One-Time Passwords (OTPs) are used by banks to authenticate logins and authorize transactions, by ecommerce companies to confirm deliveries, by UIDAI for Aadhaar-based verification, by stock brokers to confirm trades, by taxi aggregators to confirm trips, and in many other similar use cases.
Numerous news reports describe people being tricked into revealing their OTP, losing their hard-earned money and, as a result of the loss, suffering serious health problems. Scamsters are well trained to talk in a way that sounds genuine and to earn the trust of their victims.
Currently most OTPs are plain numeric values of 4 or 6 digits. What if we had a distinct alphanumeric OTP format that prefixes a meaningful word like "BANK" to every OTP that would debit money from a user's account? A format that clearly marks a money-related transaction, and that common people can easily understand, would make users aware that money will go out of their account the moment they key in the OTP. The prefix is a fixed label and carries no secret; the random part of the OTP must keep its full length so that the tagged OTP is no easier to guess than today's.
Below are a few examples of OTP formats that could be standardized for money-related transactions:
If there are technical difficulties with alphanumeric OTPs, an alternative is to prefix the OTP with two or three zeros, which would symbolically denote a transaction that debits money from the user's account once the OTP is keyed in. One caveat for implementers: the OTP must then be generated, stored and compared as a string, because any system that parses it as a number will silently drop the leading zeros, and the zeros must be a fixed prefix added on top of the usual random digits rather than taken out of them, otherwise the OTP becomes easier to guess.
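To make the two proposals above concrete, here is an added Python example (mine, not code from the original post): an issuer that generates tagged OTPs such as BANK-048213 with the secrets module, a verifier that checks the tag against the purpose of the transaction being authorized so that an OTP issued for a login cannot be replayed to approve a debit, the zero-prefixed fallback, and a small check showing why the zero-prefixed variant must be handled as a string. The tag names, the six-digit length and the hyphen separator are my assumptions; no such standard exists yet.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Purpose tags are illustrative assumptions, not a standard. The post
# suggests a word such as "BANK" for OTPs that debit the user's account.
PURPOSE_TAGS = {"debit": "BANK", "login": "LOGIN"}
OTP_DIGITS = 6


def generate_otp(purpose: str, digits: int = OTP_DIGITS) -> str:
    """Return a string OTP such as 'BANK-048213' for the given purpose.

    The random part always has exactly `digits` digits (zero padded), so the
    tag adds readability without shrinking the guessing space, and the value
    is kept as a string so leading zeros survive storage and transport.
    """
    tag = PURPOSE_TAGS[purpose]
    code = secrets.randbelow(10 ** digits)
    return f"{tag}-{code:0{digits}d}"


def generate_zero_prefixed_otp(zeros: int = 3, digits: int = OTP_DIGITS) -> str:
    """Fallback format from the post: fixed leading zeros mark a debit OTP.

    The zeros are added in front of the full random part, not taken from it.
    """
    code = secrets.randbelow(10 ** digits)
    return "0" * zeros + f"{code:0{digits}d}"


def split_otp(otp: str) -> Optional[Tuple[str, str]]:
    """Parse 'TAG-DIGITS' into (tag, digits); None if the shape is wrong."""
    tag, sep, code = otp.strip().upper().partition("-")
    if not sep or tag not in PURPOSE_TAGS.values() or not code.isdigit():
        return None
    return tag, code


def verify_otp(entered: str, issued: str, purpose: str) -> bool:
    """Accept only if the entered OTP equals the issued one AND its tag
    matches the purpose of the transaction being authorized.

    Binding the tag to the purpose means an OTP the bank issued for a login
    cannot be reused by a scamster to approve a debit.
    """
    parsed = split_otp(entered)
    if parsed is None:
        return False
    tag, _ = parsed
    if tag != PURPOSE_TAGS[purpose]:
        return False
    # Constant-time comparison of the whole string, tag included.
    return hmac.compare_digest(entered.strip().upper().encode(), issued.encode())


def survives_numeric_parsing(otp: str) -> bool:
    """Show the leading-zero pitfall for purely numeric OTPs: a backend that
    stores the OTP as an integer hands back a different string from the one
    that was sent to the user, so the '000' marker is lost and the match fails."""
    return str(int(otp)) == otp


if __name__ == "__main__":
    debit = generate_otp("debit")
    login = generate_otp("login")
    print("debit OTP:", debit, "login OTP:", login)
    print("login OTP accepted for a debit?", verify_otp(login, login, "debit"))
    print("zero-prefixed OTP survives int():", survives_numeric_parsing(generate_zero_prefixed_otp()))
```

The verifier deliberately compares the full string, tag and digits together, and rejects any OTP whose tag does not match the transaction being approved; the tag is what the user reads, the purpose check is what the server enforces.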
If the central agencies (such as the RBI) can arrive at a format, it can be standardized for all money-related transactions across all banks. The public can then be educated to recognize an OTP for a monetary transaction and never share it with anyone. We can also keep reminding the public that no OTP is ever needed to receive money.
Of late I also read news on how people get cheated when they search for customer care numbers online and end up calling dubious numbers. The crooks on the call convince innocent people to install screen sharing apps, generate an OTP and carry out banking transactions using the OTP they can view while the screen is shared.
Suggestion: Android currently shows small green privacy indicators while the phone's camera or microphone is in use. In the same way, the user should be clearly shown that their screen is being shared, and, to prevent misuse during screen sharing or mirroring, the Android operating system should block access to notifications, messages, email, banking apps and similar sensitive apps while the screen is shared. Banks do not have to wait for the platform: Android already lets an app mark its windows with FLAG_SECURE, which blanks them in screenshots, screen recordings and casts, so banking apps should set it on every screen that shows or accepts an OTP. That flag does not cover the SMS app or the notification shade where the OTP actually arrives, which is why a platform-level control is still needed.
With respect to customer care numbers being altered on Google Maps or in search results, one resolution could be for the RBI (Reserve Bank of India) to maintain a page with the customer care numbers and email IDs of all banking and financial entities, similar to how it is done here. When someone searches for e.g. "SBI customer care no." on Google, Google can prioritize the official RBI page both in the search results and in the side panel that shows details from Google Maps, along with a note advising the public to rely only on the contact details published by the RBI or on the bank's official website.