The Indian government is collaborating with SBI Cards and Payment Services Ltd (SBI Card) and various telecom operators to introduce a new system aimed at preventing one-time password (OTP) fraud.
The development comes as a response to the increasing incidence of cyber fraud and phishing attacks targeting the banking sector.
How does the new system work?
The proposed system is currently in its testing phase and seeks to enhance the security of digital payment transactions by ensuring that OTPs are sent to the customer's correct geographic location.
Using the telecom database, the system will verify a customer's registered address against the geolocation of the OTP delivery. If there is a discrepancy, the customer will be alerted, potentially thwarting a phishing attempt.
The challenge of OTP fraud
OTP fraud has evolved significantly, with fraudsters developing sophisticated methods to steal OTPs by deceiving customers or rerouting them to their devices.
This undermines the effectiveness of OTPs as a second factor of authentication. Due to these emerging threats, the Reserve Bank of India has been advocating for additional layers of security.
In cases where the OTP is sent to a location far from the customer's registered address—such as an OTP meant for Bengaluru being sent to Uttar Pradesh—the system will either issue an alert on the customer's device or block the OTP delivery altogether. This proactive approach aims to intervene before any fraudulent transactions occur.
Impact and prevention measures
According to the Indian Cyber Crime Coordination Centre (i4C), cybercriminals siphoned off approximately Rs 10,319 crore between April 2021 and December 2023. Many of these crimes were perpetrated by non-state actors originating from countries such as China, Cambodia, and Myanmar.
In response, the government established the Citizen Financial Cyber Fraud Reporting and Management System under i4C, which has so far prevented around Rs 1,200 crore of fraudulent transfers based on over 470,000 citizen complaints received as of February 2024.