Preventing Account Takeover Fraud: The Fall of SMS OTPs and the Future of Network-Level Authentication
The rise of mobile banking in the 2010s cemented one-time passwords (OTPs) as the global standard for identity verification. However, the telecom infrastructure behind them was built on a decades-old signaling protocol and was never designed for secure, encrypted communication.
Hackers quickly learned to exploit this weakness, and by 2020 cybersecurity firms were documenting large-scale breaches where attackers intercepted OTPs in transit without ever touching the user’s phone. What began as an extra layer of protection has turned into a direct avenue for theft.
According to Juniper Research, over $366 million will be lost to account takeover fraud in 2025, rising to $423 million by 2029. Despite efforts to stem the tide, current fraud mitigation techniques and the real-time signals used are not sufficient deterrents.

The Structural Flaws of OTPs
The issues with OTPs go beyond network vulnerabilities. They’re fundamentally designed for ease of use, not resilience, exposing them to a variety of weaknesses:
- Network interception: Attackers exploit SS7 flaws or man-in-the-middle tactics to read OTPs mid-transit.
- SIM swapping: Criminals trick mobile carriers into transferring a victim’s number to their SIM, rerouting OTPs and draining accounts.
- Phishing: Users unknowingly share OTPs on fake websites or calls; because codes aren’t tied to a session or device, they’re easily reused.
- Delivery failures: SMS delays, roaming restrictions or blocked messages can prevent users from receiving their OTPs, often pushing them to use less secure backup methods.
- Lack of context: OTPs don’t validate device, behavior or location, allowing attackers to mimic legitimate logins undetected.
Unfortunately, SMS OTPs still protect over 75% of mobile banking sessions, underscoring how dependent the industry remains on a fragile system. Over the past year, for instance, a SIM-swap attack drained $38,000 from a customer’s account at a large U.S. bank, sparking class-action scrutiny. Exposed API keys enabled mass SIM swaps and crypto thefts targeting high-value users of a major U.S. telecom. And in the UK, unauthorized SIM swaps rose to 3,000 cases, a tenfold annual increase.
It’s no surprise that regulators from the FCC to Ofcom have since urged financial institutions to reconsider SMS-based two-factor authentication altogether.
The Shift to Network-Centric Authentication
The industry is now moving toward silent, network-based verification using standardized application programming interfaces (APIs) that leverage real-time carrier data. Projects such as GSMA’s CAMARA initiative — a global telco API alliance — and platforms such as Network as Code make this possible, offering secure, frictionless authentication without relying on SMS.
Key network APIs in the fight against fraud include:
- SIM Swap/Device Swap: Detects recent number or device changes and triggers stronger authentication.
- Number Verification: Confirms device ownership silently, avoiding delivery risks.
- “Know Your Customer” Match and Device Location: Validates subscriber data and detects anomalies using network signals.
These APIs enable passive authentication, a form of security that operates invisibly in the background while maintaining the user experience. They also align with compliance frameworks like PSD2 and FFIEC, supporting risk-based authentication and reducing exposure to regulatory penalties.
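The risk-based decision that the SIM Swap, Device Swap and Number Verification signals above feed into, as an added Python example that is not code from Nokia, CAMARA or the author. The signal keys, the 72-hour window and the step-up method names are hypothetical, and the carrier responses are assumed to have been fetched and parsed elsewhere.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy values chosen for this example.
SIM_SWAP_WINDOW = timedelta(hours=72)
STEP_UP_METHODS = ("passkey", "app_push", "sms_otp")

def decide(signals, now, high_risk=False):
    """Return (decision, reasons, permitted_step_up_methods).

    signals uses hypothetical keys; None means the carrier check failed
    or was unavailable (for example, the session was not on mobile data):
      number_verified  bool | None      Number Verification result
      last_sim_change  datetime | None  most recent SIM change (SIM Swap)
      device_swapped   bool | None      Device Swap result
    """
    if signals.get("number_verified") is False:
        # The network says this session is not on the claimed number.
        return "deny", ["number_mismatch"], ()
    reasons = []
    if signals.get("number_verified") is None:
        reasons.append("number_unverified")
    last_change = signals.get("last_sim_change")
    if last_change is None:
        reasons.append("sim_swap_unknown")  # fail closed on missing data
    elif now - last_change <= SIM_SWAP_WINDOW:
        reasons.append("recent_sim_swap")
    swapped = signals.get("device_swapped")
    if swapped is None:
        reasons.append("device_swap_unknown")
    elif swapped:
        reasons.append("recent_device_swap")
    if not reasons:
        return "allow", [], ()
    if "recent_sim_swap" in reasons and high_risk:
        return "deny", reasons, ()
    # If SIM state is recent or unknown, an SMS code may reach the wrong SIM,
    # so SMS is removed from the step-up options.
    sim_untrusted = {"recent_sim_swap", "sim_swap_unknown"} & set(reasons)
    methods = tuple(m for m in STEP_UP_METHODS
                    if not (sim_untrusted and m == "sms_otp"))
    return "step_up", reasons, methods

# Constructed sample: the SIM changed two hours before a login attempt.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"number_verified": True,
          "last_sim_change": NOW - timedelta(hours=2),
          "device_swapped": False}

if __name__ == "__main__":
    print(decide(SAMPLE, NOW))
```

A missing signal is treated as a reason to step up rather than as a pass, so a carrier outage or a Wi-Fi-only session cannot silently downgrade the check.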
The Road Ahead
The decline of SMS OTPs is more than just a technical shift — it’s a turning point for digital trust. As financial institutions replace legacy methods with API-based network intelligence, authentication will become proactive and painless, ushering in a safer, more resilient future for the digital economy.
About Nokia
Nokia is a global leader in connectivity for the AI era, providing the critical network infrastructure the world relies on.
Every day, we’re powering our customers with advanced connectivity across fixed, mobile and transport networks, delivering the performance and security they need to meet the demands of an AI-enabled future.
About the Author
Alex Walling serves as Nokia’s Head of Business Development for Network as Code, where he leads go-to-market strategy and enterprise adoption for Nokia’s global network API platform. Drawing on deep experience in the API economy, Alex helps partners across industries, from financial services to automotive, leverage 5G network capabilities like real-time location, identity verification, and differentiated connectivity. Before Nokia, Alex was Chief Strategy Officer at RapidAPI, where he helped scale the company’s enterprise footprint across Fortune 500 customers.