CBK Monitors Loopholes In Theft Of OTP Sent To Clients
Category: Kuwait

The Central Bank of Kuwait (CBK) has set five guidelines for modifying and updating the telephone numbers of bank customers, to address deficiencies and loopholes in some banks that allow unauthorized parties to change a customer’s phone number and receive the customer’s secret codes, reports Al-Qabas daily.

In light of the evolution of payment methods, which have become mainly dependent on smartphones, banks have developed their automated systems to accept and implement the various payment processes their customers use.

These systems depend mainly on the customer’s registered telephone number to verify his or her identity: a One Time Password (OTP) code is sent to the customer’s mobile number to accept or reject the operation, after the number is entered, during online payments, withdrawals and deposits carried out on the account, in accordance with directives of the Central Bank of Kuwait in this regard.

Although handling of the OTP sent by banks to the telephone numbers of registered customers has proven effective and has reduced the risks associated with transactions performed by bank customers on the internet, there is still a risk associated with the mechanism for updating and modifying customers’ registered personal telephone numbers. This comes amid coordination with representatives of banks through the Union of Banks of Kuwait and an exchange of correspondence via e-mail on 18 and 23 October 2018, which included a list of responses by banks on each bank’s mechanism for updating and modifying the personal phone numbers of its customers.

The shortcomings and gaps in some banks may allow unauthorized parties to change a customer’s phone number, receive the customer’s secret codes and transact on the account.

For this reason, CBK requires adherence to a set of controls on amending and updating the personal phone numbers of bank customers. Under these controls, a customer’s personal phone number may be modified or updated when the customer visits a branch, on the condition that the modification is carried out by two employees in a way that guarantees shared responsibility (double monitoring) for the transaction.

Updates by phone call are not accepted, except through the interactive voice response (IVR) system. If the customer uses a personal mobile phone that is already known to the bank to make the update, it can only be done if the customer presents the OTP.

If the customer uses a personal mobile phone unknown to the bank, or the bank’s website on a personal computer, to update or modify the personal phone number, the change must be made by applying double entry criteria and submitting the OTP. If the phone number is modified through the bank’s ATM, the OTP must be sent to the customer’s former phone number, and the customer must enter that OTP to apply the modification.

28 Jan, 2019