BSP Sets June 30 Deadline for Banks to Drop SMS OTPs

The Bangko Sentral ng Pilipinas (BSP) has set a deadline for digital banking applications to phase out One-Time Pins (OTPs) sent via SMS, effective Tuesday, June 30, 2026. This directive aligns with Section 6 of the Anti-Financial Account Scamming Act (AFASA), designed to protect client financial accounts from unauthorized access.

Security Risks of SMS OTPs

The BSP identified SMS OTPs as a security vulnerability due to the risk of interception and unauthorized sharing by third parties outside the transaction process. Telecommunication companies, including those in the Philippines, rely on Signaling System No. 7 (SS7) protocols to manage call and text information exchange across networks. Often described as the postal system of telecommunications, SS7 enables carriers to determine a recipient’s location, identify the appropriate network for delivering calls or messages, check device availability, and efficiently route communications between different service providers.

Developed in the 1970s, SS7 was built for a limited number of trusted telephone companies. However, the modern telecommunications landscape has expanded significantly, weakening the original trust-based model and making the system more vulnerable to exploitation by unauthorized or malicious actors.

Demonstrated Exploits

In a YouTube video, Veritasium demonstrated how hackers can exploit SS7 vulnerabilities to intercept text messages by tricking the network into thinking a target’s phone is roaming, allowing them to reroute messages—including OTPs—to a number they control. Linus Sebastian (LinusTechTips) raised concerns, stating, “It [SMS OTPs] is the only available option and sometimes that can even be for accounts that should be treated with the utmost of care like a bank account.” An email sent to Wise users also advised them to update their two-step verification method.

Alternative Authentication Methods

BSP Circular 1213 calls for the adoption of stronger multi-factor authentication measures. These include biometric authentication such as fingerprint scanning and facial recognition, behavioral biometrics, passwordless methods like security keys, and adaptive authentication systems designed to detect unusual or suspicious activity.
