The year has not started well for that popular authentication method, one-time passwords (OTPs) sent via SMS. Still widely used during logins and transactions as part of a two-factor authentication (2FA) process, SMS OTP has long been vulnerable to cyber criminals.
In South Africa, forensics consultant David Klatzow came out with guns blazing in early March, accusing at least one large South African bank of exposing high-net-worth individuals to large fraud losses by staying with SMS OTP. (Most South African banks have stopped using SMS OTP in favour of Entersekt’s technology.) Klatzow, who became a household name as an expert witness in the Oscar Pistorius trial, stated that banks that use SMS OTP should be held responsible for phishing losses. This set off a heated debate over liability in local newspapers, radio, and social media, pitting frustrated victims and security experts against the banks and mobile operators accused of covering up internal SIM-swap fraud.