Why India has OTPs, but not the US
When we went to Singapore, I saw that my American-bank-issued credit card would not ask for an OTP for online transactions (even though in India, the same card would ask for the OTP), whereas the Indian-bank-issued credit card would ask for the OTP even in Singapore.
I wondered yet again why the US doesn't have an OTP-equivalent system. I stumbled upon the answer while reading Patrick McKenzie's article on the history of the American credit card system. The short answer? It is a "legacy system":
"A legacy system is any outdated computing system, hardware or software that is still in use."
How is the American credit card system a legacy system? How can the same system of credit cards then have the OTP security mechanism in India? Why can't the US shift to the OTP-equivalent system? Answers below.
McKenzie starts with the history of the credit card in the US. It was designed in the pre-Internet age, and therefore several choices were made which made perfect sense for that era. The assumption was that fraud would require someone to steal the physical card. That was not easy to do on a massive scale: you could steal a few here and there, but how would one steal thousands of physical cards? And so the checks against fraudulent use were proportionally weak. If fraud was going to be a fairly uncommon event, why put too much thought into designing counter-measures?
While not perfect (obviously), this system was good enough. Until, that is:
"…the Internet came".
Suddenly, the way to defraud changed drastically. One just needed to know the card details, not get physical possession of the card. An insecure website could be tapped. The database of the Internet company holding card details could be hacked. See how the Internet made fraudulent use of credit cards possible on a massive scale?
The architects of the credit card system scrambled to find a solution. They came up with the CVV (the 3-digit number on the back of the card) and the expiry date. Never share those, said the credit card industry. Problem solved? Hmmmm… Sure, this was an improvement. But the CVV and expiry date had the same flaw: they could be tapped on an insecure Internet connection. And how could one be sure that no Internet site was saving the CVV or expiry date in a database that could potentially be hacked?
As McKenzie says:
"Many people interject at this point: for goodness sake, you folks are smart people. Could you please ask for information that is not printed on the freaking plastic rectangle?!"
In theory, yes, the credit card industry could think of many solutions. But:
"It turns out that, for legacy reasons, this is extremely difficult to do at scale, because those plastic rectangles were issued by tens of thousands of banks to hundreds of millions of customers for decades. It would be very bad for them to suddenly stop working, and the banks knew huge amounts of interesting things about many customers but very little in a consistent fashion about every customer."
There was no solution that could be rolled out seamlessly, since (1) any other piece of information that might serve as a second-level check could not be standardized, because not all card issuers would have that particular information about all their customers, and (2) the credit card handling software across all banks would have to be updated to authenticate the extra piece of information, whatever it might be.
See why he calls it a legacy system problem?
Ok, but India came up with the OTP system. Why doesn't the US switch to that? Aha, but most credit card issuers do not have the mobile number of all their customers. Many of their customers are from decades back. Ok, why not collect that information over a period of time and then turn on OTPs? The reason surprised me: there are far too many people in the US who don't have a mobile (smart or feature) phone, especially the poorer ones.
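The difference between the CVV check described above and the OTP check is worth seeing concretely. The following is an added illustration, not code from the post or from any bank: a static CVV is the same three digits on every transaction, so one copy captured from a leaked merchant database keeps working, while a one-time code is generated per transaction, delivered out of band, bound to that transaction's amount and merchant, expires, and cannot be replayed. All values (the stored CVV, transaction ids, merchants, amounts, the 120-second window) are constructed for the demo.

```python
import hmac
import secrets
import time

# Constructed demo of two second-factor checks for a card-not-present payment.
# Nothing here is a real issuer's code; all identifiers and values are made up.


def cvv_check(presented: str, stored: str) -> bool:
    """Static check. The secret is the same for every transaction, so any
    party that captured it once (a tapped connection, a leaked merchant
    database) can present it again indefinitely."""
    return hmac.compare_digest(presented, stored)


class OtpIssuer:
    """Issues one-time codes for individual transactions.

    A code is delivered out of band (here simply returned to the caller,
    standing in for an SMS to the cardholder's registered mobile number),
    is valid only for the transaction it was issued for, only within a
    short window, and only once.
    """

    def __init__(self, ttl_seconds: int = 120, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be demonstrated
        self._pending = {}  # txn_id -> (amount, merchant, code, issued_at)

    def issue(self, txn_id: str, amount: int, merchant: str) -> str:
        # 6 decimal digits from a CSPRNG; never derived from anything on the card.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[txn_id] = (amount, merchant, code, self.now())
        return code

    def verify(self, txn_id: str, amount: int, merchant: str, presented: str) -> bool:
        record = self._pending.get(txn_id)
        if record is None:
            return False  # unknown transaction, or code already consumed
        exp_amount, exp_merchant, code, issued_at = record
        if self.now() - issued_at > self.ttl:
            del self._pending[txn_id]  # expired: discard so it can never be used
            return False
        if amount != exp_amount or merchant != exp_merchant:
            return False  # code is bound to the transaction it was issued for
        if not (isinstance(presented, str) and presented.isdigit()):
            return False
        if not hmac.compare_digest(presented, code):
            return False
        del self._pending[txn_id]  # single use: a replay finds no record
        return True


def demo() -> dict:
    """Run both checks against the failure modes the post describes."""
    clock = [1_000_000.0]  # constructed clock, advanced by hand below
    issuer = OtpIssuer(ttl_seconds=120, now=lambda: clock[0])
    results = {}

    # Static CVV: a value captured once (e.g. from a leaked database) still passes.
    stored_cvv = "123"  # constructed
    captured_cvv = "123"
    results["cvv_replay"] = cvv_check(captured_cvv, stored_cvv)

    # One-time code: the legitimate first use succeeds ...
    code = issuer.issue("txn-1", 4999, "shop-a")
    results["otp_first_use"] = issuer.verify("txn-1", 4999, "shop-a", code)
    # ... a replay of the captured code is rejected ...
    results["otp_replay"] = issuer.verify("txn-1", 4999, "shop-a", code)
    # ... the code does not approve a different amount for the same transaction ...
    code2 = issuer.issue("txn-2", 1000, "shop-a")
    results["otp_wrong_amount"] = issuer.verify("txn-2", 99999, "shop-a", code2)
    # ... and a code presented after the window has closed is rejected.
    code3 = issuer.issue("txn-3", 500, "shop-b")
    clock[0] += 300
    results["otp_expired"] = issuer.verify("txn-3", 500, "shop-b", code3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The point the demo makes is that the OTP's strength does not come from secrecy of a fixed value but from the code being short-lived, single-use and tied to one transaction, which is exactly what a value printed on the card can never be. It also shows the dependency the post identifies: the issuer must have an out-of-band channel (the registered mobile number) for every cardholder before the check can be switched on.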
All this makes me wonder if India got the OTP system implemented for credit cards (and a zillion other things) because:
- Systems like Aadhaar were designed for the Internet + mobile phone.
- Thanks to Aadhaar, there was a single digital unique ID that could be integrated across telecom and banking companies.
- Since landline coverage was so limited, almost everyone has a mobile phone, feature or smart.
- The convenience of UPI payments incentivized more and more people to link their Aadhaar IDs to their bank accounts and their phone numbers.
I feel I have found the reasons that, even if not perfect, must be close to the reasons why the US still doesn't have a system like OTPs.