The Indian Ministry of Home Affairs, in collaboration with SBI Cards and Payment Services Ltd (SBI Card) and telecommunications providers, has initiated a collaborative effort to address the escalating threat of cyber fraud and phishing attacks within the banking sector. This initiative seeks to mitigate the misuse of stolen one-time passwords (OTPs) by implementing a mechanism to promptly notify customers of any disparities between their registered address and the location where the OTP is being dispatched.
The proposed solution, currently undergoing testing, leverages telecom databases to track the geolocation of customers. Should an incongruity arise, customers will be promptly alerted to the potential phishing attempt. A senior banking official, speaking anonymously, acknowledged that the solution is in its nascent stage of development. However, both the Home Ministry and SBI Card have declined to comment on the initiative.
Previously, the Reserve Bank of India mandated an additional layer of authentication for all digital payment transactions to thwart fraudulent activities. However, cybercriminals have evolved their tactics, successfully deceiving customers into divulging OTPs or rerouting them to unauthorized devices, rendering the second factor of authentication ineffective.
In the event of a discrepancy in OTP delivery location, the solution proposes two courses of action: alerting the customer or blocking the OTP entirely. Developed in collaboration with telecom companies, the solution will authenticate the customer’s SIM location in real-time and cross-reference it with the OTP delivery geolocation. Given that banks possess customer address data, real-time triangulation of information will be imperative. For instance, if a customer resides in Bengaluru and the OTP is directed to an unfamiliar location in Uttar Pradesh devoid of recent communication activity, it may signal fraudulent behavior.
According to the Indian Cyber Crime Coordination Centre (i4C), cybercriminals have illicitly acquired Rs 10,319 crore between April 2021 and December 2023. Most of these crimes have emanated from foreign territories such as China, Cambodia, and Myanmar, often involving non-state actors. To combat such threats, the government has instituted the ‘Citizen Financial Cyber Fraud Reporting and Management System’ under i4C, which has thwarted approximately Rs 1,200 crore of fraudulent transactions based on over 470,000 complaints received until February 2024. In 2023 alone, the registry documented 1.12 million complaints, tallying Rs 7,488 crore in fraudulent transfers, as per government reports.
