Telecom operators shall expose USSD APIs. Financial organizations, or payment gateways, eCommerce websites can use these USSD APIs to prompt their customers for password.
This makes a complete seperate authentication channel for online transactions.
example: A user is buying a product online from his PC/Laptop using his credit card. credit card company shall prompt him on his mobile for password (using USSD menus provided by telecom operator). then the transaction on his PC/Laptop is authorized.
In this scenario, even if his PC is spyed using a key logger or any other tool, hacker can't use for any other transaction.
If the user looses his/her bag, hence both his mobile and card fell in wrong hands, still user is safe because it is password protected. (This is not the case with OTP).