Juspay is one of the worst payment gateways anyway. It makes it impossible to pay for anything and I get scared whenever I see this stupid logo during payment.
Their site is an example of over-engineering designed to make seemingly simple things hard. Like for example, it always tries to detect OTP and fails most of the time. Then it obscures the Continue button and add an extra step.
But worse is their internet speed detection algo. Why in the world does a payment processor need to check my internet speed and show me a popup your internet connection is slow (happens mostly on 4G). Then it tries some refresh voodoo which makes the payment fail sometimes debiting the amount and failing (which takes 5 days to refund).
It's mind boggling that Amazon is one of their customers. Is nobody doing user-experience testing?
As a counterpoint, Juspay's payments has always worked well for me, and the rotating logo personally inspires more trust than certain other wallet-cum-payment providers. I do all payments thru the web, and never on the phone, so that might apply.
I've also always had a flawless experience with Juspay payments, and their auto entering of OTPs is such a convenient feature! It baffles me why others haven't copied that yet.
OTPs are big in India. Sent via SMS to your registered phone numbers, it is a popular way to authenticate a transaction or even login to your accounts.
But text messages and phone numbers are not a secure medium. I am on the fence whether SMS based OTP is actually a net positive for security. Probably helps with senior people not accustomed to using passwords, but it definitely lowers my security (I have a hardware token and generally try to disable SMS OTP)
Not sure where you are from but getting a SIM (mobile connection) or even getting your own SIM/number re-issued is not as simple as that is in many (western) countries.
Transfers/switches/porting always have a decent cool-off period. So while I am not saying it's as safe as it gets, I was just wondering whether you were assuming it's the same way in many other countries.
PS. Credit cards just can't work just based on credit card number, CVV, and expiry MMYYYY here either. You have got to have that SMS OTP auth and in many cases a password as well. Also, at POS (shops, restos etc) you must enter your PIN, it's not optional. (Now up to ₹2000 some cards let you just swipe/tap w/o a PIN, but it's an opt-in feature)
One issue still left: SMS are "relatively" easy to eavesdrop.
I am in the US. SIM reissuing scams are not uncommon and my own number was reassigned for half a week due to a technical glitch. During that time I had multiple conversations with customer support staff and it was ridiculous how many changes I could request without any verification or authentication.
The aim is to reduce the possibilities of getting robbed. Targeted attacks like sniffing SMSs of a user requires significantly more effort than just stealing their card.
That was the same argument that I heard against ATM skimmers ... until my city was hit by a massive wave of skimmer-related thefts about 5 years ago. My debit card got cloned too -- I woke up one fine evening to the sound of SMSes announcing withdrawals from my savings account :) The next morning, there was a crowd of almost 300 people waiting to file FIRs at the local police station. Apparently there were similar scenes in other localities as well. It looked like a fairly well-planned and well-executed operation. (Technological) effort is not a significant barrier for thievery as long as there is enough money to be made out of it.
Thats still smaller when the entire population is considered. Also lack of security will erode the trust in digital banking which is terrible for a developing country like ours
Now I'm confused :) Are you arguing for better security than OTPs, or against?
My claim is that OTPs aren't secure enough; the skimmer example was to illustrate that thievery in India can also employ technical sophistication, and hence that "secure technology" isn't much of a barrier against a sufficiently motivated set of actors.
Their site is an example of over-engineering designed to make seemingly simple things hard. Like for example, it always tries to detect OTP and fails most of the time. Then it obscures the Continue button and add an extra step.
But worse is their internet speed detection algo. Why in the world does a payment processor need to check my internet speed and show me a popup your internet connection is slow (happens mostly on 4G). Then it tries some refresh voodoo which makes the payment fail sometimes debiting the amount and failing (which takes 5 days to refund).
It's mind boggling that Amazon is one of their customers. Is nobody doing user-experience testing?