eCommerceNews Australia - Technology news for digital commerce decision-makers
Story image

Visa mandates end of SMS OTPs to tackle AI-driven scams

Mon, 9th Dec 2024

Visa has announced that it will require Australian financial institutions to replace SMS One-Time Passwords (OTPs) as the sole authentication method for payments to combat AI-driven fraud and scams.

In the previous year, scam losses in Australia amounted to AUD $2.7 billion with over 601,000 scam reports. This rise is attributed to the increasing use of generative artificial intelligence and machine learning technologies, which have opened new avenues for cybercriminals to exploit human vulnerabilities, especially during peak holiday shopping and travel seasons.

Martyna Lazar, Visa's Head of Risk for Australia, New Zealand and South Pacific, stated, "Scammers prey on fundamental human needs and heightened emotions – whether that's companionship, job security or by creating a sense of urgency, panic or concern, and there's no IT patch that can be deployed for that."

As part of its Security Roadmap for Australia 2025-2028, Visa mandates that by October 2026, Australian financial institutions must offer more secure authentication options beyond SMS OTP. Potential alternatives include biometric authentication, in-app authentication, app-to-app flows, or passkeys, all of which utilise multiple channels or devices to enhance the verification process.

Lazar added, "Cyber criminals today are more organised, more sophisticated and using new technology to target Australians at scale with effective social engineering and phishing tactics. By tricking consumers into divulging their unique OTPs, they are then able to authenticate fraudulent payments or gain access to accounts, which can lead to substantial financial and emotional stress. The threat landscape is rapidly evolving, and it takes continuous investment from Visa, together with financial institutions, merchants and consumers, to drive adoption of new secure technologies and stay ahead of these fraudsters."

This new requirement is part of a broader strategy which includes measures to prevent enumeration attacks, maintain secure technologies for fraud management and customer experience, and utilise a data-driven risk-based approach. The strategy also aims to secure the ecosystem against unauthorised payments fraud in the era of AI, enhance the cyber security posture of participants, and maintain secure digital payment experiences.

Lazar advised Australian consumers to be particularly vigilant against scams during the holiday period, which often sees an uptick in online shopping and travel arrangements. She warned, "Scammers will often try to get you to act - or click - without thinking by creating a false sense of urgency. Remember, your bank or government provider won't ask you for personal information, passwords or payment details via SMS. Don't click on hyperlinks in the SMS, don't reply or call the sender on that number, and don't provide personal info. If you think you've been targeted, contact your financial institution immediately to protect your account and report the scam."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X