By RBI mandate, as of February 1, 2011, two factor authentication is required for all mobile-based transactions. In compliance, we switched our mobile web payments to two factor authentication on February 1. Here’s what happened to our daily mobile transaction volumes that day.

Two factor authentication caused a 73% drop against our average daily mobile transaction volume and an 84% drop against the highest-volume day of the trailing 30 days.
Not a pretty picture.
The two factor authentication methods deployed by India’s banks are flawed–they are damaging India’s Internet growth and disadvantaging our internet companies.
First, a little history for context. In February 2009, the RBI mandated that all web-based transactions in India implement ‘two factor authentication’ with effect from August 2009. Two factor authentication is a security scheme in which two independent authentication methods must be used before an action is authorised. To comply with the RBI mandate, all online payments in India had to add a second authentication step that required users to enter data not visible on the card itself.
In theory, this secures your cards against online fraud: if your card is physically stolen, the thief can no longer use it fraudulently online. The thief possesses everything printed on the card (name, number, expiration date, CVV) but not the “second factor” that must be entered before a transaction can be processed. The protection is only as wide as its enforcement, though: the second factor is checked by the issuing bank only when the merchant asks for it, so a merchant that does not participate in the scheme, as many overseas merchants do not, can still charge the card on the printed details alone.
The RBI circular did not specify how two factor authentication should be implemented; it left that to the banks and payment gateways. Banks could have met the requirement by asking for a cardholder’s date of birth or billing address (neither is printed on the card, though both are easy for an attacker to learn). Instead, they rolled out 3-D Secure, better known as Verified by Visa or MasterCard SecureCode, a cardholder-authentication protocol in which the issuing bank challenges the customer at checkout, in India’s deployment with a password. The scheme is widely regarded as a failure for three reasons:
- The design of the system is vulnerable to phishing and man-in-the-middle attacks: the issuer’s password prompt is shown inside the merchant’s checkout page, so customers are trained to type a bank credential into a box whose origin they cannot verify (How not to design authentication)
- The scheme is designed from the ground up to protect merchants, not customers: its main effect is to shift liability for disputed transactions away from the merchant (article)
- Payment failures increase massively, causing losses for merchants and frustration for customers (article)
Instead of focusing on delivering a secure, usable and efficient second factor authentication model, India’s banks rolled out 3-D Secure because it was the easy way out–the system was already available through payment gateways even prior to the RBI’s mandate.
The decision by India’s banks to deploy 3-D Secure was shortsighted and wrongheaded. In 2009, we were on record as stating that the decision was problematic for three reasons:
- Makes it harder for users to transact online without really reducing the risk of fraud
- Puts India’s internet businesses at a disadvantage by a) increasing failure rates, b) removing the ability to offer frictionless 1-click purchasing of the kind offered by Amazon or by Apple’s iTunes, and c) making it impossible to have subscription-based business models where cards are automatically charged in order to periodically renew a subscription
- Adapting the system for use in mobile commerce would be extremely challenging and burdensome for customers
The RBI mandate issued and implemented in 2009 explicitly exempted mobile-based online payments because 3-D Secure was never considered reliable for mobile transactions.
That was then.
In April 2010, the RBI issued a new circular mandating the use of two factor authentication for all IVR and mobile-based online payments with effect from January 2011.
To comply with the RBI’s new guidelines, India’s banks have made it mandatory for a customer to generate a “One Time Password” (OTP) for every single mobile transaction. How much additional overhead and headache does this create for honest customers who just want to buy something? How much does it increase costs for India’s online companies by increasing failure rates and customer support costs? (An article from MediaNama details how the new OTP system is hostile to customers)
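As an added example (not code from the original post, from Cleartrip, or from any bank’s or payment gateway’s system), here is the issuer side of a per-transaction SMS OTP check of the kind the mobile mandate requires, run against the stolen-card scenario from the history section above. The attacker holds the card details but not the phone, so the code never reaches them; the code is also bound to one transaction and amount, accepted once, and refused after a short window or a few wrong guesses. The 120-second window, the three-attempt limit, the HMAC key and all the names (`OtpService`, `issue`, `verify`, `demo`) are assumptions made for illustration. In production the code goes to the cardholder’s registered phone and is never handed back to the caller as it is here; returning it keeps the example runnable offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window, not a value any bank documents
MAX_ATTEMPTS = 3        # assumed guess limit before the code is locked


@dataclass
class PendingOtp:
    digest: bytes        # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and checks one-time codes bound to a single transaction (hypothetical)."""

    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    def _digest(self, txn_id: str, amount: int, code: str) -> bytes:
        # Transaction id and amount are part of the MAC input, so a code obtained
        # for one purchase cannot authorise a different purchase or amount.
        msg = f"{txn_id}|{amount}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, amount: int) -> str:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = PendingOtp(
            digest=self._digest(txn_id, amount, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # would be sent by SMS to the cardholder; returned here for the demo

    def verify(self, txn_id: str, amount: int, code: str) -> str:
        entry = self._pending.get(txn_id)
        if entry is None:
            return "no_pending_otp"
        if entry.used:
            return "already_used"
        if self._clock() > entry.expires_at:
            del self._pending[txn_id]
            return "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"
        entry.attempts += 1
        # Constant-time comparison of the MACs so timing does not leak digits.
        if hmac.compare_digest(entry.digest, self._digest(txn_id, amount, code)):
            entry.used = True
            return "ok"
        return "locked" if entry.attempts >= MAX_ATTEMPTS else "wrong_code"


def demo() -> List[str]:
    """Constructed scenarios from the post, run against a fake clock so the
    outcome is deterministic. Returns the verdict of each check in order."""
    now = [1_700_000_000.0]
    svc = OtpService(b"example-key-not-for-production", clock=lambda: now[0])
    out: List[str] = []

    # 1. Legitimate purchase: cardholder types the code from the SMS, once.
    code = svc.issue("txn-1", amount=2500)
    out.append(svc.verify("txn-1", 2500, code))      # ok
    out.append(svc.verify("txn-1", 2500, code))      # already_used (replay)

    # 2. Thief with the card details but not the phone guesses codes.
    real = svc.issue("txn-2", amount=9999)
    for delta in (1, 2, 3):  # guesses guaranteed to differ from the real code
        guess = f"{(int(real) + delta) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
        out.append(svc.verify("txn-2", 9999, guess))  # wrong_code, wrong_code, locked
    out.append(svc.verify("txn-2", 9999, real))       # locked: real code refused too

    # 3. A code issued for 100 is presented for 50000, then for the right amount.
    code3 = svc.issue("txn-3", amount=100)
    out.append(svc.verify("txn-3", 50000, code3))    # wrong_code
    out.append(svc.verify("txn-3", 100, code3))      # ok

    # 4. The customer takes longer than the window.
    code4 = svc.issue("txn-4", amount=800)
    now[0] += OTP_TTL_SECONDS + 1
    out.append(svc.verify("txn-4", 800, code4))      # expired
    out.append(svc.verify("txn-4", 800, code4))      # no_pending_otp
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run it directly to print one verdict per check. Note what the check does and does not buy: it refuses anyone who cannot read the cardholder’s SMS, but it does nothing against a merchant or acquirer that never asks for it, which is the gap several of the comments below point at.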
As the graph above shows, the costs of the new system are very real and very large. We expect things to improve over the next few weeks as customers become accustomed to the new requirements for transacting via their mobile phones, but we believe India’s customers and India’s businesses deserve better from our banks than this.
Instead of fuelling the growth of mobile commerce by putting in place an efficient and secure payments ecosystem which is customer-friendly and business-friendly, India’s banks have thrown out the baby with the bathwater. Requiring the use of “One Time Passwords” is a giant step backward that may permanently hobble India’s mobile commerce potential.
Forces me to think – are these steps influenced by offline business lobbies?
First 3D sh1t, OTP, PayPal – come on, it's our money and we want to spend it online as we want.
I agree with your viewpoint for IVR transactions. But for online transactions I feel 3-D Secure has given more security.
+5 Insightful.
I guess this dip may be temporary, and one should wait for some time to draw conclusions. Agreed, there is a loss happening every day, but eventually people would still prefer to book tickets online rather than going back to earlier avenues. So, it's more of a nuisance for consumers, rather than the portals.
Suneet–the objections raised here are twofold, that is, there is an adverse impact on consumers and online merchants.
There are many different ways to implement two factor authentication, so it is unfortunate that banks have chosen a cumbersome method that impedes the growth of mobile commerce. What we need are secure, efficient systems that ensure smooth growth and speedy adoption, not systems that increase "friction" while processing payments.
Don't you think it is too early to consider this a trend? Right now the customers are not used to the 2nd level of authentication. Once they get used to it and set the password which is now required at the second level, things should be back to normal. I am not saying that you are wrong or something like that, but I am hoping that I am correct.
Arkid–we certainly hope you're correct as well.
Clueless bureaucrats mandating a system they have no idea about …
This is India, my dear!
Deeply saddened
Yuvamani–actually, as we stated in the article, the RBI did not mandate 3-D Secure, they merely mandated two factor authentication. We think making people feel safer while transacting online is important and that's the intent behind the RBI mandate.
It is the banks that chose to implement 3-D Secure and One Time Passwords, not the RBI.
Online products & services in Banks are developed by General Managers, not Product Managers.
The main problem is that those who formulate policy are not themselves users of services like mobile payments, nor do they give two hoots about "the future of ecommerce in India." Their only agenda is to make sure they don't get any negative marks on their service record. That makes them a pathetic bunch of losers who can't see beyond the end of their noses, or even bother about the fact that their short-sighted and ill-considered policies are putting a brake on mobile ecommerce services that would really make a difference to the common man.
You can't really blame the banks if they take the easy way out when the policy makers in RBI and the Finance Ministry, instead of nurturing ecommerce through creative policies and legislation, simply put the onus of securing transactions onto the banks. As you say, there are many other ways this second level of authentication could easily be done…the OTP is easily the worst method created. I tried to make a payment using a Symbian phone which at least lets you have two apps open simultaneously. Even then, it was really stressful to have to first wait for the SMS, then open it, commit the 6 digit password to memory, shift over to my ecommerce app, type half the password, then shift back to the SMS to get the remaining numbers, all within the 2 minutes that was assigned to me by the ecommerce app.
I doubt that your mobile ecommerce graph will head north any time soon.
First of all, one day's data is not a trend. Let us not close our mind so quickly.
I agree the OTP authentication technology is inconvenient but that is not the requirement of the 3-D Secure protocol or RBI. Probably the easiest to implement.
Secondly, from all the data I have seen in India, ever since 3-D Secure has been implemented in India for online transactions, the online transaction volumes have gone up significantly for every Issuer. Of course the authentication method used for online transactions is typically another password. So 3-D Secure is not the problem…maybe the specific OTP authentication method or maybe even the delivery mechanism of using SMS.
In any case give the new system some more time, I am sure the authentication methods will be reviewed by the Issuers.
I fear you are throwing the baby out with the bathwater by such hasty conclusions.
raj–I don't think we're drawing "hasty conclusions". We think things will stabilise over the next few weeks.
We do believe, however, that these methods will harm the future of mobile commerce in India. The systems that have been introduced do not properly anticipate the future of mobile commerce. As we can see from mobile apps, friction free purchasing is a critical dimension along which products compete–where does that leave online products that are shackled to unreliable and unfriendly payment systems?
As you know, security and fraud reduction are equally important to give Consumers the necessary confidence to shop online or via IVR, while we all understand convenience is super important.
Obviously we should assume the card associations understand these basics too.
As I wrote earlier, I have seen tons of data in India and overseas, wherein 3-D Secure has increased online payment adoption while reducing CNP fraud in the case of online transactions.
Agreed that the jury is out there on the mobile/IVR payments front….including the use of OTP during such transactions.
I think the RBI goal of controlling the spiralling payment fraud is correct and the 3DS design is correct but the means used to achieve this goal might be a little flawed….the OTP authentication method + the use of the slow SMS delivery + lack of Consumer education might be a challenge….this needs monitoring and corrective action.
raj–could you point us to some evidence of "spiralling payment fraud" in India? It would help everyone understand how big or small the online fraud problem really is.
I think 3D Secure makes lives of many merchants easier especially those prone to fraud like digital goods. We at mobikwik.com sell mobile recharge and we fall in this category. For example, as a merchant we've been screwed by Paypal since they offer no seller protection. Two factor authentication concept is a boon, just that the implementation is not consistent and banks have not done enough to educate the customers on the same.
I have said this before. It's just an inconvenience. Merchants should own up to responsibility for fraud. Indian rules are biased for the merchant. Only some people like Cleartrip are realising that this is only having a net negative effect on their business. The rest lobby with RBI to get away from that responsibility.
How many of you commenting that this is going to bring down fraud realise a simple fact that the same card can be used with an international merchant without any of these additional checks?
US banks and card networks allow chargebacks not just on fraud but also on unsatisfactory goods or service. How many of us realise our system finds every possible way to screw the customer but lets the merchant and bank get away happily?
Let's ask ourselves, if you ever hesitate to use your card online, is it because it might be stolen or is it because you might be cheated?
A very dramatic graph. But do you really want us to make a snap judgment on one day's worth of data!
I disagree. I believe it has got to do with how you handle it. To me the two factor authentication has been working without any issues for the past 1-2 years.
The government knows what is best for you, trust the government.
Hrush
When 3D was implemented, the travel industry and others had the same fear, which was found not so true in the long run. In fact I feel safer doing transactions online now than I did in 2009 as even though breaking 3D Secure is possible, it is an order of magnitude more difficult. I remember it being a minor blip for a few days and transactions went back to normal.
Please post an updated graph after a few days.
Don't think only from Cleartrip's perspective; think of the customer also. If I lose 10000, who is responsible?
shakeeb & piyush–we will post an update with data for the last 15 days shortly.
R.Sriram–the two factor authentication method you've been using in the past is not the same as the one introduced for mobile phones. For people using desktop browsers, the second factor is 3-D Secure; for people using mobile browsers, the second factor is a one time password that the user must generate before he can transact.
What are people or IAMAI doing about this phenomenon? Something needs to be done about this imo, and quick. This kind of approach is definitely going to hurt everyone, the consumer most of all..
Nagar–we *are* thinking of consumers, not ourselves. Under 3-D Secure, the consumer is liable for ALL fraudulent transactions that may happen; neither the merchant nor the bank take liability: http://bit.ly/fUxPny
Well said Hrush. It's really the merchants and banks that are trying to wash off their hands of *any* kind of responsibility for fraud that could happen in their premises. Really sad a *lot* of people are not understanding this.
only solution is to wait and watch…hasty decisions are always bad….
The graph is in percentages!!! and it is showing mobile transaction volumes. How significant is it against web transactions?
I did not notice two factor authentication since many banks rolled out 3-D Secure much before 1st Feb.
pragnesh–the graph is absolute numbers, not percentages. And it is for our mobile transactions as the new OTP rules apply to mobile and IVR transactions only, not to transactions on our regular web site.
Give it time dude. In South Africa we have a 3 step process, one login and 2 OTPs. When they introduced it everyone complained, now we just accept it as part of online banking.
Just one day's statistics is not enough. If you publish this article on 14th Feb, would you mind sharing the figures from 2nd Feb to 13th Feb at least?
The transactions may go down for few days or weeks but long term benefit cannot be denied.
Very insightful Hrush.
More I see such horrible policies being implemented the more I am saddened.
Forget everything about it impacting the business, as a user I have no memory of what I set my OTP as. I mean really, I can barely remember my PIN and password to my email/sites (1Password to the rescue), how the hell do they expect the card holder to remember this piece of info?
On a similar page the recent RBI stunt against Paypal has been such a showdown for small scale business owners and freelancers.
I hope one day our policy makers have people who actually use these technologies.
85% of Indian economy runs on black money because 85% Indians do not have any bank a/c
"In theory, this secures your cards against online fraud–if your card is physically stolen, the thief can no longer use it fraudulently online."
Actually _in theory_ too it is only partially correct. The thief can still use it to make foreign payments.
This is sad
Government should encourage any form of e-commerce rather than coming up with weird rules and methodologies. Sad.
Perhaps that 75% of your customer base used stolen CCs
By the way who says 3D-Secure is a 2 factor authentication first. Correct your understanding of the definition. It is still first factor (something user knows like id and password). yes OTP is a 2 factor authentication (something user has like token, OTP etc). And just because users are not well educated, do not blame the security measure. Yes it definitely cannot stop other attacks like MITM. So blog before you understand sir.
I can not agree more on this rant. 1-2-3-4 factor authentication is a major blow to achieve seamless user experiences.
There is a lot of sophisticated technology and data, banks can use, behind the scenes to protect data. Banks in different parts of the world have been doing this for years, so it is not just some cool new framework or software. Indian banks need to be active, aware, collect and monitor data, and to really secure customers, offer insurance on fraud. Not delegate security off of their back to the customers hands.
I would say more but I am pissed.
Actually this article is heavily loaded in favor of Merchants. If you want Amazon like simplicity, then you should also offer fraud & spoof reversals quickly. The pain to reverse dubious transactions is just not worth it. How many of you have tried to call your bank saying there is a fraudulent txn, and have got your money back? As a merchant does Cleartrip have the tools to detect and combat fraud, and commit to refunding unauthorized txns immediately, instead of having banks/card companies take the responsibility, which in turn means its the customer who loses?
I agree 2FA is flawed, but its MUCH better than no system, especially one which is out to screw the customer in case of fraud.
rajiv–do you know what second factor authentication is?
According to Wikipedia's definition:
"Two-factor authentication (TFA) means using any independent two of these authentication methods to increase the assurance that the bearer has been authorized to access secure systems".
Where, by "these", Wikipedia lists three different methods, any two of which must be used to qualify as two factor authentication:
1. What the requestor individually knows as a secret, such as a password or a Personal Identification Number (PIN), or
2. What the requesting owner uniquely has, such as a passport, physical token, or an ID-card, or
3. What the requesting bearer individually is, such as biometric data, like a fingerprint or the face geometry.
In the case of 3-D Secure, the user must enter his secret PIN and his credit card details. This is use of the first two authentication methods described above.
We linked to Wikipedia from the post itself, but here's the link again for easy reference:
http://en.wikipedia.org/wiki/Two_factor_authentication
If 3-D Secure is *not* two factor authentication, then how did the RBI accept it as being compliant with their mandate to implement two factor authentication?
I'm not sure what your definition of two factor authentication is. Maybe you can educate us all? And, while you're at it, please make sure to educate the banks and the RBI also.
I have been doing regular online transactions. My CC company asks me for a password every time. Never been an issue to me. In fact I like it this way. Better to be safe than sorry.
I am sure you web-based cos don't like it. But I would rather have a failed transaction than have to pay a lot of money to my CC company should my card be stolen.
Just my 2C worth.
Guys
RBI never said 2FA. All that RBI said is that
"it is mandatory for banks to put in place additional authentication/validation based on information not visible on the cards for all on-line card not present (CNP) transactions."
Neither did 3-D Secure claim it is 2FA.
3-D Secure is just payer authentication. The authentication method is chosen by the Issuing Bank as the liability for such CNP transactions is moved to the Issuing Bank from the online merchant. It so happens many Issuers have just implemented 3-D Secure (VbV) using passwords as it is easy and inexpensive, while there are some Issuers around the globe who have implemented proper 2FA along with 3-D Secure too. Over time every Issuing bank will use 2FA and fraud/risk management techniques along with 3-D Secure.
I have seen tons of data over the years across the globe and in India for the last few years to say that 3-D Secure has been very beneficial in growing ecommerce transaction volumes besides reducing CNP fraud. Period.
The specific authentication method of using OTP over SMS for IVR transactions in India is very inconvenient and I hope banks invest in adopting better 2FA solutions.
Can you give a better way to implement a more secure system than OTP or VBV ? Don't go on about billing address or date of birth, those are as shitty if not more.
Don't criticize w/o offering a better solution.
Plus how pathetic is it to base your argument on one day's statistics? And that day being the day OTP was launched. I claim OTP will attract more people than it discourages in the long run. How is my argument as sound as yours? I base it on lack of data just like you.
couldn't agree with you more!
security is paramount… as the popular Indian saying goes, "guard your own belongings and don't call the other person a thief"; however, when it comes at the cost of progress – the balance is not right.
security should facility balanced progress, not hinder it in the name of fear – and of course, security is not "just" preventive – it can be reactive!
for example, Deutsche Bank sends out an SMS every time my credit card does a transaction (no matter how small or large)… it gives me comfort as i know if the credit card is misused – i will be able to inform Deutsche Bank of it within minutes and have the money transfer as part of the daily reconciliation stopped until the vendor can provide supporting documents that the purchase was actually made.
i think rather than putting barriers in place for "internet" purchases, if the right authentication/authorization mechanisms were put in place with really good realtime notification systems, the consumer would be better off (and what the bank does not realise, so would the bank, as the volume of flow of funds would be manyfold what it is now!)
the problem with Indian regulators is they turn the whole story of electronic commerce upside down either in the name of compliance or security. and then the worse is they never enforce smooth implementation of these.
instead of promoting online channels they levy artificial tax either by inducing pain (SMSing and then waiting for transaction to close) or charging money to consumers (IRCTC levies online booking fees + transaction charge even today, bank charge NEFT charges when they openly claim online transfers are cheapest).
we are in a land where mostly OLDies govern or run institutes of importance needing highest implementations of technology. and sadly, these OlDies don't understand technology.
OTP for IVR is just an instance. It's the attitudinal change required amongst the regulators.
In our work around providing frictionless online interaction solutions to several American and British etailers, we've found almost NO use of Verified by Visa, MasterCard SecureCode, or any other two-factor authentication (2FA) solutions – EVEN for PC-based online transactions. Against this backdrop, it comes as a shock to learn that even mobile phone based online transactions need 2FA in India. As some comments say, maybe people will get used to juggling between screens on their mobile phones and eventually take transaction volumes back to their peak levels, but that's only likely for local users. This move by banks is definitely a big hit to Indian etailers trying to attract customers from abroad.
Firstly, this is a very relevant topic and I see this in two parts – 1. RBI’s intent i.e. card security and 2. implementation by Banks
We should not make the common mistake of thinking that what works in the US would work here in India since VBV or OTP may not be mandatory in the US. The fact is that card security is an issue in India and if eCommerce needs to grow and get buyers confidence, card security has to enhance. RBI’s move to introduce VBV and OTP has been just that.
Now here is where things go wrong – solution design, execution and communication, and the banks failed in all these three areas. As someone said in one of the posts, the solution is not designed by actual product owners in the bank but by some GMs sitting on top.
I personally volunteered to help in the design so that merchants' and consumers' needs and challenges are taken care of at the design stage itself, but the banks did not find this important. The key stakeholders, i.e. merchants, are not even informed with the right facts and on time, let alone involved in the design stage.
Execution again was most chaotic with no clear (standard) answers from banks even a day before the mandate was to kick off. Finally the way banks communicated to their users was as if saying we are sending mailers because we have to. The ownership to educate consumers seems to be left to the merchants. If the banks need to learn a lesson and do not repeat this going forward then involve merchants who will add value to make life easy and seamless for the consumer and also reduce revenue loss … only if the banks care
Belson–thank you for providing a balanced and knowledgeable perspective.
We're happy to contribute to solving this problem in any way we can.
I had been using the Subscription model for AWS. I never went through the hassle of two factor authentication except for the first time.
Hrush, Belson
Can the two of you get a room pls, and take your mutual love where the sun don't shine?
It would be interesting to see the trend in fraud detection and lost revenue due to card frauds since 3D was introduced. I bet you will see it going lower and lower.. towards less fraud.
I've tried the mobile site after reading this and was actually quite annoyed with the system – I didn't receive the OTP by SMS after trying three times.
I think ZipDial is much simpler and can be made to use here.
http://www.zipdial.com/corp/index.php
- Karan
It is a good thing to have double authentication for the sake of online business. If frauds are avoided the long term prospects will be healthy. However if frauds happen, as they do in some overseas locations, online commerce will lose its constituency. Better be SAFE than LATE.
The govt. should perhaps check the overloaded pockets of people like A.Raja first, and bring the Indian money from Swiss Banks. That would help more, rather than implementing such laws, that would only put more difficulty for the honest man.
Hi everyone…… the other side which everyone missed and Hrush didn't mention is that mobile transactions decreased but online transactions have increased…………
I don't see inclusion of mobile online payment under the IVR notification.
I see the extra password requirement for all internet transactions applicable from Aug 2009 in the public domain.
Can you include a link which shows mobile online payment was excluded from the notification for internet transactions dated Aug 2009 and was included as part of the IVR notification of Feb 2011?
psh. All you guys are doing is whine whine whine. ''Omg why should we pay if the consumer wants to be safe? Let there be fraudulent uses, we make money both ways, let people lose their cards, let others spend their hard-earned money on our sites''
NONSENSE. A person always has his mobile phone with him. So if someone does use his card and the OTP is sent to the native phone, the fool can't do any further damage. Same with VbV. Do you have any idea how easy it is to get someone's birthdate and personal details in a college-like environment? Are you gonna pay me back if someone uses my card details to book a ticket and I realise a month later? At least no one can read my thoughts and know my password.
Stop whining. The middle class has gained and you might have lost a little. Deal with it.