Visa may reduce use of one-time passwords

A sales clerk swipes a customer's Visa card at a shop in Wellington, New Zealand. PHOTO: BLOOMBERG

Credit card giant Visa is looking to make online transactions easier by cutting down the use of one-time passwords (OTPs) - the codes sent to customers' mobile phones when they enter their card details.

Visa's country manager for Singapore and Brunei, Ms Ooi Huey Tyng, said there are "growing issues" with the authentication method, such as the OTPs arriving late, phones being disabled while travelling, and the system being "cumbersome" for smaller transactions.

The company is now working with banks to promote a "risk-based authentication" approach where only transactions that are "high risk" will require further authentication by means of OTPs.

She believes this will "significantly improve the experience for cardholders and merchants, while maintaining a level of trust with security".

Such an approach involves scoring a transaction for risk. Considerations include the transaction amount, regularity of the transaction in question, the location where the transaction is taking place and device information. It has been successfully implemented at banks in Britain, France, Australia and the Philippines, Visa said.

However the Association of Banks in Singapore (ABS) pointed out that the move might not sit well with some customers.

"While this approach may please some consumers, there are also consumers who would prefer that every transaction be authenticated in the name of security," said ABS director Ong-Ang Ai Boon.

"The one-time password helps to protect against online fraud. It is a secure way to authenticate that the customer making the online purchase is the rightful owner of the credit or debit card."

Mr Matthew Gyde of Dimension Data Group, an information technology solutions and services company, said he would prefer every transaction to be authenticated.

"If you look at a lot of the attacks that are out there, they are not necessarily trying to take a hundred thousand dollars off you. They are trying to take a couple of dollars off you, so you won't really notice it," said Mr Gyde, who is group executive of security.

He added that the biggest drawback of the risk-based authentication approach is that the company managing the online transaction "has to be super diligent about updating their user profile(s)".

However, he also said risk-based authentication "is getting better by the day".

Their comments come after Ms Brenda Scofield, 69, a tourist from Hong Kong, wrote to The Straits Times' Forum page about her difficulty with making an online booking with her credit card.

The counsellor told The Straits Times by phone that she could not receive an OTP, which was sent to the mobile phone of her husband, the principal cardholder. She was a secondary cardholder.

Even if she had asked for the password to be sent to her Hong Kong phone, she would not have received it on the Singapore SIM card she was using while here.

"Singapore has so much on offer and, until my latest visit, it was relatively easy to book tickets online using my credit card," she wrote.

"But now, I find myself at the mercy of the one-time password. I hope the authorities can make it easier for tourists to book tickets online, without the OTP."

Banks and merchants, including ticket outlet Sistic and Gardens by the Bay, told The Straits Times that the one-time-password has improved security, with Sistic adding that this was in line with Monetary Authority of Singapore guidelines.

Singaporedeals4u, which offers tourist deals online, and online store Qoo10 both said they have received complaints from tourists who could not receive OTPs.

Taxi driver Zheng Yuanyang, 30, finds the OTP system inconvenient when on holiday abroad. "If you (turn) on your roaming and then suddenly your friends message you or the data comes in, it is expensive," he said.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on May 26, 2016, with the headline Visa may reduce use of one-time passwords. Subscribe