Zimbabwe and regional technology news and updates


FNB has a simple solution to SMS One-Time Password (OTP) hacks

FNB OTP, One-Time Password SMS hacks

As has already been recounted and explained here countless times, One-Time Password (OTP) hacks are simple but brutally effective. With a bit of social engineering, you just make one mistake and someone will proceed to empty your bank account, hijack your WhatsApp or other social media account and proceed to do damage. FNB Bank has a simple but effective solution that can stop these types of One-Time Password (OTP) hacks dead in their tracks.

South Africa leads when it comes to SIM swapping scams. For years hackers would fraudulently find a way to have someone’s SIM card replaced and proceed to empty that person’s attack or do other sorts of mischief. It was during the period that FNB established something very important, something Zimbabwean banks ought to understand as well.

While OTP verifications done via SMS are persuasive evidence, they are not conclusive evidence that you are interacting with the rightful owner of the account.

In comparison, most services including WhatsApp and Zimbabwean banking apps treat an SMS verification as foolproof and proceed to open the entire door to whoever has been authenticated this way. That is very foolish in my humble opinion.

How FNB does it?

When you install the FNB app on your phone and log in for the first time, an SMS OTP is sent to your phone just like with any other banking app. If you successfully verify the OTP you are able to log in and access some functions but not all functions. A lot of functionality requires you to verify your device further before you can access them. This applies to all risky transactions such as ordering a new bank card.

There are three ways to verify your app, all of which are designed to further verify that you are the authorised user and not some hacker who is trying to gain access to someone’s account.

The first method is “usage over a period of time”. Normally this takes about 7 days. Using this method of verification, you log into your app and proceed to do unprivileged transactions such as buying prepaid electricity tokens and buying airtime. 7 days after you do this your device will automatically be verified.

This is an igneous way to make sure that whatever damage a hacker could do is limited. By restricting you to safe transactions it means that if you are a hacker you can only do transactions that will potentially lead to your address/arrest. Also during that 7 day period you, the legitimate user will have time to discover any unauthorised transactions and thus prevent the rogue app from ever being verified. The assumption is that if after a week no one has said anything it means everything is as it should be.

Another way to verify your device is to use an already verified app. You generate a QR code on the verified device which you then scan using the FNB Bank app on the unverified device which instantly verifies the new device. Again this prevents some hacker somewhere from doing extensive damage by just tricking you to send them to the OTP. They need physical access to your device as well. It’s especially useful when you upgrade your phone for example.

The final method to verify your device is using GPS. I could not find information about how this method actually works but I can speculate on how such a method could be used to verify your new device. The FNB Bank app can access your location and if you are conducting the transaction at your usual place of residence you would be granted access. If you are using your new device from somewhere else you will have to wait the usual 7 days.

Too much power in the hands of users

Technology confuses even the most tech-savvy people sometimes as even they fall for some social engineering traps. What hope does the common man have? What about my grandfather who lives somewhere in the remote mountains of Nyanga? He can barely read text messages on his phone let alone understand the significance of OTP messages.

Leaving the entire security of an account in the hands of such a man is simply negligent in my opinion. Opening the doors wide to someone’s account simply because they have the right OTP is a fundamentally flawed concept. Those tasked with security at banks and other apps need to come up with a better design otherwise they are just shirking what is rightfully their responsibility.

I can think of another way that banks can use in Zimbabwe. If you want immediate verification for your banking app, you need to enter the OTP and visit the nearest bank branch with your device otherwise wait 7 days. This will effectively stop these kinds of attacks or see a reduction in their numbers.

Again educating people is not going to work. There will still be some people who will fall victim. They need to be protected and not berated.

Quick NetOne, Econet, And Telecel Airtime Recharge

6 thoughts on “FNB has a simple solution to SMS One-Time Password (OTP) hacks

    1. Seems counterintuitive but biometrics are never a good solution for a lot of reasons. Biometrics are no better than OTP.

  1. What stops a thief from forcing you to verify their device, and destroying your device soon after, leaving tied up or dead? The solution will just change he modus operandi of attackers.

    Alternatively, a non tech savvy person could be told by a POS operator that they need to scan the QR code on their app to “verify” the transaction. Many will probably oblige. Some POS operators have been found to be complicit in card cloning.

  2. Account security is a shared responsibility of account holders and the bank, not just the bank. It is the banks duty to educate the account holder. Most do not adequately do this, they just say hey we have a new app – go to Google Play / Apple store. Or, hey we have a new bot – WhatsApp this number, and they leave it at that.

    On the other hand, even when users have been educated, they actively ignore what they have been told. Hence false POP scams are still being executed successfully to date.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.