Suggestions to curb OTP related monetary frauds

Image source: Google image search – AppIndia News

One-Time Passwords (OTPs) are used by banks to authenticate user logins and authorize transactions, by e-commerce companies to confirm deliveries, by UIDAI for Aadhaar-based verification, by stock brokers to confirm trades, by taxi aggregators to confirm trips, and in many other similar use cases.

Numerous news articles report that people are being scammed into revealing their OTP, losing their hard-earned money and, as a result of the loss, suffering serious health issues. Scamsters are well trained to talk in a way that sounds very genuine and earn the trust of their prey.

Currently most OTPs are 4-digit numeric values. What if we had a distinct alphanumeric OTP format that prefixes a meaningful word like “BANK” to transactions that would debit money from a user’s account? Such a format would clearly denote that it is a money-related transaction and could be easily understood by common people, so that they know money will go out of (be debited from) their account when they key in the OTP.

Below are a few example OTP formats that could be standardized for money-related transactions:

  • BANK1234
  • BANK123456
  • BNK1234
  • PAY1234
  • SEND1234
  • DEBIT1234
  • M1234 (M denotes Money)

If there are technical difficulties in issuing alphanumeric OTPs, then the OTP could instead be prefixed with 2 or 3 zeros, which would symbolically denote a transaction that debits money from the user’s account once the OTP is keyed in:

  • 0001234
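To make the proposal concrete, here is an added example (not code from the original post) of how an issuing system could generate OTPs in the proposed debit format and how a phone or SMS app could recognise one and explain it to the user. The prefixes and the three-zero fallback are the ones listed above; the assumption that every listed prefix is accepted, the 4-to-8-digit body length and the message wording are mine.

```python
import hmac
import re
import secrets

# Prefixes proposed in the post for OTPs that authorize money leaving an account.
# Assumption: a regulator would standardize one of them; all are accepted here.
DEBIT_PREFIXES = ("DEBIT", "BANK", "SEND", "BNK", "PAY", "M")
# Numeric-only fallback from the post: three leading zeros mark a debit OTP.
ZERO_MARKER = "000"

# A debit OTP is a marker followed by 4 to 8 random digits.  Longer alternatives
# are listed first so "DEBIT1234" is matched as DEBIT + 1234, not as something else.
_DEBIT_RE = re.compile(r"^(?P<marker>DEBIT|BANK|SEND|BNK|PAY|M|000)(?P<body>\d{4,8})$")


def generate_otp(debit: bool, digits: int = 4, prefix: str = "BANK",
                 numeric_only: bool = False) -> str:
    """Issue a fresh OTP. Non-debit OTPs are plain digits; debit OTPs carry a visible marker."""
    if not 4 <= digits <= 8:
        raise ValueError("OTP body must be 4 to 8 digits")
    if prefix not in DEBIT_PREFIXES:
        raise ValueError(f"unknown debit prefix {prefix!r}")
    # secrets, not random: an OTP must stay unpredictable to someone who saw earlier ones
    body = "".join(secrets.choice("0123456789") for _ in range(digits))
    if not debit:
        return body
    return (ZERO_MARKER if numeric_only else prefix) + body


def classify_otp(otp: str) -> str:
    """Return 'debit' for the money-out format, 'plain' for an ordinary digit OTP, else 'invalid'.

    Caveat of the zero-prefix scheme: an ordinary OTP must never be issued with
    three leading zeros and 7 or more digits, or it would look like a debit OTP.
    """
    code = otp.strip().upper()
    if _DEBIT_RE.fullmatch(code):
        return "debit"
    if code.isdigit() and 4 <= len(code) <= 8:
        return "plain"
    return "invalid"


def user_message(otp: str) -> str:
    """Wording an SMS could carry alongside the code so the marker is explained, not just shown."""
    kind = classify_otp(otp)
    if kind == "debit":
        return f"{otp} authorizes a DEBIT from your account. Never share it; no OTP is needed to receive money."
    if kind == "plain":
        return f"{otp} is a login/verification code. Do not share it with anyone."
    return "Not a recognized OTP format."


def verify_otp(submitted: str, issued: str) -> bool:
    """Compare in constant time so a mismatch does not leak how many characters matched."""
    return hmac.compare_digest(submitted.strip().upper().encode(), issued.encode())


if __name__ == "__main__":
    for code in (generate_otp(True), generate_otp(True, numeric_only=True),
                 generate_otp(False, digits=6), "PAY12"):
        print(f"{code:>10}  {classify_otp(code):8}  {user_message(code)}")
```

The classifier is what makes the scheme useful on the phone: once the format is standardized, an SMS app can colour or label a debit OTP differently without the bank changing its message text, and the `user_message` wording shows how the marker can be paired with the reminder that no OTP is ever needed to receive money.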

If the central agencies can agree on a format, it can be standardized for all money-related transactions across all banks. The public can then be educated to identify an OTP for a monetary transaction and never share it with anyone. We can also keep educating the public that no OTP is ever needed to receive money.

Addendum:

Of late I have also read news about people being cheated when they search for customer care numbers online and end up calling dubious numbers. The crooks on the call convince innocent people to install screen-sharing apps, generate an OTP and carry out banking transactions using the OTP they can view while the screen is shared.

Suggestion: Android currently shows tiny green dots, called privacy indicators, while the phone’s camera or mic is on. In a similar way, the user should be clearly shown an indicator while their screen is being shared. On top of this, to prevent misuse during screen sharing or screen mirroring, the Android operating system should suppress or block access to notifications, messages, email, banking apps and similar sensitive apps while the screen is being shared.

With respect to customer care numbers being altered on Google Maps or on search results pages, one resolution could be for the RBI (Reserve Bank of India) to maintain a page with the customer care numbers and email ids of all banking and financial entities, similar to how it is done here. When someone searches for, e.g., “SBI customer care no.” on Google, Google could prioritize the official RBI page both in the search results and in the side pane that shows details from Google Maps, along with a note advising the public to rely only on the contact details shared by the RBI or on the bank’s official website.

We also receive lots of spam messages on the phone with shortened URLs/links. Leaving spam aside, a user received a message about an item ordered online from a local e-commerce firm, with an OTP to share with the delivery person and a link to track the shipment. The user was highly suspicious about clicking the link or sharing the OTP, as the message came from an unknown courier service. It would be safer if users were able to preview the full URL before the browser actually opens it. We should also make it difficult for innocent users to download malware or apps by clicking a link shared by scamsters. Like the privacy indicators, the user should be notified when something is being downloaded in the background or on the click of any link, and told the location/folder where it was actually downloaded. An even better option would be to block any background installation triggered by a link clicked on the mobile unless the user enters the device security code. A differentiated OTP would have put the user at ease, and a mechanism to block or check whether any malware was downloaded by a link click would make users feel safe.

We also receive QR codes from scammers, which people scan and end up losing money. It would be safer if safety checks were integrated into the camera application so that, when it is used to scan a QR code, it alerts the user if the code appears to have been sent with malicious intent.
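The link-preview idea and the QR safety-check idea in the two paragraphs above come down to the same thing: decode what the code or link would do and tell the user in plain words before anything happens. The following is an added example of that check (not code from the original post or from any camera or messaging app). It assumes the common UPI deep-link form `upi://pay?pa=<payee>&pn=<name>&am=<amount>&cu=<currency>`, and the shortener list and sample payloads are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample list of link shorteners; a real check would use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}


def inspect_payload(payload: str) -> dict:
    """Explain what acting on a scanned QR code or tapped link would do, before it happens.

    Returns a dict with a 'kind' and a list of plain-language 'warnings'.
    Assumed UPI deep-link convention: upi://pay?pa=<payee VPA>&pn=<name>&am=<amount>&cu=<currency>.
    """
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()

    # A UPI "pay" link: the person scanning (the payer) sends money to the payee in the code.
    if scheme == "upi" and parts.netloc.lower() == "pay":
        q = parse_qs(parts.query)
        payee = q.get("pa", [""])[0]
        amount = q.get("am", [""])[0]
        currency = q.get("cu", ["INR"])[0]
        warnings = [f"This QR code PAYS money out of your account to {payee or 'an unnamed payee'}."]
        if amount:
            warnings.append(f"Amount pre-filled by the sender: {amount} {currency}.")
        else:
            warnings.append("No amount is set; you will be asked to type one in.")
        warnings.append("You never need to scan a code or enter an OTP to RECEIVE money.")
        return {"kind": "upi_pay", "payee": payee, "amount": amount, "warnings": warnings}

    # A web link: surface the full URL and flag what a shortened form hides.
    if scheme in ("http", "https"):
        host = (parts.hostname or "").lower()
        warnings = []
        if host in SHORTENERS:
            warnings.append("Shortened link: the real destination is hidden until it is opened.")
        if parts.path.lower().endswith(".apk"):
            warnings.append("This link downloads an Android app package (.apk) for installation.")
        if scheme == "http":
            warnings.append("Plain http: the page can be altered in transit.")
        return {"kind": "url", "host": host, "full_url": text, "warnings": warnings}

    # Anything else (plain text, a phone number, an unknown scheme) is shown as-is.
    return {"kind": "other", "value": text, "warnings": []}


# Constructed sample payloads standing in for scanned codes and received messages.
SAMPLE_PAYLOADS = [
    "upi://pay?pa=shop%40upi&pn=Some%20Shop&am=500.00&cu=INR",
    "https://bit.ly/3xyzabc",
    "http://courier-example.invalid/track/update.apk",
    "Your order is out for delivery",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        report = inspect_payload(p)
        print(report["kind"], p)
        for w in report["warnings"]:
            print("   !", w)
```

The point of the `upi_pay` branch is the one the post makes about QR codes: a payment QR code is an instruction for the scanner to pay, so the camera app can state that outright instead of leaving the user to infer it. The `url` branch is the preview the post asks for: the full URL is always returned, and the warnings describe what the user could not see from a shortened link in an SMS.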

News references:

RBI Press Release
RBI warns against fraud calls, messages, emails and OTP scams | Mint
How to avoid OTP fraud
Avoid payment transfer scams – Google Pay Help
India: number of OTP frauds recorded by leading state 2021 | Statista
Rise of OTP based Frauds
SBI OTP fraud alert! Lender says know how to make online system work | How-to
SBI Customers Alert! This OTP fraud can be dangerous; here’s how to avoid it
KYC, OTP and PIN theft, the biggest trends in financial cyber-crime: Report
Mumbai: Woman claims did not share OTP with cyber-fraudster but lost Rs 3.63 lakh | Cities News, The Indian Express
Punjab CM Amarinder Singh’s wife reveals ATM pin & OTP to fake bank manager, loses Rs 23 lakh – The Economic Times
Beware of these 4 frauds while making payments via UPI amid lockdown – The Economic Times
SMS Spoofing: How scammers are using this technique to steal money from your account – Times of India
Two OTP frauds reported every day in city | Mega Media News English
Cyber Crime: New form of OTP theft on rise, many techies victims
Walk-in fraud: How this gang steals money via OTP – Times of India
Tips to Avoid OTP Fraud – Bajaj Finserv
Tips to keep your OTP safe from online fraud
Beware of fake customer care numbers you find on Google | Mint
WhatsApp users lose over Rs 54 crore to a new scam, here is what happened – India Today
Illegal desi call centres behind $10 billion loss to Americans in 2022 | India News
Fake delivery executives scam with OTPs: Here’s how to prevent falling prey | Mint
Mumbai woman tweets train ticket details online, loses Rs 64,000: here is what happened
Flat owners lick wounds as fake army officers invade bank accounts – Times of India
NRI techie duped of Rs 10 lakh by fraudsters in Chennai
Fraud calls are a real threat to many sectors – The Economic Times
BFSI, telecom most impersonated by scamsters for customer care frauds, says CloudSEK report – The Economic Times
In Chennai, scammer swindles techie out of Rs 9.5 lakh
Beware! Scammers sending fraud messages to HDFC customers, do not click on the link – India Today
Sim boxes new tool in scammers’ arsenal – Times of India
They thought loved ones were calling for help. It was an AI scam
Scammers steal Rs 1 crore from 81 users who were making UPI payment in Mumbai, how to stay safe – India Today

One thought on “Suggestions to curb OTP related monetary frauds”

  1. Very useful one about the OTP. Even many educated people have also lost money, since the scamsters are well trained, as you have mentioned. We have to be aware, and also the government should take necessary action to curb these incidents from happening. The suggestion about OTP is wonderful and I hope these suggestions would be heard by the top officials so that this would be implemented at the earliest.
