India’s shift away from paper currency and toward digital payments, especially UPI, has resulted in significant and sustained economic growth for the fifth-largest economy in the world. In fact, experts anticipate that the value exchanged through digital payments will total $10 trillion USD by 2026. Unfortunately, similarly to the rest of the world, the rise of digital payments in India has resulted in a concerning unintended consequence: a spike in fraud made possible by legacy technologies like the one-time password (OTP).
In this blog, we’ll dive into the most important reasons why OTPs (one-time passwords) pose a risk to companies and financial institutions and outline what you can do today to fortify your MFA system and improve user experience.
Every single day, over 1 billion SMS messages are sent in India, and many of them carry one-time passwords (OTPs). An SMS OTP is a commonly used credential that verifies a user's identity through something they have: control of a mobile phone number. In the cybersecurity community this flow is usually called "SMS 2FA".
OTPs are ubiquitous. Banks, social media platforms, P2P payment companies, healthcare portals, and e-commerce sites are just a few of the many different verticals that leverage OTPs for authentication purposes.
Here’s a real-world example of how 2FA via SMS works: When a user first creates an online bank account, they enter their mobile phone number as part of the onboarding process. Later, when the individual goes to log in to change account details, check their balance, or complete a high-risk transaction like a money transfer, they receive a series of random digits known as an OTP sent via SMS to their cell phone. To access their account, the user must enter the digits that were texted to them.
Recently, time-based one-time passwords (TOTPs), a subset of OTPs, have grown increasingly popular. A TOTP is not delivered over SMS at all: it is computed on the user's device (typically an authenticator app) from a shared secret and the current time, so each code is valid only for a short window (commonly 30 seconds) and an expired code is rejected. Despite their popularity in India and abroad, OTPs (including TOTPs) still share a fundamental limitation: the user reads a code and types it into whatever page or call asked for it, so the code can be intercepted or extracted by the account takeover attacks described below.
Although OTPs do add some security over a bare username and password, they have well-known weaknesses and should be fortified with stronger factors, especially for high-risk transactions.
An account takeover occurs when “a malicious third party successfully gains access to a user’s account credentials. By posing as the real user, cybercriminals can change account details, send out phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization.” There are a variety of ways fraudsters commit account takeover fraud.
What are popular forms of Account Takeover Fraud?
A SIM swap attack (also called a port-out scam, SIM splitting or SIM jacking) is a popular form of account takeover fraud that targets the weakness in SMS-based two-factor authentication (2FA) mentioned earlier: the second factor is tied to a phone number, not to the phone itself.
In a SIM swap, a bad actor takes control of the victim's mobile number by having it ported to a SIM card in their possession (or, less commonly, by cloning the SIM) without the victim's knowledge. First, scammers trick victims into divulging personal information (often through phishing sent via WhatsApp, email, SMS ("smishing") and social media). They then use those details to socially engineer the mobile operator's customer service representatives into transferring the number to the attacker's SIM. Once that succeeds, every SMS OTP sent to the victim's number arrives on the fraudster's phone, giving them full access to any account that relies on it. Because the attack is carried out against the operator's account records rather than the handset, it works equally against iPhones and Androids and regardless of mobile operator.
While victims are at risk of having their accounts drained or having their social media handles taken hostage, the harm to the service providers who failed to protect their users against these kinds of attacks ranges from significant reputational damage to liability for lost funds to the risk of losing users to more secure competitors.
To prevent fraud in India from continuing to skyrocket, it’s important to phase out OTPs and replace them with a more user-friendly and secure solution. Fortunately, when it comes to going passwordless, Prove provides you with next-generation authentication alternatives: Prove Auth and Mobile Auth.
Prove Auth™ enables enterprises to reduce reliance on passwords and OTPs and empowers consumers to frictionlessly authenticate in all channels, including mobile phones, desktops, and call centers, with a solution that is simple, cost-effective, and secure. Prove Auth protects consumers from fraud including account takeovers. Because Prove Auth is FIDO2 compliant, the credential is bound to the user's device and to the legitimate site, so there is no code for a phishing page to capture or a swapped SIM to receive, which protects against fraud vectors that SMS OTPs simply cannot.
Mobile Auth is another powerful solution that reduces reliance on OTPs. It passively authenticates every mobile login and signup without the use of passcodes, pop-ups, pins, or notifications, allowing businesses to seamlessly onboard customers faster and at a lower cost. It provides a real-time, passive authentication (aka, ”proof of possession check”) of a mobile device by resolving the mobile phone number assigned to the mobile device.
The best part about these solutions? Consumers in India are already accustomed to using their mobile phones, so there is no learning curve for your customers, regardless of which service provider they use. However, unlike OTPs (which also rely on the mobile phone), these solutions do not ask the user to wait for and retype a code, so there is none of the friction or frustration of passwords and OTPs.
Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.