Second factor authentication

Ever since I wrote my Pragati piece on the two bad recent pieces of regulation by the Reserve Bank of India, and since I had a long conversation with Deepak Shenoy about them, and since (I believe) Raghuram Rajan replied to my Pragati piece in a subsequent speech, and since I got a mail from Citibank that starting next month I can’t use my internet password as a second factor authentication and must instead use a One Time Password, and since I realised I’m traveling abroad next month, and am not planning to use international roaming to be able to receive the One Time Password, I’ve been thinking of ways in which a bank or a credit card company can securely use a second factor of authentication without really inconveniencing the customer.

Essentially, a second factor of authentication is the provision of a piece of information that is not stored on the magnetic strip or chip of your credit/debit card. This ensures that possession of your card alone will not allow a fraudster to defraud you, unless he is also in possession of the second factor of authentication. This makes credit card fraud much less likely (though not impossible: what if the same guy steals both your credit card and your phone? But it is impossible to design systems to that degree of security).

The four-digit PIN that you have to enter when you use an ATM is one such second factor (remember the note the bank sends you along with your card telling you not to write down the PIN anywhere close to the card). Similarly, the four-digit PIN you have to enter to authenticate a chip transaction on your credit card is a second factor. Earlier credit cards would require you to sign as a second factor, but that was done after payment processing, so it is not seen as a reliable second factor, and hence signatures are being phased out. In the United States, for example, your ZIP code (a piece of information not available on your card) is your second factor (in the rare case it is asked for; the US is among the last major countries to move to two-factor credit card transactions).

Given that just about any piece of information not available on your card can serve as a second factor, it is puzzling that most banks and credit card providers insist on a One Time Password sent over SMS or email as the second factor. It is as if they believe that telecom networks are far more secure than any other way to disseminate a second factor of authentication. A friend who was visiting from the US, for example, was unable to transact online in India since his Verizon package didn't provide him with SMS services, which have gone out of fashion there.

Earlier today I was reading this excellent piece on how the US’s move towards Chip and PIN cards (will take half a decade for the transition to be complete – interestingly India made this transition in less than a year) is going to lead to higher security for credit card transactions worldwide. Among other things, the piece mentions a “Visa Token Service” where a dynamic token will replace the static credit card number.

I have had a trading account with Kotak for a few years now, and they have provided me with a physical token. Upon pressing the only key on the token, a six-digit number is displayed, which is the additional factor of authentication I need to log on to the website and transact securities. The algorithm of my token is synced with my account (basically the token and the bank share the seed of the random number generator that operates on my token), and thus I get authenticated.

My last employer had issued us BlackBerrys for work email (this was in 2009, when they were in fashion). They had also issued us tokens that we could use to log on to the corporate network from home, in the rare case when we had to log in from home. And since I got the token after I'd got my BlackBerry, the token simply sat as an app on my BlackBerry. Considering that this second factor of authentication is just a six-digit number derived from a shared seed, why can't my second factor of authentication be tied to one such token that resides in the Citibank app on my phone (which is already authenticated), rather than being sent to me by SMS?

This is only one possible method by which the second factor could be authorised. For transactions on taxi services, for example, your credit card details can still be stored with the taxi service, but at the end of the ride, on your way out, you simply enter a four-digit passcode into the driver's app (the passcode could be generated by your app, or your phone and the driver's phone could do an NFC handshake).

As I had mentioned, the opportunities for a second factor of authentication are endless, but for some reason banks seem to be hell-bent on using an SMS-based One Time Password. Could it be a conspiracy by the telecom companies to maintain at least some of their SMS revenues?

And I think we need a statement from the RBI Governor stating that banks are not obliged to use an SMS-based OTP as the second factor of authentication, and that they can be creative with it!

Flower Sellers

If you have ever been to Church Street in Bangalore, you would have come across this girl. It is extremely hard to miss her, and it is likely that she has pestered you at least once in your life. She was little the first time I saw her, but I happened to come across her recently, and she seems to have grown up now.

She is a fair girl, with a pleasant face. Her hair is usually tied up in two plaits, and whenever I have seen her, she is wearing this woollen pullover over her salwar. Her job is to sell flowers, red roses to be precise. And the first time I happened to see her was four summers ago, when I was walking down Church Street with a girl to whom I hoped to give red roses. And as her profession warrants, she was trying to sell us a red rose.

The worst insult you can give to a street vendor is to turn them into a beggar. Hawking on the streets is respectable business, it is a signal that you are willing to work for your living and don’t want to be shown pity. It is another matter that most street vendors don’t really get this and literally beg you to buy their product. Nevertheless, they do get extremely offended if you were to treat them like you would treat a beggar. That fundamental difference is there.

My companion on that day hadn’t wanted the flowers, not even if I were to gift them to her as a token of love. The flower seller, however, wouldn’t go away. Maybe she had figured that marketing to couples was an extremely profitable strategy, and didn’t want to let go of this opportunity. My companion had proceeded to pull out twenty rupees and give them to the vendor, asking her to keep it and not give her any flowers. Incensed at being treated like a beggar, the poor flower seller had run away. I don’t know if something snapped in me at that moment, but we broke up under inexplicable circumstances a couple of hours later.

Cut the scene forward by three years, three months and three days, and change the venue of the scene to Gandhi Bazaar in South Bangalore. It was a different vendor this time, and she was selling jasmine on strings. It was dark, and her face was dark, so I don’t really think I’ll recognize her if I see her another time. It was late in the evening so her stock of jasmine was almost over, and she was trying to get rid of whatever was left.

I was meeting this girl (not the vendor) for the first time that day, and her reaction was swift. “I’ll buy some for my mum”, she declared and quickly cleared the vendor’s stock. My mind quickly went back to that day on Church Street three years, three months and three days earlier.

Louis, I thought, this is the beginning of a beautiful friendship.