The capital market regulator SEBI has proposed implementing a technological mechanism similar to UPI within the trading system. This proposal involves binding the Unique Client Code (UCC) to the SIM card and mobile handset to prevent unauthorized access to trading accounts, SIM spoofing (which can divert OTPs), unauthorized account modifications, and erroneous share transfers, among other potential threats. While the proposal deserves praise for its potential to reduce trading-related frauds and scams, certain loopholes need to be addressed before adopting the UPI-like system. Let’s discuss this in detail.
SEBI’s Proposal: Under the proposal, the UCC would be linked to the SIM number, and the mobile handset’s International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) would be paired together. To log in to a trading account, all three elements—UCC, SIM, and mobile handset (IMEI and IMSI)—must recognize each other. If the SIM is placed in another handset, login would be denied. Multiple trading accounts within a family can be linked to a single SIM and mobile handset. A biometric authentication would be mandatory on the primary SIM-bound device to authorize access to the trading application.
SIM Binding Technology: SIM cards use strong cryptographic security, making them difficult to clone. Mobile handset IMEI and IMSI numbers are also resistant to cloning. By pairing the SIM card’s cryptographic identification with the IMEI/IMSI of the mobile handset, a unique and secure binding is created. This binding extends to bank account details in the UPI payment system, where a combination of Bank Account-SIM-Mobile handset is used. In the proposed trading system, the UCC-SIM-Mobile handset pairing would be employed. The benefits of SIM binding technology include:
- No PIN Code Required: Because no PIN code is entered, there is nothing for a man-in-the-middle attacker to intercept.
- Difficult to Clone: SIM cards are hard to clone due to the secure storage of cryptographic keys and complex algorithms.
- Protection Against Cyber Threats: SIM-bound handsets are resistant to malware, hacking, rooting, spoofing, and phishing attacks.
Catch in the System: While the binding of UCC-SIM Card-Mobile Handset is a good idea, biometric authentication should be implemented live. The UPI system currently has a loophole: biometric identification is limited to the biometric identity of the handset user. For instance, if I open a bank account in my friend’s name and use my handset and SIM to activate the banking app and link it with Paytm, the biometric identification of the account owner is not required. The biometric of the handset user alone is sufficient to use the UPI. This creates a security gap.
To address this, AU Bank has recently introduced iris scanning for mobile app activation. It matches the account holder’s iris profile with the one stored at the bank and UIDAI servers. If the profiles match, the activation proceeds; otherwise, it is halted. SEBI should adopt a similar approach and link the biometric identification of the UCC holder with the one stored at the UIDAI (Aadhaar) server. Otherwise, unauthorized access to trading accounts could continue. Unregistered portfolio managers could use a client’s mobile handset to place buy or sell orders, providing them with legal protection, as the trades would be executed through the client’s designated handset.
Pitfalls to Consider: Multiple logins from different devices must be carefully monitored, and data from such logins should be preserved. SEBI has suggested a QR code-based, proximity-sensitive, and time-sensitive authentication for logging in from devices such as desktops and laptops. However, multiple simultaneous logins from different devices can slow down the system and cause execution delays. Therefore, automatic log-out from other devices should be considered. For example, when a user logs into their trading account on a laptop or desktop, they should be automatically logged out from their mobile device. An effective fallback mechanism should also be in place in case a device is lost or stolen.
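The login flow described in the proposal and the pitfalls above (UCC-SIM-handset matching, several family UCCs on one device, a time-limited QR token for desktop login, auto-logout of the mobile session, and a lost-device fallback) can be modelled broker-side as follows. This is an added illustration, not SEBI's or any broker's code; the `sim_id`/`imei` strings, the 60-second QR validity and the session labels are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    sim_id: str   # SIM-side identifier (constructed label; operators hold the real keys)
    imei: str     # handset identity paired with that SIM


@dataclass
class TradingAuth:
    """Hypothetical broker-side model of the UCC-SIM-handset binding proposal."""
    bindings: dict = field(default_factory=dict)   # ucc -> Binding (many UCCs may share one)
    sessions: dict = field(default_factory=dict)   # ucc -> device currently holding the session
    qr_tokens: dict = field(default_factory=dict)  # token -> (ucc, expiry timestamp)
    QR_TTL = 60  # seconds a QR desktop-login token stays valid (assumed value)

    def bind(self, ucc, sim_id, imei):
        self.bindings[ucc] = Binding(sim_id, imei)

    def login_mobile(self, ucc, sim_id, imei, biometric_ok):
        bound = self.bindings.get(ucc)
        # All three must recognise each other; a SIM moved to another handset fails here.
        if bound is None or (sim_id, imei) != (bound.sim_id, bound.imei):
            return "denied: UCC, SIM and handset do not match"
        if not biometric_ok:
            return "denied: biometric check on primary device failed"
        self.sessions[ucc] = "mobile"
        return "ok"

    def issue_qr(self, ucc, now):
        """Only an active, bound mobile session may mint a short-lived desktop token."""
        if self.sessions.get(ucc) != "mobile":
            return None
        token = secrets.token_hex(8)
        self.qr_tokens[token] = (ucc, now + self.QR_TTL)
        return token

    def login_desktop(self, token, now):
        entry = self.qr_tokens.pop(token, None)   # single use: a replayed token is gone
        if entry is None or now > entry[1]:
            return "denied: QR token missing or expired"
        self.sessions[entry[0]] = "desktop"       # auto-logout: replaces the mobile session
        return "ok"

    def report_lost(self, ucc):
        """Fallback for a lost or stolen handset: drop the binding and any live session."""
        self.bindings.pop(ucc, None)
        self.sessions.pop(ucc, None)
```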
Conclusion: The use of SIM binding technology in the trading system is a welcome move. Once implemented, it would add an extra layer of security for the trading community and help mitigate frauds. However, addressing the biometric loophole and refining the system’s functionalities will be crucial for its successful implementation.