Mobile OTP: Cyanide Or Caffeine For Online Payments?

Ketharaman, put yourself into the issuer's shoes. How can you at least try to ensure the CNP transaction is carried out by the authorized party? OTP is not the best solution (from UX and security point of view), but still offers some protection.

If the banks shifted ALL fraud liability to the consumer, we'd be gladly jumping even through ten hoops to stay secure. It's all about perception and perspective.

@AlexP:

TY for your comment. The rationale from the issuer's p.o.v is clear: To make online payments more fraud-proof. Question is, will the resultant friction will also make it transaction-proof (for me, it already has).

In today's world, customers are spoilt for choice: They'll simply ditch the MOP that requires 10 hoops to stay secure; cash will make a comeback (as it is, cash-on-delivery accounts for 70% for ecommerce in India); we'll start seeing genuine innovation in payments viz. COD for otherwise completely digital transactions like e-tickets at no higher transaction processing cost than the MDF/MSC applicable for card payments, as I'd highlighted in The Death Of Cash Is At Least 190 Years Away.

I think the more likely scenario is as follows: the industry will eventually introduce standards based on biometrics, we'll accept or get used to them, and carry on. US is resistant to EMV. Why? Because the industry is making too much easy money to care about fraud. Once their margins drop (or regulations are enforced), they'll join in and will forget the whole saga in a year or so. Changing consumers behaviour is not easy, but is mostly doable.

I've been hearing about the eventuality of biometrics for 9 years. I'll give it one more year before commenting about it since I subscribe to Bill Gates' famous saying about how people underestimate the amount of change that can happen in 10 years. I'm not sure how EMV is relevant in the present context of CNP transactions but, nevertheless, in my interactions with merchants, banks and regulators in various parts of the world, it's not as though USA doesn't care about fraud. It's just that (a) only it gets friction and the other here-and-now revenue-threatening problems caused by overzealous implementation of fraud prevention measures, and (b) Even without VbV / SecureCode, there's no evidence that fraud as a percentage of CNP transaction value is any higher in the USA than other parts of the world that have implemented 2FA / Mobile OTP, etc.

Instead of USA following the ROW on convenience-versus-security, I'd place my bet on the opposite. With several Indian ecommerce companies getting rid of the extra hop involved with ePGs, a couple of them completely shifting to US-based payment processors in the recent past to circumvent friction, the trend has already commenced.

Some banks send OTP over the email "as well", as registered with them. It saves the hassle of not being on home network or while roaming internationally. I have made multiple online payments using OTP, while I was roaming internationally; with so much ease that I am a strong supporter of such technical initiatives. Pls note that additional sending of email for same OTP has done away many other cost inconveniences or security apprehensions around SMS. Now, it might open a question around security in emailing; which I think can be dismissed without even any required discussion.

Email alone is insecure. If you do CNP transaction, it's most likely e-comm. That means you have either a PC or a smartphone. Using "fingerprinting" allows to link cards to certain hardware, in a user-transparent way. Add public key app to pre-advice the transaction (akin to getting a card from a wallet) and you have reasonable security with good UX.

@RiteshA: TY for bringing up the alternative of Email OTP. While I've no personal experience with it - none of the close to a dozen-odd banks I'm exposed to uses it - Email OTP seems more convenient than Mobile OTP. However, Email OTP is "in band" and, for that reason, could be viewed by security purists as less secure than Mobile OTP, which is "out of band". 

@AlexP: TY for your comment. The same bank has been using hardware tokens for supplying OTPs for a different usage scenario (NetBanking) for several years. In 8+ years, I've never had a problem with it (knock on wood!). I guess it has moved away from a hardware alternative for online credit card usage due to a myopic focus on cost reduction. 

Hardware tokens are not ubiquitious and are "pain in the pocket" to carry. Smartphones offer an adequate alternative.

Agreed but I'd anyday accept the predictable "pain in the pocket" over the unpredictability of the smartphone / mobile OTP alternative. But, that's only me. As I said, "Only time will tell whether Mobile OTP will stimulate online payments or sound its death knell."  

AMEX and ICICI Bank...besides many more have been using it for years... :-)

I am coming from end-user convenience and security perspective. If I can get account statement on email..then why not OTP...?

Every thing else on technical concerns are problems of individuals.

It takes just 32 interactions to develop a habit :)

I was almost sold on Email OTP until I saw the analogy with eStatements: How Suitable Is Email For Delivering Bills And Statements? Do you have to supply a password before seeing the OTP?