One-Time Passwords (OTPs) were created to help enhance security, as they can protect you from an identity theft attack. OTPs can take the form of automatically generated numbers that are sent to your cell phone or specific text/word strings that the user needs to recite in order to capture their voice sample. OTPs are often used for the purpose of account login, identity verification, device verification, or password recovery. However, the protection OTPs once offered has diminished and users today can be easily deceived. Through deception, a fraudster can steal your personal data to gain access to your bank accounts and other valuable data.
Fraudsters can use various platforms including social media, phone calls, and online chat applications to target their victims to mistakenly reveal personal information. Fraudsters can use various schemes to induce the victims to share their OTPs, such as encouraging the victim to join a contest or telling the victim that s/he has won a prize¹. They can impersonate government or bank officials, technical support staff, or the victim’s friends to access personal details and accounts. For example, a fraudster can call the victim, pretending to be a telecom technician, and tell the victim that their account was compromised by a hacker. After that, the fraudster can instruct the victim to download an application for the telecom company to conduct investigations. This way the fraudster can remotely access the victim’s computer, and ask the victim for bank login details and an OTP, claiming to check if the victim’s account had been compromised. If the victim provides these details, the fraudster can transfer the money in her account to another count.
Here are some key reasons why OTPs might not provide the best security to use for authentication:
- Increase in Average Handle Time (AHT): Customers may have long waits to receive OTPs depending on their phone signal strength or may not have instant access to their cell phone. This will increase the AHT and create a bad customer experience, especially for genuine callers. This is definitely a problem with significant financial consequences any company would want to avoid. A couple of years ago, Forbes reported that businesses lost $75 Billion due to poor customer service.²
- Increase in Cost: To provide a customer with an OTP, companies have to pay a certain amount per SMS-based OTP. Depending on the customers’ cell phone carrier, they may encounter bad signals and delay the delivery of the OTP. If customers have to request an OTP multiple times, the companies’ costs will only grow. Additionally, the increase in costs might also include headcount. If OTPs are adding handle time to every call, will that require more employees?
- SimJacking: Based on the most recent Facebook breach³, we know that almost half a billion phone numbers and their corresponding Facebook accounts were exposed. The leak of phone numbers could potentially make a huge number of users prone to SIM swap-type fraud. In addition to a list of these numbers, fraudsters can also buy digital files packed with personal data and account details sourced from mass online data breaches and cyberattacks, to open an account in their victim’s name⁴. If fraudsters, combined with other details, potentially accessed separately through either social engineering or online searches, could gather enough information to pass security questions at the respective mobile network operator, they could theoretically register a new SIM. The victim’s SIM could also get deregistered, and the answers to security questions changed to new information no longer matching the victim’s, allowing the fraudsters to take over the victim’s account and eliminate the victim’s attempts at correcting the situation.
- Diminished Impact on Security: Over time, fraudsters adapted and found ways to beat OTPs. Simple, quick turnarounds such as calling the bank pretending to be the victim and getting the bank to send the OTP followed by a call to the victim, pretending to be the bank and asking the victim to read back the code on the text message, are low tech.
- Added Friction: OTPs add an additional layer of identity verification and authentication burden on the consumers. The extra time required to process the OTP and the additional work the consumer needs to do diverts the focus of the conversation and delays the resolution of the consumer’s issue. This friction could result in lower Net Promoter Scores and reduced customer satisfaction.
Today, many companies are still using OTPs for authentication purposes and those who use them could face higher costs and unhappy customers. Therefore, the importance of having an authentication technology based on credentials and risk criteria extracted from a call clearly stands out – especially if such decisions are automated and governed through a flexible policy engine aimed to build trust for genuine callers. There are other ways to establish trust in a customer interaction without creating the additional cost and friction of OTPs. For example, you can use spoof detection techniques to determine whether an incoming call is spoofed or not and whether you can trust the call. For further security and identity verification, you could deploy multi-factor, risk-based authentication processes that allow you to leverage other factors like certain behaviors, voice, and device.
Ready to ditch your OTPs to better deal with those on the prowl? Pindrop can help. Contact us.
¹Wong, Cara; The Straits Times, “Scammers tricked more people into revealing their OTPs last year; victims lost more than $15 million” (https://www.straitstimes.com/singapore/scammers-tricked-more-people-into-revealing-their-otps-last-year-victims-lost-more-than-15), April 1, 2020, straitstimes.com
²Hyken, Shep; Forbes, “Businesses Lose $75 Billion Due To Poor Customer Service” (https://www.forbes.com/sites/shephyken/2018/05/17/businesses-lose-75-billion-due-to-poor-customer-service/?sh=2d33a02016f9), May 17, 2018, forbes.com
³Cunningham, Ben; Pindrop, “Facebook Breach Means More Munitions for Fraudster ATO attempts” (https://www.pindrop.com/blog/facebook-breach-means-more-munitions-for-fraudster-ato-attempts/), April 6, 2021, pindrop.com
⁴Patterson, Dan and Kates, Graham; CBSNews, “We found our personal data on the dark web. Is yours there, too?” (https://www.cbsnews.com/news/we-found-our-personal-data-on-the-dark-web-is-yours-there-too/), March 25, 2019, cbsnews.com