Why do SMS and OTP fail for high-risk financial access?

They fail because the code is only as trustworthy as the delivery channel. Phishing, SIM swapping, and social engineering can intercept or redirect the factor, which means the bank is no longer verifying the intended customer. In high-risk banking workflows, that makes SMS and OTP a weak basis for account takeover prevention.

Why SMS and OTP Break Down in High-Risk Banking

SMS and one-time passwords fail when the bank treats a shared delivery channel as proof of customer presence. In high-risk financial access, attackers rarely need to defeat the code itself; they target the phone number, the inbox, the session, or the user through phishing and social engineering. That makes the factor vulnerable at the point of delivery, which is exactly where account takeover begins. Guidance from NIST SP 800-63 Digital Identity Guidelines continues to distinguish between authentication strength and channel trust, and NHIMG’s 52 NHI Breaches Analysis shows how often compromised identity material becomes the real control failure.

For financial institutions, the issue is not whether an OTP is “better than a password.” The issue is whether the factor can still be trusted after the attacker has influenced the telecom provider, the device, the browser session, or the user’s decision-making. SMS also creates a false sense of step-up security because it appears frictionful while remaining easy to relay in real time. In practice, many security teams discover that OTP abuse is not a theoretical bypass, but the first signal of a broader identity compromise already underway.

What Happens During an OTP Bypass Attempt

High-risk attackers usually chain weak points rather than brute-force the code. A common path is credential stuffing or phishing, followed by OTP interception through SIM swap, MFA prompt fatigue, or malicious page replay. In other cases, the attacker never touches the customer device at all and instead uses a help desk, telecom carrier, or session hijack to redirect the factor. That is why the control is brittle: it depends on an outside delivery channel staying honest under pressure.

Modern identity guidance increasingly favors stronger, phishing-resistant methods and step-up policies that evaluate risk at runtime. The operational shift is toward possession factors that are bound to the device or application instance, such as FIDO2/WebAuthn, plus transaction-aware verification when the action is unusual. The OWASP Non-Human Identity Top 10 is not a banking standard, but it is useful here because it reinforces a broader pattern: secrets and bearer tokens fail when they are easy to copy, relay, or reuse. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks makes the same point in operational terms, especially where credentials are exposed through weak lifecycle controls.

  • Use SMS only for low-risk notification, not as the primary protector of funds movement or account recovery.
  • Bind step-up authentication to device trust, session context, and transaction risk.
  • Shorten the life of recovery flows, reset links, and approval windows so relay attacks have less time to succeed.
  • Monitor for SIM change indicators, impossible travel, repeated OTP requests, and help-desk escalation patterns.

These controls tend to break down when account recovery still relies on human verification scripts, because attackers target the exception path rather than the login screen.
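The monitoring bullet above names four signals (repeated OTP requests, SIM-change indicators, impossible travel, help-desk escalation patterns) without showing what a rule for each looks like. The following is an added example, not code from the page or from NHIMG: it runs four simple rules over a constructed telemetry sample. The log format, event names (`login`, `otp_request`, `otp_success`, `sim_change`, `helpdesk_escalation`, `recovery_start`) and every threshold are assumptions chosen for illustration and would need tuning against a real baseline.

```python
"""Detection rules over constructed authentication telemetry.

Added example (not from the page or NHIMG). The log format, event
names and thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Iterable, List, Optional, Tuple

# Assumed thresholds; tune against real baseline data.
OTP_BURST = 3                         # this many OTP requests ...
OTP_WINDOW = timedelta(minutes=10)    # ... inside this window is a burst
SIM_WINDOW = timedelta(hours=24)      # SIM change this recently taints an OTP success
HELPDESK_WINDOW = timedelta(hours=1)  # recovery this soon after a help-desk call
MAX_KMH = 900.0                       # faster than this between logins is impossible travel


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str   # login | otp_request | otp_success | sim_change | helpdesk_escalation | recovery_start
    lat: Optional[float] = None
    lon: Optional[float] = None


def parse_line(line: str) -> Event:
    """Assumed line format: '<iso-timestamp> <user> <kind> [<lat> <lon>]'."""
    parts = line.split()
    lat = float(parts[3]) if len(parts) > 3 else None
    lon = float(parts[4]) if len(parts) > 4 else None
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], lat, lon)


def km_between(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance in km between two geolocated events."""
    p1, p2 = radians(a.lat), radians(b.lat)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(b.lon - a.lon) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _within(later: datetime, earlier: datetime, window: timedelta) -> bool:
    return timedelta(0) <= later - earlier <= window


def detect(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return sorted (user, rule) alerts for the telemetry lines."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = set()
    for user, evs in by_user.items():
        # 1. Repeated OTP requests: OTP_BURST requests inside OTP_WINDOW.
        reqs = [e.ts for e in evs if e.kind == "otp_request"]
        if any(reqs[i + OTP_BURST - 1] - reqs[i] <= OTP_WINDOW
               for i in range(len(reqs) - OTP_BURST + 1)):
            alerts.add((user, "repeated_otp_requests"))
        # 2. SIM change shortly before an OTP is accepted (SIM-swap indicator).
        sims = [e.ts for e in evs if e.kind == "sim_change"]
        if any(e.kind == "otp_success" and any(_within(e.ts, s, SIM_WINDOW) for s in sims)
               for e in evs):
            alerts.add((user, "sim_change_before_otp_success"))
        # 3. Impossible travel between consecutive geolocated logins.
        logins = [e for e in evs if e.kind == "login" and e.lat is not None]
        for a, b in zip(logins, logins[1:]):
            hours = (b.ts - a.ts).total_seconds() / 3600
            if hours > 0 and km_between(a, b) / hours > MAX_KMH:
                alerts.add((user, "impossible_travel"))
        # 4. Help-desk escalation followed by account recovery: the exception path.
        helps = [e.ts for e in evs if e.kind == "helpdesk_escalation"]
        if any(e.kind == "recovery_start" and any(_within(e.ts, h, HELPDESK_WINDOW) for h in helps)
               for e in evs):
            alerts.add((user, "helpdesk_then_recovery"))
    return sorted(alerts)


# Constructed sample telemetry (not real data).
SAMPLE_LOG = """
2024-05-01T09:00:00 alice login 51.50 -0.12
2024-05-01T09:01:00 alice otp_request
2024-05-01T09:02:00 alice otp_request
2024-05-01T09:03:00 alice otp_request
2024-05-01T09:05:00 alice otp_request
2024-05-01T10:30:00 alice login 40.71 -74.01
2024-05-01T08:00:00 bob sim_change
2024-05-01T08:20:00 bob otp_success
2024-05-01T11:00:00 carol helpdesk_escalation
2024-05-01T11:15:00 carol recovery_start
2024-05-01T12:00:00 dave otp_request
2024-05-01T12:30:00 dave otp_request
2024-05-02T12:00:00 dave login 51.50 -0.12
""".strip().splitlines()


def sample_alerts() -> List[Tuple[str, str]]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for user, rule in sample_alerts():
        print(f"{user}: {rule}")
```

On the sample, alice trips both the OTP-burst and the impossible-travel rules, bob the SIM-change rule, carol the help-desk rule, and dave (two requests half an hour apart, one login) nothing. The fourth rule is the one that matters most for the point made above: it watches the recovery path rather than the login screen.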

Where the Exceptions and Tradeoffs Matter Most

Tighter authentication often increases customer friction and support overhead, requiring organisations to balance fraud reduction against accessibility and conversion. That tradeoff is real, especially in consumer banking where device loss, travel, and low-connectivity scenarios create legitimate recovery needs. Current guidance suggests that SMS can remain acceptable for low-risk alerts or account notifications, but there is no universal standard that treats it as sufficient for high-value authorisation.

There are also edge cases where OTP is still used as one signal inside a broader risk engine, not as a standalone gate. In those environments, the control is only defensible when paired with phishing-resistant authentication, fraud analytics, and recovery hardening. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Why NHI Security Matters Now both reinforce the same operational lesson: once a factor can be relayed, replayed, or socially engineered, it is no longer a strong trust anchor for high-risk actions.

For regulated financial access, the practical answer is to phase SMS and OTP out of critical paths rather than try to make them “secure enough” through policy language. That becomes especially important when fraud teams and IAM teams do not share telemetry, because then the bank sees authentication as successful even as the attack is already in motion.
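The two sections above describe a policy rather than a mechanism: bind step-up to device trust, session context and transaction risk; accept an OTP as one signal in a risk engine but never as the gate on funds movement or recovery; keep recovery links short-lived. The block below is an added example, not code from the page or from NHIMG, that turns that policy into a decision function. The action taxonomy, the tier thresholds (small-transfer limit, freshness window, link lifetime) and the authenticator names are assumptions chosen to illustrate the shape of such a policy, not values from any standard.

```python
"""Risk-tiered step-up policy for a banking session.

Added example, not from the page or NHIMG. The action taxonomy, tier
thresholds and authenticator names are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Set


class Risk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed action taxonomy. Unknown actions fall back to HIGH (fail closed).
ACTION_RISK = {
    "view_balance": Risk.LOW,
    "update_alert_prefs": Risk.LOW,
    "add_payee": Risk.MEDIUM,
    "change_phone_number": Risk.HIGH,
    "funds_transfer": Risk.HIGH,
    "account_recovery": Risk.HIGH,
}

# Factors bound to the device or app instance cannot be relayed through a
# phishing page in real time; channel-delivered codes and push approvals can.
PHISHING_RESISTANT = {"webauthn", "device_bound_app_key"}
RELAYABLE = {"sms_otp", "email_otp", "push_approve"}

MAX_AUTH_AGE_FOR_HIGH = timedelta(minutes=15)  # assumed freshness window
RECOVERY_LINK_TTL = timedelta(minutes=10)      # assumed reset-link lifetime
SMALL_TRANSFER_LIMIT = 100.0                   # assumed, in account currency


@dataclass
class Session:
    user: str
    device_bound: bool            # device previously enrolled to this account
    auth_age: timedelta           # time since the strongest factor was last verified
    factors_verified: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allow: bool
    reason: str
    step_up: Set[str] = field(default_factory=set)  # factors that would satisfy the policy


def effective_risk(action: str, session: Session, amount: float = 0.0,
                   new_payee: bool = False) -> Risk:
    """Adjust the static tier with transaction and device context."""
    risk = ACTION_RISK.get(action, Risk.HIGH)
    # A small transfer to a known payee from an enrolled device does not
    # warrant a hard step-up.
    if (action == "funds_transfer" and amount <= SMALL_TRANSFER_LIMIT
            and not new_payee and session.device_bound):
        risk = Risk.MEDIUM
    # Anything from an unenrolled device is at least MEDIUM.
    if not session.device_bound and risk is Risk.LOW:
        risk = Risk.MEDIUM
    return risk


def authorize(action: str, session: Session, amount: float = 0.0,
              new_payee: bool = False) -> Decision:
    risk = effective_risk(action, session, amount, new_payee)
    used = session.factors_verified
    if risk is Risk.LOW:
        return Decision(True, "low risk: authenticated session suffices")
    if risk is Risk.MEDIUM:
        # Here an OTP is one acceptable signal among others, not a gate on funds.
        if used & (PHISHING_RESISTANT | RELAYABLE):
            return Decision(True, "medium risk: any second factor accepted")
        return Decision(False, "medium risk: second factor required",
                        PHISHING_RESISTANT | RELAYABLE)
    # HIGH: only a phishing-resistant factor, verified recently, on an enrolled
    # device counts. A passed SMS OTP changes nothing in this branch.
    if not session.device_bound:
        return Decision(False, "high risk: device not enrolled", PHISHING_RESISTANT)
    if not used & PHISHING_RESISTANT:
        return Decision(False, "high risk: relayable factor not accepted", PHISHING_RESISTANT)
    if session.auth_age > MAX_AUTH_AGE_FOR_HIGH:
        return Decision(False, "high risk: factor verification too old, re-verify",
                        PHISHING_RESISTANT)
    return Decision(True, "high risk: fresh phishing-resistant factor on enrolled device")


def recovery_link_valid(issued_at: datetime, now: datetime) -> bool:
    """Short-lived recovery links shrink the window a relay attack has."""
    return timedelta(0) <= now - issued_at <= RECOVERY_LINK_TTL


if __name__ == "__main__":
    s = Session("alice", device_bound=True, auth_age=timedelta(minutes=3),
                factors_verified={"sms_otp"})
    print(authorize("funds_transfer", s, amount=5000.0))
    s.factors_verified.add("webauthn")
    print(authorize("funds_transfer", s, amount=5000.0))
```

The important property is in the HIGH branch: a session that has already passed an SMS OTP is still refused a large transfer and told which factors would satisfy the policy, so the OTP never becomes the thing protecting funds movement. The same function can take fraud-engine inputs (`new_payee`, `amount`) because the tier is computed at request time rather than fixed per action, which is what the text means by evaluating risk at runtime.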

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Agentic AI Top 10 | | Phishing-resistant auth and token replay risks map to modern identity abuse patterns. |
| NIST SP 800-63 | 4.2 | Defines assurance and channel trust limits for OTP-style authentication. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and access control need stronger step-up for high-risk transactions. |

Prefer phishing-resistant, bound authentication and avoid relayed bearer factors for high-risk access.