Why Voice Biometrics is Key to Online Transaction Security in 2025
Online transaction security is now more critical than ever. On January 6th, SC Media reported that a new phishing plugin, PhishWP, has emerged on Russian cybercrime forums. The WP in the name refers to the plugin’s target, WordPress, a leading provider of online content management systems, used by over 20% of the top 1 million websites as of December 2024.
The WordPress Plugin Exploiting OTP Vulnerabilities
The plugin can be used on the fraudster’s own fake WordPress sites or on compromised legitimate sites, where it presents itself as a legitimate and familiar online payment service. Whilst it is designed to steal card details from unsuspecting shoppers, along with device metadata such as IP addresses and screen resolution data, it can also act as a classic Man-in-the-Browser go-between, passing information on for real-time unauthorized use on other merchant sites.
We know this because one of its features is the hijacking of 3D-Secure one-time passcodes (OTPs), which are only generated by issuing banks once a payment process has been initiated. Here the payment process has been initiated by the fraudsters behind the plugin, not the cardholder, using the card details the cardholder provides to the plugin.
The Risks of Traditional OTP Security Measures
The 3D-S OTP is therefore generated by the fraudster’s unauthorized transaction but sent as an SMS message to the mobile registered to the card being used, i.e. the legitimate cardholder’s phone. The cardholder assumes it is for the transaction they think they are making.
The OTP is time-decayed, so it can’t be on-sold like card details can but must be used immediately. It is therefore harvested by the plugin and passed on for use in real time by sending it to a Telegram account.
Whilst this new threat appears very sophisticated in its features, in reality it’s just another example of the hijacking vulnerabilities associated with OTPs. An OTP in the form of textualized knowledge, i.e. a 6-digit string sent in a message, is usable by anyone who has possession or knowledge of that string. Hijacking techniques such as this, along with a myriad of social engineering approaches, make this a very real scenario. Add a footprint as large as WordPress and the potential for losses multiplies.
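The weakness described above, as an added example that is not part of the original article: a constructed model of an issuer's SMS OTP check, in which the class, function names, phone number and 120-second validity window are all assumptions. It shows that the verifier sees only the digits, so a code read from the cardholder's phone is accepted for a payment someone else started, provided it arrives before expiry.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed validity window; real issuers choose their own


class IssuerOtpService:
    """Constructed model of an issuer's SMS OTP challenge (not a real 3-D Secure API)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # challenge_id -> (code, expires_at)
        self.sms_outbox = []  # (phone, code): always the phone registered to the card

    def start_challenge(self, registered_phone):
        # Runs when anyone starts a payment with this card's details.
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[challenge_id] = (code, self._clock() + OTP_TTL_SECONDS)
        self.sms_outbox.append((registered_phone, code))
        return challenge_id

    def verify(self, challenge_id, submitted_code):
        # The only inputs are the challenge and the digits. Nothing identifies
        # who typed them, so knowledge of the string is the whole check.
        entry = self._pending.pop(challenge_id, None)  # single use
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False  # time-decayed: a late code is worthless
        return hmac.compare_digest(code, submitted_code)


def relay_outcome(delay_seconds):
    """Is a code taken from the cardholder's SMS accepted when the party that
    started the challenge submits it after delay_seconds?"""
    now = [1_000_000.0]  # constructed fixed clock so the result is deterministic
    issuer = IssuerOtpService(clock=lambda: now[0])
    challenge_id = issuer.start_challenge("+15550100")  # constructed phone number
    _, code_on_cardholder_phone = issuer.sms_outbox[-1]
    now[0] += delay_seconds
    return issuer.verify(challenge_id, code_on_cardholder_phone)
```

Single use and expiry narrow the window but never tie the code to the person it was sent to, which is the gap the article goes on to address.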
The Future of Online Transaction Security
OTPs are only truly secure when they’re coupled to the intended recipient and that requires identity assurance, which only biometric authentication can provide. Without it, an OTP in the wrong hands is no more than a static password.
At ValidSoft, we understand the critical need for robust and user-friendly security solutions in an evolving cyber threat landscape. Our patented See-Say® solution offers advanced voice biometrics for online transaction security, ensuring that authentication is tied directly to the individual, not just their devices or codes. By leveraging our trusted identity assurance technology, organizations can prevent OTP hijacking and other fraudulent activities, providing customers with a seamless and secure experience. With See-Say®, you can protect your transactions and build trust with your users, all while staying one step ahead of cybercriminals.