
Beyond SMS: Why app-based OTPs are the future of secure online banking | OPINION

App-based OTPs, supported by global regulatory mandates, could secure online banking, offering superior protection over vulnerable SMS-based authentication.


Banking communications have experienced an evolution over recent decades, moving from paper-based statements and mailed notifications to the immediacy and personalisation of digital messaging.

Today, as the demand for secure and real-time account alerts grows, financial institutions are critically evaluating the efficacy of their notification channels, especially when it comes to authentication methods like one-time passwords (OTPs).

SMS: Old and ubiquitous

SMS-based OTPs have long served as a widely accessible second layer of authentication. Their main appeal has been their universality: virtually anyone with a mobile phone, regardless of smartphone ownership or internet connectivity, can receive an SMS OTP.

However, research and a series of high-profile security incidents have exposed the substantial limitations of SMS as a security channel. An SMS is not end-to-end encrypted: it is readable by the carriers that relay it, and its delivery depends entirely on the security of the mobile network. Attackers increasingly exploit the signalling protocols (such as SS7) by which network elements exchange routing information, as well as the carriers' own customer-service processes, to intercept or redirect messages.

Alongside outright attacks, delivery failures and message manipulation leave customers exposed to account compromise or fraud. According to a security study by the Payments Council of India (PCI), over 900,000 phishing and fraud cases related to OTP and SMS occurred in India between 2020 and 2022, leading to significant financial losses.

The security concerns around SMS OTPs have grown with the sophistication of cybercrime tactics, to the point where an SMS OTP on its own is no longer sufficient to safeguard sensitive banking transactions.

Fraudsters exploit these weaknesses routinely, and the result is a notable uptick in incidents where customers' accounts are compromised and funds are stolen.

SIM-swapping (persuading a carrier to move the victim's number to the attacker's SIM), real-time phishing pages that relay the code the victim types, and malware that reads incoming messages all defeat an SMS OTP without touching the bank's systems. Defences therefore have to be layered: a second factor that does not depend on the phone number, hardening of the authentication tokens themselves, and behavioural monitoring that flags anomalous sessions.

Furthermore, as more customers move to smartphones and digital channels, the static, one-way nature of SMS alerts becomes a drawback. Regulators, including the Reserve Bank of India, have begun steering banks away from SMS-only OTP authentication because of these shortcomings.

Studies indicate that about 10-15 per cent of SMS OTPs never reach users because of network congestion, carrier filtering, and device issues, which increases user frustration and operational costs for banks.

The inability of SMS-based systems to provide context-embedded or actionable notifications further reduces their effectiveness in a modern digital banking landscape.

App-based OTPs: The safer alternative

App-based OTP systems, integrated directly into banks’ own applications or through recognised authenticator apps, offer security and control that SMS simply cannot match.

These codes are generated on the device from a secret seed that is provisioned once at enrolment, and verified by the bank's server, which holds the same seed. The code itself is never sent to the phone, so there is nothing for an attacker on the telecommunication network to intercept or redirect; the only thing that travels is the code the customer submits, inside the app's encrypted session.

Because authenticator apps are bound to a specific device and usually protected by a local biometric or PIN, an attacker needs the device (or malware running on it), not merely control of the phone number, to obtain codes. One caveat a practitioner would add: a code the user is tricked into typing into a fake site within its validity window is still usable by the attacker, so the strongest deployments bind the code to the transaction being approved (amount and payee shown in the app) rather than treating it as a free-standing secret.
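To make the mechanism described above concrete, here is a small added example (not code from the article or from any bank) of how an authenticator app derives a code and how a server verifies it: RFC 4226 HOTP and RFC 6238 TOTP in Python using only the standard library. The seed value, the 30-second step and the one-step clock-skew tolerance are assumptions for illustration; the verifier also refuses to accept a counter it has already accepted, so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed for this example (base32, the form authenticator
# apps accept). A real seed is generated server-side at enrolment, shown to
# the app once (usually as a QR code) and never transmitted again.
DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30          # time-step in seconds (RFC 6238 default)
DIGITS = 6         # code length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step)


class TotpVerifier:
    """Server side. Accepts codes from `skew` steps either side of the current
    one (tolerating clock drift) and refuses any counter at or below the last
    one accepted, so a code that was captured and resubmitted is rejected."""

    def __init__(self, seed: bytes, skew: int = 1, step: int = STEP):
        self.seed = seed
        self.skew = skew
        self.step = step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue                      # window already used: replay
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter   # burn this window
                return True
        return False


if __name__ == "__main__":
    seed = base64.b32decode(DEMO_SEED_B32)
    now = int(time.time())
    # The app computes the code locally; only the six digits the user types
    # travel to the bank, over the app's TLS session, never via SMS.
    code = totp(seed, now)
    server = TotpVerifier(seed)
    print("first submission accepted:", server.verify(code, now))
    print("same code resubmitted:    ", server.verify(code, now))
```

The shared seed is the only secret; both sides compute the same code independently, which is why the telephone network plays no part once enrolment is done. The `last_counter` check is what turns "valid for 30 seconds" into "valid once": without it, an attacker who phishes a code can submit it again within the same window.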

App-based OTPs enhance user experience by enabling banks to send interactive, real-time notifications that support instant responses and in-app verification.

Integrated with adaptive features like risk-based authentication for unusual activity, they meet the growing demand for both security and convenience in financial services. To strengthen protection further, multifactor authentication (MFA) incorporating app-based OTPs, biometrics, and behavioural analytics could become standard for sensitive operations.

Adapting regulations for a secure digital era

As the frequency and sophistication of cyber threats continue to rise, the shift to app-based OTPs has become a necessary evolution for banking security. To ensure that these security benefits are accessible to every segment of the population, regulatory frameworks must adapt to the changing landscape.

This begins with mandating multi-factor authentication, requiring banks to implement security systems that prioritise app-based OTPs, particularly for sensitive transactions.

For instance, the Monetary Authority of Singapore (MAS) has had banks run SMS and app-based (digital token) alerts side by side during the transition to app-based authentication. This hybrid approach preserves service continuity and inclusivity for customers with varying levels of technology access.

Meanwhile, in the European Union the revised Payment Services Directive (PSD2), with technical standards drawn up by the European Banking Authority, mandates Strong Customer Authentication (SCA) for electronic payments: the customer must present at least two independent factors (something they know, have or are), and for remote payments the authentication code must be dynamically linked to the amount and the payee. This does not ban SMS outright, but it pushes banks toward device-bound methods, because a code tied to a specific transaction and generated on a registered device cannot be redirected or reused the way an intercepted SMS code can.

Similarly, the United Kingdom’s Financial Conduct Authority (FCA) enforces continuous security enhancements for financial institutions. These include routine vulnerability assessments, mandatory security testing, and public transparency reporting. Such requirements foster a consistent culture of cyber resilience in digital banking communications.

Revised regulatory approach is the need of the hour

India must act decisively. By adopting the proven strategies of these regulators, it can secure its digital banking landscape and protect financial transactions against evolving threats.

Embracing app-based multi-factor authentication, while maintaining hybrid notification systems for inclusivity, is essential to protect millions of users from the increasing cyber threats. Regulatory mandates for continuous security testing and transparency will ensure resilient defences against fraud.

Ram Rastogi

The time to modernise is now, as delaying will put users and institutions at unnecessary risk.

The author is a digital payments strategist and the Chairman of the Governance Council, Fintech Association for Consumer Empowerment (FACE)

The opinions expressed in this article are those of the author and do not purport to reflect the opinions or views of THE WEEK.