5 Authentication Methods Banks Are Still Using That Fraudsters Figured Out Years Ago

19 May

The fraud industry moves faster than the compliance calendar. Banks adopt authentication methods, validate them against the threat landscape at the time, build them into core infrastructure, and then—because ripping out core infrastructure is expensive and politically difficult—keep using them long after the threat landscape has moved on.

What follows is not a list of theoretical vulnerabilities. These are authentication methods actively being exploited at scale, today, against real customers at real institutions. The fraudsters who figured them out aren’t particularly sophisticated. They’re just paying attention.

1. SMS One-Time Passcodes

SMS one-time passcodes (OTP) became the default second factor for online banking because they were genuinely better than nothing. They added a possession factor to a knowledge factor, and for a time that combination meaningfully raised the cost of account takeover.

That time has passed.

SIM swapping—convincing a carrier to transfer a target’s phone number to an attacker-controlled device—is a documented, commoditized attack that is available as a service on criminal forums for a few hundred dollars. The carrier social engineering required to execute it has been refined through years of practice. Once a SIM swap succeeds, every SMS OTP sent to the victim’s number goes to the attacker.

SS7 network attacks offer a more technical route to the same outcome, intercepting SMS messages in transit through vulnerabilities in the telecommunications signaling infrastructure that carriers have been aware of—and largely failed to remediate—for over a decade.

SMS OTP also fails entirely against real-time phishing. A victim who is live on a phone call with a fraudster impersonating their bank will, when asked, read the OTP they just received directly to the attacker. No phone call is needed when a phishing page relays the victim's credentials to the real login page and forwards the prompted OTP within its validity window. The second factor is defeated not by technical exploitation but by social engineering the customer into handing it over.
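To make the relay concrete, here is an added example, my own code rather than anything from the original post, that models both a voice-phishing OTP relay and the same relay attempted against a challenge whose signature is bound to the origin the browser is actually on, which is the property that makes hardware keys phishing-resistant. The origins, the user name and the HMAC stand-in for a public-key signature are assumptions of the model, not anything the post describes.

```python
"""Relay attacks against SMS OTP vs. an origin-bound challenge (constructed model)."""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"         # assumed: the real login origin
PHISH_ORIGIN = "https://bank-login.example"  # assumed: the attacker's proxy page


def sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for an authenticator signature. Real WebAuthn uses a public-key
    signature over data that includes the origin the browser is on; an HMAC over
    (challenge || origin) gives the same binding for this model."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class Bank:
    def __init__(self):
        self.pending_otp = {}   # user -> code "sent" by SMS
        self.device_keys = {}   # user -> enrolled authenticator key

    def send_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        return code  # in reality this leaves via the SMS channel

    def verify_otp(self, user: str, code: str) -> bool:
        expected = self.pending_otp.pop(user, None)  # single use
        return expected is not None and hmac.compare_digest(expected, code)

    def enroll(self, user: str, key: bytes) -> None:
        self.device_keys[user] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, user: str, challenge: bytes, sig: bytes) -> bool:
        # The bank only ever accepts a signature computed over its own origin.
        expected = sign(self.device_keys[user], challenge, BANK_ORIGIN)
        return hmac.compare_digest(expected, sig)


class Victim:
    def __init__(self, key: bytes):
        self.key = key

    def read_code_to_caller(self, code: str) -> str:
        # Social engineering: the "bank representative" on the phone asks for it.
        return code

    def browser_signs(self, challenge: bytes, origin_in_address_bar: str) -> bytes:
        # The victim cannot misreport to their own authenticator where they are.
        return sign(self.key, challenge, origin_in_address_bar)


def otp_relay_succeeds() -> bool:
    bank, victim = Bank(), Victim(secrets.token_bytes(32))
    code = bank.send_otp("alice")                 # attacker has the password, triggers the SMS
    relayed = victim.read_code_to_caller(code)    # victim reads it to the attacker
    return bank.verify_otp("alice", relayed)      # nothing ties the code to who typed it


def origin_bound_relay_succeeds() -> bool:
    bank, victim = Bank(), Victim(secrets.token_bytes(32))
    bank.enroll("alice", victim.key)
    challenge = bank.new_challenge()                      # attacker fetches a real challenge
    sig = victim.browser_signs(challenge, PHISH_ORIGIN)   # and forwards it to the phishing page
    return bank.verify_assertion("alice", challenge, sig)  # signature covers the wrong origin


def legitimate_login_succeeds() -> bool:
    bank, victim = Bank(), Victim(secrets.token_bytes(32))
    bank.enroll("alice", victim.key)
    challenge = bank.new_challenge()
    sig = victim.browser_signs(challenge, BANK_ORIGIN)
    return bank.verify_assertion("alice", challenge, sig)


if __name__ == "__main__":
    print("SMS OTP relay succeeds:", otp_relay_succeeds())               # True
    print("origin-bound relay succeeds:", origin_bound_relay_succeeds())  # False
    print("legitimate login succeeds:", legitimate_login_succeeds())      # True
```

The OTP path has nothing that connects the code to the session that requested it, so any channel that carries six digits from the victim to the attacker (voice, chat, a proxy page) completes the login. The origin-bound path fails for the attacker not because the victim was careful but because the value the victim produced is useless anywhere except the real origin.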

2. Knowledge-Based Authentication

Knowledge-based authentication (KBA)—security questions, identity verification challenges, “what was the name of your first pet”—was obsolete before most banks finished deploying it.

The data that KBA challenges are supposed to protect is not private. Mother’s maiden name, high school attended, first car, childhood street—this information exists in data broker databases, social media profiles, and the breach records that have been aggregating on criminal marketplaces for years. For a target with any social media presence, a motivated fraudster can answer most KBA challenges using open-source research in under ten minutes.

The assumption that personal history questions represent a secret the account holder uniquely possesses has not been valid for years. KBA provides a compliance checkbox and convincing security theater. It provides almost no actual security.

3. Static Passwords

Static passwords are the original authentication vulnerability and remain the most productive attack surface in financial services fraud. Credential stuffing—taking username/password combinations from one breach and systematically testing them against banking login pages—works because most people reuse passwords across multiple services, and breach databases containing billions of credentials are freely available to anyone who looks.

Banks implement rate limiting, CAPTCHA, and anomalous login detection. Fraudsters route stuffing attacks through residential proxy networks that distribute the attempted volume across thousands of IP addresses, so that no single address ever exceeds a per-IP threshold, and introduce human-like timing. The cat-and-mouse dynamic has been running for fifteen years.

4. Device Fingerprinting as a Primary Control

Device fingerprinting is a useful signal. It is not an authentication control. The distinction matters because a significant number of fraud platforms treat device recognition as though it carries authentication weight it cannot actually bear.

Device fingerprints are reproducible by anyone who knows the target's attribute values, because every attribute that constitutes a fingerprint—browser version, screen resolution, installed fonts, time zone, hardware characteristics—is reported by the client, and each can be spoofed by commodity tools that are standard equipment for organized fraud operations.

Anti-detect browsers purpose-built for fraud exist as commercial products, actively marketed and regularly updated to evade fingerprinting detection. Using a device fingerprint as a primary or high-weight authentication signal in 2025 means using a control against a threat actor who has specifically invested in defeating it.

5. Security Questions as Account Recovery

Account recovery is where authentication programs go to die. An institution can implement robust primary authentication—strong passwords, TOTP, hardware keys—and then offer account recovery through security questions, creating a low-assurance bypass into every account in the portfolio.

Security questions fail for the same reasons KBA fails: the answers are not secrets. They fail with additional severity in the recovery context because recovery flows are typically less monitored, designed to minimize friction (a locked-out customer is frustrated and will comply with whatever the flow asks, so the flow is built to ask as little as possible), and more likely to be targeted by fraudsters who have already failed against primary authentication.

The security question is not a fallback. It is a backdoor.

The Common Thread

None of these methods failed because the underlying concept was flawed at inception. SMS OTP added a genuine factor. Static passwords made sense before credential databases existed at scale. Device fingerprinting catches unsophisticated fraud.

They failed because the threat adapted and the authentication infrastructure didn’t. Fraudsters invest in defeating the controls that stand between them and money. When a control can be defeated reliably and cheaply, it gets defeated at scale — regardless of whether the institutions relying on it have updated their threat models.

The authentication stack that stopped fraud five years ago is not the authentication stack that stops it today. The fraud industry already knows this. The question is how much longer the banking industry takes to act like it does.
