
How India’s Banks Killed The Future Of Commerce – Hrush Bhatt, Cleartrip

Hrush Bhatt, Founder & Director (Product and Strategy) at Cleartrip, is responsible for the company's corporate strategy and for the implementation of Cleartrip's website. In this guest column, he writes about the impact that the One Time Password has had on mobile transactions. Cleartrip has a mobile web based site, and the issue detailed below raises another question: should mobile regulations be applicable to the mobile web?

By RBI mandate, as of February 1 2011, two factor authentication is required for all mobile based transactions. In compliance, we switched our mobile web payments to two factor authentication on February 1. Here’s what happened to our daily transaction volumes that day:

Two factor authentication caused a 73% decrease in our average transactions and an 84% decrease against the highest volume day for the trailing 30 days.

Not a pretty picture.

The two factor authentication methods deployed by India’s banks are flawed–they are damaging India’s Internet growth and disadvantaging our internet companies.

First, a little bit of history for context: in February 2009, the RBI mandated that all web-based transactions in India implement 'two factor authentication' with effect from August 2009. Two factor authentication is a security scheme in which two independent authentication methods must be used before an action is authorised. To comply with the RBI mandate, all online payments in India had to add a second authentication method that required users to enter data that was not visible on the card itself.


In theory, this secures your cards against online fraud–if your card is physically stolen, the thief can no longer use it fraudulently online. The thief possesses the card details–name, number, expiration date, CVV–but not the “second factor” that must be entered before a transaction can be processed.

The RBI circular did not specify how two factor authentication should be implemented; it left that to the banks and payment gateways. Banks could have met the requirement by asking for a cardholder's date of birth or billing address. Instead, they rolled out 3-D Secure, better known as Verified by Visa or MasterCard SecureCode–a two factor authentication scheme widely regarded as a failure for three reasons:

  1. The design of the system is vulnerable to phishing or man-in-the-middle attacks (How not to design authentication)
  2. The scheme is designed from the ground up to protect merchants not customers (article)
  3. Payment failures increase massively causing losses for merchants and frustration for customers (article)

Instead of focusing on delivering a secure, usable and efficient second factor authentication model, India's banks rolled out 3-D Secure because it was the easy way out–the system was already available through payment gateways even prior to the RBI's mandate.

The decision by India’s banks to deploy 3-D Secure was shortsighted and wrongheaded. In 2009, we were on record as stating that the decision was problematic for three reasons:

  1. Makes it harder for users to transact online without really reducing the risk of fraud
  2. Puts India's internet businesses at a disadvantage by a) increasing failure rates, b) removing the ability to offer frictionless 1-click purchasing of the kind offered by Amazon or by Apple's iTunes, and c) making it impossible to have subscription based business models where cards are automatically charged in order to periodically renew a subscription
  3. Adapting the system for use in mobile commerce would be extremely challenging and burdensome for customers

The RBI mandate issued and implemented in 2009 explicitly exempted mobile-based online payments because 3-D Secure was never considered reliable for mobile transactions.

That was then.

In April 2010, the RBI issued a new circular mandating the use of two factor authentication for all IVR and mobile-based online payments with effect from January 2011.

To comply with the RBI’s new guidelines, India’s banks have made it mandatory for a customer to generate a “One Time Password” (OTP) for every single mobile transaction. How much additional overhead and headache does this create for honest customers that just want to buy something? How much does it increase costs for India’s online companies by increasing failure rates and customer support costs? (An article from MediaNama details how the new OTP system is hostile to customers)
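The column describes the second factor abstractly (data not printed on the card, a fresh OTP for every transaction) and, in the list above, the man-in-the-middle weakness of the 3-D Secure design. The following is an added illustration, not Cleartrip's code and not any bank's OTP implementation, of what an issuer-side per-transaction OTP verifier has to get right. It assumes a hypothetical issuer service that already knows the cardholder's registered phone and delivers the OTP out of band (delivery is stubbed out so the example runs offline); the OTP is random rather than derived from card data, and it is bound with an HMAC to the card token, merchant and amount being approved, so an OTP captured for one transaction does not authorise a different one. The validity window, attempt limit and the test data in `demo()` are constructed for the example.

```python
"""Per-transaction OTP issuer and verifier (added example, hypothetical issuer)."""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 180   # assumption: issuer-chosen validity window
MAX_ATTEMPTS = 3        # assumption: wrong entries allowed before the challenge dies


class OtpIssuer:
    """Issuer-side state for OTP challenges, one challenge per transaction."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._key = server_secret
        self._clock = clock
        self._pending = {}   # challenge_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _fingerprint(card_token: str, merchant_id: str, amount_paise: int) -> bytes:
        # Bind the OTP to exactly what the cardholder is approving.
        return f"{card_token}|{merchant_id}|{amount_paise}".encode()

    def _digest(self, fingerprint: bytes, otp: str) -> bytes:
        return hmac.new(self._key, fingerprint + b"|" + otp.encode(), hashlib.sha256).digest()

    def issue(self, card_token: str, merchant_id: str, amount_paise: int):
        """Create a challenge. The OTP goes to the cardholder's phone out of band;
        only the challenge_id is handed to the merchant/payment page."""
        # Random, not derived from card data: name, number, expiry and CVV
        # from a stolen card give the thief nothing to compute here.
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_hex(8)
        fp = self._fingerprint(card_token, merchant_id, amount_paise)
        self._pending[challenge_id] = [self._digest(fp, otp),
                                       self._clock() + OTP_TTL_SECONDS,
                                       MAX_ATTEMPTS]
        return challenge_id, otp

    def verify(self, challenge_id, card_token, merchant_id, amount_paise, otp) -> bool:
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False                       # unknown, already used, or exhausted
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[challenge_id]    # expired challenges are discarded
            return False
        fp = self._fingerprint(card_token, merchant_id, amount_paise)
        if hmac.compare_digest(digest, self._digest(fp, otp)):
            del self._pending[challenge_id]    # single use: a replay is rejected
            return True
        entry[2] -= 1                          # wrong OTP or altered transaction
        if entry[2] <= 0:
            del self._pending[challenge_id]
        return False


def _not(otp: str) -> str:
    """A value guaranteed to differ from the issued OTP (for the demo only)."""
    return "000000" if otp != "000000" else "000001"


def demo() -> dict:
    """Walk the cases the verifier has to get right, on constructed data."""
    now = [1_700_000_000.0]   # controllable clock so expiry can be tested offline
    issuer = OtpIssuer(server_secret=b"constructed-test-secret", clock=lambda: now[0])
    card, merchant, amount = "tok_4111", "cleartrip", 549900   # Rs 5,499.00 in paise
    results = {}

    cid, otp = issuer.issue(card, merchant, amount)
    results["wrong_otp"] = issuer.verify(cid, card, merchant, amount, _not(otp))
    # A relaying attacker who changes the amount is rejected even with the
    # genuine OTP, because the OTP was bound to the original transaction.
    results["tampered_amount"] = issuer.verify(cid, card, merchant, amount + 100000, otp)
    results["genuine"] = issuer.verify(cid, card, merchant, amount, otp)
    results["replay"] = issuer.verify(cid, card, merchant, amount, otp)

    cid2, otp2 = issuer.issue(card, merchant, amount)
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = issuer.verify(cid2, card, merchant, amount, otp2)

    cid3, otp3 = issuer.issue(card, merchant, amount)
    for _ in range(MAX_ATTEMPTS):
        issuer.verify(cid3, card, merchant, amount, _not(otp3))
    results["exhausted_then_genuine"] = issuer.verify(cid3, card, merchant, amount, otp3)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'accepted' if ok else 'rejected'}")
```

The binding to merchant and amount is the part that matters for the man-in-the-middle concern: a bare OTP that only proves "someone has the phone" can be relayed into a different transaction, whereas one tied to the transaction details fails the moment the amount or payee changes. The attempt limit and expiry are what keep a six-digit code from being guessable within its window.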


As the graph above shows, the costs of the new system are very real and very large. We expect things to improve over the next few weeks as customers become accustomed to the new requirements for transacting via their mobile phones, but we believe India’s customers and India’s businesses deserve better from our banks than this.

Instead of fuelling the growth of mobile commerce by putting in place an efficient and secure payments ecosystem which is customer-friendly and business-friendly, India’s banks have thrown out the baby with the bathwater. Requiring the use of “One Time Passwords” is a giant step backward that may permanently hobble India’s mobile commerce potential.

Reproduced with permission from the Cleartrip Blog. (c) Cleartrip 2011. The views expressed above are those of the author, and not necessarily representative of the views of MediaNama.com


© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ