Why One-Time Passcodes Are So 2019

Greg Esser, director of strategic partnerships in the U.S. at Entersekt, said one-time passcodes (OTPs) are due for a reckoning.

For now, OTPs are still a valid way for consumers to authenticate themselves and the transactions they wish to complete.

But OTPs, he told PYMNTS in an interview, are increasingly being targeted by fraudsters.

Beware the Man in the Middle

“Man-in-the-middle attacks can easily defeat one-time passcodes,” said Esser, noting that emails carrying innocuous-seeming links can lure unwitting recipients into clicking and give attackers access to communications and back-office systems — from there, they can go on to impersonate banking executives, chief financial officers or IRS officers.

And for the consumer, said Esser, “You’re receiving a text message from your bank … you click that link, and in all reality, you’re actually navigating to a fraudster site.”

The fraudster captures the username and password entered on the fake site, moves to the real banking site, triggers the OTP prompt for authentication there, and then gains full access to the accounts.

We’re moving bit by bit away from OTPs and other “traditional” means of authentication — a pivot that will be determined, at least in the near term, on a market-by-market basis.

Data sharing is paramount, Esser said.

“If we don’t do it, then we’re going to be stuck in a negative infinity loop that just keeps on going … until the marketplace puts its hands up and says, ‘All right, we have to make an adjustment.’”

Regulation such as PSD2 has laid out something of a roadmap. He added, “we’re moving in the right direction, across the globe, with regulations changing” and with marketplaces and financial institutions (FIs) better understanding who their cardholders are — and aren’t — through the use of data and behavioral biometrics.

The shift toward harnessing data and behavioral biometrics has hit some stumbling blocks because some smaller FIs, including credit unions, don’t have the budget or the staff on hand to upgrade their technology, Esser said. But partnering with providers and platforms can ease the transition, minimize dependency on OTPs delivered via mobile SMS and email, and create a better consumer experience.

Some Guiding Principles

No matter the approach the FI takes, said Esser, “the focus should really be on how the cardholder normally authenticates themselves instead of introducing a new solution that the customer might even think is fraud. Then they call the bank, and the bank’s call center volume goes up,” and operational expenses rise too.

Banking technology providers are proving adept at making a range of solutions available to serve those purposes — and at communicating clearly to cardholders and customers that there are other ways of authenticating themselves, he added. There’s room for continued inroads to be made with 3DS, as merchants and FIs can look at robust data streams at the pre-authorization stage to gauge risk in near real time.

“We’re seeing these merchants and financial institutions work together with the new versions of EMV 3DS, sharing information” that can authenticate users in a frictionless way — or step up that friction on an as-needed basis, he said.

Linking better behavioral analytics and risk decisioning has the positive ripple effect of sending more “good” transactions through the commerce ecosystem, he added.

“We’re all angling to identify the right mix,” he concluded, referring to the marriage between technology and risk-based decision-making.