Warning over techniques to bypass bank security layers despite OTP and biometrics

A single lapse—whether a careless operation or an undetected vulnerability—can drain all funds from a bank account in a short time. Even when financial systems include multiple security layers such as one-time passwords (OTP) or biometric authentication, the risk of financial loss remains and can be difficult to predict.

Abnormal transaction pattern reported in Hanoi

Indicators of abnormal transactions were reported in a case involving a customer in Hanoi (N.C.S.). According to the account activity, the customer opened an account via electronic identification on the afternoon of 12 December 2025, then transferred more than VND 5.4 billion into the account. By dawn the next day, the account recorded 11 consecutive transfers totaling VND 5 billion, while the account owner stated he had not carried out any transactions.

All transfers occurred between 1:00 and 2:00 a.m. However, the account owner reported not receiving enough OTP codes to match the number of transactions. Data from the customer’s mobile network operator indicated that only one message was delivered during the relevant period, which conflicts with the principle that each transaction requires separate authentication.

Camera footage also indicated that the account holder did not use a mobile phone during that time window.

Bank’s explanation and questions over biometric verification

In an interview, Mr. N.C.S. said the bank confirmed that a second device was attached to the account and that this device executed the transfers. The biometric information provided, however, consisted of static images rather than dynamic facial authentication as required for high-value transactions.

These details have prompted questions about whether a “twin device” was involved or whether biometric spoofing may have occurred.

Liability and system responsibility

Lawyer Truong Thanh Duc, Director of ANVI Law Firm, said it is not prudent to quickly assign full responsibility to the customer. He noted that when the bank controls the end-to-end process—from account opening, authentication, to transaction processing—ensuring system security is a central obligation.

He also pointed out that the appearance of an unfamiliar device or an abnormal login session from the time of account opening is not within the user’s control.

At the same time, the bank suggested that the OTP may have been compromised, allowing an attacker to take control and carry out the transfers. This scenario is described as common in ongoing fraud cases, where attackers may obtain security information through sophisticated impersonation.

Regulatory review and investigation

The State Bank of Vietnam requested a review and action to protect customers’ legitimate rights, while stating that if there are signs of high-tech crime, the case will be prosecuted. Law enforcement has begun an investigation, but no final conclusions have been announced.

Broader warning on “high-tech” fraud

While the precise cause is still under investigation, the case highlights how digital financial fraud is becoming more sophisticated and harder to detect. Beyond direct system attacks, criminals increasingly use intermediary methods such as impersonation, information theft, or exploiting authentication processes to steal assets.

Common tactics include impersonating reputable organizations or individuals, creating websites or apps with interfaces similar to official channels, and offering investment opportunities with abnormal profits. These schemes are often designed to be highly sophisticated, making it difficult to distinguish real from fake even for experienced users.

Need for stronger monitoring and cooperation

The incident underscores the need to continuously improve security mechanisms and transaction monitoring, and to strengthen cooperation among banks, regulators, and law enforcement. The article emphasizes that transparent information, timely warnings, and increased public awareness of digital financial safety are important to reduce risk.

With rapid digital transformation, fraud schemes are evolving, so proactive account protection is presented as essential to prevent losses at any time. A coordinated protective ecosystem—covering service providers, users, and relevant authorities—is also described as necessary.