
An article relating to this blog post on Finextra:

Visa and Emue Technologies deploy cards with built-in one-time password generator

The Visa Card with one-time code, being offered to issuing banks by Visa Europe and Emue Technologies, is an innovative new way of securing online payment and banking transactions - and building consu...



Visa and Emue CARD OTP Combo - an innovation showcase

 

OTPs are of course better than static pin-codes. A move to require OTPs instead of the static pin-code will surely help eradicate card-present fraud.

Can such a card even be inserted into any chip and pin terminal? If so, I just can't imagine how I can use this card combo to: generate an OTP, try to remember the OTP, insert it into an ATM machine, then cancel the transaction just because I can't remember the OTP...  

I must admit that it does look nice. But other than that, I can think of many other reasons why a separate OTP device would make more sense.

 


Comments: (3)

A Finextra member 02 March, 2009, 11:17

 

The OTP generated by the card is not the same as the PIN, and it does not serve the same function.  In a CNP environment, the OTP is used to verify that the remote purchaser is the legitimate cardholder; it is one step more secure (allegedly) than simple VbV or SecureCode pre-set passcodes, and relies on the successful result of a PIN challenge generated by the card.  The OTP is then used in place of the static passcode.

Now, what would happen in a normal retail environment, or at an ATM?

I would have to ask the card to generate an OTP, which I hope is within the "magic number 7, plus or minus 3" capabilities of my short-term memory.  The card would then ask me to authenticate myself - and I do so by keying in my PIN - which is the only way the card can tell if it is indeed me!

Ooops!  Back where we started.

[Magic Number - George A Miller - 1956]

 

Joe Pitcher - Irrelevant - Wirral 02 March, 2009, 11:34

Marite,

The current implementation is to use OTP for Internet/MOTO transactions only, not at ATMs.

As such, I agree that the benefit of having the ability to generate the OTP on the card is not great; a separate reader is more attractive when you consider the costs.

A Finextra member 02 March, 2009, 13:47

Yes, OTPs for card-not-present 'seems' to be a given and thus I intentionally focused on card-present fraud.

But although OTPs' lack of 'replayability' makes them a better authentication factor than, let's say, a pin-code, password or even biometrics, they are, however, also not immune to man-in-the-middle attacks. So, let's also not get carried away with OTPs.

How difficult would it be to prop a legit-looking online merchant site (even mimicking a popular merchant site) and redirect unsuspecting consumers to this website? Card details, even Verified by Visa passwords, MC's UCAF/SPA and yes, also OTPs can be intercepted and replayed by the fraudster with real legitimate online merchants.


This post is from a series of posts in the group:

Transaction Fraud Systems and Analysis

A community for discussion of Transaction Fraud systems and analytical techniques for bank card and financial services organisations.

