scorecardresearch

Password impasse

An anti-fraud measure has online merchants fuming.

The latest measure enforced by the RBI to check credit card fraud has led to an immediate drop in the number of people using their mobile phones to make payments, claim several retailers who are dissatisfied with the measure. The new rules make it mandatory for customers who use their phones to carry out financial transactions that call for revealing their credit card numbers - such as buying an airline ticket or paying a utility bill - to also clear an additional security layer before the transaction is processed.

This new security layer is the one time password, or OTP. When a customer starts a transaction, the bank that issued his credit card automatically texts a one time password to the mobile number it has on file for that customer. Only after the customer repeats the OTP successfully, is the payment order validated.

Hrush Bhatt, Founder, Cleartrip.com
Hrush Bhatt, Founder, Cleartrip.com
Sounds simple, but customers are fumbling with it. According to Hrush Bhatt, one of the founders of travel portal Cleartrip.com, which launched a mobile phone payment gateway six months ago, payments through this mode fell by 73 per cent the day after OTP came into effect. Two months later, payments by mobile are still half of what they used to be before the order.

"The process of generating an OTP is painful, inconsistent and prone to failure," says Bhatt. "Early indications are that it is not the best thing for either users or merchants. If the password does not arrive immediately when the customer is making his payment, he usually hangs up and never calls again."

Bhatt also points out that the system could inconvenience customers with more than one mobile phone, since only one mobile number can be registered with the credit card company.

Gautam Shiknis, CEO of mobile payment provider mChek, confirms that mobile transactions through his company's gateway have fallen to half of what they used to be. "Right now mobile payment has become a very cumbersome process," he says.

Search for security
The concerned RBI circular to the banks - whose draft was first sent out nearly a year ago - directed them to start using a security system called Two Factor Authentication, or TFA, for all transactions conducted, using a technology called Interactive Voice Response, or IVR. This technology forms the backbone of most phone payment systems.

What exactly is TFA? It requires that for any credit card transaction where the credit card holder is not physically present to hand over his card - that is, during online or mobile phone payments - he must provide not only his credit card details but also one more piece of information not recorded on his credit card. It is akin to asking a customer, even when he presents his credit card in person, to show his photo ID and confirm he is indeed the one to whom the credit card belongs. "The idea is to match what you have (a credit card) against what you know (the one time password)," explains Shiknis.

For payments made using the Net, RBI started insisting on TFA nearly two years ago. Accordingly, Visa and MasterCard introduced an additional security layer - VerifiedbyVisa and Securecode, respectively - which require customers to register a separate personal identification number, or PIN, for online transactions. Cleartrip's Bhatt says his portal saw a sudden fall in purchases over the Net - although not quite as drastic - at the time as well, although sales eventually did recover. The apex bank has similar guidelines for mobile banking, too. But so far payments through mobiles had been left out.

Mobile-linked payments are different from those made online because the keyboard in most mobiles is limited and cannot produce the range of alphanumeric passwords - including symbols and special characters that make them difficult to crack - that a computer keyboard can.

How the one time password works

Step 1 The consumer decides to buy a plane ticket online. He calls up the vendor's call centre to place his order

Step 2 The call is taken by an operator or a prerecorded message asks the customer to enter his credit card number, its expiry date, and the code on the back of the card

Step 3 While the customer waits, a message goes to the bank, asking it to release a one time password to the mobile number it has on file for the customer

Step 4 The consumer receives a text message from the bank with his one time password, which he provides to the call centre

Step 5 The purchase is processed
The idea that online merchants should ask for a second form of identification was first proposed by a regulatory agency in the United States in 2005. Since then, many other countries and international agencies have followed suit and made it mandatory. The intention globally has been the same: to check fraudsters from making purchases using someone else's credit card number.

At present, mobile payments are a tiny fraction of the total payments market. At Cleartrip, for instance, even before the guideline came into effect, mobile payments made up barely 10 per cent of the site's transaction volume.

But many reports suggest this segment is set to grow enormously in coming years. Nearly 75 per cent of Indian respondents to a recent survey by Accenture said they would be interested in making mobile payments, which put the Indians globally second only to the Chinese in their enthusiasm for this particular form of payment.

As India's demand for alternative methods of payment has grown, so has the number of security systems available. Many banks, for instance, operate several different TFA gateways simultaneously, striving to keep their systems user-friendly, even while complying with the Reserve Bank's guidelines.

Simpler solutions
"We're likely to introduce a system where customers can pre-request an OTP that will be good for several hours," says Suresh Sethi, president of the transaction banking group at YES Bank. "We're calling a dynamic PIN. It's the simplest system and also provides the best experience." YES Bank plans to roll out its own TFA system for IVR transactions soon, and has evaluated several different systems before choosing one.

Most banks have already opted for some variation of a dynamic PIN, but each bank has a slightly different system. Some provide a password in the middle of the transaction. Sethi says YES Bank discarded this system because not all customers can view their SMS inbox while making calls. Before the OTP system was introduced, mChek used to ask customers for a PIN for their mobile transactions, which had been provided to them earlier. But the PIN stayed the same for every financial transaction, much like the PIN a cardholder uses at an ATM stays the same. If a fraudster, making a purchase over a mobile phone while impersonating another person, were to equip himself beforehand with the PIN of that person as well, he would slip through this security layer.

Experts also point out that even if mobile payments technology gets more sophisticated, developing systems far more advanced than IVR, security concerns will always remain.

"Security is a key concern for anyone looking at mobile payments," says Ashok Jhunjhunwala, a professor at the Indian Institute of Technology, Madras, who is also Chairman of the Mobile Payment Forum of India. "While the one time password may be a good solution, there are also other technologies, like voice recognition, that are more interesting."

Even Bhatt and Shiknis acknowledge the need for greater security and support the idea of additional verification, while opposing the specific step RBI has taken.

Whatever the problems faced by online merchants, RBI has no plans to reconsider its TFA guidelines yet. "Banks are working out the best way to implement them," says an RBI spokesperson, confirming that the guidelines were there to stay. The currently tiny base of mobile payments in India might be a saving grace. "Because the base is so small, nobody minds a little experimentation," says Shiknis.

"I'm not as concerned about a payment drop in 2011, I'm concerned about 2015. At that point, we will have TFA, but I don't think the one time password will still be the way to go."