20 December 2014

Talk of Many Things

Ketharaman Swaminathan - GTM360 Marketing Solutions


Mobile OTP: Cyanide Or Caffeine For Online Payments?

03 June 2013

I recently received an SMS from one of my credit card issuing banks - the Indian subsidiary of a British high street bank that has a global presence - informing me about the following change in procedure for using its credit cards online:

"With immediate effect, for each online transaction on your BANK1 Credit Card, an OTP (One Time Password) will be sent via SMS to your registered mobile number. In order to complete the transaction, this OTP will have to be entered by you instead of the erstwhile Verified by Visa password."

As though making online payments isn't terribly painful as it is, this bank has just raised the friction in the process to the next level. Successful completion of a transaction is no longer just a function of quality of Internet connectivity and the uptime of merchant, acquirer, issuer and epayment gateway websites. It now also depends upon the mobile network coverage, message delivery times and availability of the mobile phone at the point of transaction.

Even before this new step, the end-to-end payment chain had so many moving parts that almost one in 12 payments failed, as I'd highlighted in my earlier post Skating Away With Online Payments. Now, I expect failure rates to shoot up with Mobile OTP, for three reasons: network coverage is spotty indoors and in roaming mode; messages could be delayed by several hours during the peak volumes observed on holidays; and the shopper's regular mobile phone is not guaranteed to be at hand when traveling abroad, since most people tend to use a different SIM to avoid the exorbitant international roaming charges levied by their primary Mobile Network Operator. All these will only reinforce my recent shift to Cash on Delivery for online shopping and avoidance of online bill payments.

Going back a couple of years, BANK1 introduced two-factor authentication for all types of card-not-present payments - via web, mobile and phone. It had also started sending SMS Alerts for all card transactions. In all those cases, the bank had ascribed the new security measures to the Reserve Bank of India, which is India's central bank cum banking regulator. BANK1 hasn't (yet!) chanted the "As per RBI rules" mantra to backstop its latest move. I fervently hope that the regulator doesn't mandate mobile OTP and instead focuses on the huge problem of failed payments. Ideally, it should issue a mandate to all card issuers to reverse debits in the event of all incomplete payments, no questions asked. But I digress.

If it's not to comply with regulation, I wonder why BANK1 chose to implement mobile OTP, a move that could diminish interchange revenues by further driving experienced users away from online card transactions.

Is it to persuade the 70% of online shoppers who currently use cash-on-delivery to switch over to credit cards? It's quite possible that, when they hear about mobile OTP, many fence-sitters might feel comfortable about exposing their card information online. Until they actually experience online friction and failed payments, the heightened security promised by the new step might just nudge them towards using their credit cards to make online payments, thereby boosting the bank's interchange revenues.

Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell.


Comments: (12)

Alexander Peschkoff - TEDIPAY - London | 03 June, 2013, 22:53

Ketharaman, put yourself into the issuer's shoes. How can you at least try to ensure the CNP transaction is carried out by the authorized party? OTP is not the best solution (from UX and security point of view), but still offers some protection.

If the banks shifted ALL fraud liability to the consumer, we'd be gladly jumping even through ten hoops to stay secure. It's all about perception and perspective.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 04 June, 2013, 07:02

@AlexP:

TY for your comment. The rationale from the issuer's p.o.v is clear: To make online payments more fraud-proof. Question is, will the resultant friction also make it transaction-proof (for me, it already has).

In today's world, customers are spoilt for choice: They'll simply ditch the MOP that requires 10 hoops to stay secure; cash will make a comeback (as it is, cash-on-delivery accounts for 70% for ecommerce in India); we'll start seeing genuine innovation in payments viz. COD for otherwise completely digital transactions like e-tickets at no higher transaction processing cost than the MDF/MSC applicable for card payments, as I'd highlighted in The Death Of Cash Is At Least 190 Years Away.

Alexander Peschkoff - TEDIPAY - London | 04 June, 2013, 07:39

I think the more likely scenario is as follows: the industry will eventually introduce standards based on biometrics, we'll accept or get used to them, and carry on. US is resistant to EMV. Why? Because the industry is making too much easy money to care about fraud. Once their margins drop (or regulations are enforced), they'll join in and will forget the whole saga in a year or so. Changing consumers' behaviour is not easy, but is mostly doable.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 04 June, 2013, 08:14

I've been hearing about the eventuality of biometrics for 9 years. I'll give it one more year before commenting about it since I subscribe to Bill Gates' famous saying about how people underestimate the amount of change that can happen in 10 years. I'm not sure how EMV is relevant in the present context of CNP transactions but, nevertheless, in my interactions with merchants, banks and regulators in various parts of the world, it's not as though USA doesn't care about fraud. It's just that (a) only it gets friction and the other here-and-now revenue-threatening problems caused by overzealous implementation of fraud prevention measures, and (b) Even without VbV / SecureCode, there's no evidence that fraud as a percentage of CNP transaction value is any higher in the USA than other parts of the world that have implemented 2FA / Mobile OTP, etc.

Instead of USA following the ROW on convenience-versus-security, I'd place my bet on the opposite. With several Indian ecommerce companies getting rid of the extra hop involved with ePGs, a couple of them completely shifting to US-based payment processors in the recent past to circumvent friction, the trend has already commenced.

Ritesh Agarwal - On My Own - Bangalore | 06 June, 2013, 07:32

Some banks send OTP over the email "as well", as registered with them. It saves the hassle of not being on home network or while roaming internationally. I have made multiple online payments using OTP, while I was roaming internationally; with so much ease that I am a strong supporter of such technical initiatives. Pls note that additional sending of email for same OTP has done away with many other cost inconveniences or security apprehensions around SMS. Now, it might open a question around security in emailing; which I think can be dismissed without even any required discussion.

Alexander Peschkoff - TEDIPAY - London | 06 June, 2013, 07:58

Email alone is insecure. If you do CNP transaction, it's most likely e-comm. That means you have either a PC or a smartphone. Using "fingerprinting" allows to link cards to certain hardware, in a user-transparent way. Add public key app to pre-advise the transaction (akin to getting a card from a wallet) and you have reasonable security with good UX.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 June, 2013, 08:46

@RiteshA: TY for bringing up the alternative of Email OTP. While I've no personal experience with it - none of the close to a dozen-odd banks I'm exposed to uses it - Email OTP seems more convenient than Mobile OTP. However, Email OTP is "in band" and, for that reason, could be viewed by security purists as less secure than Mobile OTP, which is "out of band". 

@AlexP: TY for your comment. The same bank has been using hardware tokens for supplying OTPs for a different usage scenario (NetBanking) for several years. In 8+ years, I've never had a problem with it (knock on wood!). I guess it has moved away from a hardware alternative for online credit card usage due to a myopic focus on cost reduction. 

Alexander Peschkoff - TEDIPAY - London | 06 June, 2013, 09:25

Hardware tokens are not ubiquitous and are "pain in the pocket" to carry. Smartphones offer an adequate alternative.

 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 June, 2013, 10:32

Agreed but I'd any day accept the predictable "pain in the pocket" over the unpredictability of the smartphone / mobile OTP alternative. But, that's only me. As I said, "Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell."

Ritesh Agarwal - On My Own - Bangalore | 06 June, 2013, 10:43

AMEX and ICICI Bank...besides many more have been using it for years... :-)

I am coming from end-user convenience and security perspective. If I can get account statement on email..then why not OTP...?

Everything else on technical concerns are problems of individuals.

Alexander Peschkoff - TEDIPAY - London | 06 June, 2013, 10:59

It takes just 32 interactions to develop a habit :)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 June, 2013, 13:36

I was almost sold on Email OTP until I saw the analogy with eStatements: How Suitable Is Email For Delivering Bills And Statements? Do you have to supply a password before seeing the OTP?
