Sick of OTPs? RBI has a new notification. You can say NO to the One Time Passwords that you need to key in every time you do an online transaction, but only for transactions less than Rs. 2000.
The idea is that the OTP is a pain. You get it by SMS. And SMS is not “deterministic” in the sense that there’s no guarantee you’ll actually get it. And then your phone’s battery may be dead (and you might be trying to buy a new battery online!). Or you may be in a remote location with no mobile coverage but some internet. And if you don’t get the SMS, you can’t finish your transaction. Plus, it’s a bit of a pain to wait for it.
So the RBI says:
- We’ll allow YOU (the cardholder) to say “I don’t want OTP, dammit”
- But only for transactions that cost less than Rs. 2000
- And then also, it’s not smooth
- Because your card network – the Mastercard/Visa/Rupay – will ask you to login with a username and password you create on their website. Only then does the payment go through.
- So they’ve replaced an OTP with a password, even if you did opt out
This is not so much of a difference. So instead of entering your card details and then an OTP, you just enter a login/password for each transaction at the mastercard/visa layer. To counter, banks could offer you the ability to use a password instead of an OTP. (HDFC Bank does offer it, and I really thank them for it)
So if your card details (minus CVV) are stored at say Flipkart or Amazon, your choices are:
- Checkout with CVV (since other card details are stored), and then OTP/Password at bank
- or, in the new system, Checkout and enter Mastercard/Visa login and password if the transaction size is less than Rs. 2000
For a consumer, the amount of work is approximately the same.
The OTP is not sacrosanct – a bank can offer ANYTHING as a second factor of authentication. They can ask you a password, a secret question, or even a fingerprint. But many banks just default to using OTPs, which are a pain.
But now, a user has to opt out of the 2FA plan for less than Rs. 2000 transactions. Then he has to create a user id and password at the network site (like a Visa checkout or such). Then a website/online merchant has to support non-2FA authentication, and when you check out, you need to go to that site, login again and approve the transaction. Instead of keying in your card number and CVV etc, you key in the username and password.
This may not really be of big use to anyone, since the number of steps involved are similar. However, it allows you to not put your card details in a merchant website, which is a nice security measure at a new website. (However, if you don’t opt out, you can give your card details to anyone – they won’t be able to use it without an OTP/Password. You can disable international transactions – they are disabled by default)
We say: Don’t Give Up The OTP!
Imagine that a card database leaks out and after some attempts, a bot is able to charge your account with, say, Rs. 200 at a time. You will now have to fight to get it reversed, and probably file an FIR with the cops etc. This is a horrendously difficult task in India and you will waste too many days on it.
Plus, you’re going to need an OTP for transactions greater than Rs. 2000 anyhow.
And this won’t make your Uber ride any easier. You can’t enter your card details and have them charge whatever they want – the card network login will be needed for each payment (and Uber won’t be allowed to store those details).
It’s just useless then to have:
- card network login id and password if less than Rs. 2000
- OTP if greater than Rs. 2000
Just keep the darn OTP.
It’s safer too; if you don’t have the card network login, you would be hit if people started taking out small amounts from your account on a regular basis. That will happen if your card is compromised – even a waiter noting down card details will be able to use it later at his house. (With an OTP, or with a card network login, he will need information not on the card so it’s tougher).
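The risk described above (a leaked card database, or a waiter copying card details, followed by repeated small charges that stay under the Rs. 2000 no-OTP limit) is exactly the pattern an issuing bank would want to catch on its own side. The script below is an added example, not code from the original post or from RBI or any bank: it runs a simple velocity check over a constructed transaction log, flagging a card when too many low-value charges with no second factor land within a sliding 24-hour window, or when their combined value crosses the Rs. 2000 threshold that an OTP would otherwise have protected. The window size, the count limit and the sample log entries are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each row: card id, timestamp,
# amount in Rs., and whether a second factor (OTP or password) was used.
SAMPLE_LOG = [
    # card-A: normal use, one small charge without OTP, one large charge with OTP
    ("card-A", "2016-12-06 10:00:00", 1500.0, False),
    ("card-A", "2016-12-06 18:30:00", 5000.0, True),
    # card-B: compromised, a bot charging Rs. 200 every ten minutes without OTP
    ("card-B", "2016-12-06 10:00:00", 200.0, False),
    ("card-B", "2016-12-06 10:10:00", 200.0, False),
    ("card-B", "2016-12-06 10:20:00", 200.0, False),
    ("card-B", "2016-12-06 10:30:00", 200.0, False),
    ("card-B", "2016-12-06 10:40:00", 200.0, False),
    ("card-B", "2016-12-06 10:50:00", 200.0, False),
    # card-C: a purchase split into two sub-threshold parts to avoid the OTP
    ("card-C", "2016-12-07 09:00:00", 1800.0, False),
    ("card-C", "2016-12-07 09:30:00", 900.0, False),
    # card-D: two small charges days apart, nothing unusual
    ("card-D", "2016-12-01 12:00:00", 300.0, False),
    ("card-D", "2016-12-05 12:00:00", 400.0, False),
]

OPT_OUT_LIMIT = 2000.0      # from the RBI rule: no OTP required below this amount
MAX_SMALL_TXNS = 3          # assumed policy: more than this many no-OTP charges per window is suspicious
MAX_SMALL_TOTAL = 2000.0    # assumed policy: no-OTP charges adding up past the OTP threshold is suspicious
WINDOW = timedelta(hours=24)  # assumed sliding window


def parse_log(rows):
    """Group rows by card and sort each card's events by time."""
    txns = defaultdict(list)
    for card, ts, amount, second_factor in rows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        txns[card].append((when, amount, second_factor))
    for card in txns:
        txns[card].sort(key=lambda e: e[0])
    return txns


def flag_cards(rows, window=WINDOW, max_count=MAX_SMALL_TXNS, max_total=MAX_SMALL_TOTAL):
    """Return {card: reason} for cards showing a burst of low-value charges
    that bypassed the second factor within any sliding window."""
    flagged = {}
    for card, events in parse_log(rows).items():
        # Only charges that were both below the opt-out limit and made without
        # a second factor can be driven by someone holding just the card data.
        small = [(t, a) for t, a, sf in events if not sf and a < OPT_OUT_LIMIT]
        start = 0
        for end in range(len(small)):
            # Slide the window start forward until it fits inside `window`.
            while small[end][0] - small[start][0] > window:
                start += 1
            count = end - start + 1
            total = sum(a for _, a in small[start:end + 1])
            if count > max_count or total > max_total:
                flagged[card] = (f"{count} no-OTP charges totalling Rs. {total:.0f} "
                                 f"within {window}")
                break
    return flagged


if __name__ == "__main__":
    for card, reason in sorted(flag_cards(SAMPLE_LOG).items()):
        print(f"{card}: {reason}")
```

Run as-is, it flags card-B (a burst of Rs. 200 charges) and card-C (two charges that together exceed Rs. 2000 without any OTP), and leaves card-A and card-D alone. A real issuer would tune the thresholds per customer and act on a hit by stepping up to an OTP or blocking the card rather than silently logging it; the point of the example is that once the OTP is opted out, this kind of after-the-fact check is the only line of defence, whereas keeping the OTP stops the charge before it happens.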
If you want to keep getting the OTP, don’t do anything.
If you still want to opt out of this OTP thing, then you have to wait till your card issuer enables the option to opt out, and then manually create a user name and password at the VISA/MC/RUPAY sites (which don’t have the facility right now). Only then does the OTP stop for small transactions.
But our view is that OTP is easier. So don’t opt-out.