The OTP experience
Many of the credit card issuing Banks have recently introduced a One Time Password (OTP) for doing internet transactions. Of the credit cards that I have, in case of HDFC Bank, there is an option to choose between OTP and password and in case of HSBC, there is no choice - it is OTP.
So far, I have been using the password option to do internet transactions. This morning, I decided to pay my cell phone bill using HSBC. The payment options came up, and on choosing the credit card option, the screen to enter credit details came up fine. Then I was taken to the HSBC site, which asked me to enter the OTP. I kept checking my cell phone but no password came. I clicked on the option to resend the OTP, but that seemed to do nothing. I clicked on a "Help" link which said my cell phone details must be updated in the Bank records for this to work. This was not a problem in my case, since I was receiving all other Bank communications on my cell phone.
Frustrated, I used my HDFC credit card and made the transaction using the password. After 10 minutes, I received the OTP from HSBC.
Why did the OTP take so much time? Perhaps there was a fault in the HSBC system. Or, it could have been an issue with the mobile carrier. In either case, OTP is not a foolproof way to do an internet transaction, which is time-bound. Most e-commerce transactions time out in a minute, if not earlier.
The decision to implement OTP does not seem to be well thought out. Besides the issue outlined above, imagine a situation where your cellphone does not have charge or is out of range of the network provider. What if you are abroad without International Roaming, but want to make an electronic transaction?
It was not too long ago that a two-factor authentication process using Mastercard SecureCode and Verified by Visa came into existence to provide an additional level of security for electronic transactions.
The irony of it is, there are international ecommerce sites where a transaction goes through even without the CVV number, much less the OTP or password. I don't want to name the site where I had a recent experience but it was a revelation to me!
All the elaborate security setup goes for a toss, when not consistently implemented across the world!
Update: I didn't want this to be a "one-time" experience. Tried it a few hours back for another internet payment. The OTP was generated instantaneously and I could transact successfully. This does not change the premise of the article anyway :)