Why SMS OTPs Are No Longer Enough for Payment Security

What Two Students in 1971 Revealed About Your Payments Security Today

The 1971 prank showed how phone networks could be manipulated. Decades later, different telecom weaknesses allowed fraudsters to intercept SMS codes used to approve payments, pushing the industry beyond OTPs.

Homam Saeed

Digital Lead

In a UC Berkeley dorm room in 1971, engineering student Steve Wozniak and his friend Steve Jobs, who had not yet started college, were experimenting with a digital version of a device known as a “blue box,” which they had built themselves and which phone enthusiasts of the time used to manipulate telephone networks.

And, as two young men with free long-distance calling naturally would, they decided to prank-call the Pope.

The plan almost worked. Wozniak called the Vatican pretending to be Henry Kissinger, but someone there grew suspicious and figured it out before the call reached the Pope.

It was a prank, but it exposed a serious weakness. Phone networks could be manipulated by people who understood how the system worked.

When the Final Security Layer Failed

More than four decades after the blue box, criminals found a new way to exploit a phone network weakness for money.

Attackers sent convincing emails that looked like they came from German banks. Several customers followed the links and entered their account details. This was a classic phishing scam.

By mid-January 2017, the attackers had already used those stolen details to enter the victims’ online bank accounts and prepare the transfers. They were close to the money, but one final barrier remained.

German banks required an OTP sent to each customer’s phone before they approved a transfer. The code was meant to confirm that the real account holder controlled the account.

So the attackers went after the mobile network. They exploited a weakness affecting O2 customers in Germany and redirected the OTP messages through a foreign network to phones they controlled.

An OTP can be valid and still be stolen. The risk appears while the code is travelling through the mobile network.

The banks sent the codes, but the customers did not receive them. The attackers did. The layer meant to stop the theft became the approval step that let it happen.

Are We Really as Safe as We Think?

That is the real lesson for payments.

Security does not only fail when the checkout is broken. It can fail when attackers target the systems around the payment, the customer, the device, the mobile network, or the approval method itself.

That is why SMS OTPs are under pressure. They confirm a transaction through a channel merchants do not control, and criminals have learned how to exploit that gap.

Mobile networks use SS7 signalling to route calls, deliver text messages, and exchange information between telecom operators. Telecom engineers designed the system in the 1970s for a smaller, trusted telecom environment.

That trust later became a weakness.

In 2016, exactly a year before the attack on German banks, researchers publicly demonstrated how they could use SS7 to redirect text messages sent to another person’s phone. This included OTPs used by banks and online services to confirm payments and logins.

Once attackers gained access to telecom signalling infrastructure, they could target a phone number and manipulate message routing so incoming SMS codes were delivered elsewhere. The customer would never receive the OTP, while the attacker could use it to approve the transaction.

The demonstration made the risk clear. Even a valid OTP can fail if the channel carrying it is exposed.

The Industry Is Moving Beyond SMS OTPs

Across MENA, regulators are moving financial institutions toward stronger customer authentication.

SMS asks the network to confirm who you are. Biometric approval puts that trust in the customer’s verified device.

The direction is clear. SMS OTPs should not be the only approval layer for high-risk payment activity. Banks and payment institutions are being encouraged to use stronger controls, including in-app approvals, device binding, biometric checks, secure PINs, and risk-based monitoring.

In Saudi Arabia, SAMA’s cybersecurity framework also makes clear that SMS OTP should not be used as the only authentication factor. In the UAE, this change is reflected in recent Central Bank guidance for licensed financial institutions. In Kuwait, Central Bank guidance has pushed banks toward mobile-app-generated security codes and registered-device checks.

These controls do not remove every risk. But they reduce dependence on a single SMS message, which is exactly the layer attackers have learned to target. 

Where Payment Security Is Moving

The next generation of payment security does not depend on sending another code. It moves approval closer to the customer, their app, and their registered device.

Payment approval moves closer to the customer, using a verified device and biometrics instead of a code sent across the mobile network.

In-App Authentication

With in-app authentication, customers receive a payment request inside their bank or wallet app.

They can review the merchant and amount before approving the payment directly through the app. This keeps the approval away from SMS and makes it harder for criminals to intercept or redirect it.

Local payment systems are also moving more payment activity into trusted apps. Aani in the UAE supports instant payments, QR payments, Request to Pay, and transfers through participating financial institutions. BenefitPay in Bahrain also gives customers app-based ways to scan, authenticate, and confirm payments.

Biometric Authentication

Biometric authentication allows customers to confirm a payment using their fingerprint, face scan, or device PIN instead of entering an OTP.

Visa Payment Passkey and Mastercard Payment Passkey move payment approval toward the customer’s device, using fingerprint, face scan, or device PIN instead of SMS codes.

Tap Payments and Mastercard introduced a global first: Click to Pay with Payment Passkey for secure eCommerce transactions.

These methods help confirm that the right customer is approving the right payment from a trusted device. MENA’s local payment schemes are moving in the same direction, helping make payment authentication safer for everyone.
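To make the contrast with SMS concrete, here is an added illustration (not code from Tap Payments, Visa or Mastercard) of why the in-app and passkey approvals described in the two sections above resist the kind of redirection used against the German bank customers: the device signs the exact merchant, amount and transaction it displayed, and the bank accepts that signature only from the enrolled device, and only once. It uses an HMAC with a per-device secret as a stand-in for the asymmetric passkey signature; the device ids, amounts and function names are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed enrollment record: at device binding the bank stores a per-device
# secret. Real passkeys use an asymmetric key pair; an HMAC key stands in here
# so the example runs on the standard library alone.
DEVICE_KEYS = {"device-7f3a": secrets.token_bytes(32)}  # constructed device id
USED_TXN_IDS = set()  # each approval is accepted once

def sms_otp_check(code_sent, code_entered):
    """SMS OTP: the code is tied to neither a device nor a transaction, so
    whoever receives the message can approve the transfer."""
    return hmac.compare_digest(code_sent, code_entered)

def create_payment_request(merchant, amount_minor, currency, device_id):
    """Bank side: a challenge naming the exact transaction and enrolled device."""
    return {"txn_id": secrets.token_hex(8), "merchant": merchant,
            "amount_minor": amount_minor, "currency": currency,
            "device_id": device_id}

def _canonical(request):
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()

def approve_on_device(request, device_key, user_confirmed):
    """Device side: after the customer reviews merchant and amount and unlocks
    with biometrics or PIN, the device signs exactly what it displayed."""
    if not user_confirmed:
        return None
    return hmac.new(device_key, _canonical(request), hashlib.sha256).hexdigest()

def verify_approval(request, approval, merchant, amount_minor, device_keys=DEVICE_KEYS):
    """Bank side: accept only a signature from the enrolled device, over the
    details the bank expects, and only once. Redirected, altered or replayed
    approvals all fail."""
    key = device_keys.get(request["device_id"])
    if key is None or approval is None:
        return False
    if request["merchant"] != merchant or request["amount_minor"] != amount_minor:
        return False
    if request["txn_id"] in USED_TXN_IDS:
        return False
    expected = hmac.new(key, _canonical(request), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, approval):
        return False
    USED_TXN_IDS.add(request["txn_id"])
    return True
```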

What This Means for Merchants

Merchants cannot control mobile networks or decide how a customer’s bank approves a payment. But they can choose a checkout setup that keeps authentication inside secure, compliant payment flows.

  1. Work with a payment provider that supports 3D Secure, issuer-led authentication, and stronger approval methods when banks, schemes, or regulators require them.
  2. Never ask customers to share an OTP, security code, or banking credential by phone, email, WhatsApp, or live chat.
  3. Use secure payment pages and keep your website, checkout, and payment integrations updated.
  4. Monitor unusual activity, including repeated payment attempts, sudden changes in order value, or multiple payments from the same device.
  5. Make security clear to customers, but avoid adding unnecessary steps to every payment.
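Step 4 of the list above in code, as an added example that is not part of the original post: three checks run over a constructed checkout log, flagging repeated attempts by one customer, a sudden jump in order value against that customer's approved history, and one device paying for several customers in a short window. The thresholds, customer and device ids, and event records are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed checkout log (not real data): (timestamp, customer, device, amount, approved)
EVENTS = [
    ("2024-03-01T10:00:00", "cust-1", "dev-A", 120.0, True),
    ("2024-03-02T11:00:00", "cust-1", "dev-A", 95.0, True),
    ("2024-03-03T09:00:00", "cust-1", "dev-Z", 2400.0, False),
    ("2024-03-03T09:01:00", "cust-1", "dev-Z", 2400.0, False),
    ("2024-03-03T09:02:30", "cust-1", "dev-Z", 2400.0, False),
    ("2024-03-03T09:05:00", "cust-2", "dev-Z", 300.0, True),
    ("2024-03-03T09:06:00", "cust-3", "dev-Z", 280.0, True),
    ("2024-03-03T12:00:00", "cust-4", "dev-B", 50.0, True),
]

def _sorted(events):
    return sorted(((datetime.fromisoformat(ts), c, d, amt, ok) for ts, c, d, amt, ok in events))

def repeated_attempts(events, window=timedelta(minutes=5), limit=3):
    """Customers with `limit` or more attempts inside a sliding `window`."""
    flagged, recent = set(), defaultdict(list)
    for ts, cust, _, _, _ in _sorted(events):
        times = recent[cust]
        times.append(ts)
        while ts - times[0] > window:   # drop attempts older than the window
            times.pop(0)
        if len(times) >= limit:
            flagged.add(cust)
    return flagged

def value_spikes(events, factor=5.0):
    """Attempts at least `factor` times the customer's average approved order."""
    flagged, history = [], defaultdict(list)
    for ts, cust, _, amount, approved in _sorted(events):
        past = history[cust]
        if past and amount >= factor * sum(past) / len(past):
            flagged.append((cust, ts.isoformat(), amount))
        if approved:                    # only approved orders shape the baseline
            past.append(amount)
    return flagged

def shared_devices(events, window=timedelta(minutes=10), limit=3):
    """Devices used by `limit` or more distinct customers inside `window`."""
    flagged, recent = set(), defaultdict(list)
    for ts, cust, dev, _, _ in _sorted(events):
        seen = recent[dev]
        seen.append((ts, cust))
        while ts - seen[0][0] > window:
            seen.pop(0)
        if len({c for _, c in seen}) >= limit:
            flagged.add(dev)
    return flagged
```

Flags from these checks are a signal to step up authentication or review, not a reason to block on their own.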

Merchants should treat stronger authentication as a trust and compliance issue, not only a fraud issue. Stronger authentication helps protect customer trust, reduce account takeover risk, and keep checkout aligned with changing bank, scheme, and regulatory requirements.

Talk to Tap Payments about building a secure checkout that supports local payment methods, 3D Secure, and stronger authentication requirements across MENA.

Visit our website and chat with our payment experts today!
