
RBI: No “Cheating” Two Factor Auth. Clamps Down on Uber and Others.


RBI has, in a notification, banned companies like Uber (the taxi service) from charging Indian customers through US gateways and circumventing two factor authentication.

What the Heck is Going On?

Uber, a taxi service, takes your credit card details (card number, CVV2, expiry date). In India, of course, this would be safe to give, because online web sites cannot use your card to deduct money with just these details. Each transaction needs a “second factor” authentication, where a preset second password has to be entered on the credit card’s website for every transaction. Just with the card details, Uber couldn’t do a thing.

That’s what you thought.

Uber, though, wanted to do its thing. You take a taxi, but you don’t know how much it costs. Uber can’t bill you upfront because they don’t know how much, and they can’t “swipe” your card in the taxi because hey, that would ratchet up their cost tremendously (swipe machine in every car!).

So what they do is effectively “work around the system”. The card details you give are used in a transaction gateway abroad. These foreign gateways do not require a second factor auth, and will bill your card using just the details you provided. At the end of the ride, the driver clicks an “end ride” button, which then prompts Uber to bill you from their foreign gateway.

Uber would bring that money back in some other way (either as income or investment from their US entity to the Indian one), and use it to pay the taxi driver.

Uber ensured that the rupee amount billed to you was correct, using real time exchange rates (so you never saw a “dollar” charge, just a rupee fee for the exact amount). But some people might have been charged a conversion charge since the billing was effectively in dollars.

Why is this “cheating”?

The two factor auth was introduced to protect people on a per-transaction basis. So no one could steal your card and use it to transact online without your second password (which is not provided to anyone).

If someone takes your card in India and notes down the details, they can easily register on Uber and start using it. For you to find and reverse these transactions will have to involve complaints to your card company, the foreign gateway and the legal system, which is just too much of a pain. The Two Factor Auth prevents this madness.

That’s one reason. The other is that if the transaction’s being done in India between residents, why send the money out and bring it back, and incur unnecessary volatility on the currency? It may not happen today but if unchecked, obviously it will result in USD conversion of every rupee transaction. (The telecom equivalent is that you connect to an Indian website from India, but through hops that take you to the US and back)

Here’s an example of why this can be dangerous: Uber doesn’t call me to confirm I need a ride. My kids use the phone and can accidentally book something; and by the time I realize it and cancel, I might be charged a cancellation fee of Rs. 100 to Rs. 150. This is something they charge to my card anyhow, and they can do so because they have card details; and this is unfair, as they can charge any arbitrary amount any time and I have to find out and refute each one!

Two factor auth is what makes me comfortable in using cards online – this way I can be sure that the sites that take my details (including Flipkart and the like) don’t have access to the one detail that I only ever put on the bank’s website (the second password). To bypass this security is to reduce such comfort.

(This isn’t about Uber; it’s just an example to demonstrate context. Indian CC transactions are safer for end-users because of the two factor, though as a system we need to ease the friction in two factor)

But I can’t even Buy Hosting?

There is a fear that legit purchases of foreign services will be banned. But the notification is clear – it’s only for transactions between residents where it’s clearly something that should have stayed in INR.

So buying Hosting on Amazon is fine; the service is provided abroad and normally this kind of thing would involve a forex transaction. Buying books off Amazon US is fine. But you will need two factor auth to buy from Amazon India.

The Technical Details

Here’s the relevant part of the notification.

3. It has come to our notice that despite the above clarifications there are instances of card not present transactions being effected without the mandated additional authentication/validation even where the underlying transactions are essentially taking place between two residents in India (card issued in India being used for purchase of goods and service offered by a merchant/service provider in India). It is also observed that these entities are evading the mandate of additional authentication/validation by following business / payment models which are resulting in foreign exchange outflow. Such camouflaging and flouting of extant instructions on card security, which has been made possible by merchant transactions (for underlying sale of goods / services within India) being acquired by banks located overseas resulting in an outflow of foreign exchange in the settlement of these transactions, is not acceptable as this is in violation of the directives issued under the Payment and Settlement Systems Act 2007 besides the requirements under the Foreign Exchange Management Act, 1999.

4. In view of the above, it is advised that entities adopting such practices leading to willful non-adherence and violation of extant instructions should immediately put a stop to such arrangements.

5. It is further advised that where cards issued by banks in India are used for making card not present payments towards purchase of goods and services provided within the country, the acquisition of such transactions has to be through a bank in India and the transaction should necessarily settle only in Indian currency, in adherence to extant instructions on security of card payments.

What does this mean?

  • RBI doesn’t like it when both parties are in India, but a payment is made by one to the other through a foreign gateway. Not because of any other reason, but because each transaction would result in outflow of forex and then an inflow, which is both unnecessary and a violation of the payments act.
  • So Uber is bad.
  • Amazon webservices is good (since the server is located abroad, and there’s no round tripping of the money).
  • Paying your web host is good.
  • Companies like Uber (and there are many now) should just stop this practice.
  • Banks need to be vigilant about services that are provided between Indian residents, and will have to introduce checks to ensure this happens. This is not rocket science: they can create a complaint mechanism where if you complain, they investigate, and if needed, effectively block such services through the Visa/Mastercard/Amex network.

Who Else?

It’s not just Uber. Companies like Freshdesk too have US entities that charge money from Indian subscribers in dollars, according to qz, because they need to do recurring payments. (Not possible in India due to the need for second authentication.)

Some other online companies do it because they don’t know how much they need to charge customers. Others because the billing details are stored and so rebilling an existing customer is easier.

All these will have to stop. They get until Oct 31, 2014 to fix things, so nothing changes overnight. But for companies like Uber, the business model will need to change. (It could still hold credit card details and ask for a prepayment for every ride, with an adjustment of the actual amount later)

Note: Yes, Uber is not a Taxi Service. But it’s a service you use to call a car for hire that will take you from place A to place B. You say Tom-ay-to, I say Tom-ah-to….

Update: Aditya in the comments mentions an elegant solution: that Uber be allowed to place a “lien” for a certain amount on your card. This just blocks the amount on the card but doesn’t charge you yet – when your ride is done, it deducts the actual amount and frees the rest of the lien. This lien transaction can use two factor authentication, and might be more palatable. However, if the billed amount is greater than the lien (because someone changed destinations) it could be a problem, but come on, this kind of stuff will even out eventually (and they can just pay the driver the difference, or agree to pay later).
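To make the lien flow concrete, here is an added example (not code from the post, Uber or any bank) that models it: a hold is placed only after the second factor is verified, the actual fare is captured against the hold at the end of the ride, the unused part is released, and any overrun beyond the hold is reported as a shortfall to settle separately. The amounts and the Hold/settle_ride names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Hold:
    """A pre-authorisation ("lien") on a card, placed with the customer's second factor."""
    amount: Decimal                      # rupee amount blocked on the card
    captured: Decimal = Decimal("0")     # amount actually deducted at settlement
    released: Decimal = Decimal("0")     # unused part of the hold freed at settlement
    state: str = "open"                  # "open" -> "settled"


def place_hold(amount: str, second_factor_verified: bool) -> Hold:
    """Block `amount` on the card. The hold itself is the step that carries 2FA,
    so it is refused outright when the second factor was not verified."""
    if not second_factor_verified:
        raise PermissionError("lien requires second-factor authentication")
    return Hold(amount=Decimal(amount))


def settle_ride(hold: Hold, actual_fare: str) -> dict:
    """Capture the real fare against an open hold.

    Returns captured / released / shortfall amounts. A shortfall (fare above the
    lien) is NOT silently charged to the card; it is surfaced so the operator can
    settle it some other way, which is the edge case the post flags."""
    if hold.state != "open":
        raise ValueError("hold already settled")
    actual = Decimal(actual_fare)
    hold.captured = min(actual, hold.amount)     # can never exceed what was authorised
    hold.released = hold.amount - hold.captured  # free the rest of the lien
    hold.state = "settled"
    return {
        "captured": hold.captured,
        "released": hold.released,
        "shortfall": actual - hold.captured,     # 0 unless the fare overran the lien
    }


if __name__ == "__main__":
    # Constructed sample: Rs. 500 lien, ride comes to Rs. 320.
    h = place_hold("500", second_factor_verified=True)
    print(settle_ride(h, "320"))
```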

