The Hungarian-American polymath, John von Neumann, once posited that, “the ever accelerating progress of technology ... gives the appearance of approaching some essential singularity in the history of the race beyond which human affairs, as we know them, could not continue.”

This concept – an event or sequence of events likely to occur at the birth of artificial intelligence – has been widely debated ever since. Its consequences set the imagination racing. Our approach to almost everything will, after all, have to be discarded to make way for an entirely new paradigm.

As smart as we are at Entersekt, we are not in the business of engineering an artificial intelligence. The singularity does, however, spring to mind when I consider how decisively a popular approach to authentication has been superseded by events. I’m talking about one-time passwords (OTPs) delivered via SMS to authenticate sensitive banking transactions. (They are also known as mTANs.)

Entersekt has the privilege of working with financial institutions across the globe. In all the territories in which we are active, we now see the same message resonating powerfully: OTP-based authentication has been defeated too often to offer any guarantee of protection. Digital banking security must move on, and fast.

We have known this a long time. Our home market, South Africa, often experiences new forms of account takeover fraud before they hit other territories. South African banks were among the first to introduce SMS-delivered OTPs and learned about their vulnerabilities before their peers in Europe and the United States did.

The following attack types have successfully bypassed SMS-based OTP authentication systems in countries around the world and resulted in fraud losses of at least $100 million:

  • SIM swaps
  • Number porting
  • Dual or twin SIMs
  • Man in the middle
  • Malware on the mobile

Even laymen these days know that users of digital systems should be authenticated by means of at least two of the following three factors: something only the user has, meaning a physical device or token; something only the user knows, like a PIN or password; and something the user is, which involves matching a biometric record.

The purpose of an SMS containing an OTP was to prove that the user was in possession of a particular mobile device, something only the user has. With the attacks mentioned above, an SMS no longer provides that certainty. You simply do not know whether it got to the intended recipient.
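The distinction in the paragraph above, as an added example that is not Entersekt's code and does not describe its products: an OTP delivered over SMS is a bearer secret, so the server's check verifies the digits and nothing about who held the phone, whereas a device-bound challenge-response only passes for the device holding an enrolled key, and the signature also binds the transaction text. The OTP generator is HOTP as specified in RFC 4226; `Server`, `Device`, the scenario functions and the seeds are hypothetical names and constructed values for this single-process simulation.

```python
"""Added example: why an SMS OTP cannot prove possession, while a
device-bound challenge-response can. Server, Device and the scenario
functions are hypothetical; keys and seeds are constructed at run time."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over a big-endian 8-byte counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Server:
    def __init__(self) -> None:
        self.otp_seed = secrets.token_bytes(20)   # constructed server-side seed
        self.counter = 0
        self.otp_outstanding = False
        self.device_keys: dict[str, bytes] = {}   # enrolled out of band
        self.pending: dict[str, tuple[bytes, str]] = {}

    # --- SMS OTP: the secret itself travels over the channel -------------
    def send_sms_otp(self) -> str:
        self.counter += 1
        self.otp_outstanding = True
        return hotp(self.otp_seed, self.counter)  # handed to the SMS channel

    def verify_sms_otp(self, submitted: str) -> bool:
        """Only the digits are checked; nothing identifies who held the phone."""
        if not self.otp_outstanding:
            return False  # never issued or already consumed
        ok = hmac.compare_digest(submitted, hotp(self.otp_seed, self.counter))
        if ok:
            self.otp_outstanding = False  # single use
        return ok

    # --- device-bound: only a non-secret challenge travels ---------------
    def enrol_device(self, device_id: str, key: bytes) -> None:
        self.device_keys[device_id] = key

    def issue_challenge(self, device_id: str, txn: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = (nonce, txn)  # bind nonce to this transaction
        return nonce

    def verify_response(self, device_id: str, response: bytes) -> bool:
        nonce, txn = self.pending.pop(device_id, (None, None))
        key = self.device_keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce + txn.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class Device:
    """Holds a key that never leaves it; possession of that key is what is proven."""
    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.key = secrets.token_bytes(32)  # constructed per-device key

    def answer(self, nonce: bytes, txn: str) -> bytes:
        return hmac.new(self.key, nonce + txn.encode(), hashlib.sha256).digest()


def sms_otp_check(server: Server, recipient: str) -> bool:
    """Whoever the carrier delivers the SMS to can submit the code. `recipient`
    is only a label for the reader: the server never learns it."""
    code = server.send_sms_otp()          # message delivered to `recipient`
    return server.verify_sms_otp(code)    # submitted by `recipient`


def device_bound_check(server: Server, enrolled: Device, responder: Device, txn: str) -> bool:
    """The challenge is addressed to the enrolled device; `responder` is whoever
    actually answers. Passes only with the enrolled key and the same txn text."""
    nonce = server.issue_challenge(enrolled.device_id, txn)  # nonce is not secret
    return server.verify_response(enrolled.device_id, responder.answer(nonce, txn))


if __name__ == "__main__":
    s = Server()
    print("SMS OTP, intended recipient:", sms_otp_check(s, "account holder"))
    print("SMS OTP, any other recipient:", sms_otp_check(s, "other party"))
    s2, phone, other = Server(), Device("user-phone"), Device("other-phone")
    s2.enrol_device(phone.device_id, phone.key)
    print("Device-bound, enrolled device:", device_bound_check(s2, phone, phone, "pay 100"))
    print("Device-bound, other device:", device_bound_check(s2, phone, other, "pay 100"))
```

The two scenario functions make the asymmetry explicit: the SMS check returns the same result for any recipient because the code itself is the credential, while the device-bound check fails for any responder that does not hold the enrolled key, and also fails if the responder signs a different transaction text than the one the server bound to the nonce.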

SMS OTP has been so severely compromised that Entersekt recently released a fresh set of best practices to its customers, raising awareness of these attacks and detailing how our Interakt and Transakt products should be configured to better protect end users.

For more information, download our white paper, OTP: Security past its expiration date.


Dewald Nolte

Chief Strategy Officer

Dewald co-founded Entersekt in 2008. He’s responsible for setting and executing our product strategy and positioning in the market. Having been involved in several projects further afield than Entersekt, including the A-Darter missile program for Denel Dynamics, his technical ability is as impressive as his solid business acumen.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.