OTP’s and card scams

If you think your one-time password (OTP) is foolproof, think again.

Apparently, the evil side of digital finance has come up with several ways to intercept OTPs that banks send to a mobile device as a secondary protection for their customers against scammers.

Actually, an OTP is truly an ingenious way to protect online transactions through the internet, as long as the user strictly follows security protocols, i.e., never divulging personal banking details like passwords, credit or debit card numbers, security codes, and yes, OTPs.

OTPs, also regarded as mobile transaction authentication numbers, are the latest security innovations sent by banks through text messaging or SMS. They can, as implied, be used once only, and are time-bound, meaning if not used within a certain number of minutes, will become invalid.

When an online transaction is made by a person, many banks now send a randomized, sometimes alpha-numeric, OTP via text message which needs to be keyed in within a few minutes to validate the purchase, bill payment, or fund transfer.

Well and good if the person’s mobile phone is in his or her hands. But if it has been stolen, or the SIM has been “swapped,” chances are that the online transaction is fraudulent and is being initiated by a scammer.

Stolen phone and SIM swaps

A missing mobile phone, especially one that had been stolen, of a person who uses it for online banking transactions, like buying goods from Amazon, Alibaba, or Lazada, is vulnerable to manipulation by a good hacker.

Until the banks are notified, a cyber criminal may successfully complete purchases or fund transfers on your account. In some cases, it can run to tens of thousands of pesos, and wipe dry all the money available in your bank account.

In the case of SIM swapping, your phone may still be with you, but an attacker – who had already studiously collected your personal information, including phone numbers and bank accounts – may have been able to “steal” your phone SIM number.

This is possible if your mobile phone line carrier has been duped to giving your SIM to the cyber criminal who has masqueraded as you. You lose control of your phone’s IMEI number for a few hours, during which time your OTPs are received and used for transactions.

Unless you report suspicions of somebody else using your mobile phone, there’s no end to the number of transactions and amount of money stolen from you through credit or debit card purchases.

If you suspect some manipulation being done on your phone, be sure to warn your bank(s) to freeze your account(s), and ask your network company or provider to immediately block your SIM number.

A more sophisticated attack on your mobile phone is through Bluetooth hacking. Through another device, an attacker can remotely monitor your mobile phone activities, and eventually plan an attack. The best way to avoid being victimized through this is to use apps only from verified sources. Avoid giving these apps permission for unnecessary functions.

Small transactions

When transacting through card payment in merchant stores, especially if they are small shops, it always pays to keep your debit or credit card in plain sight. What you don’t want to happen is for some unscrupulous person to take a photo of the front and back image of your card.

While banks and card companies have become more vigilant with large transactions, small purchases are often given less attention. What criminals do with the captured card numbers and security code is to test the owner’s financial discipline by transacting small amounts.

If a card owner does not regularly monitor his account, these small purchases could accumulate significantly. In the case of organized crime, the fraud could amount to millions of pesos scammed from multiple card owners.

If you notice a small unfamiliar deposit to your account, this may be a sign that some fraudsters are trying to gain access from your banked money. The criminals try to get your savings and/or checking account details with these small deposits.

If you notice such small deposits, immediately check with your bank to verify the source and to determine if it could be part of a scam. Ask your bank if it has a service that reports transactions on a real time basis through SMS notices.

Otherwise, keep a regular habit of checking your bank transactions. Remember, most banks allow for a limited number of days and up to a certain amount only to honor complaints on unauthorized purchases, fund transfers, or withdrawals.

Pre-paid debit cards

Recently, debit cards have seen a surge in popularity. This is partly due to standard bank practice today to give a debit card to any savings or checking account owner, which in the latter’s case reduces the need to issue paper checks for payments.

Debit cards carry their own risks since unauthorized use means immediate withdrawal of funds from the owner’s account, which banks are less keen to reverse.

Pre-paid debit cards have also become more accepted, especially for those who don’t trust linking online purchases with their primary bank accounts. Many banks now recommend their clients to subscribe to a pre-paid debit card with a Visa or Mastercard status as a way of further securing their bank accounts.

With fund transfer services now more prevalent among online bank account holders, pre-paid debit cards may be loaded with small amounts that fit the user’s needs, either to keep weekly spending within a certain budget, or to lessen risks to scam attacks.

Facebook and Twitter

We are actively using two social networking websites to reach out more often and even interact with and engage our readers, friends and colleagues in the various areas of interest that I tackle in my column. Please like us on www.facebook.com/ReyGamboa and follow us on www.twitter.com/ReyGamboa.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.