GTM360 Blog

Official Blog of GTM360 Marketing Solutions

I recently received an SMS from one of my credit card issuing banks – the Indian subsidiary of a British high street bank that has a global presence – informing me about the following change in procedure for using its credit cards online:

With immediate effect, for each online transaction on your BANK1 Credit Card, an OTP (One Time Password) will be sent via SMS to your registered mobile number. In order to complete the transaction, this OTP will have to be entered by you instead of the erstwhile Verified by Visa password.

As though making online payments isn’t terribly painful as it is, this bank has just raised the friction in the process to the next level. Successful completion of a transaction is no longer just a function of quality of Internet connectivity and the uptime of merchant, acquirer, issuer and epayment gateway websites. It now also depends upon the mobile network coverage, message delivery times and availability of the mobile phone at the point of transaction.

Even before this new step, the end-to-end payment chain had so many moving parts that almost one in 12 payments failed, as I’d highlighted in my earlier post Skating Away With Online Payments. Now, I expect failure rates to shoot up with Mobile OTP because network coverage is spotty while indoors and in roaming mode; messages could be delayed by several hours during peak volumes observed on holidays; and the presence of the regular mobile phone at the point of transaction is not guaranteed when the shopper is traveling abroad, since most people tend to use a different SIM to avoid the exorbitant international roaming charges levied by their primary Mobile Network Operator. All these will only reinforce my recent shift to Cash on Delivery for online shopping and avoidance of online bill payments.

Going back a couple of years, BANK1 introduced two-factor authentication for all types of card-not-present payments – via web, mobile and phone. It had also started sending SMS Alerts for all card transactions (more on that here). In all those cases, the bank had ascribed the new security measures to the Reserve Bank of India, which is India’s central bank cum banking regulator. BANK1 hasn’t (yet!) chanted the “As per RBI rules” mantra to backstop its latest move. I fervently hope that the regulator doesn’t mandate mobile OTP and instead focuses on the huge problem of failed payments. Ideally, it should issue a mandate to all card issuers to reverse debits in the event of all incomplete payments, no questions asked. But I digress.

If it’s not to comply with regulation, I wonder why BANK1 chose to implement mobile OTP, a move that could diminish its interchange revenues by further alienating experienced users from online card transactions.

Is it to persuade 70% of online shoppers who currently use cash-on-delivery to switch over to credit cards? It’s quite possible that, when they hear about mobile OTP, many fence-sitters might feel comfortable about exposing their card information online. Until they actually experience online friction and failed payments, the heightened security promised by the new step might just nudge them towards using their credit cards to make online payments, thereby boosting the bank’s interchange revenues.

Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell.

Ketharaman Swaminathan on September 13, 2013

  • sketharaman

    Per Economic Times (http://ow.ly/vQHB3), the actual success rate of an online payment in India is only 50%. That means, one in two is a failed payment.

  • sketharaman

    Time has told: Mobile OTP is indeed cyanide for online payments. It has driven diehard credit card users like me to cash (http://gtm360.com/blog/2015/01/09/going-from-card-to-cod/) and resulted in the proliferation of third party mobile wallets (e.g. PayTM, HDFC Bank PayZapp) that deliver a highly frictionless experience by deftly sidestepping mobile OTP and obviating the need to enter card information for every transaction (http://gtm360.com/blog/2015/07/03/hdfc-banks-payzapp-ends-my-bill-payment-woes/).

  • sketharaman

    SBI launches Secure OTP App, which eliminates the need to wait for the SMS – often endlessly – that brings Mobile OTPs. This is a nod to what I’ve been saying for a long time about Mobile OTP being a cyanide for online payments. However, I can’t help feeling that SBI is a bit too ambitious in expecting its customers to install “yet another app” on their already-space-starved smartphones. That too an app they will only use sparingly. Wish SBI had bitten the bullet and introduced a hardware token. This may be old-fashioned but, going by my decade-long experience of tokens from HSBC Bank, this solution works flawlessly. Or been a bit more innovative and found ways of obviating the need for OTPs altogether while still preserving payment security, a la HDFC Bank PayZapp.

  • sketharaman

    UPDATE DATED 4 AUG 2016:

    Mobile OTP is not safe either!

    It’s Official: Using Text Messages to Secure Your Passwords Is a Bad Idea

    http://www.slate.com/blogs/future_tense/2016/07/26/nist_proposes_moving_away_from_sms_based_two_factor_authentication.html

    Now that Mobile OTP is neither frictionless nor secure, is it high time to stop it?
