‘SMS OTP no longer secure’: Data security threats in digital banking bared

March 20, 2023 - 4:42 PM
Automated teller machine Photo by Peggy und Marco Lachmann-Anke via Pixabay

Data security experts revealed that the use of one-time passwords (OTP), which are common in online transactions, is no longer as effective as before.

Representatives from Utimaco, a cybersecurity firm, and Securemetric, an IT service provider, explained this in a forum about the top cybersecurity threats in digital banking in the Philippines.

Topics related to digital banking in the world and in the Philippines were discussed with reporters and other stakeholders at the forum in Makati City on March 15.

Photo of Deval Sheth, managing director of Utimaco Asia Pacific, and Edward Law, CEO and executive director of Securemetric during the forum for digital banking infrastructure in the Philippines on March 15, 2023 (Released)

These include cybersecurity trends, threats, and best practices in digital banking.

Among the new threats seen is the lack of security in one-time passwords (OTP) being delivered or sent via short messaging services (SMS). This authentication process is common in digital banks in the Philippines.

Edward Law, CEO and executive director of Securemetric, bared that OTP is no longer secure because text messages can now be easily compromised by malware.

“Many banks are using SMS OTP, the one-time password [that is delivered] by SMS. However, SMS OTP [is] already no longer secure because today, malware can possibly intercept the SMS, right? Without you knowing it,” Law said.

According to the company executive, a common case is bank account owners losing money even though they received no notification of any transaction from their bank.

“The bank account owner [complained] how come my money gone away without me noticing it. I don’t receive any SMS. Why [is my] money gone?” Law said.

“So this [is] mostly due to the fact the SMS perhaps [has] been intercepted,” he added.

Other common cybersecurity threats

Law and Deval Sheth, managing director of Utimaco Asia Pacific, told Interaksyon that they also see phishing and the proliferation of unregulated mobile applications as the top concerns in the digital banking infrastructure of the Philippines.

  • Phishing

Law said that phishing, a common cybercrime that involves the theft of victims’ sensitive data, is still common not just in the Philippines but also in the entire region.

He also said that hackers are becoming “smarter” over time.

“They will try to send you [an] SMS and say they are from [an] electricity company, right? They make you view your bill for example or make you actually click to check your balance,” Law said.

“[They also] actually issue news and say that Air Asia is giving away one million tickets. Please click this to claim your free tickets,” he added.

Law said that these are schemes through which malware gets onto bank account owners’ devices, where it can then intercept their messages.


  • Unregulated apps

Sheth, meanwhile, raised concerns about the rapid rise of mobile applications for digital lending and remittance services.


He described the nature of digital lending services done via apps as “small-ticket” items. Meanwhile, he called the loans being transferred through remittance apps “short-value loans.”

Sheth observed that most of these apps are unregulated by the central bank.

“If you look at the app hardening or if you look at the security of the data, the transactional data, or data in motion, I think there is work to be done. Also, [remittance] is as such not a regulated entity. There is a moral guideline [that] has been given by the central bank,” Sheth said.

“These apps are not really regulated. So in some of these cases, there will have to be some intervention also which is external in nature so that the citizen[s’] data and the citizen[s’] money [are] kept secure,” he added.

Possible solutions in the future

A new device or application called a hardware security module (HSM) is now being used by some merchants, including banks, to better secure their digital infrastructures.

There are also different types of HSMs, depending on the volume of data that business entities need to protect.

“HSMs are essential to protect the ciphered transactions across the four corners of the data ecosystem. It acts as a safe in a financial institution’s network and houses the keys needed to decrypt consumers’ critical data. Now that banking transactions are increasing, data security and identity protection are more at risk from cybercriminals. This makes HSMs vital to the key parties in the data ecosystem,” Sheth said.