OTP (One Time Password) is used either for direct authentication or during two-factor authentication. In two-factor/two-step authentication it works well, but there can be disadvantages in one-step authentication. Payment options are appearing at shops where the buyer is asked for his/her mobile number and the retailer enters it into the system. The buyer then receives an OTP via SMS and tells it to the retailer, which completes the transaction.
There are a few things that should be thought about:
- Did the buyer check where the SMS came from? Who is the sender? Is the sender the same as what the retailer says? Is the vendor the retailer names actually the vendor for this transaction?
- Why this point? A retailer could tell the buyer a wrong vendor name and send some other request to the buyer's phone. The buyer should know whom the message will come from, and should check the OTP sender.
- How long is the OTP valid? Is it valid forever, or throughout the day? A short validity period would be better, matched to the time a transaction normally takes.
- Were the amount and purpose specified in the OTP message? This would be of great help, as the buyer would know what this OTP message is for and how much it is worth. With a message that does not state the amount, the buyer might end up paying more.
- Can the OTP be hacked? It is delivered by SMS. Is SMS safe?
- What if the mobile is lost, stolen or in someone else's hands? That person knows the owner of the mobile has an account with this payment service/gateway, goes shopping and pays with the payment service. The OTP arrives on the mobile, and the person pays using it. Such a scenario can occur. How can the owner of the phone prevent this?
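As an added example, not code from the original post, the following server-side Python sketch shows how a payment service could address the validity and amount/purpose points above: each code is bound to the amount and merchant it was issued for, expires quickly, is single-use, has a guess limit, and the SMS states what the code authorises. The server key and the pending-code table are in-memory assumptions standing in for a secrets store and a database.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: the key would come from a secrets store and
# the pending table from a database; both are kept in memory here.
SERVER_KEY = secrets.token_bytes(32)
_pending = {}

OTP_TTL_SECONDS = 120   # short validity window, as the post recommends
MAX_ATTEMPTS = 3        # limit online guessing of a 6-digit code


def _digest(code, amount, merchant):
    """Keyed hash of the code together with the transaction it covers."""
    msg = f"{code}|{amount:.2f}|{merchant}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_otp(amount, merchant, now=None):
    """Issue a code bound to one amount and payee; returns (id, code, sms)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    otp_id = secrets.token_hex(8)
    # Only the keyed hash is stored, never the code itself.
    _pending[otp_id] = {"digest": _digest(code, amount, merchant),
                        "expires": now + OTP_TTL_SECONDS,
                        "attempts": 0, "used": False}
    # The SMS names the service, amount and payee so the buyer can check
    # them before reading the code out to the retailer.
    sms = (f"PayService: code {code} authorises {amount:.2f} to {merchant}. "
           f"Valid for {OTP_TTL_SECONDS} seconds.")
    return otp_id, code, sms


def verify_otp(otp_id, code, amount, merchant, now=None):
    """Accept the code only for the amount and payee it was issued for."""
    now = time.time() if now is None else now
    rec = _pending.get(otp_id)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    if rec["attempts"] >= MAX_ATTEMPTS:
        return False
    rec["attempts"] += 1
    # A retailer submitting a different amount or vendor fails here even
    # with the correct code, because those values are inside the HMAC.
    if not hmac.compare_digest(rec["digest"], _digest(code, amount, merchant)):
        return False
    rec["used"] = True   # single use: a replayed code is rejected
    return True
```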