OTPs were once expected to be a kind of smart bomb that would be a terminal blow to crooks.
But lately the fraudsters have found one or two cracks that can allow them to bypass the hitherto completely impenetrable security OTPs provided.
There’s certainly no need to panic – OTPs are still largely a robust means of protecting users from fraud during transactions. But there are now some known ways fraudsters can bypass them.
One of the newest scams, for example, allows fraudsters to get hold of OTPs without even having the victim’s phone or a replica of it. Instead, they’ll send an SMS that appears to come from their target’s bank asking if they just made a high-value transaction – a £10,000 holiday booking, say. The horrified account holder will reply ‘no’. A new SMS will then ask them to verify this reply by sharing the OTP they are about to receive. At the same moment the hacker will attempt to log in to an account belonging to their victim. This will initiate a genuine OTP being sent by SMS to their phone – but worried about that holiday booking, the victim will enter it as instructed. In so doing, of course, they are actually sending that access code to a hacker.
At the other end of the scale, on a cruder but more frightening level, is this version. A friend of mine was mugged recently. They took his phone and threatened him with violence unless he revealed his PIN to unlock it. Once they had that they could get into all his apps and begin causing mayhem with his money. Long after the phone was reported stolen they were still getting sent OTPs to facilitate their theft – because there was no correlation between the phone’s status as stolen and its ability to perform transactions.
There are multiple variations on these scams but you get the broader point – OTPs do have some vulnerabilities that can allow them to be bypassed by criminals.
Silent authentication is a fast, frictionless and, crucially, entirely secure way of verifying users that is soon to be a very big deal in online security. For use at the point of onboarding and/or subsequent purchases, it gets rid of the vulnerabilities that OTPs have developed.
And the reason is that it’s based solely on the real time data around the user’s mobile phone.
We’ve been evangelical for years about how the key to online security is to use telecom data as it can tell us more about the user than any other insight. And that’s exactly what silent authentication does. So, it’s really gratifying to see it finally being adopted as the cutting-edge security weapon we always knew it could be.
And I hope it goes without saying, but we’ll of course be at the forefront of introducing silent authentication to mainstream use.
Our own version of silent authentication is called TMT Authenticate and brings data from over 50 telecom network operators globally into play. This means it offers genuine worldwide security protection to a standard never attained before.
It takes away that longstanding antagonism of having to choose between cutting-edge fraud controls and a frictionless user experience: suddenly you can have both.
The ultimate winner here is the customer: because they never wanted to have to make the invidious choice between a fast, seamless online experience and feeling safe and protected either.
Now they won’t have to.
Take a look at our latest white paper, Tackling Mobile Identity Fraud in Financial Services. Our product experts are always on hand to answer any questions!