RBI’s switch of a domain name for banks won’t really help tackle online fraud
Summary
- Moving banks to ‘.bank.in’ websites won’t address people’s real vulnerabilities in digital spaces. We mostly use apps for bank transactions now and the tricks used by fraudsters are evolving fast.
The Reserve Bank of India’s (RBI) recent suggestion to move all Indian bank websites to the ‘.bank.in’ domain has garnered attention, yet it represents a classic case of regulatory over-enthusiasm for a non-priority issue. While well-intentioned, it offers a superficial solution to a deep problem.
As digital banking evolves in India, the primary threat to consumer security lies not in the domain names of websites, but in the proliferation of fraudulent apps and inadequacy of protections. A change in domain name, in isolation, will do little to combat the growing menace of digital fraud.
Also Read: Proving you’re human in the age of AI could become as easy as ABC
As apps have become the primary point of interaction with banks for most consumers, the relevance of website domain names has diminished. Gen Z and Gen X, for example, may not even recognize the concept of ‘www,’ having grown up in an apps-first world. For consumers of all ages, the Unified Payments Interface (UPI) has shifted the focus to mobile apps.
The real danger now lies in fraudulent apps that bypass traditional web-based checks, with fake apps on both the Google Play Store and Apple Store continuing to pose a significant problem.
Consider a recent incident involving a frequent visitor to the RBI website. For reasons initially unclear, her browser displayed an “Authentication Error," which led to an hour-long investigation. It was eventually discovered that a mis-configuration of the office router was appending a random suffix to the URL, transforming ‘rbi.org.in’ into ‘rbi.org.in.domain.name.’
While this error could have caused confusion, the individual—being tech-savvy—quickly recognized the discrepancy and took steps to safeguard herself against potential phishing attempts.
However, had this error occurred on a commercial bank’s website and the individual had been using an unsecured public wi-fi network, the risks would have been far greater.
An attacker could have intercepted the connection, deceiving her into entering her login credentials on a fraudulent website designed to impersonate the bank. This example demonstrates the inherent vulnerabilities in digital banking. Yet it also reveals the inadequacy of relying solely on visual checks of domain names as a security measure.
Also Read: Vivek Kaul: Financial frauds evolve fast but it’s not as if we’re helpless
True protection here came not from recognizing the URL discrepancy, but from the use of a password manager. These tools, now standard with most browsers and operating systems, are designed to thwart phishing attempts by validating the integrity of the URL before auto-filling any credentials. Security professionals call this solution ‘invariant,’ as it works across all online services—not just banks. It highlights why a shift to ‘.bank.in’ would do little to address the core problem of security.
Data from Indian Cyber Crime Coordination Centre (I4C) shows that 40% of local-origin frauds are related to Know Your Customer (KYC) expiry notices. These scams typically involve deceptively similar URLs, often with slight variations in the domain name.
However, the success of this scam arises not from the domain name, but from the systemic issue of KYC freezes that lock users out of their accounts without notice. Economist Jean Dreze recently pointed out that 70% of households in Jharkhand have lost access to at least one of their bank accounts due to these freezes, underscoring a larger problem of financial exclusion.
Also Read: KYC exists to prevent fraud and not to make people miserable
To effectively combat fraud, regulators must focus on the more pressing issues that affect consumers.
One such measure could be requiring banks to stop freezing accounts without notice—a practice that creates confusion and urgency, which leaves individuals vulnerable to phishing scams. However, even this proposal would likely face some pushback from the banking industry, which faces its own challenges in managing the complexities of digital payments.
The transformation of personal bank accounts into quasi-commercial accounts, with frequent transactions, has inadvertently eased money laundering and other illicit activities. No single regulatory measure can fix this, let alone RBI’s domain action.
This brings us to the larger issue at hand: the failure of traditional regulatory approaches to the rapidly evolving world of digital finance. The shift to ‘.bank.in’ is a short-sighted solution that optimizes the system for one variable, neglecting others.
Also Read: Private companies can use Aadhaar infrastructure for identity checks again
Regulators must adopt a more nuanced and flexible approach that recognizes the interconnectedness of the modern financial ecosystem. Innovation Hubs—regulatory think-tanks that explore new ways of governing digital finance—can play a crucial role in this. These hubs should not only focus on technical and financial innovation, but also explore new regulatory models that address all facets of the digital finance landscape.
As India continues to embrace digital finance, financial regulators must recognize that traditional methods involving static rules cannot effectively mitigate the multifaceted threats being faced. The speed at which technology evolves, coupled with new fraud techniques, demands a dynamic and adaptive approach. The real solution lies in a comprehensive attack on fraud to shield and empower consumers through a truly future-ready framework.
The authors are, respectively, corporate advisor & independent director on corporate boards; and co-founder and CTO, DeepStrat.
topics
