
What breaks when banks rely on SMS OTP as the only transaction authentication method?

By NHI Mgmt Group Editorial Team | Updated June 8, 2026 | Domain: Threats, Abuse & Incident Response

Banks expose themselves to account takeover and transaction fraud because a stolen or relayed OTP proves only that a code was received, not that the session, device, or transaction is trustworthy. Once the attacker controls the channel or the user is socially engineered, the code becomes a weak hurdle rather than a real assurance step.

Why This Matters for Security Teams

SMS OTP is often treated as a low-cost second factor, but for transaction approval it only confirms that a code reached a phone number. It does not bind the approval to a trusted device, a verified session, or the specific payment details. That leaves banks exposed to phishing, SIM swap abuse, message interception, and real-time relay attacks, especially when the attacker can pressure the user into reading back the code.

This matters because transaction authentication is supposed to reduce fraud at the moment value moves, not merely slow down login abuse. Current guidance from the NIST Cybersecurity Framework 2.0 and bank security programs increasingly treats channel binding, device binding, and step-up risk checks as more reliable signals than a one-time SMS code. NHI Management Group’s research shows why weak authentication assumptions become costly at scale, especially where secrets and identity controls are already under strain. In the real world, fraud teams usually discover the weakness after an approved transfer has already cleared, not during a controlled test.

How It Works in Practice

When SMS OTP is the only transaction control, the bank is relying on possession of a message channel rather than proof of user intent. That creates a gap between authentication and authorisation: the customer may have received a code, but the bank still has no strong evidence that the device is uncompromised, the session is legitimate, or the transaction details have not been altered.

Operationally, this breaks down in several common ways:

  • Phishing pages proxy the login session and forward the OTP in real time.
  • SIM swap or number porting gives the attacker control of the SMS channel.
  • Malware on the phone can read, overlay, or forward messages.
  • Social engineering can convert a valid OTP into attacker-led approval.
  • Transaction details can be changed after the code is generated if the OTP is not cryptographically tied to the payment.

Modern fraud controls usually add more context: device fingerprinting, behavioural signals, out-of-band confirmation, signed transaction data, or step-up methods that are harder to relay. Where risk is high, banks increasingly look for stronger possession or cryptographic proof, not just a delivered text message. That aligns with broader identity risk lessons captured in NHI Management Group research, including the Ultimate Guide to Non-Human Identities and the Schneider Electric credentials breach, which underscore how stolen or over-trusted credentials can turn routine access into direct impact. These controls tend to break down when legacy payment rails cannot bind the authentication event to the exact transaction because the OTP is validated independently of the request context.

Common Variations and Edge Cases

Tighter transaction authentication often increases user friction and support cost, so organisations must balance fraud reduction against abandonment, accessibility, and legacy compatibility. There is no universal standard for this yet, but current guidance suggests that banks should reserve SMS OTP for lower-risk scenarios and avoid treating it as sufficient for high-value transfers or first-time payees.

Some edge cases still matter. SMS may remain a fallback when smartphone app adoption is low, but fallback paths should not become the primary fraud barrier. For customers without reliable app access, banks can use layered controls such as device registration, risk scoring, call-back verification, or step-up verification on high-risk events. The key is to avoid a single channel becoming the only proof of legitimacy.

Two practical signals should drive the policy: whether the OTP is transaction-bound, and whether the bank can detect relay or takeover attempts in real time. If neither is true, SMS is a weak assurance step rather than a control. NHI Management Group data also shows why this mindset matters across identity systems: only 5.7% of organisations have full visibility into their service accounts, and 80% of identity breaches involved compromised non-human identities. That is a reminder that identity proof without binding, visibility, and lifecycle control creates blind trust, not assurance.
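The binding gap described in the sections above, shown as an added example rather than code from NHI Management Group or any bank: a hypothetical transaction-bound OTP in Python. An unbound code is an HMAC over a secret and a challenge nonce only, so the verifier has nothing to check the payment against; the bound code covers the payee, amount and currency as well, is single-use, expires, and must come back from the device that started the payment. The key, IBANs, device identifiers and nonces are constructed for the demonstration, and `ChallengeStore` is an illustrative class, not a real product API.

```python
# Added example: transaction-bound OTP versus an unbound OTP (constructed data, hypothetical design).
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120


def _truncate(digest: bytes, digits: int = CODE_DIGITS) -> str:
    """Dynamic truncation in the style of RFC 4226 (HOTP), reduced to a fixed number of digits."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def unbound_otp(secret: bytes, nonce: str) -> str:
    """Baseline: the code depends only on a secret and a challenge nonce, never on the payment."""
    return _truncate(hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).digest())


def bound_otp(secret: bytes, payee: str, amount_cents: int, currency: str, nonce: str) -> str:
    """Transaction-bound code: an HMAC over a canonical encoding of the payment details plus the nonce."""
    message = f"{payee}|{amount_cents}|{currency}|{nonce}".encode("utf-8")
    return _truncate(hmac.new(secret, message, hashlib.sha256).digest())


class ChallengeStore:
    """Hypothetical server-side record of issued challenges: one nonce per pending payment,
    single use, time-limited, tied to the device that requested it."""

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time,
                 new_nonce: Callable[[], str] = lambda: secrets.token_hex(8)):
        self._secret = secret
        self._now = now
        self._new_nonce = new_nonce
        self._pending: Dict[str, Tuple[str, str, int, str, float]] = {}

    def issue(self, device_id: str, payee: str, amount_cents: int, currency: str) -> Tuple[str, str]:
        nonce = self._new_nonce()
        self._pending[nonce] = (device_id, payee, amount_cents, currency, self._now())
        # The code is computed over exactly the details the message to the customer should display.
        return nonce, bound_otp(self._secret, payee, amount_cents, currency, nonce)

    def verify(self, nonce: str, device_id: str, payee: str, amount_cents: int,
               currency: str, submitted: str) -> bool:
        record = self._pending.pop(nonce, None)  # single use: a replayed nonce finds nothing
        if record is None:
            return False
        issued_device, _, _, _, issued_at = record
        if self._now() - issued_at > CODE_TTL_SECONDS:
            return False
        if device_id != issued_device:
            return False  # approval must come from the device/session that started the payment
        # Recompute over the details the bank is about to execute, not the ones shown at issue time:
        # if the payee or amount changed in between, the codes diverge.
        expected = bound_otp(self._secret, payee, amount_cents, currency, nonce)
        return hmac.compare_digest(expected, submitted)


def demo() -> Dict[str, bool]:
    """Walk through the failure modes from the text with constructed data; returns an outcome per case."""
    secret = b"constructed-demo-key-not-for-production"
    clock = [1_700_000_000.0]
    counter = [0]

    def fixed_nonce() -> str:  # deterministic nonces so the walk-through is reproducible
        counter[0] += 1
        return f"nonce-{counter[0]:04d}"

    store = ChallengeStore(secret, now=lambda: clock[0], new_nonce=fixed_nonce)
    payee, other_payee = "DE89370400440532013000", "GB29NWBK60161331926819"  # constructed sample IBANs
    results: Dict[str, bool] = {}

    nonce, code = store.issue("device-A", payee, 25000, "EUR")
    results["legitimate"] = store.verify(nonce, "device-A", payee, 25000, "EUR", code)
    results["replay"] = store.verify(nonce, "device-A", payee, 25000, "EUR", code)

    nonce, code = store.issue("device-A", payee, 25000, "EUR")
    results["altered_payee"] = store.verify(nonce, "device-A", other_payee, 25000, "EUR", code)

    nonce, code = store.issue("device-A", payee, 25000, "EUR")
    results["relayed_from_other_device"] = store.verify(nonce, "device-B", payee, 25000, "EUR", code)

    nonce, code = store.issue("device-A", payee, 25000, "EUR")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify(nonce, "device-A", payee, 25000, "EUR", code)

    # Unbound baseline: the verifier has no payment details to check, so the same code
    # approves a transfer to whichever payee the (possibly hijacked) session submits.
    plain = unbound_otp(secret, "nonce-0005")
    results["unbound_accepts_altered_payee"] = hmac.compare_digest(unbound_otp(secret, "nonce-0005"), plain)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome else 'rejected'}")
```

The legitimate case is the only one the bound verifier accepts; the replay, altered payee, wrong device and expired cases are all rejected, while the unbound baseline accepts regardless of payee. In a real deployment the message shown to the customer must carry the same payee and amount the HMAC covers, otherwise the binding proves nothing to the person reading the code.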

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-7 | Addresses authentication mechanisms that should be stronger than SMS OTP alone.
OWASP Non-Human Identity Top 10 | NHI-01 | Highlights over-trusted credentials and weak identity assurance patterns.
NIST AI RMF | (no specific control cited) | Supports governance of risk when automated decisioning or fraud scoring informs approvals.

Use AI RMF governance to validate fraud models and escalation rules that supplement transaction auth.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org