Are OTP’s still effective?

Everywhere you look you see another headline about fraud. Whether synthetic, check, or account takeover scams, you don’t have to look far to find another financial institution (FI) targeted. Fraud has become a major concern mainly due to increased transaction volume and data breaches exposing private information. And even though solution providers are continuing to push innovation forward, the world of fraud is only becoming more and more complex.  

The 4th pillar in lending

The traditional pillars of unsecured lending still hold true today. Credit decisions must incorporate these traditional factors: 

• Ability to pay 
• Stability 
• Willingness to pay 

However, due to modern fraud threats, a fourth pillar of lending has emerged: presence. 

What is proof of presence? 

Proof of presence means confirming that the person on the other end of a transaction is in fact who he or she claims to be, and is presently engaged in said interaction. In the past, FIs would only use standard authentication procedures or challenge questions to establish presence, but fraudsters may have access to and know this information on par with (if not better than) the actual customer.

3 reasons why OTP’s can be beat

Many FIs have implemented modern authentication methods like one-time passcodes (OTP) or one-time links (OTL). However, these methods, when deployed alone, are being compromised. But is the passcode delivery mechanism the problem? The answer is no. Here are three common missteps FIs make when trying to establish proof of presence with OTP’s:

1. Sending OTP’s to unverified phone numbers.
2. Failing to fortify the OTP process with strong anti-hijacking detection measures.
3. Ignoring warning signals before sending OTP’s.

1. Unverified phone numbers

Authentication starts with the phone number, and the phone number must link to the consumer. Tenure, frequency and velocity are critical when establishing phone number linkage. At Innovis we spend a lot of time understanding the relationship between the phone number, device, and the consumer in order to confirm ownership and detect out-of-pattern anomalies. 

2. Failing to fortify the OTP process with proper security measures

When OTP compromises are reported, a detailed review of the cases frequently reveals that the OTP process used was not fortified with appropriate risk controls. Since the introduction of phone-based authentication, bad actors have devised a number of schemes to undermine the security of the process. These schemes include stealing a victim’s phone number via porting or SIM swap, using higher-risk VoIP or prepaid phone services, installing message-forwarding malware on a victim’s device, manipulating victims through social engineering scams, and others. An effective OTP or other phone-based authentication system must include countermeasures to detect these and other tactics to secure the process. Furthermore, it’s important to layer on behavioral measures to detect out-of-pattern activity, which is especially valuable when a specific takeover tactic evades other technology-based risk checks.

3. Bypassing Initial Warning Signals

Delivering the best customer experience can be a differentiator, but at what cost? FIs must resist the temptation of skipping another security check in order to deliver the best CX. In post-mortem reviews, we frequently find that there were risk indicators present, but the agent chose to continue by using a different phone number, vendor, or process. Fraudsters, however, are often well-versed in these alternate processes and will use them to identify and exploit weaknesses. They are also very persuasive communicators. The most effective way to remove this human temptation is to use technology that automates case handling and routing based on business rules, ensuring proper and consistent treatment. FIs that leverage this type of technology and embedded business logic, whether with their own or third-party platforms, can effectively insulate their business from questionable human judgment calls and the pressures of a bad actor attempting to exploit the goodwill of their personnel. 

Trust the tool

The technology of one-time passcodes and links, specifically those with layered security checks, are effective for proving the presence of a customer. 

The key is to trust the tools and leverage technology that helps implement business rules to automate case handling. By doing so, FIs can streamline processes, reduce average handle time (AHT) and deliver exceptional customer experiences, all while bolstering their defenses against fraud.

* Reminder – GLBA products may not be used to make lending decisions.