Why Zimbabwean banks still use SMS One-Time PINs

Two-factor verification is an important security measure for online and App-based banking, but SMS is one of the least secure options available. Cases of Sim card cloning have been constantly on the rise in Zimbabwe, with CABS being the most affected bank, and often victims are unable to prevent the crime from taking place.

Instead, they are forced to react and try to regain control of their number from a fraudster who has impersonated them and stolen their number. If an attacker has compromised your online banking credentials, they will then be able to access your One-Time PINs (OTP) verification code if they also gain access to your number.

In this situation, the hacker would be able to log into your bank account and access your funds immediately. Some banks in Zimbabwe have begun moving away from one-time PINs sent via SMS in favour of more secure platforms, such as app-based authentication or email OTPs, but others continue to use SMS as the default verification option.

We tried reaching out to some banks about their OTP verification systems, and why they still using SMS as an OTP delivery method considering the threat of SIM Clone fraud, we never got any response.