Are One-Time Passwords (OTPs) Holding India’s Financial Sector Back?

India’s shift away from paper currency and toward digital payments, especially UPI, has resulted in significant and sustained economic growth for the fifth-largest economy in the world. In fact, experts anticipate that the value exchanged through digital payments will total $10 trillion USD by 2026. Unfortunately, similarly to the rest of the world, the rise of digital payments in India has resulted in a concerning unintended consequence: a spike in fraud made possible by legacy technologies like the one-time password (OTP).  

In this blog, we’ll dive into the most important reasons why OTPs (one-time passwords) pose a risk to companies and financial institutions and outline what you can do today to fortify your MFA system and improve user experience.

What is an OTP? 

Every single day, over 1 billion SMS messages are sent in India. Many of those messages contain OTPs or one-time passwords. The OTP is a commonly used credential that verifies a user’s identity using something they have (a cell phone). The name of this security flow is often referred to as “SMS 2FA” within the cybersecurity community.

OTPs are ubiquitous. Banks, social media platforms, P2P payment companies, healthcare portals, and e-commerce sites are just a few of the many different verticals that leverage OTPs for authentication purposes.  

Here’s a real-world example of how 2FA via SMS works: When a user first creates an online bank account, they enter their mobile phone number as part of the onboarding process. Later, when the individual goes to log in to change account details, check their balance, or complete a high-risk transaction like a money transfer, they receive a series of random digits known as an OTP sent via SMS to their cell phone. To access their account, the user must enter the digits that were texted to them. 

Recently, time-based one-time passwords (TOTPs), a subset of OTPs, have grown increasingly popular. TOTPs are simply OTPs with the added security benefit of a time limit. If you don’t enter the OTP within the given time, the OTP is no longer valid. Despite their popularity in India and abroad, OTPs (including TOTPs) have two major limitations.

Although OTPs do add some level of security to just a username/password, they do have security vulnerabilities and should be fortified, especially for high-risk transactions. 

What are the downsides of OTPs? 

• Account Takeover Fraud: SMS OTPs can be intercepted by bad actors via SIM swap fraud. As a result, they cannot be relied upon for their intended purpose of keeping fraudsters out of online accounts. For example, let’s say a fraudster already has a password to one of your online accounts and is initiating an online transaction on that account that requires an SMS OTP to be sent. By intercepting that SMS OTP, they can easily get the numerical password that was meant to be sent to you and key it in to gain access to your account. In an ironic twist, the SMS OTP that was meant to protect your account actually went to the fraudster, allowing them to access your account. 

• The Customer Experience: SMS OTPs cause friction in the customer experience. If you’ve ever tried to log into an account or reset your password using an SMS OTP, you know that the experience of fumbling between your computer and your phone or multiple apps on your phone and trying to memorize a numerical password so you can type it in is not exactly seamless. SMS OTPs can also be unreliable with many consumers reporting that they initiated an SMS OTP authentication but never actually received an SMS code. 

How does account takeover fraud work?

An account takeover occurs when “a malicious third party successfully gains access to a user’s account credentials. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization.” There are a variety of ways fraudsters commit account takeover fraud. 

‍

What are popular forms of Account Takeover Fraud? 

‍A SIM swap attack (a.k.a “port-out scam, SIM splitting, smishing or SIM jacking”) is a popular form of account takeover fraud that targets a weakness in two-factor authentication (2FA) mentioned earlier. 

SIM swap fraud, also known as "‘ SIM card swapping,” ‘SIM splitting’ or ‘SIM jacking,’ is a fraudulent activity where a bad actor takes complete control of users’ phone accounts by either porting or cloning their SIM card without their knowledge. First, scammers trick victims into divulging personal information about themselves (often with the help of phishing attacks sent via WhatsApp, emails, and social media platforms) and then socially engineer customer service representatives to take over a victim’s mobile phone number by having them transfer the number to a new SIM card in their possession. Once they’ve done this successfully, the fraudster has complete control over the unsuspecting victim’s mobile number, allowing them full access to their accounts. SIM swap fraud can take place on both iPhones and Androids, regardless of mobile operator.

While victims are at risk of having their accounts drained or having their social media handles taken hostage, the harm to the service providers who failed to protect their users against these kinds of attacks ranges from significant reputational damage to liability for lost funds to the risk of losing users to more secure competitors.

What’s the solution to Account Takeover Fraud? Go passwordless. 

To prevent fraud in India from continuing to skyrocket, it’s important to phase out OTPs and replace them with a more user-friendly and secure solution. Fortunately, when it comes to going passwordless, Prove provides you with next-generation authentication alternatives: Prove Auth and Mobile Auth. 

Prove Auth™ enables enterprises to reduce reliance on passwords and OTPs and empowers consumers to frictionlessly authenticate in all channels including mobile phones, desktops, and call centers with a solution that is simple, cost-effective, and secure. Prove Auth protects consumers from fraud including account takeovers. Because Prove Auth is FIDO2 compliant, it protects against fraud vectors that SMS OTPs simply cannot. 

Mobile Auth is another powerful solution that reduces reliance on OTPs. It passively authenticates every mobile login and signup without the use of passcodes, pop-ups, pins, or notifications, allowing businesses to seamlessly onboard customers faster and at a lower cost. It provides a real-time, passive authentication (aka, ”proof of possession check”) of a mobile device by resolving the mobile phone number assigned to the mobile device.

The best part about these solutions? Consumers in India are already accustomed to using their mobile phones, so there is no learning curve for your customers, regardless of what service provider they use. However, unlike OTPs (which also use mobile phones), Prove Auth works passively in the background so there is none of the friction or frustration of passwords and OTPs.

Ready to reduce reliance on vulnerable OTPs, stop account takeover and go passwordless? Schedule a meeting with a digital identity expert today