From Ideem — device-bound passkeys and A2A payment authentication for banks, fintechs, and payment platforms.
The phrase "SMS OTP is broken" has been the consensus position of the authentication research community for nearly a decade. NIST started signaling the deprecation as far back as the 2017 third revision of 800-63. And yet, in 2026, banks are still running consumer authentication flows on SMS — and SMS is still where most of the loss is coming from.
The 2025–2026 data is hard to ignore. The cost of staying on SMS OTP has become quantifiable, the legal precedents are accumulating, and the attack economics have improved on the fraudster side fast enough that what was once a sophisticated attack has become a commodity service. This post is the unromantic version of that story, written for the bank security leaders who are going to be making the SMS OTP retirement decision in the next twelve months.
The headline numbers are sobering. The FBI's Internet Crime Complaint Center recorded 982 SIM-swap complaints with roughly $26 million in reported U.S. losses in 2024. In 2023 the same agency investigated 1,075 attacks with losses approaching $50 million. The official numbers almost certainly understate the real exposure — banks routinely settle ATO fraud claims without victims escalating to a federal complaint, and many SIM-swap-enabled losses are categorized under broader ATO or wire-fraud reporting.
The international picture is worse. Cifas, the U.K. fraud-prevention organization, reported a 1,055% year-over-year surge in unauthorized SIM swaps, with nearly 3,000 cases in 2024. Australia documented a 240% increase in people seeking help for phone-porting and SIM-swap fraud in 2024 compared with 2023, with 90% of incidents occurring without victim engagement — the customer learns about the swap when their phone goes dark, not before.
The single biggest legal data point is the March 2025 arbitration award of $33 million against T-Mobile, where the arbitrator found that the carrier's weak customer authentication enabled the theft of cryptocurrency. The number itself is striking, but the precedent is more important: a carrier's authentication weakness has now been judicially priced. Banks that rely on SMS sent through any carrier are now relying on a delivery channel whose security has a documented legal exposure.
SIM-swap attacks in 2026 follow a more industrialized pattern than they did even two years ago. The attacker buys access to a target's data — phone number, last four digits of the SSN, date of birth, sometimes more — from an underground marketplace. Compromised accounts now sell for $300 to $1,000 on dark web markets depending on the bank, the country, and the assumed account balance.
The attacker either pays a corrupt carrier employee — reporting suggests the going rate is roughly $300 per fraudulent swap — or social-engineers a customer service agent into porting the number. The average successful swap completes in under fifteen minutes. With eSIM and remote provisioning, the attack cycle has dropped to under five minutes in incidents analyzed during Q1 2025. From the moment the number is transferred, every SMS OTP that arrives goes to the attacker.
An IPification analysis of 2024–2025 incident data found that 82% of hijacked numbers had banking 2FA codes as the first attack target after the swap. The attacker's interest is rarely the phone itself. It's the SMS that follows.
SS7 interception is a parallel attack vector that does not require porting the number at all. The SS7 vulnerabilities documented by Security Research Labs as early as 2014 have remained viable through 2026 because the underlying telecom signaling protocol is largely unchanged. An attacker with SS7 access — available through cooperative or compromised carriers in some jurisdictions — can intercept SMS in transit without the customer's phone showing any sign that anything has happened.
The reflex response when SIM-swap and SS7 attacks come up is to point at the carriers. The carriers have failed at customer-side authentication. The carriers have neglected SS7 hardening. The carriers are the ones being sued. All true.
The bank doesn't get to delegate the consequences. When an attacker uses a SIM swap to drain a customer's account, the customer's first call is to the bank, not to T-Mobile. The customer expects the bank to make them whole, and increasingly — depending on jurisdiction — the bank is legally obligated to. The fact that the underlying weakness was a carrier authentication failure is interesting to the bank's legal team, but it doesn't put the money back.
For the security leader, the calculus has shifted. A bank that continues to anchor sensitive flows on SMS OTP is not just accepting an industry-standard control. It's accepting a documented exposure with a quantified legal price tag, a maturing attacker economy, and a regulatory direction of travel pointed firmly toward retirement of the technology. That's not a posture the FFIEC, OCC, or any GCC regulator is going to find defensible for much longer.
The technology that replaces SMS OTP for banks in 2026 is passkeys — specifically, passkeys with origin binding (so a phishing site can't get the credential to sign), device binding for high-value flows (so a compromised session on another device can't operate as the customer), and transaction binding for the highest-risk actions (so each high-value transaction is signed individually rather than relying on session-level trust).
The property all three share, and that SMS OTP cannot provide regardless of carrier security improvements, is that the authentication is bound to something other than a phone number. The phone number is a brittle, attacker-priced primitive that ought to have been retired from financial services authentication years ago. Banks that retire it through 2026 will be ahead. Banks that retire it under regulatory order in 2027 or 2028 will be behind.
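To make the three bindings concrete, here is an added relying-party check in the shape of a WebAuthn assertion verification; it is example code written for this post, not Ideem's product code. It assumes a constructed relying party (`bank.example`), a constructed payment, and, so that it runs on the standard library, an HMAC with a device-resident secret standing in for the authenticator's real ECDSA/Ed25519 signature (a production verifier holds only the enrolled public key).

```python
import base64
import hashlib
import hmac
import json
import secrets

RP_ID, EXPECTED_ORIGIN = "bank.example", "https://bank.example"  # constructed RP values

def txn_challenge(nonce: bytes, payee: str, amount_cents: int) -> bytes:
    """Transaction binding: the challenge commits to one payment, not just a session."""
    txn = json.dumps({"payee": payee, "amount_cents": amount_cents}, sort_keys=True)
    return hashlib.sha256(nonce + txn.encode()).digest()

def authenticator_sign(device_key: bytes, origin: str, challenge: bytes, flags: int = 0x05):
    """Stand-in for the device-bound authenticator. HMAC with a device-resident secret
    replaces the real ECDSA/Ed25519 signature; the signed message follows WebAuthn:
    authenticatorData || SHA-256(clientDataJSON). The browser, not the user, sets origin."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + b"\0\0\0\0"  # rpIdHash|flags|signCount
    sig = hmac.new(device_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def verify_assertion(device_key: bytes, client_data: bytes, auth_data: bytes,
                     sig: bytes, expected_challenge: bytes) -> str:
    """Relying-party side: origin, challenge, rpIdHash and UP/UV flags, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != EXPECTED_ORIGIN:
        return "rejected: origin binding (%s)" % cd.get("origin")
    chal = cd.get("challenge", "")
    got = base64.urlsafe_b64decode(chal + "=" * (-len(chal) % 4))
    if not hmac.compare_digest(got, expected_challenge):
        return "rejected: transaction binding (challenge mismatch)"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash mismatch"
    if auth_data[32] & 0x05 != 0x05:  # bit 0 = user present, bit 2 = user verified
        return "rejected: user presence/verification flags not set"
    expected = hmac.new(device_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: device binding (signature)"
    return "ok"

if __name__ == "__main__":
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    want = txn_challenge(nonce, "ACME Ltd", 250_000)
    cd, ad, sig = authenticator_sign(key, EXPECTED_ORIGIN, want)
    print("genuine:", verify_assertion(key, cd, ad, sig, want))
    print("tampered:", verify_assertion(key, cd, ad, sig, txn_challenge(nonce, "ACME Ltd", 999_999)))
    cd, ad, sig = authenticator_sign(key, "https://bank-login.example", want)  # phishing page's origin
    print("phished:", verify_assertion(key, cd, ad, sig, want))
```

Note that the same valid device signature is rejected when the bank's pending payment differs from the one signed, and that a signature produced on a look-alike origin fails before the signature is even examined; neither check depends on the phone number.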
Ideem's Passkeys+ is the bank-grade replacement for SMS OTP, designed for the exact regulatory and risk environment financial services operates in. The platform binds authentication to the device, the origin, and (where the bank's risk policy requires it) the specific transaction — so a SIM-swap or SS7 attack against the customer's phone number simply doesn't grant access to the bank account.
For banks running phased SMS-OTP retirement programs, Passkeys+ supports the gradual approach. SMS can remain available for the customers who haven't enrolled while passkey-enrolled customers are routed to the cryptographic flow. The bank gets the observability to see, in real time, what percentage of authentications are using SMS versus passkeys — and to drive the SMS-dependent population down on a defensible timeline.
The honest answer about SMS OTP in 2026 is that the technology is on the wrong side of every trend that matters — attacker economics, regulatory direction, legal precedent, customer expectation. The banks that retire it deliberately will write the comfortable headlines. The ones that retire it after the next $33 million arbitration will write the uncomfortable ones.