Global Financial Protection Map

[Professor]

Echelon 1: "Classic Fields" (SMS OTP is dominant or very common)​

Countries in this category are characterized by maintaining SMS OTP as a standard or very common verification method. This makes the technical side of operations more predictable.

Gulf States:

• Kuwait (KW), UAE (AE), Saudi Arabia (SA), Qatar (QA): A region with high purchasing power where SMS authentication is deeply integrated into user habits and banking processes. The CBUAE directive to completely phase out SMS-OTP from March 2026 makes Kuwait, UAE and the rest of the GCC a transition zone.

Southern Europe:

• Italy (IT), Spain (ES), Greece (GR), Portugal (PT): Large e-commerce markets where the transition to mandatory app use is slower than in the Nordic countries. In Italy and Spain, SMS is still in use, but many banks are actively promoting push notifications. Their status is "transition zone" .

Latin America:

• Brazil (BR), Mexico (MX), Chile: Huge markets with millions of online shoppers. Banking infrastructure relies heavily on SMS as a basic and straightforward verification method.

Balkan:

• Serbia (RS), Croatia (HR), Bulgaria (BG), Romania (RO): Emerging markets where banking systems are being modernized, but SMS OTP is still the standard for many transactions.

Southeast Asia:

• Malaysia (MY), Thailand (TH), Vietnam (VN): Booming mobile economies where SMS is a familiar and trusted channel for receiving verification codes.

Hybrid approach dominates, be prepared to use push notification interception method if SMS OTP fails.

Key markets like India . This is a huge market with millions of users where SMS authentication is still dominant.

In these countries, banking apps are the primary authentication method, but SMS OTP is actively used as a backup option or for customers of certain banks. Working here requires flexibility.

• Western Europe:
• UK, FR, IE: Developed markets dominated by apps but with a very frequent and working SMS fallback scenario.
• Canada (CA), Australia (AU), New Zealand (NZ): Modern financial systems where authentication methods are fragmented; SMS is common enough to remain relevant.

Central and Eastern Europe:

• Poland (PL), Czech Republic (CZ), Hungary (HU): Are in the process of actively moving to apps, but the SMS user base is still huge.
• The Baltics, following the example of Scandinavia, have almost completely abandoned SMS. Today they are on the border with Echelon 3 , and I would recommend not to waste time on them if you are not sure of the method.
• Lithuania (LT), Latvia (LV), Estonia (EE): Technologically advanced countries dominated by apps from Scandinavian banking groups (Swedbank, SEB). SMS is rarely used, mostly as an exception. They are on the border with Echelon 3.

Developed Asia:

• Japan (JP): A unique system that uses a mix of static 3DS passwords, SMS OTPs and apps.
• Hong Kong (HK), Singapore (SG): Advanced financial centers with very strong anti-fraud systems. SMS is available, but geo-filters and behavioral analysis work as aggressively as possible.

These countries have almost entirely switched to confirming transactions through secure banking apps or national digital identification systems. Transactions relying on SMS interception are ineffective here.

• German-speaking countries: Germany (DE), Austria (AT), Switzerland (CH).
• Scandinavian countries: Denmark (DK), Sweden (SE), Norway (NO), Finland (FI).
• Benelux: Belgium (BE), Netherlands (NL), Luxembourg (LU).

The main popular methods of intercepting OTP:

• Phishing
• SIM-swapping
• SMS interception via malware
• Wi-Fi sniffing
• Email Hacking
• Social engineering (via phone call)

I propose to discuss the methods of work, I will be glad to receive additions or criticism.