If you have noticed your banking app asking for a face scan or fingerprint instead of a text message code, that is not a coincidence. Starting June 25, 2026, Philippine banks and e-wallet operators are no longer allowed to use SMS- or email-based one-time passwords (OTPs) to verify high-risk financial transactions. The Bangko Sentral ng Pilipinas (BSP) made it official, and it affects everyone who moves money digitally in the Philippines.

For everyday users of GCash, Maya, or online banking apps, the change will feel subtle at first: a biometric prompt instead of a text message, a fingerprint scan instead of a six-digit code. For the organizations behind those apps, and for any business relying on similar verification methods to protect its own systems, it raises a harder question: if the BSP had to mandate a ban to protect Philippine consumers from a method most people trusted for years, what other security assumptions in your environment have already expired?

The shift might feel minor on the surface. But it is built on a serious security reality: the six-digit code sent to your phone was never as safe as it seemed. And understanding why matters, because the same vulnerabilities that put your bank account at risk also put your organization's systems at risk.


What the BSP Actually Requires

BSP Circular No. 1213, issued in May 2025, implements Section 6 of the Anti-Financial Account Scamming Act (AFASA), or Republic Act No. 12010. It requires BSP-supervised financial institutions to replace SMS and email OTPs with stronger authentication methods for high-risk transactions, with a deadline of June 25, 2026.

The institutions covered include universal and commercial banks, all digital banks, and select cooperative, thrift, and rural banks: specifically those averaging more than P75 million in online transactions per month. That covers most of the apps and platforms Filipinos use daily, from major banks to digital wallets.

This was not a precautionary upgrade. It was a direct response to a fraud crisis. The Philippines recorded a 95% increase in financial fraud complaints from 2022 to 2023, and by 2024, 13.4% of all digital transactions in the country were flagged as potentially fraudulent, the second-highest rate globally. Phishing alone generated PHP 623 million in losses in 2022, while account takeover fraud added PHP 409 million. GCash users lost PHP 76.49 million in recent years, BPI users PHP 28.47 million, and Maya users PHP 13.99 million. Between 2024 and 2025, phishing websites targeting Filipino users surged 423%, from 731 to 3,824 sites.

AFASA criminalized social engineering, phishing, smishing, and OTP harvesting. The pattern it identified was consistent: attackers were exploiting SMS-based verification as the weakest point of entry. The phishing pages were convincing. The SIM swaps were easy to execute. The OTPs being texted to users were being intercepted, harvested, and submitted before victims realized anything was wrong. BSP Circular 1213 was the regulatory response to that pattern.

Under the directive, high-risk transactions include large fund transfers, payments to new recipients, and significant account changes. SMS OTPs remain permitted for lower-risk activity. Banks are also required to implement real-time fraud detection capable of flagging rapid transactions, new payees, and logins from unrecognized devices before a fraudulent transfer completes.

BSP Deputy Governor Lyn Javier put it plainly: "We are pleased that banks and e-wallet operators are stepping up on both fronts." Many institutions had already begun transitioning ahead of the deadline, a sign that the industry recognized what regulators formalized.


Why SMS OTPs Were Never as Secure as You Thought

When SMS OTPs were first introduced, they represented a genuine improvement over password-only authentication. A short-lived code delivered to a device only you carry felt like a solid second factor. The problem is that attackers, telecom infrastructure vulnerabilities, and phishing toolkits have evolved much faster than the technology itself.

According to the Verizon 2026 Data Breach Investigations Report, the human element is involved in 62% of breaches, with phishing and credential abuse accounting for the majority of initial access vectors. The shift away from SMS OTPs reflects a broader industry trend: authentication methods are evolving because attackers have become increasingly effective at exploiting channels that were once considered trustworthy.

SIM Swapping

The most well-known attack against SMS-based authentication does not require any technical sophistication. An attacker contacts your mobile carrier, impersonates you, and convinces an employee to transfer your phone number to a new SIM card under their control. From that point, every OTP meant for you goes to them instead. SIM swap fraud has been used to drain bank accounts, hijack cryptocurrency wallets, and take over high-value social media profiles. In early 2025, Philippine authorities arrested 38 individuals and seized over 7,900 SIMs already linked to bank and e-wallet accounts. The attack is disturbingly simple because it exploits human processes, not software vulnerabilities.

SS7 Protocol Exploits

Signaling System No. 7 (SS7) is the protocol that underlies global telecom routing. It was built in 1975, long before anyone imagined that criminal organizations or nation-state actors would want to exploit it. Yet that is exactly what has happened. Attackers with access to the telecom backbone can silently redirect SMS messages to a device they control without any involvement from the target. The victim's phone shows no sign of intrusion. The OTP simply never arrives, or arrives somewhere else.

Real-Time Phishing and Adversary-in-the-Middle Attacks

Modern phishing attacks do not wait for you to hand over your password. They relay everything in real time. An attacker sets up a convincing proxy of a bank login page. When you enter your credentials, the attacker forwards them to the real bank site and triggers an OTP request. You receive the code, enter it on the fake page, and the attacker submits it on the real one, completing the transaction before the code expires. In some cases, scammers call victims directly, posing as bank representatives, and talk them into reading the OTP aloud. The entire attack can happen in under a minute. Phishing sites targeting Filipino users jumped 423% in 2025 alone, from 731 to 3,824 active sites.

Malware and SMS Interception

Mobile malware capable of reading SMS messages is widely available and, on some platforms, surprisingly easy to deploy. An app granted SMS read permissions can silently forward every OTP it sees to an attacker's server. The user never knows. The transaction appears legitimate. The funds are gone.

The underlying problem is the same across all of these attacks: SMS OTPs treat the mobile network as a trusted, secure channel. It is not. It was never designed to be.


Why the New Methods Are Actually More Secure

The authentication methods replacing SMS OTPs do not just patch over the weaknesses. They eliminate the attack surface entirely. Here is how each one works and why it holds up better.

Biometric Authentication

Your fingerprint, face, or iris cannot be forwarded over a compromised network, handed to a scammer over a fake login page, or intercepted by malware. When verification is tied to something you are rather than a code you receive, the entire class of OTP attacks becomes irrelevant. A fraudster who knows your password and intercepts your OTP still has no way to produce your fingerprint. Modern biometric systems also include liveness detection, making it significantly harder to spoof authentication with a photo or a recording.

Behavioral Authentication

Behavioral biometrics analyze patterns that are nearly impossible to consciously replicate: the pressure of your finger on a screen, the rhythm of your typing, the angle at which you hold your phone, the speed of your swipes. These signals are invisible to the user but highly distinctive. More importantly, behavioral authentication can run continuously throughout a session, not just at login. If something about how a session is being conducted shifts, because a fraudster has taken over a device or session, the system detects it and can step up verification or terminate the session.

Passwordless Authentication (FIDO2 / Passkeys)

Passkeys and FIDO2-compliant solutions use public-key cryptography instead of shared secrets. When you authenticate, your device signs a challenge issued by the site with a private key that never leaves the device, producing a proof that is specific to that exact site and session. There is nothing reusable for an attacker to intercept. Phishing fails because the proof is bound to the legitimate domain: a look-alike site cannot obtain a response the real site will accept, even if it tricks you into trying. There is no code to steal, no password to guess, no channel to exploit.

Adaptive and Risk-Based MFA

Rather than applying the same verification method to every transaction, adaptive authentication evaluates context in real time: What device is this? Is this a new location? Is this a transaction pattern consistent with this user? Is this payee new? Based on the risk score, the system decides whether to proceed, request additional verification, or flag the transaction for review. Low-risk transactions flow smoothly. High-risk transactions get the scrutiny they deserve.
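The risk evaluation described above, combined with the real-time detection signals the circular requires (rapid transactions, new payees, unrecognized devices), as an added example that is not part of the original post and not code from Secuna or any BSP-supervised institution. The weights, thresholds, profile and sample transfers are constructed; step-up goes to a phishing-resistant factor rather than an SMS code.

```javascript
// Added example (not Secuna's code or any BSP-supervised system): a risk-scoring step over
// the signals the circular names. Weights, thresholds and the sample data are constructed.
const HIGH_VALUE_PHP = 50000;          // constructed cut-off for a "large" transfer
const VELOCITY_WINDOW_MS = 5 * 60000;  // look-back for "rapid transactions"
const VELOCITY_LIMIT = 3;              // transfers in the window before it counts as rapid

// Signals and weights. One strong signal alone is enough to force step-up.
const RULES = [
  ['unrecognized-device', 40, (p, tx) => !p.knownDevices.has(tx.deviceId)],
  ['new-location',        20, (p, tx) => tx.country !== p.usualCountry],
  ['new-payee',           30, (p, tx) => !p.knownPayees.has(tx.payee)],
  ['large-amount',        30, (p, tx) => tx.amountPhp >= HIGH_VALUE_PHP
                                      || tx.amountPhp > 10 * p.typicalAmountPhp],
  ['rapid-transactions',  35, (p, tx) =>
      p.recentTransferTimes.filter(t => tx.at - t < VELOCITY_WINDOW_MS).length >= VELOCITY_LIMIT],
];

function scoreTransfer(profile, tx) {
  const reasons = [];
  let score = 0;
  for (const [name, weight, matches] of RULES) {
    if (matches(profile, tx)) { score += weight; reasons.push(name); }
  }
  return { score, reasons };
}

// Decision taken before the transfer completes. Step-up is a phishing-resistant
// factor (FIDO2/passkey or on-device biometric), not an SMS code.
function decide(profile, tx) {
  const { score, reasons } = scoreTransfer(profile, tx);
  const action = score >= 70 ? 'hold-for-review' : score >= 30 ? 'step-up-fido2' : 'allow';
  return { action, score, reasons };
}

// Constructed profile and transfers for one user.
const sampleProfile = {
  knownDevices: new Set(['dev-a1']), knownPayees: new Set(['acct-111']),
  usualCountry: 'PH', typicalAmountPhp: 3000, recentTransferTimes: [],
};
const now = Date.now();
const sampleTransfers = [
  { deviceId: 'dev-a1', country: 'PH', payee: 'acct-111', amountPhp: 2000, at: now },
  { deviceId: 'dev-a1', country: 'PH', payee: 'acct-999', amountPhp: 2000, at: now },
  { deviceId: 'dev-zz', country: 'XX', payee: 'acct-999', amountPhp: 80000, at: now },
];
console.log(sampleTransfers.map(tx => decide(sampleProfile, tx).action));
// [ 'allow', 'step-up-fido2', 'hold-for-review' ]
```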


What This Means Beyond Banking

The BSP directive applies to supervised financial institutions. But the security implications extend well beyond the banking sector.

If SMS OTPs are weak enough to be banned by a central bank for high-risk financial transactions, they are equally weak when used to protect any other high-value system: enterprise portals, government platforms, healthcare records, or any application where the cost of unauthorized access is significant. The same attack vectors the BSP is guarding against (SIM swapping, SS7 exploits, phishing, and malware) apply just as readily to corporate email accounts, HR systems, ERP platforms, and customer databases.

For organizations, this is a practical prompt. Audit where SMS OTPs are still in use across your systems, not just in customer-facing flows but in internal tools, admin portals, and account recovery processes. Evaluate whether high-risk actions are protected by phishing-resistant MFA such as FIDO2 or passkeys. And test your authentication implementations to verify that controls hold up under real attack conditions, not just on paper.


Is Your Organization's Authentication Stack Actually Secure?

The BSP directive is a regulatory floor, not a ceiling. Meeting compliance requirements means replacing SMS OTPs in specific contexts. But it does not answer the broader question: are the other authentication and access controls in your organization's environment actually secure?

That requires a different kind of assessment: one that looks at your systems the way an attacker would.

That means testing your authentication against people who think like attackers: verifying that your implementations cannot be bypassed, your session management cannot be hijacked, and your MFA cannot be defeated before a real threat actor gets the chance to try. It also means building structured channels for ongoing discovery, through vulnerability disclosure and bug bounty programs, so gaps get reported and fixed before they surface somewhere worse.

The transition away from SMS OTPs is a signal that the standard for "secure enough" is rising. Organizations that wait for the next regulatory mandate to find out where their weaknesses are will consistently be one step behind.


The Bar Just Moved

SMS OTPs did their job for a time. They were better than passwords alone, and for years, they were the most practical option available. But the threat landscape has matured, fraud tools have become accessible to non-experts, and the cost of a compromised authentication method has grown alongside the volume of digital financial activity in the Philippines.

The BSP's directive is not a bureaucratic formality. It is a clear signal from the central bank of a country with over 100 million people: the old method is no longer acceptable for protecting high-stakes transactions.

The next question for every organization is not whether their bank has updated its authentication. It is whether their own systems are still relying on security mechanisms that belong to a previous era. That is a question worth answering before an attacker does it for you.

Finding the answer requires looking at your systems the way an attacker would: testing whether your authentication can be bypassed, your sessions hijacked, and your controls defeated under real conditions, not just on paper. Through penetration testing, bug bounty programs, and coordinated vulnerability disclosure, Secuna helps organizations do exactly that. Reach out at [email protected] or visit secuna.io.


Sources:
No more SMS, email OTPs for high-risk financial transactions starting June 25, GMA News
Many banks and e-wallets have phased out OTPs for authentication, BSP says, BusinessWorld
BSP Circular 1213: Philippine banks must replace SMS OTPs by June 2026, Authsignal
AFASA Booklet with Implementing Rules and Regulations, BSP
AFASA Explained: What the Philippines' New Anti-Scam Law Means, Tookitaki
Philippines Scams 2025: Second-Highest Global Fraud Rate, ScamWatchHQ
Phishing Sites in PH Jump 423% in 2025, Newsbytes PH
Account Takeover Fraud in the Philippines, Tookitaki
6 Reasons SMS OTP Is Being Banned Worldwide, Security Boulevard
Protecting SMS OTPs From SS7 and Diameter Attacks, Efani
Biometrics, Smart OTP, Passkey/FIDO2: Passwordless Authentication for Stronger Fraud Prevention, Saviynt
What Is OTP Authentication? Risks and Alternatives, iProov
2026 Data Breach Investigations Report, Verizon