One-Time Passcodes (OTPs) delivered via SMS are increasingly being used by companies to secure transactions and protect customer data. But growing rates of compromise are causing concern for regulators. Adam Lee, Chief Product Officer at Boku, looks at what’s happening and suggests some alternatives.
Our previous blog looked at the rapid rise of account takeover (ATO) as a fraud risk for companies across many sectors. As that article explained, the growth in ATO has led many companies to adopt OTPs delivered by SMS to confirm user identity and secure transactions. However, a number of developments point to the growing insecurity of SMS OTPs as a means of account confirmation, and the industry is weighing alternative means of verifying user identity.
For European companies, alarm bells started to ring earlier this year when the fraud specialists FICO published their 2018 fraud report for Europe. That report revealed that ID theft had risen by 48% in the UK alone, driven mainly by fraud on mobile devices. Around 70% of that mobile fraud can be attributed to ATO, in which criminals target user accounts using information harvested from victims' social media profiles or stolen account credentials purchased on the dark net.
Although many companies have started using OTPs delivered via SMS to secure accounts and confirm transactions, there is growing evidence that this method of identity confirmation is less secure than might be hoped, and that additional factors or verification methods may be needed. Evidence from FICO aside, we understand that regulators in France and Germany are currently reviewing the suitability of OTP via SMS as a confirmatory factor under the EU's Strong Customer Authentication (SCA) rules. In the UK, the Financial Conduct Authority (FCA) published guidance in late January 2020 urging banks and others to "reduce their reliance on text-based One-Time Passcodes" in response to growing rates of fraud that use SMS OTP as the means of compromise.
Recent experience in India suggests that the UK regulator is on the right track. Despite a comprehensive government digital ID initiative called Aadhaar, and a government-backed financial services portal known as Jan Dhan, to say nothing of comprehensive Know Your Customer (KYC) arrangements and the full co-operation of India’s largest banks, fraud rates for transactions using OTP via SMS as a confirmatory factor shot up by 74% between 2018 and 2019 when measured by value, and 15% in terms of the number of fraud attacks. Indian telecommunications firms are now looking to alternative means of user identity confirmation.
At Boku, we believe the most promising alternative to OTPs is a next-generation service developed by mobile network operators (MNOs) that validates a user's mobile number and SIM card through real-time queries over the mobile network. We call this silent phone number verification, or PNV. Because no passcode is sent to the user, there is no passcode for a fraudster to steal. PNV improves the consumer experience and reduces fraud risk: as our white paper on this subject makes clear, PNV is the best choice for businesses looking to grow sales online, protect their brands and customer relationships, and secure confidential data.