What is OTP and why you should never share it with anyone
If you’ve been using online services employing layers of security such as online banking or credit card transactions, then you might have already encountered the OTP or One-Time PIN. What is it and why is it important? We’re here to find out.
What is OTP?
An OTP is a short numeric code sent to a user, usually to their registered phone number or email address, that must be entered to validate a login or a transaction, which reduces the risk of fraud. As the name suggests, it is valid for a single use only and expires quickly.
As an example, the Bank of the Philippine Islands (BPI) uses OTP and sends its clients a unique 6-digit code when they make critical or highly sensitive online transactions. The OTP is sent to the client's registered mobile number via SMS and expires 5 minutes after it is sent.
Do note that BPI OTP is a free service and you do not need to enroll or register for OTP.
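As an added illustration (not BPI's code), the following shows how a server would enforce the properties described above: a random 6-digit code, a 5-minute expiry, and single use so that a code cannot be replayed. The three-attempt limit, the OtpStore class and the transaction id are assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6               # BPI sends a 6-digit code
OTP_TTL_SECONDS = 5 * 60     # and it expires 5 minutes after being sent
MAX_ATTEMPTS = 3             # assumption: invalidate the code after a few wrong guesses

class OtpStore:
    """Issues and verifies one-time PINs, enforcing expiry and single use server-side."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # transaction id -> [otp, expires_at, attempts_left]

    def issue(self, txn_id):
        # Fresh random code for one transaction, replacing any earlier one.
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = [otp, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return otp  # delivered out of band (SMS) to the registered number; never logged

    def verify(self, txn_id, submitted):
        # Returns 'ok', 'wrong', 'locked', 'expired' or 'no_pending_otp'.
        entry = self._pending.get(txn_id)
        if entry is None:
            return "no_pending_otp"          # nothing issued, or already consumed (replay)
        otp, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[txn_id]
            return "expired"
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(otp.encode(), str(submitted).encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[txn_id]    # guessing budget exhausted
                return "locked"
            return "wrong"
        del self._pending[txn_id]            # single use: a correct code is consumed
        return "ok"

def demo():
    """Issue, wrong guess, success, replay and expiry, driven by a fake clock."""
    now = [1_000.0]
    store = OtpStore(clock=lambda: now[0])
    code = store.issue("txn-1")
    wrong = "000000" if code != "000000" else "000001"
    results = [store.verify("txn-1", wrong), store.verify("txn-1", code),
               store.verify("txn-1", code)]  # third call replays the consumed code
    code2 = store.issue("txn-2")
    now[0] += OTP_TTL_SECONDS + 1            # let the second code expire
    results.append(store.verify("txn-2", code2))
    return results  # ['wrong', 'ok', 'no_pending_otp', 'expired']
```

The attack described later on this page does not break any of these checks; it succeeds because the legitimate user reads the still-valid code to the attacker within the 5-minute window.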
Never share it with anyone!
The rule is that the OTP is for you and you alone, meaning you’re the only one who should receive it and you should NEVER share it with anyone. Exposing it to other users defeats the purpose of the OTP.
As an analogy, it is like having two different keys to your house — one for the gate and another one for the main door. Even if burglars get hold of the key to your gate, they still need the key to your door to get into the house.
How can attackers get my OTP?
Although OTPs are effective in reducing fraud, attackers can still get around them with phishing and vishing (voice phishing) attacks directed at the user: instead of breaking the OTP, they trick the user into handing it over.
Attackers first try to obtain the user's details, such as username, password, and phone number, usually via phishing emails that trick recipients into believing the message really comes from their bank or financial institution. This is followed by a phone call from someone pretending to be a bank employee, who asks the user to update their account or cancel an unauthorized transaction.
Once the information is provided, the attacker initiates a transaction using the client's online credentials, which causes the bank to generate an OTP and send it to the client's registered phone. The attacker then calls the user again to "confirm" the request and asks for the OTP as a form of verification. This is the vishing, or voice phishing, part of the attack.
Thinking that the call is valid, the user provides the OTP, which the attacker then uses to complete an unauthorized transaction.
What should I do to prevent attacks like this?
The key is to make sure that no one else knows about your info such as usernames, passwords, and phone numbers, especially the OTP. Be very suspicious if someone calls you and asks for this info. Do note that BPI will NEVER ask for a client’s OTP via e-mail, phone, SMS, or social media. Again, the OTP is for you and you alone.
What if I receive an OTP even if I’m not making any online transaction?
You should immediately call BPI Phone Banking via 89-100 to report the incident. Receiving an OTP when you are not making an online transaction may mean that someone is attempting unauthorized access to your account.
What if my mobile phone is stolen?
If you no longer have access to the mobile number that you registered with BPI, immediately update your contact details with BPI to avoid the risk of unauthorized transactions.
Keep yourself informed.
Another way to secure your accounts is to stay alert at all times. Keep yourself informed about your bank's security measures, processes, and rules, as well as about new methods that attackers use to gain access to accounts. Staying informed is your responsibility too, and it makes you a much harder target.