The quick and easy way we pay online is the most fundamental agenda of digital transformation accelerated by the pandemic. We live in a world where you can pay for items in your shopping cart with a single click of a purchase button, or transfer money by scanning a QR code without an additional payment process. But, are you sure that your payments are managed safely enough?
According to The Nilson Report, card fraud is expected to have cost the world $32.04 billion in 2021 and gross losses from card fraud are set to reach $38.5 billion worldwide by 2027.
To deal with this problem, banks, card companies, and payment gateways have been strengthening security by requiring two-factor authentication (2FA) such as PIN code, biometric authentication, and short message service (SMS) to close the payment, or by notifying the cardholder of approval details by text message.
Nevertheless, the risk of card duplication or sniffing attacks occurring during near field communication (NFC) is still ongoing. We also observe the convenience of user experiences is being compromised little by little, as more layers of security are added for financial transactions.
Mobile payment, which is rapidly growing, is trying to block cyberattacks altogether by using one-time tokenisation or requiring mandatory 2FA.
Thanks to such a strong policy, many users feel safe with mobile payment services, but it cannot solve the limitations of the smartphone itself. What if your smartphone runs out of battery, dies, loses signals, registers an error, or takes a long time to load?
"Major disadvantage being the money is stuck in phone, if battery dies or network is poor payment cannot be done." said the Adoption and Usage of Mobile Payment Systems by Consumers and Merchants Report conducted by Dr.Kirti Ranjan Swain and Dr. Vishal Kumar.
Safe and convenient digital payment is a challenge that financial service firms and digital payment service companies must improve. Among the technologies to solve their concerns, the technology that stands at the forefront is one-time authentication code (OTAC).
OTAC generates non-duplicate and non-reusable dynamic code even in the off-the-network environment without the aid of any additional infrastructure. As card not present (CNP) fraud is caused by username and password or card numbers based on a static value, even if card information is stolen during online payment, OTAC-applied payment is free from the threat of CNP fraud.
In addition, since OTAC proceeds in one way rather than with a ring structure in which authentication codes must be exchanged, you can expect faster and simpler authentication.
The Toss Bank case shows how OTAC can be applied to financial services. The switch OTP implemented in Toss Bank's debit card is based on OTAC technology. Toss Bank is currently applying this technology for authentication service when transferring large sums of money. All a user must do to use this service is to tap a debit card on the back of their smartphone. It shows that security can been greatly improved, with authentication that is much easier to use.
OTAC can also be embedded as an applet on an IC chip in smart cards such as a credit or debit card. A smart card with OTAC applet generates a new code every time it is used, thereby fundamentally preventing duplication or reuse. In addition, smart cards do not require batteries as they get power via communication with the reader. They also do not rely on cellular networks, and require minimal time to exchange information, meaning they can be used completely independently from smartphones.
Crucially, OTAC can prevent anyone from using your card illegally even if your card is copied or the command is stolen. It means that the uses of smart cards can be expanded to a much greater extent than they are today. If you don't have security concerns, there's no reason not to try a new service.
For example, suppose that your credit card can be used not only for transportation payment, but also for a pass to enter a building or a mission-critical staff-only room. If it is possible to generate a one-time QR code for access to the administrator's website without a 2FA process just by tapping on the smartphone with your credit card, there is no reason not to choose this multi-functional card. It's too safe and easy to say "No".
The emergence of all-in-one cards based on smart cards is no longer an exaggeration because of the advantage of being able to use this safe and easy process from payment to identity verification (know you customer, KYC). When financial service firms embed OTAC to their customers' corporate cards, they can expand their service from payment to a building pass, access to mission-critical websites, and even identity authentication. This paves the way for a new smart card ecosystem as OTAC eliminates security concerns such as sniffing.
Just as the smartphone pioneered a new ecosystem of app services where the role of mobile phones was only for phone calls and text services, smart cards with near-zero security concerns will expand themselves into the realms of access management and identity verification beyond payment.
Security and convenience are not a winner-takes-all option where you have to choose one, they can coexist. As technologies enabling convenient access services alongside minimal security concerns continue to emerge, we will discover more new technologies in the future.