Banks are confronting a difficult reality: the one-time password, once treated as a reliable safeguard, is no longer sufficient to protect accounts in an environment shaped by automation and deception.
Schalk Nolte, CEO of Entersekt, made clear that the industry has long understood the limitations. “This is not new,” he said, noting that warnings about one-time passwords (OTPs) date back more than a decade.
What has changed is not the core weakness, but the intensity of its exploitation. “The major difference that we’re seeing now simply is the scale of the attack rather than the sophistication,” Nolte said. Bots can cycle through stolen credentials and repeatedly attempt logins until they can intercept or elicit a code.
A control that may have been adequate in a lower-volume threat environment now faces continuous pressure. The same vulnerabilities persist, but they are exercised far more frequently.