Why India has OTPs, but not the US

When we went to Singapore, I saw that my American-bank-issued credit card would not ask for an OTP for online transactions (even though in India, the same card would ask for the OTP), whereas the Indian-bank-issued credit card would ask for the OTP even in Singapore.


I wondered yet again why the US doesn’t have an OTP-equivalent system. I stumbled upon the answer while reading Patrick McKenzie’s article on the history of the American credit card system. The short answer? It is a “legacy system”:

“A legacy system is any outdated computing system, hardware or software that is still in use.”


How is the American credit card system a legacy system? How can the same system of credit cards then have the OTP security mechanism in India? Why can’t the US shift to the OTP equivalent system? Answers below.


McKenzie starts with the history of the credit card in the US. It was designed in the pre-Internet age, and therefore several choices were made which made perfect sense for that era. It was assumed that fraud would require someone to steal the physical card. That was not easy to do on a massive scale – you could steal a few here and there, but how would one steal thousands of physical cards? And so the checks against fraudulent use were proportionally weak – if it was going to be a fairly uncommon event, why put too much thought into designing counter-measures?


While not perfect (obviously), this system was good enough. Until, that is:

“…the Internet came”.

Suddenly, the way to defraud changed drastically. One just needed to know the card details, not have physical possession of the card. An insecure website could be tapped. The database of an Internet company holding card details could be hacked. See how the Internet made fraudulent use of credit cards possible on a massive scale?


The architects of the credit card system scrambled to find a solution. They came up with the CVV (the 3-digit number on the back of the card) and the expiry date. Never share those, said the credit card industry. Problem solved? Hmmmm… Sure, this was an improvement. But the CVV and expiry date had the same flaw – they could be tapped on an insecure Internet connection. And how could one be sure that every Internet site wasn’t saving the CVV or expiry date in its databases, where it could potentially be hacked?
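The flaw described above, that the CVV and expiry date are just more static values which replay as easily as the card number itself, is clearest when set beside a one-time code that is bound to a transaction, expires, and can be used only once. The Python below is an added example written for this post; it is not code from the original article, from McKenzie, or from any bank or card network. The card record, the transaction ids and the 180-second validity window are constructed for illustration, and a real issuer would also bind the code to amount and merchant.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample card record as an issuer might hold it.
# PAN, CVV and expiry are all static: anyone who captured them once
# can present them again, so checking them proves nothing about who is present.
CARD_ON_FILE = {
    "pan": "4111111111111111",  # constructed test number, not a real card
    "cvv": "123",
    "expiry": "12/29",
}


def authorize_static(pan, cvv, expiry):
    """Pre-OTP style check: compare the presented static data with data on file."""
    rec = CARD_ON_FILE
    return (
        pan == rec["pan"]
        and hmac.compare_digest(cvv, rec["cvv"])
        and expiry == rec["expiry"]
    )


class OtpIssuer:
    """Toy issuer-side OTP store: each code is tied to one transaction,
    time-limited, and consumed on first verification attempt."""

    def __init__(self, ttl_seconds=180, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be demonstrated offline
        self._pending = {}  # txn_id -> (sha256 of code, expiry timestamp)

    def send_otp(self, txn_id):
        """Generate a 6-digit code for txn_id. In practice it goes to the
        registered phone; it is returned here only so the demo can use it."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[txn_id] = (digest, self.now() + self.ttl)
        return code

    def verify(self, txn_id, code):
        """True only for an unexpired, never-before-used code for this txn_id.
        The entry is removed on any attempt, so a replay or a guess burns it."""
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, presented)


def demonstrate():
    """Show that captured static data replays, while a captured OTP does not."""
    captured = ("4111111111111111", "123", "12/29")  # what a leaky site would hold
    static_first = authorize_static(*captured)
    static_replay = authorize_static(*captured)  # identical data, accepted again

    clock = [1_000_000.0]  # fake clock, seconds
    issuer = OtpIssuer(ttl_seconds=180, now=lambda: clock[0])

    code = issuer.send_otp("txn-1")
    otp_first = issuer.verify("txn-1", code)
    otp_replay = issuer.verify("txn-1", code)  # same code again: already consumed

    code2 = issuer.send_otp("txn-2")
    clock[0] += 600  # ten minutes pass before the code is presented
    otp_expired = issuer.verify("txn-2", code2)

    return {
        "static_first": static_first,
        "static_replay": static_replay,
        "otp_first": otp_first,
        "otp_replay": otp_replay,
        "otp_expired": otp_expired,
    }


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```

The point of the contrast is in `demonstrate()`: the static check accepts the captured data every time, while the OTP path accepts a code exactly once and never after its window, so a database dump or a tapped connection yields nothing reusable. Hashing the pending code and popping it on the first attempt are the two habits that keep the issuer side from becoming the next static store.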


As McKenzie says:

“Many people interject at this point: for goodness sake, you folks are smart people. Could you please ask for information that is not printed on the freaking plastic rectangle?!”

In theory, yes, the credit card industry could think of many solutions. But:

“It turns out that, for legacy reasons, this is extremely difficult to do at scale, because those plastic rectangles were issued by tens of thousands of banks to hundreds of millions of customers for decades. It would be very bad for them to suddenly stop working, and the banks knew huge amounts of interesting things about many customers but very little in a consistent fashion about every customer.”

There was no solution that could be rolled out seamlessly since (1) any other piece of info that might serve as a second level check could not be standardized because not all card issuers would have that particular info about all their customers, and (2) the credit card handling system software across all banks would have to be updated to authenticate the extra piece of information, whatever it might be.


See why he calls it a legacy system problem?


Ok, but India came up with the OTP system. Why doesn’t the US switch to that? Aha, but most credit card issuers do not have the mobile number of all their customers. Many of their customers are from decades back. Ok, why not get that info over a period of time and then turn on the OTPs? The reason surprised me: there are far too many people in the US who don’t have a mobile (smart or feature) phone! Especially the poorer ones.


All this makes me wonder if India got the OTP system implemented for credit cards (and a zillion other things) because:

  1. Systems like Aadhar were designed for the Internet + mobile phone.
  2. Thanks to Aadhar, there was a single digital unique ID that could be integrated across telecom and banking companies.
  3. Since landline coverage was so poor, almost everyone has a mobile phone – feature or smart.
  4. The convenience of UPI payments incentivized more and more people to link their Aadhar IDs to their bank accounts and their phone numbers.


I feel I have found the reasons that, even if not perfect, must be close to the reasons why the US still doesn’t have a system like OTPs.
