By RBI mandate, as of February 1 2011, two factor authentication is required for all mobile based transactions. In compliance, we switched our mobile web payments to two factor authentication on February 1. Here’s what happened to our daily mobile transaction volumes that day.
Two factor authentication caused a 73% decrease in our average daily transaction volume and an 84% decrease relative to the highest-volume day of the trailing 30 days.
Not a pretty picture.
The two factor authentication methods deployed by India’s banks are flawed–they are damaging India’s Internet growth and disadvantaging our internet companies.
First, a little bit of history for context–In February 2009, the RBI mandated that all web based transactions in India were required to implement ‘two factor authentication’ with effect from August 2009. Two factor authentication is a security scheme in which two independent authentication methods must be used before an action is authorised. To comply with the RBI mandate, all online payments in India had to add a second authentication method that required users to enter data that was not visible on the card itself.
In theory, this secures your cards against online fraud–if your card is physically stolen, the thief can no longer use it fraudulently online. The thief possesses the card details–name, number, expiration date, CVV–but not the “second factor” that must be entered before a transaction can be processed.
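To make concrete what the “second factor” adds, here is an added example (not code from the original post, and not any bank’s implementation) of a bank-side one-time password issued per transaction: the code is derived with HMAC from a fresh random nonce together with the card number, merchant and amount, expires after a short window, and can be used once. The HMAC key, the 180-second window, the card number, the merchant name and the amount are all constructed for the demo. It walks through the cases the post argues about: the honest cardholder succeeds; a thief holding the full card details but not the cardholder’s phone cannot; a replayed or expired code fails; and, because the code is bound to the amount, a man-in-the-middle who relays the genuine OTP but alters the amount also fails.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180   # assumption: real issuers use windows of their own choosing
OTP_DIGITS = 6


class TransactionOtp:
    """Hypothetical bank-side OTP issuer/verifier for card-not-present payments.

    Each OTP is derived from a random nonce AND the transaction details, so it
    verifies only for the exact (card, merchant, amount) it was issued for,
    within a short window, and exactly once."""

    def __init__(self, now=time.time):
        self._key = secrets.token_bytes(32)    # per-deployment HMAC key (assumption)
        self._now = now
        self._pending = {}                     # txn_id -> (nonce, issued_at)

    def _derive(self, txn_id, card_number, merchant, amount_paise, nonce):
        # Bind the code to the transaction: a tampered amount or merchant
        # yields a different MAC and therefore a different OTP.
        bound = f"{txn_id}|{card_number}|{merchant}|{amount_paise}".encode()
        mac = hmac.new(self._key, nonce + bound, hashlib.sha256).digest()
        code = int.from_bytes(mac[:4], "big") % (10 ** OTP_DIGITS)
        return f"{code:0{OTP_DIGITS}d}"

    def issue(self, txn_id, card_number, merchant, amount_paise):
        """Issue an OTP; a real issuer sends it out of band (e.g. SMS)."""
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = (nonce, self._now())
        return self._derive(txn_id, card_number, merchant, amount_paise, nonce)

    def verify(self, txn_id, card_number, merchant, amount_paise, submitted):
        # Single use: the pending entry is removed on the first attempt,
        # whether it succeeds or fails, so a guesser gets one try per OTP.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False                       # unknown transaction or already used
        if not (submitted.isascii() and submitted.isdigit()
                and len(submitted) == OTP_DIGITS):
            return False                       # malformed code
        nonce, issued_at = entry
        if self._now() - issued_at > OTP_TTL_SECONDS:
            return False                       # expired
        expected = self._derive(txn_id, card_number, merchant, amount_paise, nonce)
        return hmac.compare_digest(expected, submitted)   # constant-time compare


def demo():
    """Run the cases discussed in the post; returns a dict of outcomes."""
    clock = [1_700_000_000.0]                  # controllable clock for the demo
    bank = TransactionOtp(now=lambda: clock[0])
    card = "4111111111111111"                  # constructed test card number
    merchant, amount = "example-merchant", 49900   # constructed: Rs 499.00 in paise
    results = {}

    # 1. Honest cardholder receives the OTP out of band and enters it.
    otp = bank.issue("txn-1", card, merchant, amount)
    results["cardholder"] = bank.verify("txn-1", card, merchant, amount, otp)

    # 2. Replay: the same OTP presented a second time is rejected.
    results["replay"] = bank.verify("txn-1", card, merchant, amount, otp)

    # 3. Thief with the full card details but not the phone must guess;
    #    modelled deterministically as a guess that differs from the real code.
    real = bank.issue("txn-2", card, merchant, amount)
    guess = f"{(int(real) + 1) % (10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    results["thief_guess"] = bank.verify("txn-2", card, merchant, amount, guess)

    # 4. Man-in-the-middle relays the genuine OTP but changes the amount.
    otp = bank.issue("txn-3", card, merchant, amount)
    results["tampered_amount"] = bank.verify("txn-3", card, merchant, amount * 10, otp)

    # 5. Expiry: the OTP is not accepted once the window has closed.
    otp = bank.issue("txn-4", card, merchant, amount)
    clock[0] += OTP_TTL_SECONDS + 1
    results["expired"] = bank.verify("txn-4", card, merchant, amount, otp)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

The binding to amount and merchant is the part worth noting: an OTP that is merely “a random code sent by SMS” still verifies if an attacker relays it against a modified transaction, whereas a code derived over the transaction details does not, which addresses one of the man-in-the-middle concerns raised against 3-D Secure below.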
The RBI circular did not specify how two factor authentication should be implemented; it left that to the banks and payment gateways. Banks could have met the requirement by asking for something not printed on the card, such as the cardholder’s date of birth or billing address (a weak second factor, since a thief who has the wallet often has those too, but one that adds almost no friction at checkout). Instead, they rolled out 3-D Secure, better known as Verified by Visa or MasterCard SecureCode–a two factor authentication scheme widely regarded as a failure for three reasons:
- The design of the system is vulnerable to phishing and man-in-the-middle attacks: the bank’s authentication page is shown inside an iframe or pop-up on the merchant’s checkout, so the customer has no way to check which domain is asking for the password and is trained to type bank credentials into an unverifiable frame (Murdoch and Anderson, “Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication”, Financial Cryptography 2010)
- The scheme is designed from the ground up to protect merchants not customers (article)
- Payment failures increase massively causing losses for merchants and frustration for customers (article)
Instead of focusing on delivering a secure, usable and efficient second factor authentication model, India’s banks rolled out 3-D Secure because it was the easy way out–the system was already available through payment gateways even prior to the RBI’s mandate.
The decision by India’s banks to deploy 3-D Secure was shortsighted and wrongheaded. In 2009, we were on record as stating that the decision was problematic for three reasons:
- Makes it harder for users to transact online without really reducing the risk of fraud
- Puts India’s internet businesses at a disadvantage by a) increasing failure rates, b) removing the ability to offer frictionless 1-click purchasing of the kind offered by Amazon or by Apple’s iTunes, and c) Making it impossible to have subscription based business models where cards are automatically charged in order to periodically renew a subscription
- Adapting the system for use in mobile commerce would be extremely challenging and burdensome for customers
The RBI mandate issued and implemented in 2009 explicitly exempted mobile-based online payments because 3-D Secure was never considered reliable for mobile transactions.
That was then.
In April 2010, the RBI issued a new circular mandating the use of two factor authentication for all IVR and mobile-based online payments with effect from January 2011.
To comply with the RBI’s new guidelines, India’s banks have made it mandatory for a customer to generate a “One Time Password” (OTP) for every single mobile transaction. How much additional overhead and headache does this create for honest customers that just want to buy something? How much does it increase costs for India’s online companies by increasing failure rates and customer support costs? (An article from MediaNama details how the new OTP system is hostile to customers)
As the graph above shows, the costs of the new system are very real and very large. We expect things to improve over the next few weeks as customers become accustomed to the new requirements for transacting via their mobile phones, but we believe India’s customers and India’s businesses deserve better from our banks than this.
Instead of fuelling the growth of mobile commerce by putting in place an efficient and secure payments ecosystem which is customer-friendly and business-friendly, India’s banks have thrown out the baby with the bathwater. Requiring the use of “One Time Passwords” is a giant step backward that may permanently hobble India’s mobile commerce potential.