The weaknesses of one-time password OTP (Fang Baoqiao) – EJ Tech

This articleauthorFang BaoqiaoHe is the Honorary President of the Hong Kong Information Technology Industry Association and writes a column for the Hong Kong Economic Times.“Kami Shingo”.

Online shopping has become an integral part of people’s lives. Many online shopping platforms use the 3D Secure transaction system. When paying, users need to enter their credit card information and a one-time password (OTP) sent by a financial institution via SMS (SMS) as an online identity verification. However, this seemingly reliable security measure for many years actually has many loopholes. Recently, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced that they will gradually abandon the use of OTP, which provides an important reference for Hong Kong financial institutions.

The main advantage of OTP is that each transaction generates a different password, which makes it more difficult for thieves to reuse it. However, with the advancement of technology and the development of phishing technology, the security of OTP has gradually been challenged. Criminals can use fake websites that simulate real websites, phishing emails or text messages to trick users into entering OTPs, thereby stealing their personal information and funds. The OTP sending process may also be subject to the threat of interception or eavesdropping. If the user’s mobile phone is invaded by malware or the communication channel is not secure enough, the OTP may be intercepted and used by criminals, thus affecting the security that OTP should provide.

In Hong Kong, OTP is widely used in various financial transactions and online identity authentication. Although this technology plays an important role in improving security, there have been several fraud cases related to OTP. Hong Kong media has reported some online fraud cases involving OTP. Fraudsters used phishing websites to obtain victims’ OTPs and illegally transferred funds from their bank accounts. Some users accidentally downloaded Trojan programs, which caused their online banking mobile application login accounts, passwords, and OTPs to be stolen by hackers, ultimately forcing most financial institutions’ mobile applications (mainly for Android phones) to prohibit users from recording and capturing screens. These cases reveal the limitations of OTP in actual application, especially in the face of increasingly complex online fraud techniques, OTP’s protection capabilities are not strong enough.

In view of the security challenges faced by OTP, the Hong Kong Monetary Authority should take proactive measures to enhance financial security. Currently, many financial institutions in Hong Kong have begun to use Mobile Token to generate a one-time “security code” to confirm designated transactions in online banking. Mobile Token also supports biometric authentication and provides higher security than traditional OTP. Financial institutions should encourage customers to enable the relevant function as soon as possible to reduce the risk of online fraud.

In addition, financial institutions should strengthen security awareness education for customers. By improving customers’ ability to identify phishing and other fraudulent means, the occurrence of fraud cases can be effectively reduced. By letting customers know how to identify suspicious websites and messages, the overall level of network security protection can be improved. Finally, Hong Kong financial institutions should work closely with government agencies and law enforcement agencies to jointly respond to the challenges of online fraud. Through information sharing and coordinated prevention, the behavior of criminals can be more effectively combated to protect the financial system and the safety of citizens.

More articles by Fang Baoqiao:

Support EJ Tech

If you want to submit articles, report information, issue press releases or interview notices,Click here to contact us.