OTP security in wallet systems: A vulnerability assessment

This study investigates One-Time Password (OTP) vulnerabilities in digital wallet systems, employing penetration testing and manual security evaluations (via Burp Suite) to assess risks across authentication, fund transfers, IVR verification, and token lifecycle management. Critical gaps including OTP bypass (e.g., header manipulation, token reuse), unauthorized beneficiary additions, brute-force attacks on weak pincodes, and expired OTP exploitation, highlight systemic flaws in server-side validation and API security. Classified using CVSS and ISO/IEC 27005:2018 frameworks, these vulnerabilities demonstrate high exploitability and impact, exacerbated by poor usability-security trade-offs. The findings underscore the inadequacy of current OTP implementations against evolving threats like SIM-swapping and phishing, which jeopardize financial safety and regulatory compliance. To mitigate risks, the study proposes multi-factor authentication (MFA), cryptographic token hardening, AI-driven threat detection, and behavioral monitoring to strengthen defenses. Additionally, user education, strict token expiration policies, and adaptive authentication models are emphasized to address human-factor vulnerabilities. These strategies aim to establish scalable, user-centric frameworks that balance security with usability while aligning with industry standards. The research advocates for proactive defense mechanisms, continuous security audits, and adaptive learning systems to safeguard digital transactions, reinforcing trust in wallet ecosystems amid rising cyber threats.