Credit card and payments giant Visa has announced it will phase out SMS One-Time Passwords (OTPs) as the sole factor for payment authentication in response to the growing threats posed by artificial intelligence (AI).
As part of Visa’s new Security Roadmap for Australia 2025-2028, the multinational payments firm will mandate that partner financial institutions provide their customers with authentication options beyond SMS OTPs. The mandate will come into force from October 2026.
The “safer” alternatives to SMS OTPs promoted by Visa include biometric authentication, in-app authentication, app-to-app flows, or passkeys, which, it says, leverage multiple channels or devices to strengthen the identification and verification process.
Visa said the shift away from mobile OTPs – computer-generated authorisation codes sent via SMS – is intended to address the looming threat of AI-driven fraud and scams, which is fast rendering the authentication method unfit for purpose.
“The rise of generative artificial intelligence and machine learning technologies, combined with the continued growth in eCommerce, has created new opportunities for cybercriminals to exploit the most vulnerable point in the payments’ ecosystem: humans,” Visa said in a statement.
OTPs are vulnerable to numerous threats, not only from lost or stolen devices but also from increasingly sophisticated social engineering hacks, which trick users into giving away their OTPs. In addition, because SMS messages remain unencrypted, they can also be intercepted and ‘hacked’ – in a similar fashion to a ‘Man in the Middle’ attack.
Visa added: “Cyber criminals today are more organised, more sophisticated and using new technology to target Australians at scale with effective social engineering and phishing tactics.
“By tricking consumers into divulging their unique OTPs, they are then able to authenticate fraudulent payments or gain access to accounts, which can lead to substantial financial and emotional stress.”
Visa’s head of risk for Australia, New Zealand and South Pacific Martyna Lazar added: “Scammers prey on fundamental human needs and heightened emotions – whether that’s companionship, job security or by creating a sense of urgency, panic or concern, and there’s no IT patch that can be deployed for that.”
Other priorities being pursued as part of Visa’s Security Roadmap, which lays out six key areas to strengthen resilience in Australia’s payment ecosystem, include:
- Preventing enumeration attacks, where fraudsters use automation to test and guess payment credentials
- Continued investment in secure technologies to balance fraud management and improved customer experience
- Shifting to a data-driven risk-based approach, which enhances security and supports sustainable growth
- Ensuring ecosystem resilience against unauthorised payments fraud and scams (authorised fraud) in the era of AI
- Enhancing the cyber security posture of ecosystem participants
- Securing digital payment experiences by integrating best-in-class security protocols
NAB to dump passwords
Meanwhile, NAB chief security officer Sandro Bucchianeri has revealed the bank’s five-year plan to phase out passwords for internet banking.
Speaking with the Sydney Morning Herald, Bucchianeri said the bank will move to replace passwords, which he deemed a “terrible” and outdated security method, with passkey and biometric recognition technologies.
Passkeys, a form of digital credential generated through a cryptographic code, are already in use within NAB’s digital-only subsidiary Ubank.
Passkey authentication leverages the same method typically used by individuals to unlock their devices – including fingerprint, PIN or facial recognition authentication – offering a largely friction-free sign-in process.
Bucchianeri said the transition away from passwords comes in response to a surge in identity and credential threats in recent years, particularly via phishing emails.