Why Banks Should Urgently Move Away from OTPs

As the banking industry has become more digitized, social engineering scams like phishing attacks have become more common. Phishing campaigns see criminals create deceptive websites, emails and SMS messages designed to trick unsuspecting visitors into handing over knowledge-based authentication details. This threat is pervasive, with a study by BrandShield uncovering over 1,590 fake websites impersonating UK retail banks in May 2023. 

But it's not just user-generated passwords that are vulnerable to this type of attack. Even the security of One-Time Passwords (OTPs) is illusory. Even when OTPs are time-limited or generated from an app or hardware token, cybercriminals can still deploy phishing methods to intercept OTPs. 

In light of these vulnerabilities, this article should serve as a reality check for financial institutions using OTPs for authentication. It will explain how these systems can do more harm than good and highlight the urgent need for banks to explore more reliable and secure solutions.

Why cybercriminals see OTPs as an easy target

Many banks use OTPs for authentication because they offer a straightforward and versatile approach. Users input the information to verify their identity and banks can set them up as part of a 2FA or MFA process. A slightly more secure variant are Time-based One-Time Passwords (TOTPs), which, predictably, expire after a set time.Consumers also favor OTPs as they don’t have to remember their passwords. A TransUnion survey found that 52% of UK consumers cited OTPs as their preferred authentication method. 

The problem with OTPs is that they are not an overly secure authentication method, with vishing now one of the most popular ways of intercepting OTPs. Working in the same way as phishing, vishing occurs when scam callers pose as a victim’s bank (‘your account may have been compromised - could you confirm these details’). These attacks are very effective because customers are much more likely to trust someone calling them directly. Moreover, vishing is difficult to detect, as criminals can use telephone number spoofing technology to make it look like they are calling from a genuine bank. 

In the past year, phishing incidents increased by 61% across all industries, and vishing attacks increased by 142% worldwide between Q3 and Q4 2022. 

These statistics show that while phishing and vishing may not seem particularly sophisticated or even believable, a growing number of people are falling for the ruse. 

From the criminal's perspective, setting up a fake website or phone number to coax OTP information from unsuspecting victims is relatively easy and affordable. Additionally, customers may be more willing to hand over a one-time authentication code rather than their password because they know it is time-sensitive and only valid for one website visit. They may also use the same password across multiple platforms.

Overall, OTPs are an easy target for social engineering scammers because they are easy for account holders to obtain, easy to relay to other people and easy to exploit without detection. 

Elevating security and trust in digital banking with biometric authentication

In line with the rise of social engineering scams, many online banking customers are becoming savvy about the risks associated with knowledge-based authentication. To illustrate, 43% of UK consumers believed they were targeted by a phishing scam in 2023, and 56% of consumers polled by PYMNTS believe banks should deploy more secure banking authentication protocols. 

One of the best ways banks can eliminate phishing risk is to move away from OTPs and switch to more secure biometric authentication methods. 

Biometric authentication uses physical characteristics, such as fingerprints or faceprints, to confirm user identity, making them much more difficult for cybercriminals to take advantage of – even if they could steal a bank customer's OTP as an additional authentication factor. Moreover, a survey by MasterCard found that 93% of consumers would be willing to adopt biometrics. 

Most biometric authentication solutions will remove OTPs from the authentication process altogether. This is because it uses proprietary facial biometrics and device verification to confirm user identity, making it one of the most secure biometric solutions on the market. 

In essence, your customers' physical characteristics are the only information that will grant account access, and verification is as simple as taking a selfie on a device with a front-facing camera. 

What banks can do to improve security

Transitioning from OTPs to biometric authentication is not just a security recommendation for banks, but a strategic move that enhances the overall customer experience and builds trust in the digital banking industry. By embracing passwordless solutions, banks can adapt their security measures in real-time, striking the perfect balance between convenience and protection. 

With the added layer of biometric security, especially during high-value transactions, customers can confidently engage in online banking, knowing that their financial well-being is safeguarded. This proactive approach not only offers protection against common social engineering attacks but also strengthens the industry's defenses against a wide range of threats, ultimately reinforcing customer trust and ensuring a safer digital banking landscape for all.