
Nowadays, any credit/debit card transaction made online (at least for mine) requires one to enter the card details (Account No., Expiry Date, CVV, etc.). In the end, an OTP (One Time Pass) is sent to the mobile number linked to that Credit/Debit card for 2-Factor Authentication.

In this process, if someone (other than the owner) possesses the correct Card No. and CVV of the card, can he gain access to the account and make any transactions?

This assumption is made while keeping in mind that the device on which the OTP is being sent is not compromised.


It seems like this method of authentication is not that predominant. If one has to pay a sum of $100 via his account, the person goes through this process:

  1. Enter the Credit/Debit Card number, enter the Expiry date of the card and the CVV (a 3 digit code)

  2. For Complete Authentication of the User, an OTP is sent to the mobile number registered to that account.

  3. Now the user has to enter the OTP (this is the final step)

  4. If all the aforementioned details are valid, the transaction is made.

Certain things to keep in mind:

  • I get redirected to the bank account's site when I have to enter the OTP, i.e. the OTP isn't entered at the merchant store, rather it is entered at the bank site, which the merchant redirects us to

  • If the entered OTP is wrong, the site provides an option for resending a new OTP to the same number

  • OTP is 6 digits

Vasu Deo.S
  • Looks good to me. Thanks! – Anders Nov 12 '19 at 12:28
  • Please include the name of the payment scheme you're asking about. Things like "SOFORT" and "iDEAL" for instance redirect you away from the merchant's online store to your own bank's online banking platform where you authenticate the transaction. You then use the native security of your own bank which most likely is difficult to circumvent without proper MFA. – Bob Nov 12 '19 at 11:51

1 Answer


Your experiences are in no way universal. It's possible that many banks in your country do authentication that way, but it's not the case in the USA. Your question title makes it sound like you're talking about online banking (which usually just uses conventional username+password credentials, with sometimes the option of a second factor, once you're past account creation), but I assume you actually mean "Is it possible to pay with a card online without an OTP"?

In a strict sense, the answer is obviously yes; I can both sign into at least one of my banks or pay from several of my cards (though my usual one notifies me about certain payments) without any kind of OTP being involved at any step.


With all that said, let's look at the actual situation of your bank, and its 2FA implementation. There are a few things that need to be confirmed:

  • Is the OTP generated securely (that is, not predictable in any way)?
  • Is the OTP long enough that you can't just guess a bunch of times and brute-force it?
  • Does the OTP have brute-forcing protection, so you can't just set a script to trying for a day and get it anyhow?

Beyond ways that an attacker might bypass the OTP, they could also just get it sent to them. Phone numbers in general are not good for 2FA; it's too easy to maliciously port somebody's number (the carriers don't care). That's assuming you can't just steal the device and see the OTP above the lock screen (if a lock code is even set) or, if necessary, remove the SIM and put it in your own device. TOTP apps (such as Google Authenticator) plus a lock code, or a hardware token (such as a Yubikey) are much more secure.


Finally, consider that the system you described isn't actually two-factor authentication. Both factors are conventionally going to be a "thing you have", and while they're different things, they're both commonly carried in a purse or pocket, and sometimes are carried together (phone cases that also have slots for payment cards are somewhat popular around here). Yes, the phone might not be usable without its lock code or SIM security code (either of which are a "thing you know"), and the payment card details could be memorized rather than carrying the card (turning it into a "thing you know"), but the scheme overall still doesn't really fit the strict definition of 2FA.

CBHacking
  • Edited the question, and added some more detail regarding my question – Vasu Deo.S Nov 12 '19 at 11:16
    *"which usually just uses conventional username+password credentials, with sometimes the option of a second factor"* - gaaaaah! To recycle your words and put them back to you: it's possible that many banks in your country do authentication that way, but your experiences are in no way universal. Here in the UK, using a card reader is universally required as part of the process of logging into your bank account online; the idea of a customer even having the option of logging into their bank account in 2019 with only a username and password is kind of disturbing to me. – Mark Amery Nov 12 '19 at 11:31
  • A card reader? Dedicated hardware on... what, your laptop? desktop? *phone?* I'm not saying that doesn't sound like an improvement, security-wise (albeit with some risks, like "if I lost the card, I now can't sign into the account to tell them I lost the card"), but it sounds completely impractical from a user perspective. With that said, I am in **no** way defending the shoddy security practices of the major banks here in the US; they suck and I have, in polite professional wording while being paid hundreds of dollars an hour for being there, told them so. It didn't change anything. – CBHacking Nov 12 '19 at 21:03
  • @CBHacking A [card reader](https://www.nationwide.co.uk/support/security-centre/internet-banking-security/card-reader-and-security-questions) is a two-factor device for banks that reads your card, has you enter your PIN, then generates a two-factor auth code. They're everywhere (as every bank customer, i.e. nearly every adult, is sent one by their bank) and standardised (you can e.g. use a Barclays card reader to sign into HSBC), so even if you go traveling without yours, you can probably borrow one from a friend if you unexpectedly need to sign into your bank. All you need is your card. – Mark Amery Dec 04 '19 at 12:06
  • @MarkAmery Nifty! I hadn't seen those before, even while traveling, but I like the idea. AFAIK nobody in the US uses them, which is a shame. – CBHacking Dec 04 '19 at 21:47
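The question's flow (card details, then a 6-digit OTP with a "resend" option) and the answer's three checks (unpredictable code, enough digits, brute-force protection) can be seen together in a small server-side model. The following is an added example written for this page; it is not code from the asker, the answerer, or any bank, and the constants for validity window, guess budget and resend cap are assumptions chosen for illustration. The `now` parameter exists so the behaviour can be exercised deterministically; a real deployment would persist this state in a datastore keyed by transaction.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # the question describes a 6-digit OTP
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 5        # assumed guess budget per transaction, shared across resends
MAX_RESENDS = 3         # assumed cap on "send me a new code"


def generate_code(digits=OTP_DIGITS):
    """Uniformly random numeric code from the OS CSPRNG (not random.randint)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpSession:
    """Server-side state for one transaction's OTP step (hypothetical model)."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        self.attempts = 0      # wrong guesses so far; deliberately NOT reset by resend
        self.resends = 0
        self.consumed = False  # a code is single-use
        self._issue(now)

    def _issue(self, now):
        self.code = generate_code()   # in practice this is what gets sent by SMS
        self.issued_at = now

    def resend(self, now=None):
        """Issue a fresh code; the old one stops working. Returns False if capped."""
        now = time.time() if now is None else now
        if self.resends >= MAX_RESENDS or self.consumed:
            return False
        self.resends += 1
        self._issue(now)
        return True

    def verify(self, candidate, now=None):
        """Returns one of 'accepted', 'rejected', 'expired', 'locked'."""
        now = time.time() if now is None else now
        if self.consumed or self.attempts >= MAX_ATTEMPTS:
            return "locked"
        if now - self.issued_at > OTP_TTL_SECONDS:
            return "expired"
        # Constant-time compare: a plain == can leak how many leading
        # characters matched through timing differences.
        if hmac.compare_digest(self.code, str(candidate)):
            self.consumed = True
            return "accepted"
        self.attempts += 1
        return "locked" if self.attempts >= MAX_ATTEMPTS else "rejected"


def guess_success_probability(attempts, digits=OTP_DIGITS):
    """Probability of guessing a uniform `digits`-digit code within `attempts` tries."""
    space = 10 ** digits
    return min(attempts, space) / space


if __name__ == "__main__":
    s = OtpSession(now=0.0)
    print("code issued (would go by SMS):", s.code)
    print(s.verify("000000", now=1.0))    # almost certainly "rejected"
    print(s.verify(s.code, now=2.0))      # "accepted"
    print(s.verify(s.code, now=3.0))      # "locked": the code is single-use
    print(f"{MAX_ATTEMPTS} guesses at {OTP_DIGITS} digits: "
          f"{guess_success_probability(MAX_ATTEMPTS):.1e}")
```

The point the answer's checklist makes shows up in `guess_success_probability`: with a shared budget of five attempts, a guesser's chance is 5 in a million, but if "resend" reset the counter or no counter existed, the same six digits could be exhausted by a script in a day, which is exactly the third bullet in the answer.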