Different Channel Registration
The mobile number registration is carried out at the branch and ATM. This way the security of mobile channel is upheld by allowing registration activities through different channels that have their own authentication mechanisms.
Customer has to activate the iMobile Pay client application using a second-factor authentication (2FA) mechanism. (Enter digits of Debit / Grid card number - these 3 digits are randomly generated at the time of activation). This ensures that only the rightful owner of the account who has the Debit card of ICICI Bank can activate iMobile Pay on his phone.
Customer is also required to create a 4-digit numeric PIN of his choice to log in. This acts as a verification mechanism to enter the application. The application gets locked in case of three incorrect PIN entries.
All data that is stored on the phone/client is encrypted using strong encryption standards thereby making it secure.
The data exchanged between client (i.e. iMobile Pay) and server is encrypted using PKI. End-to-end 256 bit encryption fulfills the confidentiality, integrity and security requirements.
Additionally, all financial activity involving Fund Transfer are verified using the 2FA (Grid card/ Debit card number). Also, for every session between application and the server, a key is exchanged which expires when the session terminates.