Centre, SBI team up with telcos to combat OTP scams

India’s Ministry of Home Affairs, SBI Cards and Payment Services Ltd (SBI Card), and telecom operators have joined forces to develop an innovative solution aimed at combating the rising threat of cyber fraud and phishing attacks in the banking sector.

Sources familiar with the matter revealed that the government is currently testing a solution that enables banks to monitor both the registered address and geolocation of a customer where a one-time password (OTP) is being delivered. If any inconsistency is detected between the two locations, customers will be alerted about a potential phishing attempt.

“The solution is in its testing phase; it’s early days, but the concept is to track the customer’s geolocation via telecom databases and ensure that the OTP is being sent to the correct area,” a senior banker told the Economic Times.

The Reserve Bank of India wanted to implement an additional layer of authentication for digital payment transactions to counter fraud.

However, fraudsters have developed sophisticated methods to either steal OTPs from unsuspecting bank customers or divert OTPs to their own devices through fraudulent means, rendering the second factor of authentication ineffective in combating cybercrimes.

In case of any discrepancy in the OTP delivery location, we can take two steps — either issue an alert on the device or block the OTP altogether, an official explained.

While the specifics of the solution are still being refined in collaboration with telecom companies, real-time verification of a customer’s SIM location can be cross-referenced with the geolocation of OTP delivery. Banks also possess customer residence data, necessitating the development of capabilities to triangulate the data in real time.

“For example, if a customer resides in Bengaluru but the OTP is being delivered in a location in Uttar Pradesh where they have never been or made recent calls from, indicating they are not travelling there; this would raise a red flag,” the banker elaborated.

According to the Indian Cyber Crime Coordination Centre (i4C), cybercriminals siphoned off as much as Rs 10,319 crore between April 2021 and December 2023. The majority of these crimes were traced back to China, Cambodia, and Myanmar, involving non-state actors.

Under i4C, the government established the ‘Citizen Financial Cyber Fraud Reporting and Management System,’ which has successfully prevented fraudulent transfers totalling about Rs 1,200 crore from over 470,000 citizen complaints received until February 2024.

In calendar year 2023 alone, the registry received 1.12 million complaints amounting to Rs 7,488 crore in fraudulent transfers, as disclosed by the government body in February. First Post