No Chillr, Go Ahead

This is yet another “delayed post” – one that I thought up some two weeks back but am getting down to write only now. 

After some posts that I’ve done recently on the payments system, I decided to check out some of the payment apps, and installed Chillr. It was recommended to me by a friend who has an HDFC Bank account, who told me that the app is now widely used in his office to settle bills among colleagues. Since I too have an account with that bank, I was able to install it.

The thing with Chillr is that it is currently tied up with only HDFC Bank. You can still sign up if you have an account with another bank, but in that case you can only receive (and not send) money through the system, so your incentive for installing it is limited.

Installation is not very straightforward, since you have to enter some details from your netbanking that are not the usual things: one is a code that lets you receive money through the app and the other is a PIN that lets you send money (in IMPS terms, the MMID that identifies the receiving account and the MPIN that authorises a payment). Both are generated by the bank and sent to your phone by SMS, which the app reads automatically. I understand this is part of the system itself, and this step won’t go away irrespective of the app you use.

Once you have installed it, you can use the app to transfer money to contacts who are also on the app without needing to know their account number. The payment process is extremely smooth, with an easy second factor of authentication (a PIN that you set for the app, so it is instant), so if more people use it, it can ease a large number of payments, including small ones.

The problem, though, is that it is currently a “walled garden”, in that only customers of HDFC Bank can send money, and hence uptake of the app is limited. The app shows you which of your contacts are on it (since that is the universe to which you can send money). The last time I checked, there were four: the guy who recommended the app to me, another friend who works in the same organisation as him, a guy who works closely with banks, and a venture capitalist. And my phonebook runs into the high hundreds at least.

In terms of technology, the app is built on the IMPS platform, which means there is nothing that prevents it from transferring money across banks with its current level of authentication. This is very good news, since it means that once other banks are signed on, integration is seamless and there are no technological barriers to payment.

The problem, however, is that the sector suffers from the “2ab problem” (read my argument in favour of net neutrality using the 2ab framework). Different tech companies are signing on different banks (Chillr with HDFC, Ping Pay with Axis, and so on), and such banks will be loath to sign on multiple tech companies (possibly due to integration issues, possibly due to non-compete clauses).

Currently, if HDFC Bank has a users and Axis Bank has b users, and they use Chillr and Ping Pay respectively, the total value added to the system by Chillr and Ping Pay together is proportional to a^2 + b^2 (network effects, Metcalfe’s law and all that). But if these companies merge, or one of them gets the other’s bank as a client, then you have a single system with a+b users, and the value added by the combined payments entity is (a+b)^2 = a^2 + b^2 + 2ab. Currently the sector is missing the 2ab. The good news, however, is that there are no tech barriers to inter-bank payments.

Postscript: The title is a direct translation of a popular and perhaps derogatory Kannada phrase.

Second factor authentication

Ever since I wrote my Pragati piece on the two bad recent pieces of regulation by the Reserve Bank of India; since I had a long conversation with Deepak Shenoy about them; since (I believe) Raghuram Rajan replied to my Pragati piece in a subsequent speech; since I got a mail from Citibank that starting next month I can’t use my internet password as a second factor of authentication and must instead use a One Time Password; and since I realised I’m travelling abroad next month and am not planning to use international roaming, so will not be able to receive the One Time Password, I’ve been thinking of ways in which a bank or a credit card company can securely use a second factor of authentication without really inconveniencing the customer.

Essentially, a second factor of authentication is a piece of information that is not stored on the magnetic stripe or chip of your credit/debit card. This ensures that possession of your card alone will not allow a fraudster to defraud you, unless he is also in possession of the second factor. This makes credit card fraud much less likely (though not impossible: what if the same guy steals both your credit card and your phone? But it is impossible to design systems to that degree of security).

The four-digit PIN you enter at an ATM is one such second factor (remember the note the bank sends with your card telling you not to write down the PIN anywhere near the card). Similarly, the four-digit PIN you enter to authenticate a chip transaction on your credit card is a second factor. Earlier, credit cards required a signature as the second factor, but the signature was checked only after the payment had been processed, so it is not seen as a reliable second factor, and signatures are being phased out. In the United States, for example, your ZIP code (a piece of information not printed on your card) serves as the second factor, in the rare case it is asked for; the US is among the last major countries to move to two-factor credit card transactions.

Given that just about any piece of information not available on your card can be a second factor, it is puzzling that most banks and credit card providers insist on a One Time Password sent over SMS or email. It is as if they believe that telecom networks are far more secure than any other way to disseminate a second factor. They are not: an SMS can be read by anyone who takes over the phone number (a SIM swap) or the SS7 signalling path that carries it, whereas a code generated on the device never has to be delivered to it. A friend who was visiting from the US, for example, was unable to transact online in India since his Verizon package didn’t include SMS, which has gone out of fashion there.

Earlier today I was reading this excellent piece on how the US’s move towards chip-and-PIN cards (the transition will take half a decade to complete; interestingly, India made it in less than a year) is going to lead to higher security for credit card transactions worldwide. Among other things, the piece mentions a “Visa Token Service”, in which a dynamic token replaces the static credit card number.

I have had a trading account with Kotak for a few years now, and they have provided me with a physical token. Pressing the only key on the token displays a six-digit number, which is the additional factor of authentication I need to log on to the website and trade securities. The token and my account share a secret seed: each code is computed from that seed together with a counter or the current time (which is what “syncing” the token with the account amounts to), so the bank can compute the same number on its side and compare it with what I typed, and that is how I get authenticated.

My last employer had issued us BlackBerrys for work email (this was in 2009, when they were in fashion). They had also issued us tokens that we could use to log on to the corporate network from home, in the rare case we had to. And since I got the token after I’d got my BlackBerry, the token simply sat as an app on the BlackBerry. Considering that this second factor is just a six-digit code computed from a seed the bank already knows, why can’t my second factor be a token of that kind residing in the Citibank app on my phone (which is already authenticated), rather than something sent to me by SMS?

This is only one way in which the second factor could be delivered. For taxi services, for example, your card details can still be stored with the taxi company, but at the end of the ride you simply enter a four-digit passcode into the driver’s app (the passcode could be generated by your app, or your phone and the driver’s phone could do an NFC handshake).

As I mentioned, the options for a second factor are endless, but for some reason banks seem hell-bent on an SMS-based One Time Password. Could it be a conspiracy by the telecom companies to hang on to at least some of their SMS revenues?

And I think we need a statement from the RBI Governor that banks are not obliged to use an SMS-based OTP as the second factor, and can be creative with it!

Exponential increase in uptake of IMPS

We have dealt with exponential increases on this blog once before. We revisit the topic, this time in the context of IMPS, the inter-bank mobile payment system that came into place sometime last year. I’ve never used it, so I’m not sure how it works, but going by the data put out by the National Payments Corporation of India, the volume of transactions is increasing at an exponential rate.

How do we determine this is an exponential rate? First, let us look at the time series of total volumes of transactions:

[Figure: monthly IMPS transaction volumes, linear scale. Source: http://www.npci.org.in/impsVolumes.aspx]

Notice that after remaining flat for a couple of months (maybe even decreasing), the number of transactions has really taken off (March is probably an aberration, but given that it is the month of financial year closing, higher volumes can be expected). Increased exponentially, you say? How can we test that?

We can test that by using a logarithmic scale for the y-axis. Here is the same plot again, except that this time the Y-axis is logarithmic.

[Figure: the same series with a logarithmic Y-axis. Source: http://www.npci.org.in/impsVolumes.aspx]

Notice that apart from the aberration and the initial two months, the graph is now (close to) a straight line. In other words, we can describe it by a line of the form

log y = a + b x

or y = exp(a + bx) = e^a (e^b)^x

Thus, exponential! The slope b is the growth rate: each month the volume gets multiplied by the same factor e^b.
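The same test done numerically, as an added example (my own code, not the post’s, and run on constructed numbers rather than the NPCI figures, which survive here only as the charts): fit log y = a + b x by least squares and compare its R-squared with that of a straight-line fit on the raw values, so the choice of model is not just eyeballed. The function names and the two sample series are my own.

```python
import math


def linear_fit(xs, ys):
    """Ordinary least squares for y = a + b x. Returns (a, b, r_squared)."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b = sxy / sxx
    a = mean_y - b * mean_x
    ss_res = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - mean_y) ** 2 for y in ys)
    return a, b, 1.0 - ss_res / ss_tot


def log_linear_fit(xs, ys):
    """Fit log y = a + b x, i.e. y = exp(a) * exp(b)^x. Returns (a, b, r_squared)."""
    return linear_fit(xs, [math.log(y) for y in ys])


def classify_growth(volumes, months=None):
    """Compare a straight-line fit on the raw values with a straight-line fit on
    their logs. Returns (better model, implied month-on-month factor exp(b),
    r_squared of the linear fit, r_squared of the log-linear fit).
    Pass `months` explicitly to leave an aberrant month out of the fit."""
    xs = list(range(len(volumes))) if months is None else list(months)
    _, _, r2_linear = linear_fit(xs, volumes)
    _, b, r2_log = log_linear_fit(xs, volumes)
    model = "exponential" if r2_log > r2_linear else "linear"
    return model, math.exp(b), r2_linear, r2_log


# Constructed monthly series (not NPCI data): one multiplies by 1.4 every month,
# the other adds a fixed 400 every month.
EXPONENTIAL_SERIES = [1000 * 1.4 ** m for m in range(12)]
LINEAR_SERIES = [1000 + 400 * m for m in range(12)]

if __name__ == "__main__":
    for name, series in (("exponential", EXPONENTIAL_SERIES), ("linear", LINEAR_SERIES)):
        model, factor, r2_lin, r2_log = classify_growth(series)
        print(f"{name} series: best fit {model}, monthly factor {factor:.3f}, "
              f"R2 linear {r2_lin:.3f}, R2 log-linear {r2_log:.3f}")
```

To drop the March-style aberration the post mentions, leave that month out of both the volume list and the months list; exp(b) then reports the implied month-on-month growth factor for the remaining points.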

Coming back from the geekery, it is really good to note that IMPS has taken off. However, this should not be taken as proof that mobile payments are easy, for IMPS is anything but. New RBI Governor Raghuram Rajan said in his inaugural speech that he hopes to make it simpler to make payments via mobile. Hopefully this will happen soon. Till then, all we can do is contribute to the exponential growth in the uptake of IMPS!