Stop using SMS OTP: Security is your responsibility

Nitish Chandan | Cyber Security, Law | 2 Comments

We have written multiple articles about 2FA (two-factor authentication). I am happy to share that a lot of people have opted for 2FA on their accounts after reading our posts and talking to us, whether via our WhatsApp helpline, Facebook Page or direct messages to our team members. If you haven’t read about 2FA and Google Authenticator yet, read this first. The dividing line now is between SMS OTP and app-based OTP.

What is OTP/ SMS OTP/ App based OTP?

OTP (one-time password) is a technology that uses mathematical algorithms to generate a secure code that is usable only once and is valid for a fixed time duration. Banks, social media services, email providers etc. use this technology to verify your login. Calling it two-factor means that, in addition to your password, this OTP acts as a second layer that verifies it is actually you. It is SMS OTP when the code arrives via text message on your device, and app-based OTP when an application on your smartphone generates it.

Every alternate day, there is a pathetic case in the nation where a fake SIM card is used as a tool to commit a crime. The reason is improper KYC (Know Your Customer) procedure and misuse of SMS OTP. I am sure most of you got your prepaid SIM card by just giving the retailer a copy of your ID proof and a few photographs. Most of you haven’t even seen the form that is to be filled in, and very few have actually signed it. Yes, that is right. It is a cakewalk today to get anyone’s duplicate SIM card issued and misuse it to any effect. Let us assume you fall victim to some fraud. All you are left with is cursing, abusing and blaming your telecom, bank, social media service etc. Yes, security is their duty as well.

But since it is your personal data, money and information that we are talking about, is it going to harm you too much to be a little proactive and take the liability upon yourself to stay safe?

Getting hacked and defrauded might sound astonishing, but it is a nightmare for those who actually go through it. Just a few days ago, I was reading a great article about levels of personal security. It wonderfully explained how, with a few simple implementations in your digital life, you can curb the chances of getting hacked by up to 80%. Two-factor authentication is one of the parameters. If you have two-factor authentication enabled for your bank account transactions and your OTPs arrive via SMS (SMS OTP), it’s time to upgrade. Almost all major banks today have their own apps to generate the OTP with or without an internet connection. Major social media services offer this feature too, and it takes a few seconds to turn it on. Today, most of your digital life involves online banking and social media.

App-based OTP thus puts SMS OTP out of the picture and makes the second factor dependent only on your device. This makes it difficult for a hacker to gain access to your account through SIM duplication, reading your SMS etc., and so strengthens your personal security. Here are links to a few applications. In case of any doubt or clarification, we’d love to hear from you!

ICICI Bank

SBI Bank

Google Authenticator – For all other accounts including Facebook, Gmail, Outlook etc.

Note: This post is a part of a series that we are going to launch about personal cyber security. We will be publishing individual articles about things you can do to strengthen your personal security ecosystem.


2 Comments on “Stop using SMS OTP: Security is your responsibility”

  1. Hi,
    If the phone company allots my phone to another customer after being inactive for two months,
    can the new customer with my phone no. hack into bank accounts?
    Even if I have the original SIM card, will my bank OTP go to the new allottee of the phone no.?
    Thanks

    1. Hi,
      Consider that there are two persons – A & B. A has a number 1234567890 which remains inactive for a certain period of time. The telecom service provider issues a new SIM card to B for the same number. Once this new SIM card is issued to B, the SIM card with A is simply useless.

      And since this number is still a registered mobile number of A in the bank’s records, B can easily carry out transactions and reset passwords.

      Thanks,
      Raj P
