Opinion

Why banks should retire phone-based OTPs

Rajkamal Rao | Updated on November 29, 2020

Other alternatives like using ATM machines or WhatsApp messages to generate OTPs can be explored

The OTP is much like an elevator in a building. When it works, it does so like a charm, and life goes on without a hitch. When it doesn’t work, life comes to a grinding halt. There are no statistics about how many OTP requests fail, but even a 0.1 per cent failure rate means lakhs of incomplete banking transactions.

As internet banking rapidly advances in the country — more so in the Covid era — the telecommunications infrastructure is coming under heavy loads during peak times of the day. OTP delivery has always been unreliable when customers are in dead zones — but increasingly, customers with good cell receptions often have to request an OTP resend.

A bigger issue is that SMS-based OTPs, which, by design, cannot be encrypted, are not secure. In a recent blog post, Alex Weinert, Director of Identity Security at Microsoft, bluntly declares that “it is time to hang up on phone transports for authentication.” He argues that they are susceptible to call forwarding attacks or SIM jacking. A bad actor can pose as a victim at a mobile phone store and persuade the agent to swap a target’s SIM card to a new SIM card, allowing the bad actor to begin intercepting the target’s SMS messages.

Other options

Banks have numerous OTP alternatives that are vastly better. But they have repeatedly refused to implement them although American financial institutions that are reliant on Indian IT providers are innovating.

The easiest way out is to send a copy of the OTP to the customer’s registered email address, as a password-protected PDF file, like Karnataka Bank used to do, but lately, has discontinued the practice citing the risk of fraud. State Bank of India still does.

Or, banks could repurpose their ATM machines to also become OTP generators. The customer could request an ATM screen to print out a backup set of five OTPs that would expire in 30 days. For security, the slip would not include the name of the bank or the account number — just five OTP numbers, one line after another. These backup OTPs could save banking transactions from having to be abandoned when OTPs don’t arrive promptly.

Or, how about using WhatsApp for Business? Because WhatsApp does not need a SIM card or data plan to function — it works just fine on WiFi — message delivery is vastly more reliable. This makes WhatsApp invaluable to international travellers; they can wait for their phones to connect to a WiFi signal at a public airport or hotel, and instantly be in touch with their address book — and their banks.

WhatsApp messages are secured with 128-bit encryption, so there’s literally no chance that someone can snoop in on the contents of a WhatsApp message. WhatsApp is also 100 per cent free. Free, not like Google, Facebook, Twitter, or YouTube which bombard you with ads and incessantly track you. WhatsApp is free from any commercial interruption or invasion, period. And practically every Indian mobile phone already has WhatsApp installed.

Authenticator app

Another secure method is to employ an authenticator app — from Google or Microsoft — that generates a new 6-8 digit code each minute by always residing on a customer’s phone. Once activated, it does not require a network connection to generate the OTP. Indian banks have tried their own authenticators but have largely jettisoned them because of technical glitches.

It does not matter which solution is selected. The goal of banks should be to add backups to the ageing OTP/SMS platform, and over time, transition to a more secure, internet-based, or app-based mechanism to deliver the second-factor authentication code. The net banking customer deserves nothing less.

The writer is Managing Director, Rao Advisors LLC, US

Published on November 29, 2020

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

This article is closed for comments.
Please Email the Editor

You May Also Like