Beware! OTP Codes Are No Longer Secure – Here’s a More Advanced Alternative!

1 year ago | Internet and Telecommunication


Jakarta, INTI – The One-Time Password (OTP) system, which has long been used for authentication, is now considered insecure. Cybercriminals are becoming increasingly sophisticated in stealing OTPs using various methods such as phishing, smishing, and SIM swapping. Data from VIDA shows that 97% of companies in Indonesia have experienced an account takeover (ATO) incident in the past 12 months, with 84% of these incidents related to SMS OTP vulnerabilities.

Why Are OTP Codes No Longer Secure?

According to Pratama Persadha, Chairman of the Cybersecurity Research Institute CISSReC, OTP codes have many weaknesses that attackers can exploit. Here are some common techniques used to steal OTPs:

  1. SIM Swapping
    • Attackers deceive mobile operators into handing over control of the victim's phone number. Once the number is transferred, all OTPs sent via SMS can be received by the attacker.
  2. Phishing and Man-in-the-Middle (MITM) Attacks
    • Through phishing, attackers direct victims to fake websites that mimic legitimate services and capture OTPs before the victims can use them.
  3. Malware
    • Some advanced malware can read and automatically transmit OTPs to the attacker's server, enabling unauthorized access to victim accounts.

Niki Luhur, Founder and CEO of VIDA Group, also highlighted that SMS OTP as an authentication method has been in use for decades and is no longer effective against modern digital threats. In fact, fraud tools like malware can be purchased for as little as IDR 500,000 and used to scam hundreds of victims.

Safer Alternatives to OTP

As security threats increase, various alternative authentication solutions have been developed to protect users from digital attacks. Here are some methods that are considered safer than SMS OTP:

  1. Cryptographic-Based Authentication (WebAuthn/FIDO2)
    • This technology allows users to access their accounts using security keys or biometric authentication. This method is harder to compromise because it relies on cryptographic keys rather than on codes sent over networks that are vulnerable to attack.
  2. Push Notification Authentication
    • Replaces OTPs with direct authentication requests sent to apps like Google Authenticator or Microsoft Authenticator. This method is safer as it does not involve SMS transmission, which is susceptible to hacking.
  3. Phone Token and Face Token
    • VIDA has developed the VIDA Phone Token, which replaces SMS OTPs with cryptographic keys linked to the user’s device, eliminating the risk of SMS OTP interception.
    • VIDA Face Token uses facial biometrics and liveness detection to ensure that only authorized users can access their accounts.
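
The following added example (not part of the original article) models why the cryptographic authentication in item 1 resists the phishing described earlier while a typed OTP does not. It is a simplified model of the WebAuthn server-side checks: the origins are constructed, and an HMAC stands in for the authenticator's public-key signature because Python's standard library has no ECDSA.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://bank.example"           # constructed relying-party origin
PHISH_ORIGIN = "https://bank-login.example"  # constructed look-alike origin

class Authenticator:
    """Device-held key. WebAuthn uses a per-site key pair; HMAC is a stand-in here."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self.key, client_data, hashlib.sha256).digest()

def browser_get_assertion(auth, page_origin, challenge):
    # The browser, not the page's script, records which origin asked for the login.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return client_data, auth.sign(client_data)

def rp_verify_assertion(key, expected_challenge, client_data, signature):
    """Server-side checks: signature first, then type, challenge and origin."""
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False  # clientDataJSON was altered after signing
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == RP_ORIGIN)

def rp_verify_otp(issued, submitted):
    # An OTP is just a shared secret: nothing in it says where it was typed.
    return hmac.compare_digest(issued, submitted)

def simulate(page_origin):
    """User logs in on page_origin; the page forwards what it receives to the server."""
    auth = Authenticator()
    otp = f"{secrets.randbelow(10**6):06d}"
    challenge = secrets.token_urlsafe(16)
    otp_ok = rp_verify_otp(otp, otp)  # code typed into the page arrives unchanged
    client_data, sig = browser_get_assertion(auth, page_origin, challenge)
    key_ok = rp_verify_assertion(auth.key, challenge, client_data, sig)
    return otp_ok, key_ok

if __name__ == "__main__":
    print("real site :", simulate(RP_ORIGIN))     # (True, True)
    print("look-alike:", simulate(PHISH_ORIGIN))  # (True, False)
```

In real WebAuthn the signature covers the authenticator data plus a SHA-256 hash of clientDataJSON, and the server verifies it with the public key stored at registration.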

Conclusion: Time to Switch to More Secure Authentication!

SMS-based OTP codes have become a dangerous security vulnerability. Companies and individuals must transition to more secure authentication systems such as WebAuthn, Push Notification Authentication, or biometric-based methods to prevent increasingly sophisticated cyberattacks. Don’t let your data and accounts be vulnerable to hackers! Have you switched to a more secure authentication method yet?

Indonesia Technology & Innovation