The hidden danger in those annoying passcodes your bank texts you

Rodger Desai
Aug 2, 2017 · 5 min read
Image for post
Image for post

You know the drill by now.

You go to log into your bank account from your computer, but instead of getting in with your username and password, you see this:

Image for post
Image for post
“Using SMS passcodes is such a seamless and convenient experience,” …said no one ever.

The dreaded identification code screen. There’s no denying that the clumsily choreographed dance of texting yourself a one-time passcode (also known as an SMS OTP), waiting for the message, and then going back to your computer to type the passcode in, is an annoyance that we could all do without. And if you’re trying to do the same thing in an app or on a web browser on your phone, the experience is made even more cumbersome by having to fumble back and forth between screens while trying to keep the digits of that passcode fresh in your mind long enough to type it in.

But all of the inconvenience is worth it if it keeps fraudsters from hacking into our bank accounts, right?

Not quite.

On the contrary, the very same SMS passcodes that are supposed to protect us are actually being used to break into our accounts and drain them.

The very security mechanism that is supposed to be keeping your account safe could be putting your financial future in danger.

Known as an SS7 attack, this type of scam has been in the news more and more, but many people are still not aware of the dangers.

Here’s how they do it:

1. First, the fraudsters use social engineering scams (like email phishing) to trick you into giving up your username, password and other personal info.

2. Once they’ve socially engineered you for your username and password, the next piece of information the hackers need to break into your account is that double-edged SMS OTP. Luckily for the bad guys, intercepting that text is no big deal. Through a little bit of fancy footwork, they can easily steal the passcode from your text inbox and just like that, they’re in your bank account. Bye bye savings.

3. To add insult to injury, they can then go a step further and lock you out of your own account by changing your password once they have access. They usually do this as a way to buy extra time while they’re draining your funds. The password change makes it impossible for you to intervene if you happen to realize what is happening and try to reverse transfers.

Variations on this type of fraud are so common and effective that they’re not just limited to your bank accounts. Criminals can get into your other apps that are linked to your bank accounts and steal from you that way too. UGH.

If SMS OTPs are so dangerous, what can we do to protect ourselves?

There’s a simple fix for this problem, and it’s offered by Payfone, a company that is near and dear to my heart because (blatant self-promo alert) I’m one of the co-founders.

In short, we’re revolutionizing the way businesses let their customers log in.

Our technology allows businesses to recognize and authenticate users through their mobile phones, making logging into your account a breeze for you, and impossible for anyone who is not you.

To see what I mean, let’s replay the above scenario with Payfone’s tech enabled:

  1. A bad guy socially engineers you and gets your username and password.
  2. Using this info, the hacker tries to sign into your bank account from their own device.
  3. Your bank sees that someone is trying to access your account from an unrecognized device. With Payfone enabled, the bank sends a text message with an ultra-secure URL to your phone (instead of an easy-to-hack one-time passcode).
  4. Even if the hacker intercepts the text itself (or even worse, if they took over your phone number using a SIM swap attack), they will not be able to access your account because clicking the link from any device other than your actual mobile handset will fail authentication.
  5. The hacker is out of luck and is forced to move onto the next unsuspecting victim. Your hard-earned money is safe!
Payfone Instant Link for Web

It’s worth noting that scammers can actually use SMS messages to trick you into clicking malicious links, so be on the lookout for links that ask you to input additional information. A Payfone Instant Link will never ask you to do anything further than clicking the link. It won’t ask you for your username or password, or for any other details. Other common signs of spoofed messages include misspelled words and URLs that are misspellings of actual website names (like

In addition to keeping scammers out, Payfone’s authentication makes it easier for rightful account owners to get in. Let’s go back to that clunky experience of going between your text messages and your computer to get a passcode. Payfone’s Instant Link chops that down to just two steps: Get the text on your phone, and click a link. That’s it.

And if you think that’s an improvement, what about the awful experience of going back and forth between an app and a text message on your phone to enter an SMS passcode. If you’re using an app that has Payfone enabled, you don’t have to go through any of that pain at all. Thanks to our next-generation matching algorithms and deep integration with mobile network operators, we can simply verify that it’s you trying to access your account using your phone’s unique SIM identifier. We do it all behind-the-scenes so you don’t even have to lift a finger. And unlike other solutions, there is no additional app that needs to be installed.

Doesn’t this sound like something that all companies should use? We certainly think so, and our tech has already been adopted by some of the largest banks, health insurance and tech companies in the U.S., with many more clients coming online soon.

Our dream is for the digital world to be a place where companies can welcome 99% of their users (the good guys) with open arms instead of putting up all kinds of cumbersome barriers just because of a few bad guys.

If you’d like your bank, email provider, ride-sharing app, favorite online retailer or any other website that you use regularly to make logging in easier for you and impossible for scammers, share this article with the hashtag:


to help us spread the word!

Thank you for reading and click here to learn more about what we do and why we do it.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store