How banks protect OTP

Mutt
Banks use multi-layered mechanisms to protect one-time passwords (OTPs) to prevent them from being intercepted, forged or misused, especially in the context of 3D-Secure (3DS) and PSD2 requirements in Europe. An OTP (One-Time Password) is a temporary code sent via SMS, email or a banking app to confirm transactions or access an account. In the context of carding, protecting OTPs is critical, as carders often try to intercept these codes to bypass 3DS when using Non-VBV, Auto-VBV or Non-MCSC bins. For educational purposes, I will describe in detail how banks protect OTPs, including the technical aspects, technologies used and anti-fraud measures, and explain why these mechanisms make carding difficult.

1. How OTP works in the context of 3D-Secure

  • Purpose of OTP: OTP is used within 3DS (Verified by Visa, MasterCard SecureCode, Amex SafeKey) to verify the identity of the cardholder in online transactions, ensuring compliance with Strong Customer Authentication (SCA) requirements under PSD2.
  • Process:
    • The user enters card details on the store's website.
    • The payment gateway (e.g. Stripe) initiates 3DS by forwarding the request to the issuing bank.
    • The bank analyzes transaction parameters (IP, device, amount) through Risk-Based Authentication (RBA).
    • If Challenge flow is required, the bank sends an OTP to the registered phone number, email or app, and the user enters it on the 3DS page.
  • OTP Features:
    • Temporary: lasts 5-10 minutes.
    • Unique: tied to a specific transaction.
    • Disposable: cannot be reused.

Why OTP protection is important: Carders using stolen card details do not have access to the owner's registered contact details, so banks employ sophisticated measures to protect OTPs from being intercepted or counterfeited.

2. Technical mechanisms of OTP protection

Banks use a combination of technologies and procedures to protect OTPs, minimizing the risk of fraud. Key methods include:

a) Encryption of transmission channels

  • Mechanism:
    • OTP is transmitted over secure channels using HTTPS/TLS 1.2 or 1.3 for web interfaces and end-to-end encryption for SMS or push notifications.
    • Banking apps (e.g. Revolut, N26) use symmetric encryption (AES-256) and asymmetric encryption (RSA) to protect data.
  • How it protects:
    • Intercepting OTP via Man-in-the-Middle (MITM) attacks is virtually impossible without access to the encryption keys.
    • SMS traffic is encrypted at the operator level (for example, via the SS7 protocol with additional protection).
  • Technical details:
    • HTTPS uses certificates signed by trusted CAs (Certificate Authorities), making it difficult to counterfeit a 3DS page.
    • Example: An OTP sent via an app is encrypted using a key that is only available to the owner's device.
  • Impact on carding:
    • Carders trying to intercept OTP via MITM (e.g. on open Wi-Fi) cannot decrypt the data without the private key.
    • Phishing sites that imitate a 3DS page are detected by browsers (Google Safe Browsing) or antiviruses.

b) Linking OTP to a specific transaction

  • Mechanism:
    • The OTP is generated with a unique Transaction ID that links the code to a specific transaction.
    • The bank checks the entered OTP and Transaction ID before authorization.
  • How it protects:
    • Even if a carder intercepts the OTP, he will not be able to use it for another transaction.
    • OTP has a short validity period (5-10 minutes), which limits the time for attack.
  • Technical details:
    • OTP is generated using algorithms such as HMAC-based One-Time Password (HOTP) or Time-based One-Time Password (TOTP).
    • Example: OTP 123456 is linked to Transaction ID txn_789. If the carder enters the OTP for another transaction, the bank rejects the request.
  • Impact on carding:
    • Carders cannot reuse the stolen OTP as it is invalid for other transactions.
    • The short duration of action requires a quick interception, which is difficult without access to the owner's device.
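An added example of the transaction binding, expiry and single-use checks described in section b), written for this page and not taken from the original post or from any bank's system. The code is derived HOTP-style (RFC 4226 dynamic truncation) from an HMAC over the transaction ID and a fresh random nonce; the server key, the 5-minute lifetime and the transaction IDs txn_789/txn_790 from the text are constructed demo values, and the injectable clock is there only so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import struct
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # 5 minutes, the lower end of the 5-10 minute window described above


class OtpService:
    """Issues and verifies OTPs that are bound to one transaction ID.

    The code is derived HOTP-style (RFC 4226 dynamic truncation) from an HMAC
    over the transaction ID and a fresh random nonce, so a code issued for
    txn_789 never verifies for txn_790, expires after OTP_TTL_SECONDS and is
    rejected on any second use.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now  # injectable clock so expiry can be tested offline
        self._pending = {}  # transaction_id -> [nonce, issued_at, used]

    @staticmethod
    def _truncate(mac: bytes) -> str:
        # RFC 4226 dynamic truncation: low nibble of the last byte picks a 4-byte window
        offset = mac[-1] & 0x0F
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

    def _derive(self, transaction_id: str, nonce: bytes) -> str:
        message = transaction_id.encode() + b"|" + nonce
        return self._truncate(hmac.new(self._key, message, hashlib.sha256).digest())

    def issue(self, transaction_id: str) -> str:
        """Generate the code the bank would send via SMS/push for this transaction."""
        nonce = secrets.token_bytes(16)
        self._pending[transaction_id] = [nonce, self._now(), False]
        return self._derive(transaction_id, nonce)

    def verify(self, transaction_id: str, submitted: str) -> str:
        """Return 'ok' or the reason the submitted code is rejected."""
        entry = self._pending.get(transaction_id)
        if entry is None:
            return "unknown_transaction"
        nonce, issued_at, used = entry
        if used:
            return "already_used"
        if self._now() - issued_at > OTP_TTL_SECONDS:
            del self._pending[transaction_id]
            return "expired"
        if not hmac.compare_digest(self._derive(transaction_id, nonce), submitted):
            return "mismatch"
        entry[2] = True  # single use: mark consumed before authorizing
        return "ok"


def demo() -> list:
    """Walk through the scenarios in the text with a constructed key and clock."""
    clock = [1_700_000_000.0]
    svc = OtpService(b"constructed-demo-key", now=lambda: clock[0])
    code_789 = svc.issue("txn_789")
    code_790 = svc.issue("txn_790")
    results = [
        svc.verify("txn_790", code_789),  # code for another transaction -> mismatch
        svc.verify("txn_789", code_789),  # correct code, right transaction -> ok
        svc.verify("txn_789", code_789),  # replayed -> already_used
    ]
    clock[0] += OTP_TTL_SECONDS + 1      # let the second code age out
    results.append(svc.verify("txn_790", code_790))  # -> expired
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the transaction ID is part of the HMAC input, so binding is cryptographic rather than a lookup the verifier might skip; the consumed flag is set before "ok" is returned so a concurrent replay of the same code cannot win a race. A production deployment would keep the pending table in a store shared across verification nodes and count mismatches per transaction (see section h).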

c) OTP delivery through secure channels

  • Mechanism:
    • The OTP is sent to the registered phone number, email or via the banking application linked to the account.
    • Banks use two-step verification to change contact details (for example, SMS code + biometrics).
  • How it protects:
    • Carders cannot forward OTP to their number/email without access to the owner's account.
    • Push notifications in apps (like Revolut) are harder to intercept than SMS because they require access to the device.
  • Technical details:
    • SMS are delivered via secure operator protocols (for example, SS7 with additional encryption).
    • Push notifications use APNs (Apple Push Notification Service) or FCM (Firebase Cloud Messaging) with end-to-end encryption.
  • Impact on carding:
    • Carders attempting to redirect OTP via social engineering (e.g. number change) face additional checks (passport, biometrics).
    • SMS interception requires complex attacks on the operator's infrastructure, which is only available to highly skilled attackers.

d) Biometric authentication

  • Mechanism:
    • Many banks are replacing or supplementing OTP with biometrics (fingerprint, facial recognition) via apps.
    • Example: In a bank app (Monzo, N26), the user confirms the transaction with a fingerprint instead of entering an OTP.
  • How it protects:
    • Biometrics are tied to the physical device and unique characteristics of the user, making them inaccessible to carders.
    • Devices (iOS, Android) use hardware security modules (Secure Enclave, Titan M) to store biometric data.
  • Technical details:
    • Biometrics integrates with 3DS 2.0 via API, where the bank requests confirmation via the app.
    • Example: User receives a push notification requesting biometric verification instead of OTP.
  • Impact on carding:
    • Carders cannot forge biometrics without physical access to the owner's device.
    • Even if the device is compromised, biometric data is protected by hardware encryption.

e) Device Fingerprinting

  • Mechanism:
    • Banks and payment gateways (e.g. Stripe) collect unique device characteristics (browser, OS, screen resolution, fonts) via JavaScript SDK (e.g. stripe.js).
    • The device fingerprint is matched with the card owner's registered device.
  • How it protects:
    • If an OTP is requested from a new or suspicious device (e.g. via VPN or Tor), the bank may reject the transaction or request additional verification.
  • Technical details:
    • Example of a fingerprint (JSON):
      {
        "device_id": "device_123456",
        "browser": "Chrome 120",
        "os": "Windows 10",
        "timezone": "UTC+3",
        "ip": "104.28.12.45"
      }
    • If the device does not match the owner's history, the bank blocks the OTP or requires alternative authentication (e.g. a call).
  • Impact on carding:
    • Carders using virtual machines or Tor Browser create fingerprints that do not match the owner's profile, resulting in a denial.
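An added example of the fingerprint matching described in section e), written for this page rather than taken from the original post or from any bank's or Stripe's code. It scores an observed fingerprint against the owner's registered devices and turns the score into the 3DS decision (frictionless, challenge, deny). The weights, the thresholds, the ip_country field and the anonymised-IP flag are assumptions; the registered device is a constructed record modelled on the JSON in the text.

```python
# Weights express how strongly each attribute identifies the owner's device (they sum to 100).
# Assumed values: a real risk engine tunes these from its own fraud history.
WEIGHTS = {"device_id": 50, "os": 15, "browser": 10, "timezone": 15, "ip_country": 10}

# Constructed device record, modelled on the fingerprint shown in the text.
# ip_country stands in for the "geolocation" the text mentions and is an assumption.
REGISTERED_DEVICES = [
    {"device_id": "device_123456", "browser": "Chrome 120", "os": "Windows 10",
     "timezone": "UTC+3", "ip_country": "DE"},
]


def _normalise(fp: dict) -> dict:
    """Compare the browser family only: a routine Chrome update must not look like a new device."""
    out = dict(fp)
    out["browser"] = (fp.get("browser") or "").split(" ")[0]
    return out


def fingerprint_score(observed: dict, registered: dict) -> int:
    """0..100: the weight of every attribute that matches the registered device."""
    o, r = _normalise(observed), _normalise(registered)
    return sum(w for field, w in WEIGHTS.items() if o.get(field) == r.get(field))


def decide(observed: dict, registered_devices: list, anonymised_ip: bool) -> str:
    """Map the best match against the owner's devices to a 3DS authentication outcome."""
    best = max((fingerprint_score(observed, d) for d in registered_devices), default=0)
    if best >= 85 and not anonymised_ip:
        return "frictionless"   # known device on an expected network: no OTP needed
    if best >= 40:
        return "challenge"      # partial match, or a known device behind VPN/Tor: send OTP
    return "deny"               # nothing matches the owner's history


def demo() -> list:
    """Constructed requests: owner after a browser update, owner travelling,
    owner on a VPN, and an unrelated virtual machine behind Tor."""
    owner_updated = {"device_id": "device_123456", "browser": "Chrome 121", "os": "Windows 10",
                     "timezone": "UTC+3", "ip_country": "DE"}
    owner_travelling = {"device_id": "device_123456", "browser": "Chrome 121", "os": "Windows 10",
                        "timezone": "UTC+0", "ip_country": "US"}
    vm_behind_tor = {"device_id": "device_777", "browser": "Firefox 115", "os": "Linux",
                     "timezone": "UTC+0", "ip_country": "NL"}
    return [
        decide(owner_updated, REGISTERED_DEVICES, anonymised_ip=False),    # frictionless
        decide(owner_travelling, REGISTERED_DEVICES, anonymised_ip=False), # challenge
        decide(owner_updated, REGISTERED_DEVICES, anonymised_ip=True),     # challenge
        decide(vm_behind_tor, REGISTERED_DEVICES, anonymised_ip=True),     # deny
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: an anonymised IP never yields a frictionless result even on a perfect device match, which is the behaviour the text describes for VPN users, and a partial match falls back to a challenge rather than an outright denial so the legitimate owner travelling with their own phone is not locked out.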

f) Monitoring suspicious activity

  • Mechanism:
    • Banks monitor OTP request attempts, identifying anomalies:
      • Multiple OTP requests in a short period.
      • Requests from suspicious IPs (e.g. VPN, Tor).
      • Geolocation mismatch (IP from Russia for a card from the USA).
  • How it protects:
    • If anomalies are detected, the bank blocks the card or temporarily suspends access to the OTP.
    • The user receives a notification about suspicious activity (SMS, email, push).
  • Technical details:
    • Anti-fraud systems use machine learning to analyze patterns (for example, Stripe Radar analyzes 1000+ signals).
    • Example: If a carder requests OTP 3 times in a row from the data center IP, the bank blocks the card and notifies the owner.
  • Impact on carding:
    • Carders attempting to obtain OTPs through phishing or interception risk having their cards blocked after a few attempts.

g) Blacklists and cooperation

  • Mechanism:
    • Banks exchange data on fraudulent IPs, devices and cards through payment systems (Visa TC40, MasterCard SAFE reports).
    • IPs or devices associated with OTP interception attempts are added to blacklists.
  • How it protects:
    • Suspicious IPs (e.g. VPN, Tor) are automatically blocked when requesting OTP.
    • Cards associated with fraud are disconnected from the 3DS.
  • Technical details:
    • Banks use APIs to exchange data with payment systems.
    • Example: IP 104.28.12.45 associated with NordVPN is blacklisted after several failures.
  • Impact on carding:
    • Carders using known VPNs or devices are quickly blocked by global blacklists.

h) Limit the number of attempts to enter OTP

  • Mechanism:
    • Banks limit the number of attempts to enter OTP (usually 3-5).
    • Once the limit is exceeded, the transaction is declined and the card may be temporarily blocked.
  • How it protects:
    • Carders trying to guess the OTP or use an intercepted code are limited to a small number of attempts.
  • Technical details:
    • The 3DS system tracks attempts via Transaction ID and blocks access after the limit.
    • Example: After 3 incorrect attempts to enter the OTP, the bank sends a notification to the owner and suspends transactions.
  • Impact on carding:
    • Guessing the OTP is almost impossible due to the short validity period and limited number of attempts.

3. Impact on carding and Non-VBV/Auto-VBV/Non-MCSC bins

OTP protection makes carding using stolen cards extremely difficult:
  • Non-VBV bins:
    • In Europe, PSD2 requires SCA and banks send OTP for 3DS which carders cannot obtain without access to the owner's phone/email.
    • Example: Carder uses Non-VBV bin (479126, ESL FCU) to make a purchase in a European store. Stripe initiates 3DS and the bank sends an OTP to the cardholder's phone, making the transaction impossible.
  • Auto-VBV bins:
    • Auto-VBV bins can pass Frictionless flow (without OTP) for low-risk transactions, but banks analyze IP and device. If VPN is used, the bank asks for OTP (Challenge flow).
    • Example: Carder uses Auto-VBV bin (440393, Bank of America) with NordVPN. Bank detects VPN via GeoIP and requires OTP, which carder cannot obtain.
  • Non-MCSC bins:
    • Similar to Non-VBV, Non-MCSC bins require OTP for 3DS in Europe, and delivery channel protection (SMS, push) prevents interception.
    • Example: Non-MCSC bin (523236, Santander) causes OTP to be sent via a biometrically protected app.
  • Card Testing:
    • Carders test cards through small transactions ($1–$5) in hopes of bypassing 3DS.
    • Banks detect such attempts through monitoring (multiple OTP requests) and block the card.
    • Example: Carder tests 10 cards. After 2-3 OTP requests, the bank blocks the card and notifies the owner.

4. Practical examples

  • Scenario 1: Phishing for OTP:
    • The carder sends a fake SMS, impersonating a bank, asking to enter the OTP on a phishing site.
    • Result: The bank uses HTTPS/TLS for the 3DS page, and phishing sites are blocked by browsers (Google Safe Browsing). The owner receives a notification about suspicious activity.
  • Scenario 2: SMS interception:
    • The carder is trying to intercept SMS by hacking the telecom operator (SS7 attack).
    • Result: SMS are encrypted at the operator level, and banks are switching to push notifications protected by end-to-end encryption.
  • Scenario 3: Social Engineering:
    • The carder calls the bank, posing as the owner, to forward the OTP.
    • Result: The bank requires additional data (SSN, passport, biometrics), and suspicious calls lead to the card being blocked.
  • Scenario 4: Using VPN:
    • The carder uses a VPN to match the IP region of the card, hoping to get the OTP.
    • Result: Device Fingerprinting detects device non-compliance and monitoring blocks multiple OTP requests.

5. OTP Security Limitations

  • SS7 vulnerabilities: The SS7 protocol used for SMS has known vulnerabilities that allow messages to be intercepted. However, such attacks require a high level of access to the operator's infrastructure and are rare.
  • Phishing: Users with low digital literacy may submit OTP to a phishing site, but banks educate customers and use alerts for suspicious activity.
  • Compromised devices: If the owner's device is infected with malware, the OTP may be intercepted. However, hardware security modules (Secure Enclave) and biometrics minimize this risk.

6. Conclusion

Banks protect OTPs with channel encryption (HTTPS/TLS, end-to-end), transaction-specific binding, secure channel delivery (SMS, push, apps), biometrics, Device Fingerprinting, activity monitoring, and blacklists. These measures make it extremely difficult for carders to intercept or counterfeit OTPs, especially when using Non-VBV, Auto-VBV, or Non-MCSC bins. In Europe, PSD2 strengthens the protection with mandatory 3DS, and outside the EEA, anti-fraud systems (Stripe Radar) complement the security by analyzing IP, device, and behavior. Bypass attempts (phishing, interception, social engineering) are resource-intensive and high-risk, making carding less effective.

If you want to dive deeper into other aspects, such as how SS7 attacks work or how to set up custom rules in Stripe Radar to protect OTPs, let me know!