One-Time Passwords (OTP) are used by banks to authenticate user login & authorize transactions, by ecommerce companies to confirm delivery, by UIDAI, for Aadhaar based verification, by stock brokers to confirm trades, by taxi aggregators to confirm trips and so many other similar use cases.
There are numerous news articles which state, people are being scammed by obtaining their OTP, losing their hard earned money, and as a result of the loss, suffering serious health issues. Scamsters are well trained to talk in a way that sounds very genuine and earn the trust of their prey.
Currently most of the OTPs are in the format of a 4 digit numeric value. What if we have a unique alphanumeric format of OTP that prefixes some meaningful words like “BANK”, for transactions that would debit money from a user’s account. A format that clearly distinguishes and denotes that it is a money related transaction and one that could be easily understood by common people, so that they become aware money will go out or debited from the account when they key in the OTP.
Below are a few examples for OTP that could be standardized for money related transactions:
If there are technical difficulties in having alpha-numeric OTP, then we can think of something like prefixing the OTP with 2 or 3 zeros, which can symbolically denote a transaction that would debit money from the user’s account once the OTP is keyed in.
If the central agencies can arrive at a format, the same can be standardized for all money related transactions across all banks. The public can then be educated so that they are able to identify/differentiate an OTP for monetary transactions and not share the same with anyone. Also, we can keep educating the public that they do not need any OTP to receive money.
Of late I also read news on how people get cheated when they search for customer care numbers online and end up calling some dubious numbers. The crooks on call convince innocent people to install screen sharing apps, generate OTP and carryout banking transactions using the OTP they can view while the screen is shared.
Suggestion: Android currently shows tiny green dots called privacy indicators while the phone’s camera or mic is on. In a similar way, the user should be clearly indicated while his screen is shared and on top of this, to prevent misuse during screen sharing or screen mirroring, the Android Operating System should suppress or not allow anyone to open/access notifications, messages, email, banking apps or similar sensitive apps, while the screen is being shared.
With respect to the customer care numbers being altered, on Google maps or search results page, one resolution could be RBI (Reserve Bank of India) maintain a page with the customer care numbers and email ids of all banking and financial entities, similar to how it is done here. When someone searches e.g. “SBI customer care no.” on Google, Google can prioritize the search result by showing the official page from RBI both on search results as well as the side pane that shows details from Google maps, along with a note advising the public to refer the contact details shared by RBI or on the banks official website.
Also, we receive lots of spam messages on the phone with shortened URL/link. It would be safer if the users are able to preview the full URL before the browser actually opens it. Also, make it difficult for innocent users to download malware or apps by the click of a link shared by scamsters.
We also receive QR codes from scammers, which people scan and end up losing money. It would be safer if some safety checks can be integrated within the camera application, which when used to scan QR codes, alerts the user if they were sent with malicious intent.
RBI warns against fraud calls, messages, emails and OTP scams | Mint
Avoid payment transfer scams – Google Pay Help
India: number of OTP frauds recorded by leading state 2021 | Statista
SBI OTP fraud alert! Lender says know how to make online system work | How-to
SBI Customers Alert! This OTP fraud can be dangerous; here’s how to avoid it
KYC, OTP and PIN theft, the biggest trends in financial cyber-crime: Report
Mumbai: Woman claims did not share OTP with cyber-fraudster but lost Rs 3.63 lakh | Cities News,The Indian Express
Punjab CM Amarinder Singh’s wife reveals ATM pin & OTP to fake bank manager, loses Rs 23 lakh – The Economic Times
Beware of these 4 frauds while making payments via UPI amid lockdown – The Economic Times
SMS Spoofing: How scammers are using this technique to steal money from your account – Times of India
Two OTP frauds reported every day in city | Mega Media News English
Cyber Crime: New form of OTP theft on rise, many techies victims
Walk-in fraud: How this gang steals money via OTP – Times of India
Tips to Avoid OTP Fraud – Bajaj Finserv
Tips to keep your OTP safe from online fraud
Beware of fake customer care numbers you find on Google | Mint
WhatsApp users lose over Rs 54 crore to a new scam, here is what happened – India Today
Illegal desi call centres behind $10 billion loss to Americans in 2022 | India News
Fake delivery executives scam with OTPs: Here’s how to prevent falling prey | Mint
Mumbai woman tweets train ticket details online, loses Rs 64,000: here is what happened
Flat owners lick wounds as fake army officers invade bank accounts – Times of India
NRI techie duped of Rs 10 lakh by fraudsters in Chennai
Fraud calls are a real threat to many sectors – The Economic Times
BFSI, telecom most impersonated by scamsters for customer care frauds, says CloudSEK report – The Economic Times
In Chennai, scammer swindles techie out of Rs 9.5 lakh
Beware! Scammers sending fraud messages to HDFC customers, do not click on the link – India Today
Sim boxes new tool in scammers’ arsenal – Times of India
They thought loved ones were calling for help. It was an AI scam