An Ode to the OTP
A few weeks ago, in the 2023 Budget, the Malaysian government announced a number of new initiatives designed to combat online fraud and scams. One of these was an instruction to banks to do away with One Time Passcodes for transactions and to adopt a more secure method of transaction authentication. No cutoff date was specified, but the announcement itself intimated that the One Time Passcode system had gaps, flaws and vulnerabilities. Naturally, the more alert members of the public picked up on this, which created a sense of urgency for banks and financial institutions to develop, or fully migrate to, a new and more secure method of transaction authentication despite the absence of a deadline.
Despite the announcement and the news articles that followed, an important question has gone unasked and unanswered: why the sudden need to shift away from One Time Passcodes? The likely answer is that the One Time Passcode system is now outdated and that better alternatives are available, both in terms of quantity and quality. Let us explore both of these potential reasons for shifting away from the One Time Passcode system.
Is the system Outdated?
The thinking behind the One Time Passcode (OTP) system was simple: an account holder provides their bank with a number that only they (the account holder) have access to. Therefore, when a transaction is authenticated by the user entering the correct OTP, it is safe to assume that the user is the account holder and that the transaction is legitimate. This system is capable of shutting down unauthorized transactions, and it has done so very well over the past 10 years or so. In fact, the system proved so effective that it was adapted to serve as an authentication step in other situations, such as signing into an account from a new device or allowing a one-time login when a user has forgotten their password. However, the plain unauthorized transaction is no longer as common a modus operandi as it once was.
In recent times, fraudsters have been able to use malware to mirror a victim's phone, enabling the fraudster to view the OTP and therefore authenticate the transaction. Worse still is the epidemic of OTP theft currently going around. Here, the victim receives a text message or call, more often than not from a fraudster posing as an employee of an e-wallet, informing the victim that they have won a cash prize. Once the victim engages, the fraudster advises that an OTP will need to be sent to the victim as a security measure. The fraudster then proceeds to take over the e-wallet, top it up and move the funds out. This modus operandi alone was responsible for about RM15Mil in losses in 2018.
Furthermore, customer behavior in 2022 is not the same as it was in 2012. Despite fraud and scams being at extremely high levels, consumers are being nudged by e-commerce sites into opting into "one-touch" purchases, thus bypassing the protections afforded by OTPs. This is exacerbated by consumers having multiple digital devices already logged into an e-commerce site, which means a fraudster needs to gain access to just one device to purchase a high-value item with strong resale value without the need for an OTP. In this instance, a bank would not accept responsibility for the transaction, as it would expect the victim to have exercised a higher degree of care.
In light of the above, there is some sentiment that relying on a single data point, i.e. an OTP, to definitively establish that an account holder has in fact authorized a transaction might no longer be sufficient in 2022. One thing is clear: a more robust method of authentication is required to fight the more sophisticated modus operandi.
What about 3DS 2.0? Wasn't that supposed to be even more secure and safe? It is important to draw a distinction between the OTP system and 3DS because, believe it or not, they are not the same thing. As mentioned previously, 3DS was designed by Visa to fight credit card fraud in the online space and was seen as an additional verification checkpoint. It was not designed for, nor has it been used to prevent, fraud in non-card transactions, e.g. online transfers. Even if 3DS were adapted for non-card transactions, with all its new technology and data points, it shares the same vulnerabilities as the existing OTP system: it is rendered useless by malware and passcode theft.
To combat these issues, which are the predominant modus operandi at the time of writing, the solution must be more technologically advanced.
Easy to say, difficult to do. What are the Alternatives?
The Bank Negara instruction did not specify the kind of solution that is to replace OTPs, only that it needs to be more secure, giving banks wide latitude to cast their net. Yet most banks seem to have settled on some variation of the same solution: transactions need to be approved by the customer in the bank's app. This might seem like the equivalent of putting a green case on a white phone: it looks different but is actually the same. That is not the case, however, as this solution has a lot more going on under the surface.
The first way in which this solution could be better than the current OTP system is that it caters for and considers many more data points. These data points are used to identify patterns in how an account holder behaves on a given day. For example, looking at payment patterns, a bank might identify that a certain account holder goes out for lunch between 12.30pm and 2pm on weekdays and enjoys a coffee on Friday mornings. This can be scaled up to consider larger patterns over a more prolonged timeframe. For example, an account holder makes a RM150 debit card transaction at the Jabatan Immigration Malaysia, purchases insurance worth RM97 a month later, and pays RM2,500.00 to Expedia two months after that. The bank can logically conclude that this account holder is planning a vacation; therefore, if they make a foreign currency transaction on their debit card or their bank account is accessed from a foreign IP, it is likely the account holder and not a fraudster. Even more appealing are instances where a bank combines a customer's behavioral pattern with the metadata it can capture.
Everything from the physical location of the account holder when performing a transaction, to the time of the transaction, the screen resolution of the device used, even the battery level of the device, is an example of metadata. The relevance of these data points on a standalone basis is dubious at best, but when collected over a period of time and combined, they enable the bank to build a digital identity for the customer. This, together with the behavioral data, allows the bank to understand how an account holder should behave. As such, if an account holder attempts to log in from a new device, changes their password, adds a favorite account and sends RM5,000.00 to that favorite account, the bank would be able to identify this as highly suspicious behavior and block the account.
A very basic example of how a digital identity might work.
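As an added illustration of the pattern- and metadata-based scoring described above (example code written for this page, not from the original article or any bank's system): a toy risk scorer that checks one session against a customer's baseline of known devices, countries, active hours and transfer size, discounts a foreign IP when recent payments show a travel trail, and flags the new-device, password-change, new-payee, large-transfer chain. The profile, events, weights and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Profile:
    known_devices: set          # (model, screen resolution) pairs seen before
    known_countries: set        # countries the customer has transacted from
    usual_max_amount: float     # typical ceiling for one transfer, in RM
    travel_signals: int = 0     # recent immigration/insurance/travel-site payments
    active_hours: tuple = (7, 23)  # usual activity window on a 24h clock
@dataclass
class Event:
    ts: datetime
    kind: str        # "login", "password_change", "add_payee", "transfer"
    device: tuple    # (model, screen resolution) metadata reported by the app
    country: str     # country resolved from the session IP
    amount: float = 0.0

TAKEOVER_CHAIN = ["login", "password_change", "add_payee", "transfer"]

def score_session(profile, events, window=timedelta(minutes=30)):
    """Score one session against the baseline; returns (score, reasons)."""
    reasons = {}                        # each reason is counted once per session
    for ev in events:
        if ev.device not in profile.known_devices:
            reasons["unknown device fingerprint"] = 30
        if ev.country not in profile.known_countries:
            # A recent immigration/insurance/travel-booking trail makes a foreign IP expected.
            reasons["unfamiliar country"] = 5 if profile.travel_signals >= 2 else 35
        if not profile.active_hours[0] <= ev.ts.hour < profile.active_hours[1]:
            reasons["outside usual active hours"] = 10
        if ev.kind == "transfer" and ev.amount > profile.usual_max_amount:
            reasons["transfer above usual ceiling"] = 25
    kinds = iter(ev.kind for ev in events)   # `in` consumes it, so order is enforced
    quick = events and events[-1].ts - events[0].ts <= window
    if quick and all(k in kinds for k in TAKEOVER_CHAIN):   # chain occurs in order
        reasons["new device -> password change -> new payee -> transfer chain"] = 40
    return sum(reasons.values()), list(reasons)

def decide(score):
    # Map the score to an action: allow, require in-app approval, or block.
    return "block" if score >= 70 else "step_up" if score >= 30 else "allow"

# Constructed sample: the article's takeover chain, at 2 a.m. from an unseen handset.
PROFILE = Profile({("Pixel 6", "1080x2400")}, {"MY"}, 1500.0)
NEW, T0 = ("Unknown", "720x1600"), datetime(2022, 11, 3, 2, 10)
TAKEOVER = [Event(T0, "login", NEW, "MY"),
            Event(T0 + timedelta(minutes=2), "password_change", NEW, "MY"),
            Event(T0 + timedelta(minutes=5), "add_payee", NEW, "MY"),
            Event(T0 + timedelta(minutes=8), "transfer", NEW, "MY", 5000.0)]
```

A real deployment would derive the weights from labelled fraud data and would answer "step_up" with an in-app approval prompt rather than a plain allow or block.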
Regardless of how sophisticated a system might be, the truth is that every system will have weak points and vulnerabilities. Every time a method to protect account holders is designed, fraudsters will find a way to bypass it. With this in mind, it is critical that the solution be adaptive and modular enough to allow the bank to respond to the next batch of modus operandi, and the truth is that such a system might not even be available yet. What is available, however, is a free, no-obligation consultation with us, where we can help you find the system you need to protect your organization from current and emerging fraud trends. Click here to get in touch with us.