From OTPs to dynamic 2FA: Rethinking device intelligence for Asia’s scamverse

Across Asia, scams are increasingly starting with something deceptively simple: a text message, a fake app download, or a phone call that convinces a customer to “verify” an account or approve a payment. Through these tactics, fraudsters are gaining control of victims’ devices within minutes, intercepting OTPs, accessing banking apps, and moving money in real time.

For banks, this is changing the nature of fraud itself. It’s no longer only about stolen identities, compromised credentials, or fake accounts. Increasingly, the real challenge is determining whether the customer’s device, app, and behavior can actually be trusted in the moment.

At the same time, instant payments and mobile banking have become part of everyday life across the region, dramatically shrinking the window banks have to detect suspicious activity before money moves. As scams become faster, more personalized, and increasingly device-driven, banks are shifting away from static authentication methods like passwords and one-time passwords (OTPs) toward more dynamic, risk-based approaches that evaluate the device, session, and user behavior in real time.

The growing risks of mobile-first banking

That shift is becoming increasingly important across Asia, where rapid Android adoption and mobile-first banking have dramatically increased exposure to scams and malware.

Android dominates much of Asia’s mobile market, accounting for 93% of devices in India, 88% in the Philippines, 83% in Indonesia, and 67% in Thailand, according to StatCounter. Its affordability and broad accessibility have helped drive financial inclusion across the region, but it has also expanded the attack surface for fraud. Fraudsters are increasingly exploiting Android Package Kit (APK) sideloading, fake apps, accessibility abuse, mobile banking Trojans, and remote-access malware to compromise customer devices.

In India alone, APK fraud has nearly tripled over the past year. BioCatch customers have repeatedly reported scams disguised as Know Your Customer (KYC) or banking updates, fake traffic fines known locally as Regional Transport Office (RTO) electronic challans, wedding invitations, reward offers, and government schemes. Distributed through SMS, WhatsApp, and Telegram, these malicious apps can give fraudsters access to a victim’s device, credentials, OTPs, or even full remote control of the phone.

In the Philippines, scammers have convinced victims to download fake government apps. BioCatch data also points to widespread APK fraud campaigns in Indonesia disguised as Taspen pension-fund notifications, wedding invitations, shipment-tracking alerts, fake pinjol (online loan) apps, and billing notices.

Sharp growth in instant payments

As fraud attacks become more sophisticated, the rise of real-time payments is raising the stakes even further.

Thailand has become a powerful example of how quickly real-time payments can reshape consumer behavior. According to the Bank of Thailand, digital payments have increased tenfold since 2019. Using PromptPay, Thai consumers now make an average of more than two transactions per day.

India’s growth with the Unified Payments Interface (UPI) has been even more dramatic. The platform now accounts for nearly half of global real-time payment volumes and 85% of India’s digital payment transactions. Over the past decade, UPI transaction volumes have surged nearly 12,000-fold.

That scale is transformational, but it is also changing the fraud equation. When real-time payments become the default rail for consumers, merchants, and mule networks, fraud moves just as quickly. Thailand reported THB 2.8 billion in losses from money-transfer scams in June 2025 alone, and THB 6 billion during the second quarter of 2025. India recently reported an estimated $2.5 billion lost to digital fraud.

Regulatory pressure is growing

As fraud becomes faster, regulators across Asia are pushing banks toward more device-aware, risk-based, and real-time fraud controls.

India’s UPI ecosystem already relies heavily on device binding, while the country’s mobile banking guidelines require banks to detect device tampering, remote-access activity, and other signs of compromise. The Reserve Bank of India’s 2025 authentication guidelines go even further, explicitly supporting risk-based checks that incorporate behavioral and contextual signals, including device attributes, location, user behavior, and transaction history.

Elsewhere in the region, regulators are taking similarly aggressive steps. Singapore now requires cooling-off periods after digital-token activation or access from a new device to protected accounts. Thailand has introduced one-device-only mobile banking models, secure device enrollment, and facial verification for higher-risk activity. In the Philippines, anti-scam regulations explicitly reference device fingerprinting, rooted or jailbroken devices, emulators, geolocation monitoring, bot detection, and behavioral anomalies.

The future of fraud prevention is contextual

For banks, meeting these new fraud and regulatory challenges requires moving beyond traditional controls like device fingerprinting alone. Effective fraud prevention now depends on a broader, more contextual view of trust — one that combines persistent device identity, device and app integrity, network reputation, and behavioral intelligence into a single layer of digital trust. That is the approach behind BioCatch’s Device IQ.

At the foundation is a persistent device ID that helps banks recognize, bind, and trust known devices over time, not only during login, but across onboarding, payments, account servicing, and other high-risk customer journeys.

The second layer focuses on pre-login threat detection. Before a login screen is even presented, DeviceIQ assesses whether the device and app environment can be trusted by looking for signs of manipulation, emulation, rooting or jailbreaking, and runtime interference. This is becoming increasingly important as regulators across APAC expect banks to identify high-risk devices and suspicious session conditions before customers can access sensitive functions.

The third layer is network intelligence drawn from roughly 1.7 billion unique devices globally. Instead of relying solely on a bank’s internal device history, this broader network view can help identify whether a device has previously been linked to mule activity, scams, or account takeover attempts elsewhere.

When overlaid with behavioral intelligence, these signals give banks stronger intent and anomaly detection across onboarding, account takeover, malware-enabled fraud, scams, and mule detection. Applied through risk-based authentication, this approach can help banks meet growing regulatory expectations.

There is also a meaningful customer-experience benefit. Banks can more accurately distinguish genuine device upgrades from risky new-device events. At one large U.S. financial institution, BioCatch identified 60% of legitimate device upgrades, helping reduce unnecessary step-up authentication checks and associated costs.

That balance between security and trust will become increasingly important as scams continue to evolve across Asia’s digital economy. Passwords and OTPs still play a role, but they are no longer enough on their own. Banks increasingly need to understand the full context behind every interaction — the device, the app environment, the network, and the customer’s behavior — to make smarter trust decisions in real time.

Key takeaways:

Fraud is moving closer to the device. Scams increasingly involve fake apps, APK sideloading, malware, remote access and manipulated sessions.
Real-time payments have shortened the fraud window. Banks need to detect risk before money moves.
Regulators are pushing device-aware controls. Device binding, tampering and emulator detection, and behavioral monitoring are becoming core expectations.
Fraud controls are strongest when persistent device identity, app integrity, network reputation, and behavioral signals are unified.
Better controls also reduce friction. Trusted-device recognition and genuine device-upgrade detection help banks avoid unnecessary step-up checks.
In Asia’s scamverse, fraud prevention now depends on understanding the trustworthiness of the device, app, session and intent — not just the identity behind the transaction.