By Wayne Nyarko
For years, one-time passwords (OTPs) have been a cornerstone of digital banking security in Ghana. Whether delivered via SMS or generated through mobile apps, OTPs have provided customers with a simple and familiar way to verify transactions. In a market where mobile banking and mobile money services are deeply integrated into daily life, this additional layer of protection has played an important role in securing digital financial transactions.
However, the threat landscape is changing rapidly. OTPs are no longer as secure as they once were, and Ghana’s financial sector is increasingly exposed to the risks associated with relying on them as a primary authentication method.
The Numbers Tell the Story
Recent figures from the Bank of Ghana highlight the scale of the problem:
- Ghana recorded 16,733 fraud cases across banks, Specialized Deposit-Taking Institutions (SDIs), and Payment Service Providers (PSPs) in 2024, representing a 5% increase from 2023.
- The total value at risk rose to GH¢99 million in 2024, up from GH¢88 million in 2023.
- Fraud within the PSP sector alone reached 15,673 reported cases in 2024, with the value at risk increasing to GH¢19 million.
- Cyber and technology-related fraud losses climbed from GH¢8.9 million in 2023 to nearly GH¢10 million in 2024.
- Identity theft losses increased almost tenfold, rising from GH¢0.6 million to GH¢5.7 million, largely due to weaknesses in identity verification processes.
These figures demonstrate that while digital financial services continue to grow, fraud prevention mechanisms are struggling to keep pace with increasingly sophisticated attacks.
OTPs Are Becoming Easier to Exploit
The challenge lies not in the concept of OTPs themselves, but in how easily they can now be compromised.
Fraudsters in Ghana have become more sophisticated, relying heavily on social engineering tactics to manipulate customers into revealing their OTPs.
By impersonating bank officials, telecom agents, or mobile money representatives, they create urgency and fear, claiming that an account has been compromised or that a transaction requires immediate verification. In moments of panic, customers unknowingly disclose the very code intended to protect them.
According to Ghana’s cyber incident data, online fraud remains the country’s largest cybercrime category, with 1,217 online fraud cases reported in recent CSA data.
Community reports and fraud complaints shared online also show how OTP scams are increasingly tied to impersonation calls and fake SIM swap alerts. Victims are often pressured into sharing authentication codes under the guise of “protecting” their accounts.
SIM Swap Fraud Is a Growing Threat
SIM swap fraud has become one of the most dangerous weaknesses in OTP-based security systems.
The Bank of Ghana reported that approximately GH¢4.6 million was lost to SIM swap fraud in 2023, involving at least 15 recorded cases.
In a SIM swap attack, criminals fraudulently transfer a victim’s phone number onto a SIM card they control. Once successful, they receive all SMS messages and OTPs linked to the victim’s banking and mobile money accounts.
The risk is particularly severe in Ghana because mobile numbers are deeply connected to financial services, including mobile banking, wallets, and payment platforms.
Investigations cited by cybercrime researchers and media reports also suggest that some SIM swap schemes involve insider collaboration, forged identification documents, and weaknesses in SIM replacement procedures.
Mobile Money Has Expanded the Attack Surface
The rapid growth of mobile money services has significantly increased digital financial inclusion in Ghana, but it has also created new opportunities for cybercriminals.
Platforms operated by companies such as MTN Ghana, Vodafone Ghana, and AirtelTigo have transformed how millions of Ghanaians transact daily.
In 2024 alone, Ghana’s mobile money ecosystem processed transactions exceeding GHS 570 billion, creating an enormous digital transaction environment for attackers to target.
Cybercriminals understand that controlling a single phone number may provide access to:
- Mobile money wallets
- Banking applications
- Debit card verification systems
- Email recovery processes
- Social media accounts
This interconnected ecosystem makes SMS-based OTP authentication increasingly risky as a standalone defence mechanism.
Traditional Banks Are Equally Vulnerable
Even traditional banks are not immune.
As banks accelerate digital transformation initiatives, OTPs remain one of the most widely used authentication tools. However, relying heavily on SMS-based verification exposes institutions to phishing, account takeover, and identity theft attacks.
The 2024 fraud data showed that forgery and document manipulation accounted for 67% of the total value at risk within banks and SDIs, with losses surging from GH¢7.47 million to GH¢53.5 million.
These trends indicate that fraudsters are targeting not only customers, but also weaknesses in institutional verification processes.
What Comes Next?
Banks in Ghana must begin transitioning toward stronger, multi-layered authentication systems.
Biometrics
Biometric authentication, such as fingerprint and facial recognition, is already being integrated into mobile banking applications. Unlike OTPs, biometric credentials cannot easily be intercepted, forwarded, or manipulated through social engineering.
Device-Based Authentication
Banks are increasingly using trusted-device recognition to identify unusual login attempts. If a customer suddenly logs in from an unfamiliar phone or location, additional security checks can be triggered automatically.
Behavioural Analytics
Behavioural analytics represents another promising layer of defence. These systems analyse user behaviour patterns such as typing speed, swipe gestures, navigation habits, and login timing to detect suspicious activity in real time.
If a transaction deviates significantly from a customer’s normal behaviour, banks can apply additional verification steps before approving access.
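The trusted-device and behavioural checks described above can feed a single step-up decision that also stops trusting SMS after a SIM change. The following Python is an added example, not code from the article or from any bank; the thresholds, field names, action labels, and the SIM-change signal from the telecom operator are assumptions.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

# Assumed policy values, chosen for illustration only.
SIM_COOLING_OFF_HOURS = 72
UNUSUAL_AMOUNT_FACTOR = 5

@dataclass
class TxnContext:
    device_id: str
    trusted_devices: set
    amount: float
    past_amounts: list = field(default_factory=list)
    # Hours since the operator last re-issued the SIM; None if no signal.
    hours_since_sim_change: Optional[float] = None

def decide(ctx: TxnContext) -> dict:
    """Return the authentication action for one transaction."""
    reasons = []
    if ctx.device_id not in ctx.trusted_devices:
        reasons.append("unfamiliar_device")
    if ctx.past_amounts and ctx.amount > UNUSUAL_AMOUNT_FACTOR * median(ctx.past_amounts):
        reasons.append("unusual_amount")
    recent_sim = (ctx.hours_since_sim_change is not None
                  and ctx.hours_since_sim_change < SIM_COOLING_OFF_HOURS)
    if recent_sim:
        reasons.append("recent_sim_change")

    if not reasons:
        action = "allow"
    elif len(reasons) == 1:
        action = "step_up_non_sms"   # e.g. in-app biometric approval
    else:
        action = "hold_for_review"
    # After a SIM change the number may not be in the customer's hands,
    # so an SMS code proves nothing until the cooling-off period ends.
    return {"action": action, "sms_otp_allowed": not recent_sim, "reasons": reasons}

# Constructed sample customer: usual transfers of GH¢100-250 from one phone.
HISTORY = [100.0, 150.0, 200.0, 250.0]
TRUSTED = {"phone-A"}

if __name__ == "__main__":
    for ctx in (
        TxnContext("phone-A", TRUSTED, 200.0, HISTORY),
        TxnContext("phone-A", TRUSTED, 200.0, HISTORY, hours_since_sim_change=6),
        TxnContext("phone-B", TRUSTED, 5000.0, HISTORY, hours_since_sim_change=6),
    ):
        print(ctx.device_id, ctx.amount, decide(ctx))
```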
Customer Education Remains Critical
Technology alone will not eliminate fraud.
Many successful attacks occur because customers are deceived rather than because systems are technically hacked. Financial institutions and regulators must therefore continue investing heavily in public awareness campaigns.
One critical message must remain consistent: “No legitimate bank, telecom provider, or mobile money operator will ever ask for your OTP.”
Public education is especially important as phishing attacks become more personalized and convincing.
Telecom Providers Must Strengthen Controls
Telecommunications providers also have a major role to play.
Improving SIM replacement procedures, enforcing stricter identity verification standards, and enhancing fraud monitoring systems can significantly reduce the success rate of SIM swap attacks.
Given the central role mobile numbers now play in Ghana’s financial ecosystem, telecom security has effectively become financial security.
The Future of Banking Security in Ghana
OTPs are unlikely to disappear entirely anytime soon. They remain familiar, convenient, and relatively inexpensive to deploy.
But the reality is clear. In today’s fraud environment, OTPs alone are no longer sufficient.
For Ghana’s banking sector, the future lies in adaptive, intelligence-driven authentication systems that combine biometrics, device recognition, behavioural analytics, and real-time fraud monitoring.
Ghana has established itself as one of Africa’s leading digital financial markets. Maintaining public trust in that ecosystem will require continuous innovation, stronger collaboration between banks and telecom providers, and a proactive approach to cybersecurity.
Because in modern banking, trust is no longer built only on convenience; it is built on security.
The post Rethinking one-time password security in the banking industry appeared first on The Business & Financial Times.