking account, which is the account linked to the payment apps and your UPI ID, so that is all that is exposed if the smartphone is compromised.
Another good hack is to forward all calls from your primary phone to the secondary one; that way carrying just the secondary phone is sufficient.
This isolation would definitely enhance security, but at the cost of a new feature phone and a new phone connection. That is the operational cost of living in this digital age.