ASEAN banks and digital businesses are at a crossroads: either keep supporting SMS-based OTP as a legacy system, or transition to better authentication methods.
OTP stands for one-time password or one-time PIN: a unique code (usually 6 digits) used to authenticate a transaction, such as changing a password, opening an account or transferring funds. Traditionally, OTPs are sent via SMS to prove that the user has access to the registered mobile phone number.
Companies today find it difficult to balance consumer demand, regulatory pressure and system scalability.
On one hand, 67% of Southeast Asian consumers prefer receiving SMS OTPs as a form of authentication, especially for digital banking and e-wallet apps. On the other hand, the Malaysian central bank has instructed financial institutions to stop using SMS OTPs and to adopt more secure authentication methods. The same is happening in Singapore following the OCBC Bank phishing scams of January this year. Even government officials in the Philippines are aware of a new wave of hacking attempts that bypass the need for SMS OTPs and daily transaction limits.
Are OTPs now obsolete? Not exactly. OTP systems still have merits:
- A code is generated only when a transaction is initiated.
- It is valid for one use only.
- It is valid for only a few minutes.
- It becomes invalid as soon as it is entered, regardless of whether the entry was correct or incorrect.
- It functions as a barrier against fraudsters beyond just a username and password.
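The properties above, as an added example (not code from the original post or from Innov8tif): a small transaction-bound OTP service in which a code exists only for the transaction that triggered it, expires after a short TTL (assumed here to be 180 seconds) and is consumed by the first verification attempt whether or not that attempt was correct.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 180   # assumption: "a few minutes" taken as three
OTP_DIGITS = 6


@dataclass
class PendingOtp:
    code: str
    issued_at: float


class OtpService:
    """Issues and verifies OTPs bound to a transaction id."""

    def __init__(self, ttl=OTP_TTL_SECONDS, clock=time.time):
        self._pending = {}      # txn_id -> PendingOtp; at most one live code per transaction
        self._ttl = ttl
        self._clock = clock     # injectable for tests

    def issue(self, txn_id):
        # Generated only on transaction initiation; reissuing replaces any earlier code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = PendingOtp(code, self._clock())
        return code

    def verify(self, txn_id, submitted):
        # pop() removes the code on the first attempt, so a wrong guess also burns it
        # and a correct code can never be replayed.
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False                     # no live code for this transaction
        if self._clock() - entry.issued_at > self._ttl:
            return False                     # expired
        return hmac.compare_digest(entry.code, submitted)   # constant-time compare
```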
If the system works well, why is it under scrutiny? Because SMS is an inferior delivery channel for OTP codes, for several reasons:
- Apps today can automatically read OTP codes from incoming SMS messages, which is a back door that fraudsters can exploit: a malicious app can initiate a request and read the OTP off the victim's phone while remaining undetected.
- SMS-based OTPs are also costly to implement, requiring infrastructure and services built by telecommunication companies and third-party providers. Every such provider is an additional point of vulnerability that fraudsters can target, and an accountability and legal nightmare if and when a cyberattack occurs.
- The narrative surrounding the shortcomings of SMS-based OTP is also flawed. Public service announcements largely warn users not to share their OTP codes, implying that OTP security is ultimately the user's responsibility and that it is the user's fault when OTPs are stolen. In reality, service providers play the more significant role, by implementing more secure and smarter authentication systems.
- More importantly, SMS-based OTPs only validate the user's possession of the registered mobile phone number, which is relatively easy to spoof. That covers only one of the three authentication factors:
  - What the user owns (mobile phone number, device binding, ID authentication …)
  - What the user knows (passwords, security questions …)
  - What the user is (thumbprint recognition, facial recognition …)
Impact of Poor Implementation
A poorly implemented SMS-based OTP system results in personal, commercial and social ramifications.
In Singapore, OTP hacks affected 75 consumers and caused SGD 500,000 in losses. The victims had not initiated any transactions and had not received any SMS OTPs related to the incident. It turned out that international cybercriminals had obtained the victims' credit card details long before. Once they gained back-door access to overseas telecommunication providers, they diverted the SMS OTPs away from the victims.
In Malaysia, the Commercial Crime Investigation Department (CCID) recorded a total of 71,833 scams between 2020 and May 2022, resulting in more than RM5.2 billion in personal losses. Once the money has been transferred overseas or laundered through layers of mule accounts, the victims' chances of recovering the funds are slim to none.
A bank that does not prioritise the account security of its customers will also damage its brand image and customer loyalty. A research study shows that this holds regardless of income and education level.
Overcoming SMS Limitations
The truth is that SMS-based OTPs are ancient in innovation terms. Hardware and software tokens have taken centre stage in recent years and have proven to be a reliable method of authentication. However, they add a barrier to access: users must hold onto a physical device that can be lost, or download an additional app that is infrequently used.
Device binding and push-notification-based authentication are currently the best solution for balancing user convenience with account security. How the system works on the back end is detailed in the FIDO and EMV3DS specifications, which also serve as industry compliance standards.
In short, it uses cryptographic login credentials that are bound to a user's device, which is more secure than a mobile phone number. It is private: cryptographic keys and biometric data never leave the user's device. It is also cheaper to implement than SMS OTP and hardware tokens. Users do not need to leave the app to authenticate transactions, which helps with convenience. More importantly, this system rarely exists in isolation; it is usually paired with biometric and ID verification to form a multi-factor authentication (MFA) system.
Beyond implementing state-of-the-art MFA, here are some short-term action items that can help improve account security for your digital platforms:
- Cooling-off period. A login from a new device triggers a cooling-off period lasting a few days, during which no transactions can be made from that device. This warns the user of any unwarranted sign-in attempt and gives anti-fraud personnel time to investigate the source of any suspicious activity. The cooling-off period can be bypassed if the user completes a detailed authentication process.
- Conduct an account security audit. The best way to identify gaps in account security is to have a trusted provider tinker with and attempt to break the system your company has established. In general, the cost of managing a crisis resulting from an account security breach far outweighs the cost of conducting the audit in the first place.
- Deploy apps through official and proper channels. Some app providers prefer hosting their apps on their own websites instead of the official iOS or Android app store. Doing so sets the precedent that certain apps can only be downloaded from third-party sites, which opens the app up to phishing attacks. Hosting through official app stores gives consumers confidence that the apps they download are legitimate and genuine.
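The cooling-off rule from the first action item, as an added example (not Innov8tif's code and not from the original post): a first login from an unseen device records the device and raises an alert, transactions from that device are refused until the cooling-off period (assumed here to be 3 days) has elapsed, and a completed step-up authentication lifts the restriction early.

```python
import time
from dataclasses import dataclass

COOLING_PERIOD_SECONDS = 3 * 24 * 3600   # assumption: "a few days" taken as three


@dataclass
class DeviceRecord:
    first_seen: float
    step_up_verified: bool = False        # set after the detailed authentication process


class DeviceCoolingPolicy:
    """Blocks transactions from newly seen devices until they age out or are step-up verified."""

    def __init__(self, cooling_period=COOLING_PERIOD_SECONDS, clock=time.time):
        self._devices = {}     # (user_id, device_id) -> DeviceRecord
        self._cooling = cooling_period
        self._clock = clock    # injectable for tests
        self.alerts = []       # constructed stand-in for the user notification / fraud queue

    def login(self, user_id, device_id):
        key = (user_id, device_id)
        if key not in self._devices:
            self._devices[key] = DeviceRecord(first_seen=self._clock())
            self.alerts.append((user_id, device_id, "new-device-login"))
            return "new-device"
        return "known-device"

    def complete_step_up(self, user_id, device_id):
        # Called only after the detailed authentication (e.g. ID document + biometrics) succeeds.
        self._devices[(user_id, device_id)].step_up_verified = True

    def may_transact(self, user_id, device_id):
        """Returns (allowed, reason) for a transaction attempted from this device."""
        rec = self._devices.get((user_id, device_id))
        if rec is None:
            return False, "unknown-device"
        if rec.step_up_verified:
            return True, "step-up-verified"
        if self._clock() - rec.first_seen < self._cooling:
            return False, "cooling-period"
        return True, "cooling-period-elapsed"
```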
Once implemented, a scalable and robust MFA system will pay dividends down the road. MFA systems need constant updating, because fraudsters keep inventing new methods to bypass older authentication methods. Worst of all, these "fraud innovation" cycles are shortening and are increasingly dangerous for both consumers and companies.
Fortunately, there is a multitude of other methods that can be used to verify a user's identity. Companies like Innov8tif Solutions are in a constant arms race against fraudsters, providing the most up-to-date and secure authentication systems for digital businesses.
How Innov8tif Can Help
Innov8tif Solutions has partnered with certified institutions to help companies implement robust multi-factor authentication systems, OTPs included.
We have been developing A.I. solutions aimed specifically at solving ID authentication problems. Our solutions fall into identity authentication, customer due diligence and transaction authentication services. Our flagship product is EMAS eKYC, where users capture a live selfie and a photo of their ID document to authenticate their identity. Beyond that, we also offer device binding implementation, automated user background checks and more.
Beyond OTP implementations, we also deliver our authentication solutions through the use of APIs. This ensures that our enterprise customers gain access to the latest security updates and product features. In an environment where security exploits can be found and spread within a few hours, APIs ensure that customers are given the latest protections as quickly as possible.
We also specialise in the ASEAN region, with our systems able to support Thai and Khmer languages as well. We have local representatives in most of the ASEAN member states, where customers can gain access to immediate support. We are currently serving the major telecommunication players and financial institutions within the region, and are thus familiar with the regulatory, technology and business landscapes our clients are operating in.