BSP: Shift from ‘obsolete’ OTPs to more secure methods needed
THE BANGKO SENTRAL ng Pilipinas (BSP) is seeking to veer away from the use of one-time passwords (OTPs) in favor of more secure and advanced authentication methods.
By Luisa Maria Jacinta C. Jocson, Reporter
“Our objective is to make it future proof. You know how technology is. If you say that what we have right now is efficient, then by next week or next year, it may no longer be,” BSP Deputy Governor Elmore O. Capule said in a seminar over the weekend.
“We are encouraging the banks to go on a higher level of protection. While what we have now may be sufficient for now, we want them to continually upgrade,” he added.
The BSP said OTPs as an authentication method are becoming “obsolete.”
Other central banks in the region, like Singapore, have begun to gradually phase out OTPs as a means for bank account logins, amid increasing instances of financial scams such as phishing.
“That’s where we are coming from, we are looking at banks having more sophisticated methods,” Mr. Capule added.
The BSP recently released a draft circular seeking to strengthen the regulatory framework on IT risk management of banks and nonbanks.
Under the draft rules, the central bank is seeking to limit the use of interceptable authentication mechanisms, such as OTPs through short message service (SMS) or e-mail, as these can be shared or intercepted by third parties.
It cited the “increasing prevalence of social engineering attacks aimed at obtaining login credentials.”
“Our basis is it really depends on how sophisticated your system and the bank are. Like if we’re talking about a rural bank or thrift bank, perhaps we will be satisfied with the OTPs,” Mr. Capule said.
“But if you are looking at, let’s say, digital banks, then being a digital bank means your system should be more robust and more advanced. So, we are trying to influence their behavior.”
Mr. Capule said the goal is to eventually veer away from OTPs to adopt more advanced security methods.
The central bank will need to consult with the industry to discuss the transition, he added.
“Of course, we have to listen to them, realistically, how long will it take you to change technology,” he added.
CHALLENGES
Meanwhile, analysts said moving away from the use of OTPs will help strengthen the security of the banking system but noted implementation will be difficult given the lack of technology and infrastructure.
“Transitioning from OTPs to more secure methods like biometric authentication, behavioral biometrics, and passwordless systems could significantly reduce risks,” said Dominic Vincent D. Ligot, founder of Cirrolytix, and AI, technology and research consultant for the IT and Business Process Association of the Philippines.
“However, the implementation of such technologies is not without its challenges. The cost and infrastructure required to deploy these advanced security measures can be substantial, and not all institutions may be equipped to handle such an overhaul promptly.”
Fintech Alliance.PH Founding Chairman and Rizal Commercial Banking Corp. Executive Vice-President and Chief Innovation and Inclusion Officer Angelito “Lito” M. Villanueva said the move to limit OTP use is “critical.”
“Relying on SMS or e-mail for OTPs is no longer sustainable, as these methods are inherently susceptible to interception, phishing, and SIM-swapping attacks,” he said.
Ronald B. Gustilo, national campaigner for Digital Pinoys, said the proposed rules are a significant step to address security vulnerabilities in the system.
OTPs offer a basic level of protection but are not foolproof, he added.
“It’s susceptible to interception, which is a weak link, especially when paired with the limited cybersecurity awareness of some users,” Mr. Gustilo said.
Cybersecurity firm Kaspersky reported that the Philippines recorded the highest number of financial phishing attempts targeting business devices in Southeast Asia in 2023.
Earlier data from the BSP also showed that 59.48% of cyber fraud losses among BSP-supervised financial institutions (BSFIs) in 2023 were attributed to account takeovers, identity theft, and phishing.
Overall, cyber fraud losses surged by 212% compared with 2022.
Instead of OTPs, the BSP is pushing to shift to stronger authentication mechanisms such as biometric authentication, behavioral biometrics, passwordless authentication, and AI.
“BSP’s recommendations for alternative authentication methods, such as biometric and passwordless systems, are certainly forward-looking. These methods are harder to replicate or intercept, making them more secure,” Mr. Gustilo said.
However, adopting these methods will be costly and difficult to implement.
“The transition to these methods will require investments in infrastructure, user education, and regulatory support. It is a necessary shift, though, as it ensures the security and trust of the financial system in the long run,” Mr. Gustilo said.
“While transitioning to these advanced methods may require significant investment and user education, the long-term benefits far outweigh the costs,” Mr. Villanueva said.
Among the security features mentioned by the central bank, Mr. Gustilo said biometric authentication would likely be the easiest to implement.
For example, biometric authentication such as fingerprint or facial recognition is already being used as a security measure for mobile devices.
“Biometric authentication is the most realistic and immediate solution for many BSFIs as most smartphones already support these features,” he said.
“Other options such as passwordless authentication could also be implemented relatively quickly, especially for financial institutions that already leverage apps and digital ecosystems.”
Allan S. Cabanlong, regional director for Southeast Asia at the Global Forum on Cyber Expertise, also noted the need to be inclusive when implementing these technologies, citing their availability to the general public.
“For example, what if the user does not have a cellphone capable of doing that, then they have no other option to use OTP,” Mr. Cabanlong said in mixed English and Filipino in a phone call.
There are still many consumers who do not use devices capable of utilizing biometrics, he added.
Mr. Cabanlong also raised concern about how registration processes would go, as most rely on OTP.
“Assuming there’s no OTP, how would you register new users? What is the authentication method if there’s no OTP? There is still a need for KYC (Know Your Customer) in the registration.”
STRENGTHEN THE SYSTEM
In the meantime, the central bank can also push to strengthen OTP systems.
“Enhancing the security features of OTPs — for instance, by including more transaction details in the messages — can be a useful interim measure,” Mr. Ligot said.
“It could help in ensuring that even if an OTP is intercepted, the lack of contextual data would make it harder to misuse.”
Under the draft rules, the BSP also called for OTP messages to be more personalized and contain sufficient transaction details to allow the customers to accurately identify or verify the transaction.
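As an added illustration, not code from the BSP’s draft rules or from any bank, the Python below shows one way to build the kind of transaction-aware OTP described above, and goes one step further than a descriptive message: the details the customer is shown are also the input to the code, so a code intercepted for one transfer does not verify for a different payee or amount, expires with its time window, and cannot be replayed. The secret, account, payee, amount and nonce are constructed demo values.

```python
import hmac
import hashlib
import time

# Constructed demo values (not from the article): a per-customer server-side secret
# and one transfer request as the bank's back end would see it.
SECRET = b"constructed-demo-secret-do-not-reuse"
TX = {"account": "0012345678", "payee": "Juan Dela Cruz", "amount": "15000.00",
      "currency": "PHP", "nonce": "req-7f3a"}   # nonce: unique per request, never reused

FIELDS = ("account", "payee", "amount", "currency", "nonce")

def canonical_tx(tx: dict) -> bytes:
    """Deterministic encoding of exactly the fields the customer is shown."""
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()

def current_window(step: int = 120) -> int:
    """Time window counter; the code expires when the window rolls over."""
    return int(time.time()) // step

def generate_otp(secret: bytes, tx: dict, window: int, digits: int = 6) -> str:
    """HMAC-SHA256 over the transaction details plus window, truncated RFC 4226-style."""
    msg = canonical_tx(tx) + b"|window=" + str(window).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def otp_message(tx: dict, otp: str) -> str:
    """Message text: the code is shown next to the details it is bound to."""
    return (f"Code {otp} is ONLY valid to send {tx['currency']} {tx['amount']} "
            f"to {tx['payee']} from account ending {tx['account'][-4:]}. "
            "If you did not request this transfer, do not share the code.")

def verify_otp(secret: bytes, tx: dict, otp: str, window: int,
               used_nonces: set, drift=(0, -1)) -> bool:
    """Accept only if the code matches THESE details, is fresh, and is unused."""
    if tx["nonce"] in used_nonces:
        return False                      # replay of an already-consumed code
    for delta in drift:                   # tolerate one previous window of clock skew
        if hmac.compare_digest(generate_otp(secret, tx, window + delta), otp):
            used_nonces.add(tx["nonce"])
            return True
    return False

if __name__ == "__main__":
    w = current_window()
    code = generate_otp(SECRET, TX, w)
    print(otp_message(TX, code))
    used = set()
    print("legitimate:", verify_otp(SECRET, TX, code, w, used))             # True
    altered = dict(TX, payee="Altered Payee")                                # same code, different payee
    print("altered   :", verify_otp(SECRET, altered, code, w, set()))       # False
    print("replayed  :", verify_otp(SECRET, TX, code, w, used))             # False
```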
Analysts said institutions must also put in the effort to educate the public on how to be more vigilant against these cyberattacks.
“Ultimately, educating users on the proper management of their digital credentials and the handling of authentication messages is crucial. Awareness and vigilance can significantly mitigate the risks associated with OTPs and other forms of digital authentication,” Mr. Ligot said.
Mr. Villanueva said organizations must adopt “a proactive approach to stay ahead of cybercriminals.”
“This includes continuous monitoring, regular security audits, and fostering a culture of cybersecurity awareness among users,” Mr. Villanueva said.
“By phasing out outdated authentication methods and embracing modern, resilient technologies, we can significantly mitigate the risks posed by social engineering and other evolving threats.”