Honey Badger

Is SMS OTP secure?

Administrator
Article

SMS OTP, also known as a One Time Password, is a security measure that involves users receiving a unique code via text message to verify their identity during transactions or when logging into their accounts. While SMS OTP is commonly used for its convenience, it does have vulnerabilities that make it less secure compared to other authentication methods:

Phishing and Social Engineering

Attackers can employ phishing tactics to deceive users into disclosing their OTPs. They may send messages that appear legitimate requesting users to provide their OTPs for various reasons. Furthermore, social engineering techniques can be used to manipulate individuals into revealing their OTPs.

SIM Swapping

Cybercriminals can execute a swap by convincing a mobile carrier to transfer the victims phone number to a new SIM card under their control. This enables them to intercept SMS messages, including OTPs effectively bypassing the intended security measures.

Malware and Device Compromise

If a user’s device becomes compromised by malware, attackers can gain access to stored SMS messages on the device, including OTPs. This undermines the effectiveness of using OTPs for security purposes.

Watch Now Icon The Risk of Invoice Financing

Consider alternatives to SMS OTP, such as Silent Authentication using the mobile network.

Play Video

Network Vulnerabilities

Weaknesses in the network infrastructure can potentially lead to interception or redirection of SMS messages, particularly if outdated protocols are being used.

Lack of Forward Secrecy

SMS OTPs are not designed with forward secrecy in mind. If an attacker manages to obtain an OTP, they can potentially use it to access an account even after the user has changed their password.

As you can see, while SMS OTP offers convenience in verifying identities during transactions or account logins, it does have vulnerabilities that you should be aware of.

So what are the alternatives? The good news is that authentication solutions like Silent Authentication offer more protection while also reducing customer friction.

If SMS OTP is still your preferred (or only!) option, then you can protect yourself by running SIM Swap and other fraud checks prior to issuing the OTP. This adds protection by querying the Mobile Network Operator and detecting recent changes or settings that indicate fraud.

Get a demo of SMS OTP alternatives

Enter your email address and we’ll send over some times for a demo.

Honey Badger HQ

Subscribe to receive updates on new posts

Related Posts

CloseMenu

Partner with us

Complete the form below and we’ll be in touch to kick off a discussion. 

Account Servicing

Stop fraud and improve customer experience during account servicing by eliminating SMS One Time Passwords (OTP). Instead, leverage phone based SIM authentication which involves comparing data generated by the Mobile Network Operator (MNO) with mobile device session data. This provides a foolproof way of proving that an individual is in possession of their two-factor device.

Benefits

This new approach to authentication isn’t susceptible to SIM swap attacks and doesn’t require the user to enter a password. Ultimately, account takeover attacks are blocked, while customer experience is improved and the time taken to service a request us reduced.

Made for

 LENDERS   ONBOARDING   AUTHENTICATION 

Get started via

 EMBEDDABLE WIDGET   API 

Pricing

 PAY PER AUTHENTICATION 

Request a demo

Contact Data Cleaning

Contact Data Cleansing verifies that the contact and personal information you hold isn’t out of date or inaccurate. Data is compared against the information held on file by Mobile Network Operators (MNOs). Whether processing a single record or sanitising thousands of records in batch, you’ll quickly identify bad data.

Benefits

The case for maintaining up-to-date records goes way beyond good practice for compliance and regulatory reasons. It’s critical to ensuring customers are contactable. Furthermore, it reduces security threats by ensuring communications aren’t sent to the incorrect individuals.

Made for

 LENDERS   FINTECH  KYC 

Get started via

 WEB INTERFACE   API 

Pricing

 PAY PER RECORD CHECK 

Request a demo

SIM Swap Detection

SIM Swap Detection is a critical step in stopping account takeover. Why? Because account takeover attacks commonly exploit the ease of which a phone number can be stolen by simply assigning it to a new SIM. This allows bad actors to intercept communications, such as SMS one-time-passwords (OTP), which are used by 93% of enterprises worldwide to verify customers.

Benefits

SIM Swap Detection instantly and silently checks the history of a SIM card to see when it was last swapped. Recent swaps indicate high risk of fraud, allowing you to take appropriate action, such as failing verification or requesting additional security procedures are followed.

Made for

 FRAUD PREVENTION

Get started via

 WEB INTERFACE   API 

Pricing

 PAY PER SIM SWAP CHECK 

Request a demo

Social Trace

Social Trace significantly reduces the risk of losing contact with your customers by diversifying communication channels. Simply drop the Social Trace widget into your onboarding workflow and allow customers to connect one or more social channels with just a click.

Benefits

Lenders who capture social channels are significantly less likely to lose contact with their customers. Why? Because different demographics prefer to engage over different channels. This is particularly important when it comes to collections. Initiating contact over different channels increases your chances of getting a response, which in turn increases the likelihood of resolving late or non payment. 

Made for

 LENDERS   ONBOARDING   COLLECTIONS

Get started via

 EMBEDDABLE WIDGET 

Pricing

 MONTHLY FEE 

Request a demo

Mobile Fraud Check

Mobile Fraud Check allow you detect fraud indicators using data provided by Mobile Network Operators (MNOs). Key checks include device overseas, call forwarding, SIM swap, a high risk number database lookup and much more.

Furthermore, Mobile Fraud KYC allows you to verify a person’s firstname, lastname, date of birth and postcode against the data held on file by MNOs. Since MNOs conduct their own KYC checks on new customers, it gives you the ability to match personal information you collect against a trusted and verified source.

Benefits

Mobile Fraud Checks happen instantly and with zero customer friction. The data held by MNOs is often more recent and reliable than other data sources and a level of granularity is provided,  allowing you to see how many and which KYC fields matched.

Made for

 LENDERS   ONBOARDING   FINTECH  RISK ANALYSIS

Get started via

 WEB INTERFACE   API 

Pricing

 PAY PER LOOKUP 

Request a demo

Mobile Data for Credit Risk

Mobile Data for Credit Risk delivers the data required to predict credit risk based on a persons mobile phone information. Key data attributes include the network provider, line type, and KYC match information. Working in partnership with lenders we’ve been able to clearly identify correlations between this data and the likelihood of a loan going into arrears.

Benefits

Open Banking Vs Mobile Data. Which is the most effective in predicting bad borrowers? A recent project with a UK lender compared a risk model built with Open Banking against a model built with Honey Badger’s Mobile Data. The results showed that both models outputted almost identical risk scores. The difference? Mobile Data could be deployed immediately with no customer friction required to calculate a risk score.

Made for

 LENDERS   ONBOARDING  RISK

Get started via

 EMBEDDABLE WIDGET   WEB INTERFACE   API 

Pricing

 PAY PER LOOKUP 

Request a demo

Geo Authentication

Geo Authentication™ provides frictionless identity verification that reduces abandonment rates. Users simply select images that they recognise from nearby to their address. In built anti-fraud controls ensure that valid users can complete the challenge whilst bad actors are blocked.

Benefits

Leading lenders such as Amplifi Capital use Geo Authentication during applications as an alternative to more intrusive identity verification checks, such as document uploads, that cause high friction and lead to increased dropouts. Completion rates with Geo Authentication are 28% higher and have subsequently helped drive an increase in revenue for the business.

Made for

 LENDERS   ONBOARDING   ACCOUNT RECOVERY 

Get started via

 EMBEDDABLE WIDGET   WEB INTERFACE   API 

Pricing

 PAY PER AUTHENTICATION CHECK 

Request a demo