I'm working on a banking application where part of the requirements involve disabling the OTP field and retrieving it from the user's phone automatically. The point of this is to prevent fraud in the event that a user naively gives out his/her OTP.
This way, the fraudster has to clone the user's phone number to proceed. This worked fine before the SMS Retriever API, where I automatically read the message from the user's device and verified the sender before sending the OTP to the backend for verification. However, since I migrated the app over to the SMS Retriever API, there have been issues of fraud coming up because the extra layer of verifying the SMS sender is unavailable on the SMS Retriever API.
All the fraudster has to do is send a message to his number on the phone on which the app is installed, with the hash key he must have gotten from a previously sent message, and he bypasses the reason for disabling the OTP field in the first place. Does anyone have a workaround for this or some recommendation?