The Fading Reliability of One-Time Passcodes
Financial institutions have long relied on one-time passcodes (OTPs) as a primary authentication control, particularly through SMS verification. However, this method is becoming increasingly unreliable. Fraudsters now exploit weaknesses in SMS-based verification to carry out account takeover and payment fraud schemes, bypassing what was once considered a standard security checkpoint. The rise of AI-driven tactics, combined with automation and human manipulation, allows attackers to target identity verification gaps, recovery workflows, and authentication processes rather than simply cracking passwords.
The Evolution of Account Takeover Tactics
Instead of luring victims into authorizing transactions themselves, cybercriminals are now bypassing victims entirely. They hijack digital identities and drain accounts from within. Attackers stick to the basics because the basics work. Synthetic identities, fake accounts, and tried-and-tested account takeovers remain effective, even in an age of advanced AI threats. Scammers are happy to keep stealing the old-fashioned way. Notable examples include the New Godfather malware, which copies real mobile banking apps into a virtual environment on infected smartphones, marking a significant leap in mobile threat capabilities. Meanwhile, governments globally are intensifying anti-scam measures, introducing new guidelines for banks and telecom providers with penalties for non-compliance. Related vulnerabilities such as CVE-2023-38545 and CVE-2024-24787 have been linked to credential theft and session hijacking in browser and application contexts.
Source: Healthcareinfosecurity