Moving Beyond SMS OTP: Enhancing Security for Financial Transactions in Malaysia
In Malaysia, the rise of one-time password (OTP) theft has become a significant concern. To combat this growing threat, Bank Negara Malaysia (BNM) is urging financial institutions to abandon SMS OTP in favour of more secure authentication methods. This shift aims to enhance the security of online banking transactions and protect customers from scams.
The Problem with SMS OTP
SMS OTPs have been widely used for various online activities and transactions, including:
- Account opening
- Fund transfers and payments
- Changes to personal information and account settings
However, SMS is a delivery channel the bank does not control, and scammers exploit this to hijack the transaction authorisation codes (TACs) it carries. Cybersecurity experts warn that malicious apps installed on a victim's phone can read incoming OTPs and even delete the bank's SMS notifications, leaving victims unaware that a transaction was authorised in their name. In 2018 alone, SMS OTP scams fleeced Malaysians of almost RM15 million.
The Shift to More Secure Authentication
To tackle this, BNM requires financial institutions to replace SMS OTPs with more secure authentication methods, closing off the channel that scammers have been exploiting. The Monetary Authority of Singapore (MAS) has similarly urged Singapore's banks to follow Malaysia's lead and transition to more secure authentication methods.
Alternatives to SMS OTPs
Several alternatives to SMS OTPs offer enhanced security for authorising transactions:
- Biometric Authentication:
Fingerprint Scanning: Uses unique fingerprint patterns for identification.
Facial Recognition: Analyses facial features to confirm identity.
Iris/Retina Scanning: Utilises unique eye patterns.
- Two-Factor Authentication (2FA):
Combines two independent factors, typically something you know (a password) with something you have (e.g., a hardware token or a mobile app generating time-based codes). Note that SMS OTP is itself a second factor; the point of the migration is that the replacement factor should be generated on, or bound to, the customer's own device rather than delivered over a channel that can be intercepted.
- Multi-Factor Authentication (MFA):
Requires two or more independent forms of verification, such as a password, biometric data, and a registered device; 2FA is the two-factor special case.
- Security Tokens:
Hardware Tokens: Physical devices generating codes.
Software Tokens: Apps like Google Authenticator or Authy that generate time-based codes.
- Push Notifications:
Sends a push notification to a registered device for approval or denial of transactions.
- Behavioural Biometrics:
Analyses user behaviour patterns, such as typing rhythm, mouse movement, or how a smartphone is held.
- Voice Recognition:
Uses the unique characteristics of an individual's voice for authentication.
- Passwordless Authentication:
Methods like WebAuthn/FIDO2 passkeys (a public-key credential bound to a trusted device, with the signature tied to the bank's own domain) or magic links sent to a verified e-mail address allow users to authenticate without entering a password.
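The software tokens and time-based codes described in the list above are usually HOTP/TOTP (RFC 4226 / RFC 6238): the code is an HMAC over a shared secret and a counter derived from the clock, so it is generated on the customer's device and never transmitted to it. The block below is an added worked example (it is not code from the original page, from BNM, or from any bank) implementing HOTP, TOTP and a verifier with a clock-drift window; it uses the published RFC test secret so the output can be checked against the RFC test vectors. It also adds a simplified transaction-bound variant, labelled as an illustration rather than the OCRA standard, to show why a code tied to the amount and payee cannot be reused for a different transfer even if it is stolen.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); used here
# only so the output can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: take 4 bytes at an
    offset chosen by the low nibble of the last byte, mask the sign bit,
    and keep the lowest `digits` decimal digits (zero-padded)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side to tolerate clock drift, comparing in constant time. A real server
    must also record the accepted counter so the same code cannot be replayed."""
    if at is None:
        at = int(time.time())
    current = at // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (otpauth:// URI);
    restore the padding that provisioning strings usually omit."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def transaction_code(secret: bytes, counter: int, amount: str, payee: str,
                     digits: int = 6) -> str:
    """Illustrative transaction-bound code (a simplified construction for this
    example, not RFC 6287 OCRA): the HMAC input mixes a hash of the transaction
    details with the counter, so a code generated for one (amount, payee) pair
    does not verify for another. The device shows amount and payee to the user
    before generating it, so a scammer cannot relay it to a different transfer."""
    details = hashlib.sha256(f"{amount}|{payee}".encode()).digest()
    mac = hmac.new(secret, struct.pack(">Q", counter) + details, hashlib.sha1).digest()
    return _truncate(mac, digits)


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # == RFC_TEST_SECRET
    print("TOTP at T=59 (RFC vector 94287082):", totp(secret, at=59, digits=8))
    print("Accept previous step within drift window:", verify_totp(secret, "755224", at=59))
    print("Reject a code from three steps away:", verify_totp(secret, "969429", at=59))
    legit = transaction_code(secret, 1, "100.00", "ACC-1")
    print("Stolen code reused for another payee verifies:",
          legit == transaction_code(secret, 1, "100.00", "ACC-2"))
```

The verifier's drift window is a trade-off: one step either side covers a phone whose clock is up to 30 seconds out, while every extra step roughly doubles the number of codes an attacker can guess online, so a server should also rate-limit attempts and never accept a counter at or below the last one it accepted.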
Advantages and Drawbacks of the Abovementioned Alternatives
Each alternative method has its own set of advantages and drawbacks:
- Biometric Authentication:
Highly secure and convenient, but it requires a device with a supported sensor or camera. Recognition can fail in poor lighting, with a dirty or damaged sensor, or when the user's finger or face is injured, so a fallback method is still needed.
- Two-Factor and Multi-Factor Authentication:
Adds a further layer of security, but users may find it cumbersome to manage and keep track of several verification methods.
- Security Tokens:
Highly secure, but hardware tokens can be lost or damaged, and software tokens are only as secure as the device they run on.
- Push Notifications:
Convenient and secure, but they rely on the availability and security of the user's device, and users can be worn down into approving prompts they did not initiate, so the approval screen should show the transaction details being authorised.
- Behavioural Biometrics:
Provides continuous authentication but requires sophisticated analysis tools.
- Voice Recognition:
User-friendly, but it can be affected by background noise or changes in the user's voice, and recorded or synthesised speech can be used to impersonate the user.
- Passwordless Authentication:
Improves both security and user experience, but it needs a robust implementation: device registration, recovery and the e-mail channel used for magic links all become part of the attack surface.
As Malaysian financial institutions move from SMS OTPs, adopting secure authentication methods will significantly boost online banking security, shielding customers from fraud and unauthorised access. Each method has benefits and challenges, but collectively, they mark a crucial advance in safeguarding financial assets in today's digital era. Stay vigilant and explore your bank's new authentication options for enhanced financial security.