Not another OTP scam? The Home Ministry collaborates with telecom companies and SBI Cards to provide a creative solution for one-time password theft

Not another OTP scam? As part of a larger initiative to address the growing risk of cyber fraud and phishing attacks on the banking system, telecom operators, SBI Cards and Payment Services Ltd. (SBI Card), and the home ministry of India are working together to develop a solution that will notify customers about stolen one-time passwords (OTPs).

Two people with knowledge of the situation claim that the government is testing a system that would let banks track a customer’s registered address and the geolocation of the OTP delivery point.

According to an ET article, the consumer may be alerted to a possible phishing effort if there is a difference between the two locations. The aim of the system, which is now undergoing testing, is to monitor the customer’s geolocation using the telecom database and make sure the OTP is being delivered to the right place.
In order to combat fraud, the Reserve Bank of India has argued that every digital payment transaction should have an extra layer of identification. Nevertheless, over time, con artists have improved their skills to either divert OTPs to their own devices via fraud or steal them by tricking gullible bank clients, making two-factor authentication useless against cybercrime.

Two actions may be performed in the event that the OTP delivery location is problematic: either the device will show a warning or the OTP will be completely blocked. A customer’s SIM location may be checked in real-time and compared to the geolocation of OTP delivery, even if the solution’s details are still being worked out with telecom providers. It will be necessary to create capacity to triangulate the data in real-time since banks also have their own data on the dwellings of their clients.

One common red flag scenario, according to a banker, is when a customer lives in Bengaluru and receives an OTP for a place in Uttar Pradesh they have never been to or haven’t called recently. This indicates the customer isn’t going to that location.

The Indian Cyber Crime Coordination Centre (i4C) reports that between April 2021 and December 2023, cybercriminals embezzled up to Rs 10,319 crore. Most of the crimes involved non-state actors and had their origins in China, Cambodia, and Myanmar. ‘Citizen Financial Cyber Fraud Reporting and Management System’ was created by the government under i4C, and from over 470,000 citizen complaints submitted till February 2024, it stopped almost Rs 1,200 crore worth of illegal transactions. The register received 1.12 million complaints about illegal payments worth Rs 7,488 crore in the fiscal year 2023.