
Dormant Digital Accounts Targeted by Cybercriminals; Experts Demand Mandatory Multi‑Factor Authentication

Recent investigations conducted by the Cyber Crime Investigation Cell in conjunction with leading financial‑security analysts have uncovered that a substantial proportion of dormant electronic banking accounts maintained by Indian financial institutions have become the target of coordinated cyber‑theft operations wherein illicit actors exploit previously stored card credentials to execute unauthorised monetary transfers, thereby exposing a systemic weakness in the prevailing digital custodial frameworks.

The modus operandi, as identified by forensic examinations, predominantly relies upon the illicit acquisition of user passwords through large‑scale phishing campaigns and the subsequent circumvention of single‑factor authentication mechanisms, thereby allowing perpetrators to manipulate dormant accounts that, despite containing negligible recent activity, retain active payment instruments linked to merchant services and utility payment portals.

This breach has imposed an estimated cumulative financial loss exceeding two billion rupees upon consumers and has compelled several banking establishments to allocate sizable portions of their quarterly earnings toward remediation, forensic auditing, and the provisioning of compensatory reimbursements, thereby diverting resources that might otherwise have been directed toward productive credit expansion and employment‑stimulating initiatives.

The Reserve Bank of India, in its latest circular concerning digital transaction security, ostensibly mandates the deployment of multi‑factor authentication for all high‑value electronic payments, yet the prevailing regulatory language remains ambiguous regarding the retroactive application of such safeguards to accounts that have remained dormant for periods exceeding one fiscal year, consequently furnishing a loophole that cyber‑criminals have demonstrably exploited.

Consequently, consumer advocacy groups have filed petitions before the Securities and Exchange Board of India demanding that the regulator issue clarificatory directives compelling banks to enforce mandatory token‑based verification on any transaction originating from accounts displaying prolonged inactivity, thereby aligning corporate practice with the broader public policy objective of preserving confidence in the nation's burgeoning digital payments ecosystem.

Banking institutions, while citing operational constraints and legacy system incompatibilities, have largely resisted the wholesale integration of advanced authentication protocols, arguing that the incremental cost associated with retrofitting dormant account infrastructures would erode profit margins already compressed by heightened competition from non‑banking fintech entrants, a rationale that, when examined against the backdrop of escalating cyber‑risk exposure, appears increasingly untenable.

The erosion of consumer confidence engendered by such high‑profile breaches is likely to curtail the adoption rate of electronic payment solutions among small‑scale merchants and salaried workers alike, thereby impeding the very digital inclusion agenda championed by governmental policy frameworks that envisage a transition toward a cash‑light economy within the next decade, a paradox that underscores the necessity for swift remedial legislation.

In light of the disclosed vulnerabilities, one must inquire whether the extant regulatory architecture, predicated upon periodic circulars rather than enforceable statutes, possesses sufficient deterrent power to compel financial institutions to remediate dormant account exposures before they become fertile ground for organized cyber‑theft, thereby preserving the sanctity of the public trust vested in the nation’s banking system.

Equally compelling is the question of whether banks, invoking legacy system constraints, should be mandated to allocate a dedicated portion of their capital reserves toward the development and deployment of token‑based, multi‑factor authentication mechanisms that operate irrespective of account activity status, a requirement that would ostensibly align corporate risk management with the broader public interest in fostering a resilient digital payments infrastructure.

Finally, it remains to be examined whether the Securities and Exchange Board of India, in concert with consumer protection agencies, possesses the statutory authority and procedural clarity to impose punitive sanctions on entities that fail to disclose the true extent of dormant‑account fraud exposure within their audited financial statements, thereby ensuring that shareholders and the taxpayer alike are shielded from the hidden cost of remedial payouts.

Given that remediation expenses are increasingly being financed through the reallocation of funds originally earmarked for credit‑extension programmes and small‑enterprise loans, one must question whether the present fiscal policy framework inadvertently subsidizes cyber‑criminal activity by allowing banks to absorb the cost of fraud without transparent accounting, thereby compromising the government's objective of channeling credit to productive sectors that generate employment.

Moreover, the persistent reliance on voluntary compliance with multi‑factor authentication recommendations raises the issue of whether statutory provisions should be introduced to obligate all payment service providers, irrespective of size, to undergo periodic third‑party security audits whose findings are publicly disclosed, thereby furnishing market participants with the requisite information to assess systemic risk and to hold culpable entities accountable.

Consequently, does the present legislative apparatus adequately empower regulators to enforce real‑time transaction monitoring and mandatory disclosure of dormant‑account fraud statistics, or must a more rigorous statutory regime be enacted to ensure that the ordinary citizen possesses the capacity to verify official economic claims against tangible outcomes, thereby restoring faith in the integrity of India’s digital economy?

Published: May 29, 2026