return to news
  1. Why your OTP may not be enough: Report warns of new banking fraud tactics

Business News

Why your OTP may not be enough: Report warns of new banking fraud tactics

SUMMARY

The report says attackers are abusing device compromise, token interception, weak backend validation and flaws in banking application logic to make fraudulent transactions appear legitimate without directly breaching bank systems.

mule accounts online fraud

As digital payments continue to grow rapidly in India, cyber fraud cases have also increased. | Image: Shutterstock.

Cyber threats targeting India's banking, financial services, insurance (BFSI) and payments ecosystem are becoming more sophisticated and increasingly systemic as fraudsters now exploit weaknesses in business logic, mobile devices and onboarding processes, according to a report released on Monday.

Open FREE Demat Account within minutes!
Join now

The Digital Threat Report 2025-26, released by the government in collaboration with cybersecurity firm SISA, said attackers are increasingly taking advantage of flaws in payment applications, mobile onboarding processes and device verification to make fraudulent transactions appear legitimate.

The report said fraudsters are now abusing "device compromise, token interception, weak backend validation" and weaknesses in the logic of banking applications, allowing them to bypass security checks without necessarily breaking into a bank's systems.

It said cyberattacks have shifted from directly hacking systems to manipulating the chain of trust across mobile onboarding, real-time payments, APIs and partner platforms.

Criminals are exploiting gaps between apps, devices and authentication systems, where "no single control owner has full visibility", the report said.

The report cited examples of QR code phishing, fraudulent UPI account onboarding and attempts to fool artificial intelligence-based fraud detection systems.

It said investigators found a common pattern across these incidents.

"The breach did not begin with exploitation of a hardened perimeter. It began with trust that was never revalidated," the report said.

According to the report, many onboarding systems verify individual checks such as a device, OTP or token separately, but fail to confirm whether the entire sequence of actions is genuine. This allows attackers to stitch together legitimate-looking steps to create fraudulent accounts or transactions.

The report also said that emulator checks, device signals and onboarding patterns were frequently treated as adequate verification controls despite being "easily bypassed under adversarial conditions."

It warned that attackers increasingly exploit business logic flaws such as API misuse, insecure object references (IDOR), OTP reuse and race conditions, vulnerabilities that "standard OWASP reviews miss" because they typically emerge only under "real-world parallel or abnormal execution".

The report said many fraud detection systems are built around expected customer behaviour and therefore struggle to identify carefully planned attacks that mimic genuine user activity.

It also said that identity has become the main target for attackers as banks increasingly rely on biometrics, passkeys and continuous authentication.

"A single identity compromise no longer affects one account. It provides broad, persistent, cross-system access," the report said.

The report also warned that cyber threats are evolving faster than traditional security models.

The time between the emergence of a cyber threat and its exploitation has shrunk dramatically, often from years to months or even weeks.

It said six of the seven forward-looking cyber threat predictions made in the previous edition have already "reached full-scale realization", reflecting how attackers are "innovating faster, scaling faster, and exploiting trust faster than many institutional control environments were designed to withstand."

Launching the report, IT Secretary S Krishnan said trusted partnerships between public institutions and industry were becoming increasingly important as cyber threats grew more sophisticated.

“As cyber threats become increasingly sophisticated, trusted partnerships between public institutions and industry are essential to strengthening digital trust," Krishnan said.

"The Digital Threat Report represents a meaningful collaboration among CERT-In, CSIRT-Fin and SISA. This partnership demonstrates how expertise developed in India can contribute both to our national cyber resilience and to advancing cybersecurity knowledge globally," he added.

About The Author

Upstox
Upstox News Desk is a team of journalists who passionately cover stock markets, economy, commodities, latest business trends, and personal finance.

Next Story