A text message containing a one-time password (OTP) often serves as the final step before an online banking transaction is completed.
However, the same code has also become a target for scammers, who trick victims into revealing OTPs through phishing links and fake customer service calls.
Due to these risks, the Bangko Sentral ng Pilipinas (BSP) is urging banks and financial institutions to adopt stronger authentication methods that do not rely solely on SMS-based OTPs.
Under BSP Circular No. 1213, financial institutions supervised by the central bank are required to implement phishing-resistant multi-factor authentication (MFA) as part of enhanced cybersecurity measures.
The circular forms part of the implementing rules of the Anti-Financial Account Scamming Act (AFASA), which aims to curb the growing number of banking scams in the country.
For years, OTPs sent via SMS have served as a second layer of protection for online banking and digital payment transactions. However, regulators say the method has limitations, particularly as cybercriminals develop more sophisticated ways to intercept or manipulate the codes.
In phishing attacks, scammers may trick victims into entering their OTPs on fake websites or sharing the codes through phone calls or messages.
In SIM-swap attacks, criminals take control of a victim’s mobile number, allowing them to receive OTP messages intended for the account holder.
What could replace them?
To reduce these risks, the BSP circular encourages banks to move toward stronger authentication technologies.
One option already familiar to many consumers is biometric authentication, such as fingerprint or facial recognition. Several mobile banking apps already allow users to log in or approve transactions this way.
Another emerging alternative is the use of passkeys, which rely on cryptographic credentials stored directly on a user’s device rather than on a code sent over the mobile network.
Some financial institutions may also adopt hardware security keys, small physical devices that produce a cryptographic authentication response when connected to a computer or smartphone.
Beyond authentication methods, Circular 1213 also requires financial institutions to strengthen their fraud detection and monitoring systems.
Banks must deploy tools capable of identifying suspicious activity in real time, such as unusual login locations, abnormal transaction behavior or potential account takeover attempts.
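The three signals named above (unusual login location, abnormal transaction size, and an account-takeover pattern) can be illustrated with a few rules run over an event stream. The following is an added example, not code from the article or from any bank's monitoring system; the users, countries, amounts, timestamps, the three-login baseline and the one-hour takeover window are all constructed for the demo.

```javascript
// Added example (not from the article): simple real-time rules over a
// constructed stream of login, password-reset and transfer events.
const BASELINE_LOGINS = 3;          // assumption: first 3 logins establish usual countries
const MIN_HISTORY = 3;              // assumption: need 3 past transfers before judging size
const SIZE_MULTIPLIER = 5;          // assumption: 5x the running average is abnormal
const TAKEOVER_WINDOW_MS = 60 * 60 * 1000; // assumption: reset + new device + transfer within 1h

function newProfile() {
  return { countries: new Set(), loginCount: 0, amounts: [], lastReset: null, lastNewDevice: null };
}

// Consumes events in time order and returns the alerts raised along the way.
function scoreEvents(events) {
  const profiles = new Map();
  const alerts = [];
  for (const ev of events) {
    if (!profiles.has(ev.user)) profiles.set(ev.user, newProfile());
    const p = profiles.get(ev.user);

    if (ev.type === 'login') {
      p.loginCount++;
      // Rule 1: login from a country not seen during the baseline period.
      if (p.loginCount > BASELINE_LOGINS && !p.countries.has(ev.country)) {
        alerts.push({ ts: ev.ts, user: ev.user, rule: 'unusual_location', detail: ev.country });
      }
      p.countries.add(ev.country);
      if (ev.newDevice) p.lastNewDevice = ev.ts;
    } else if (ev.type === 'password_reset') {
      p.lastReset = ev.ts;
    } else if (ev.type === 'transfer') {
      // Rule 2: transfer far above this user's own running average.
      if (p.amounts.length >= MIN_HISTORY) {
        const avg = p.amounts.reduce((a, b) => a + b, 0) / p.amounts.length;
        if (ev.amount > SIZE_MULTIPLIER * avg) {
          alerts.push({ ts: ev.ts, user: ev.user, rule: 'abnormal_amount', detail: ev.amount });
        }
      }
      // Rule 3: takeover pattern, i.e. reset, new device and transfer close together.
      const recent = (t) => t !== null && ev.ts - t >= 0 && ev.ts - t <= TAKEOVER_WINDOW_MS;
      if (recent(p.lastReset) && recent(p.lastNewDevice)) {
        alerts.push({ ts: ev.ts, user: ev.user, rule: 'account_takeover', detail: 'reset+new device+transfer' });
      }
      p.amounts.push(ev.amount);
    }
  }
  return alerts;
}

// Constructed sample stream: alice has a normal history, then a reset, a new
// device from an unfamiliar country and a large transfer; bob stays normal.
const T = (s) => Date.parse(s);
const SAMPLE_EVENTS = [
  { ts: T('2024-05-01T09:00:00Z'), user: 'alice', type: 'login', country: 'PH' },
  { ts: T('2024-05-01T09:05:00Z'), user: 'alice', type: 'transfer', amount: 1500 },
  { ts: T('2024-05-02T09:00:00Z'), user: 'alice', type: 'login', country: 'PH' },
  { ts: T('2024-05-02T09:05:00Z'), user: 'alice', type: 'transfer', amount: 2000 },
  { ts: T('2024-05-03T09:00:00Z'), user: 'alice', type: 'login', country: 'PH' },
  { ts: T('2024-05-03T09:05:00Z'), user: 'alice', type: 'transfer', amount: 1800 },
  { ts: T('2024-05-04T09:00:00Z'), user: 'alice', type: 'login', country: 'PH' },
  { ts: T('2024-05-04T09:05:00Z'), user: 'alice', type: 'transfer', amount: 1700 },
  { ts: T('2024-05-05T10:00:00Z'), user: 'alice', type: 'password_reset' },
  { ts: T('2024-05-05T10:05:00Z'), user: 'alice', type: 'login', country: 'RO', newDevice: true },
  { ts: T('2024-05-05T10:10:00Z'), user: 'alice', type: 'transfer', amount: 45000 },
  { ts: T('2024-05-01T12:00:00Z'), user: 'bob', type: 'login', country: 'PH' },
  { ts: T('2024-05-02T12:00:00Z'), user: 'bob', type: 'login', country: 'PH' },
  { ts: T('2024-05-02T12:05:00Z'), user: 'bob', type: 'transfer', amount: 500 },
];

function runSample() { return scoreEvents(SAMPLE_EVENTS); }
```

Each rule keys off the user's own history rather than a global threshold, which is what keeps a large but routine payment from firing; the takeover rule is the one worth stepping a transaction for review or re-authentication, since each of its ingredients is harmless alone.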
The circular also calls for improved customer account protection measures, including better processes for identifying suspicious or fraudulent accounts often used by scammers as “money mule accounts.”
Are we on the way?
Meanwhile, telecommunications providers, like PLDT via Smart Communications, are also stepping up efforts to reduce SMS-based scams.
The telco has introduced Smart Safe, a network-level security feature designed to block malicious links and scam attempts before they reach users’ devices.
Smart Safe works by detecting suspicious domains and filtering scam-related content at the network level, protecting subscribers from clicking on harmful links often used in phishing attacks.
For consumers, the shift may eventually mean fewer SMS verification codes and more transactions approved through fingerprints and facial scans.
While the transition may take time, since some financial institutions have yet to upgrade their systems, regulators like the BSP believe that stronger authentication technologies will play a key role in protecting users from increasingly sophisticated online scams.
