Illustration of people's SMS OTPs getting intercepted by fraudsters - instead of more sophisticated technology like behavioral biometrics.

Why do some banks still use SMS-based one-time passcodes (OTPs) to authenticate customers when behavioral biometrics is a more effective and seamless option? 

In this day and age, using SMS OTPs for authentication is like watching DVDs instead of streaming or connecting to the internet with a dial-up modem instead of wi-fi. Yes, any of these solutions will work. But there are better, more effective options available. 

Here’s what banks need to know about implementing behavioral biometrics authentication and shifting away from outdated tools like SMS OTPs.

Is SMS OTP at its EOL?

One-time passcodes delivered by SMS were one of the earliest online fraud prevention controls. The design was simple: send the customer a unique, short-lived code by SMS (or email) and require it to complete the login. But fraudsters have adopted more advanced tactics over the years, and those tactics lay SMS OTP's limitations bare.

SMS OTPs have proven to be a liability in some markets. In Malaysia, for example, the central bank, Bank Negara Malaysia (BNM), is urging financial institutions to move away from SMS OTP as an authentication method and implement stronger authentication to prevent online scams. BNM's decision comes as fraudsters have learned to intercept SMS OTPs and take over customers' bank accounts. This type of activity had resulted in RM414.8 million ($95.4M) in financial losses as of July 2022, and customers are left to bear the losses.

BNM's move comes as financial institutions worldwide start to recognize the limits of SMS OTPs for fraud prevention. Fraudsters use mobile malware that reads incoming SMS OTPs on the victim's phone, forwards them to the attacker, and deletes them before the customer sees them. SMS is also vulnerable to SIM swapping, in which the attacker convinces (or bribes) the victim's mobile carrier to move the victim's phone number onto a SIM the attacker controls; every call and text message to that number, OTPs included, then arrives on the attacker's device, which is all that is needed to complete an account takeover (ATO). No interception is needed at all when a customer is talked or phished into handing the code over: an OTP proves only that whoever submits it can currently read a message sent to the registered number, not who that person is.

How Behavioral Biometrics Authentication Makes the Shift from SMS OTPs Easier

BNM urges Malaysian banks to drop SMS OTPs in favor of more secure authentication alternatives, including stronger forms of multi-factor authentication (MFA) such as hardware tokens for some transactions. With this move, BNM joins regulators and banks worldwide that have concluded SMS OTPs are no longer adequate for today's fraud prevention challenges.

A few years ago, a group of German banks dropped SMS-based OTPs to comply with the strong customer authentication requirements of the EU's revised Payment Services Directive (PSD2). Turkey's Law No. 7192 likewise restricts banks' use of SMS OTP for authentication.

Given these risks, it’s time for banks to consider a more effective approach to authentication: behavioral biometric technologies.

The biggest limitation of SMS OTPs is that they authenticate a customer at a single moment in time, and even then they only prove that whoever submitted the code could read a text sent to the registered number. If the customer's phone number or device has been compromised through SIM swapping or malware, the code is still entered correctly and the bank has no way of knowing. Behavioral biometrics, by contrast, can authenticate continuously at different points of the customer's journey.

The core principle of behavioral biometrics authentication is to ask "are you really you?" at each point of interaction. As its name suggests, it prevents account takeover by recognizing a user from their behavioral patterns: how they normally type, hold their phone, or swipe on the screen, which together form that person's unique digital identity. An SMS OTP can be submitted by anyone who can read the message. A person's behavioral patterns are much harder to replicate.
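
To make the "continuous" part concrete, here is a small added example (written for this page, not code from any behavioral biometrics product) of the idea: build a per-customer baseline from enrollment sessions, then score every checkpoint in a session, not just the login. The feature set (key dwell time, flight time between keys, swipe speed), the z-score model, the 2.5 step-up threshold and all sample values are assumptions constructed for illustration; a real product uses far richer signals and models.

```python
import statistics

FEATURES = ("dwell_ms", "flight_ms", "swipe_px_per_ms")
STEP_UP_THRESHOLD = 2.5   # assumption: mean |z| above this triggers a step-up challenge
MIN_STDEV = 1e-3          # assumption: floor so a constant feature cannot divide by zero

# Constructed enrollment sessions for one customer (not real telemetry).
# Each tuple: mean key dwell time (ms), mean flight time between keys (ms),
# mean swipe speed (px/ms).
ENROLLMENT_SESSIONS = [
    (92.0, 141.0, 1.20),
    (88.0, 150.0, 1.15),
    (95.0, 135.0, 1.25),
    (90.0, 144.0, 1.18),
    (93.0, 138.0, 1.22),
]


def build_profile(sessions):
    """Per-feature (mean, stdev) learned from the customer's enrollment sessions."""
    columns = list(zip(*sessions))
    return {
        name: (statistics.mean(col), max(statistics.stdev(col), MIN_STDEV))
        for name, col in zip(FEATURES, columns)
    }


def anomaly_score(profile, sample):
    """Mean absolute z-score of one observation against the enrolled profile."""
    zs = [abs(value - profile[name][0]) / profile[name][1]
          for name, value in zip(FEATURES, sample)]
    return sum(zs) / len(zs)


def evaluate_session(profile, checkpoints):
    """Score every checkpoint in a session, not only the login.

    checkpoints: list of (step_name, sample). Returns (step, score, decision)
    per checkpoint; "step_up" means the bank should demand a stronger factor or
    hold the action because the behavior no longer matches the enrolled customer.
    """
    results = []
    for step, sample in checkpoints:
        score = anomaly_score(profile, sample)
        decision = "step_up" if score > STEP_UP_THRESHOLD else "allow"
        results.append((step, round(score, 2), decision))
    return results


# Constructed session: the genuine customer logs in and browses, then the typing
# and swiping change at the payee/transfer steps (the device is now being
# operated by someone else). A login-only check would have passed this session.
HANDOVER_SESSION = [
    ("login",        (91.0, 143.0, 1.19)),
    ("view_balance", (89.0, 147.0, 1.17)),
    ("add_payee",    (55.0, 290.0, 0.60)),
    ("transfer",     (52.0, 305.0, 0.55)),
]

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT_SESSIONS)
    for step, score, decision in evaluate_session(profile, HANDOVER_SESSION):
        print(f"{step:13s} score={score:6.2f} -> {decision}")
```

The point of the session walk-through is the last two rows: the login checkpoint looks like the enrolled customer, so an OTP-at-login design would have admitted the whole session, while per-step scoring flags the payee and transfer actions, which is where the money moves.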

Ending SMS OTP is the First Step to Upgrade Fraud Prevention Efforts

Urging banks to shift away from SMS OTPs is one component of BNM’s five-part proposal to make digital banking safer. The other components urge banks to:

  • Implement a verification and cooling-off period for new enrollees of digital banking services or new devices;
  • Limit electronic banking authentication to a single mobile device or secure device per account holder;
  • Create a 24/7 online channel or hotline for customers to report scams and fraud incidents;
  • Strengthen fraud detection rules and triggers to block suspicious transactions.

Many banks use a rules-based system to detect fraudulent activity. Rules are easy to reason about, but for the same reason fraudsters quickly learn where the lines are drawn and work around them. Layering machine learning on top of a bank's existing rules improves the quality of alerts.

For example, say a bank sets its high-value transaction rule at $10,000. It won't take fraudsters long to learn where the limit is, and they simply keep each transaction below it, at $9,000, say, so no alert fires.

Machine learning models don't have to replace rules; they can supplement them by finding patterns in how customers transact. If the fraudster makes several transactions of $9,000 (each below the high-value threshold), the model can surface the suspicious pattern that no single transaction triggers. That's why banks should implement machine learning alongside their existing rules-based systems.
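
The following is an added example (not the page's or any vendor's code) showing exactly what the static rule misses and what a pattern check alongside it catches. It implements the aggregation as a sliding-window velocity check rather than a trained model, so the logic is fully visible; the 85% "near the limit" fraction, the 24-hour window, the three-payment count and the transactions themselves are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_VALUE_THRESHOLD = 10_000.0   # the fixed rule the article describes
NEAR_LIMIT_FRACTION = 0.85        # assumption: >= 85% of the limit counts as "just under"
WINDOW = timedelta(hours=24)      # assumption: look at each account's last 24 hours
MIN_NEAR_LIMIT_COUNT = 3          # assumption: three near-limit payments in the window

# Constructed sample data, not real transactions: (account, ISO timestamp, amount)
SAMPLE_TRANSACTIONS = [
    ("acct-A", "2024-03-01T09:00:00", 12000.00),   # single high-value payment
    ("acct-B", "2024-03-01T10:00:00",  9000.00),   # one payment just under the limit
    ("acct-C", "2024-03-01T08:00:00",  9000.00),   # three near-limit payments in one day
    ("acct-C", "2024-03-01T12:30:00",  9000.00),
    ("acct-C", "2024-03-01T19:45:00",  9000.00),
    ("acct-D", "2024-03-01T08:00:00",  9000.00),   # near-limit payments spread over days
    ("acct-D", "2024-03-03T08:00:00",  9000.00),
    ("acct-D", "2024-03-05T08:00:00",  9000.00),
]


def rule_high_value(amount):
    """The static rule: alert on any single transaction at or above the limit."""
    return amount >= HIGH_VALUE_THRESHOLD


def detect_structuring(transactions):
    """The pattern the static rule cannot express: repeated near-limit payments.

    Slides a time window over each account's near-limit transactions, so three
    $9,000 payments in one day trip it while the same three spread over a week
    do not. Returns a set of (account, reason) alerts.
    """
    alerts = set()
    by_account = defaultdict(list)
    for account, ts, amount in transactions:
        by_account[account].append((datetime.fromisoformat(ts), amount))

    for account, txs in by_account.items():
        txs.sort()
        near_limit = [
            (t, a) for t, a in txs
            if NEAR_LIMIT_FRACTION * HIGH_VALUE_THRESHOLD <= a < HIGH_VALUE_THRESHOLD
        ]
        start = 0
        for end in range(len(near_limit)):
            # drop transactions from the left until the window spans at most WINDOW
            while near_limit[end][0] - near_limit[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= MIN_NEAR_LIMIT_COUNT:
                alerts.add((account, "structuring"))
                break
    return alerts


def run_detection(transactions):
    """Rules and the pattern check side by side; neither replaces the other."""
    alerts = set()
    for account, _ts, amount in transactions:
        if rule_high_value(amount):
            alerts.add((account, "high_value"))
    alerts |= detect_structuring(transactions)
    return alerts


if __name__ == "__main__":
    for account, reason in sorted(run_detection(SAMPLE_TRANSACTIONS)):
        print(f"{account}: {reason}")
```

Running it alerts on acct-A (the rule) and acct-C (the pattern); acct-B and acct-D produce nothing, which is the behavior you want so the pattern check does not simply become a lower threshold that fraudsters learn next.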

3 Steps to Shift Away from SMS OTPs

The age of SMS OTP is coming to a close. As digital fraud and scams become more common, banks should invest in new solutions to prevent fraud. Here are three things banks can do to improve their fraud prevention efforts.

1. Invest in Behavioral Biometrics Authentication

SMS OTPs are too outdated and risky to keep as an authentication technique. Their biggest weakness is that the channel can be compromised at any time without the customer realizing it, so when a bank issues an SMS OTP it may unwittingly be granting a bad actor access to a legitimate customer's account. Behavioral biometrics authentication makes up for this shortcoming by getting to know customers at the behavioral level. How a customer holds their phone, swipes the screen, and types is much harder to steal or replay than a code that anyone holding the phone, or the phone number, can submit. Behavioral biometrics solutions also keep learning, refining the customer's unique profile every time they log in, which makes it progressively harder for fraudsters to impersonate them.

2. Go Beyond Rules, Implement Machine Learning Models

In addition to behavioral biometrics, banks should enhance their existing rules-based systems with machine learning models. Models are not bound by the fixed thresholds written into a bank's rules; they generate risk scores from patterns in the data rather than from hand-written conditions. With these models in place, banks can uncover suspicious patterns earlier and respond faster.

3. Invest in Future-Proof, Scalable Fraud Prevention Solutions

The volume of data generated in the digital banking age is exploding. Existing banking channels and technologies keep evolving, and new ones will be introduced, so any investment a bank makes should be future-proofed against later developments. Banks must ensure their solutions can handle big data in real time; a solution that cannot scale with the bank's data volume will lose effectiveness. For example, when an on-premise system can no longer keep up with the company's data volume, it is time to move to cloud-based infrastructure that can.

For many banks worldwide, it’s time to look closely at the effectiveness of their fraud prevention systems. Phasing out SMS OTPs for authentication in favor of more advanced solutions like behavioral biometrics is a long-overdue step. But it shouldn’t be the last one. From enhancing rules-based systems with machine learning to meeting the demands of big data, banks need to keep digital banking secure while ensuring customers can complete their transactions smoothly.