Recently the RBI has put the onus of verifying customers on the merchants, and the e-commerce industry has begun to implement the outcome. While the central bank may have framed a development-oriented policy, the risk and the outcome of the new methods lie completely with the merchants, and the methods are only going to increase the possibilities of fraud.
Second-factor authentication, as it is called, is designed around a few "spirits", as below:
– The merchant should authenticate the user through an independent system
– The merchant should authenticate the user for each transaction
– Not strictly necessary, but the method should be easy for the public at large to use
As far as the methods being proposed by leading e-commerce players like Paytm, Visa, and Flipkart, among others, are concerned, they comply mostly with the last spirit. The flaws in the process are:
– The verification system has to be a completely independent system. You cannot be the Judge and the plaintiff at the same time.
– It should not use the stored information to authenticate. Authenticating automatically through stored information is a huge risk to the user’s personal sensitive information.
If this new method continues, we will see large chunks of users' personal sensitive information being traded across insecure APIs, only to present an opportunity for hackers and fraudsters to feast upon. While some players can secure their own systems, they may not have the wherewithal to secure the endpoints on which the transactions take place.
SMS OTPs continue to present a technology case that is completely safe, independent and user-friendly. They are widely adopted and accepted across the world. We expect that more careful organizations will continue to use SMS OTPs to validate transactions and not compromise user information, especially in view of the GDPR-like policies being framed across the world.
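The two spirits above that the post says the current proposals miss, an independent verifier and a fresh check for every transaction, can be made concrete in code. The following is an added example written for this page; it is not code from any of the companies named and it does not describe how any of them actually implement OTPs. It models an OTP verifier that runs separately from the merchant: the merchant only hands over a transaction id, amount and payee, the verifier generates the code and sends it by SMS itself (the `send_sms` callback is an assumed hook), and all it keeps is an HMAC of the code bound to that specific transaction, with an expiry and an attempt limit. Because the amount and payee are part of what is hashed, a code issued for one transaction cannot be replayed for another or for an altered amount, and no customer data beyond the phone number ever needs to flow back to the merchant.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Tunables assumed for this example; a real deployment would set its own.
OTP_TTL_SECONDS = 180   # code is valid for three minutes
MAX_ATTEMPTS = 3        # lock the transaction after three wrong entries


@dataclass
class PendingOtp:
    """What the verifier stores per transaction: never the OTP itself."""
    digest: bytes        # HMAC(key, txn_id | amount | payee | otp)
    expires_at: float
    attempts: int = 0


class OtpService:
    """Independent second-factor verifier (hypothetical, for illustration).

    send_sms(phone, text) is an assumed delivery hook; `now` is injectable
    so expiry can be tested without sleeping.
    """

    def __init__(self, send_sms, key: bytes, now=time.time):
        self._send = send_sms
        self._key = key
        self._now = now
        self._pending: dict[str, PendingOtp] = {}

    def _bind(self, otp: str, txn_id: str, amount: str, payee: str) -> bytes:
        # The OTP is tied to the exact transaction context it was issued for.
        msg = f"{txn_id}|{amount}|{payee}|{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, amount: str, payee: str, phone: str) -> None:
        """Generate and deliver a fresh OTP for one transaction.

        The merchant never sees the code; only the customer's phone does.
        """
        otp = f"{secrets.randbelow(10**6):06d}"   # uniform 6-digit code
        self._pending[txn_id] = PendingOtp(
            digest=self._bind(otp, txn_id, amount, payee),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        # Showing amount and payee in the SMS lets the customer spot tampering.
        self._send(phone, f"OTP {otp} for paying {amount} to {payee}. "
                          f"Valid {OTP_TTL_SECONDS // 60} min. Do not share.")

    def verify(self, txn_id: str, amount: str, payee: str, otp_entered: str) -> str:
        """Return 'ok', 'unknown_txn', 'expired', 'locked' or 'mismatch'."""
        pending = self._pending.get(txn_id)
        if pending is None:
            return "unknown_txn"              # never issued, or already consumed
        if self._now() > pending.expires_at:
            del self._pending[txn_id]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[txn_id]         # stop online guessing of the code
            return "locked"
        expected = self._bind(otp_entered, txn_id, amount, payee)
        if not hmac.compare_digest(expected, pending.digest):
            return "mismatch"                 # wrong code OR altered amount/payee
        del self._pending[txn_id]             # one-time use: no replay
        return "ok"


if __name__ == "__main__":
    # Constructed demo: the "SMS" is just printed to the console.
    svc = OtpService(lambda phone, text: print(f"[SMS to {phone}] {text}"),
                     key=secrets.token_bytes(32))
    svc.issue("TXN-DEMO-1", "499.00", "Example Store", "+91-0000000000")
    code = input("Enter the OTP shown above: ").strip()
    print(svc.verify("TXN-DEMO-1", "499.00", "Example Store", code))
```

The verifier returns distinct outcomes so that a merchant integration can tell an expired code from a wrong one without the verifier ever exposing the code or the customer's stored details. Using `hmac.compare_digest` rather than `==` avoids leaking how many leading digits matched through timing.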