The rapid rise in debit and credit card fraud within the United States has become a significant threat to

study presents a robust authentication framework designed to reduce unauthorized access and transactional

fraud. The discussion draws on a comprehensive review of current fraud trends, limitations of existing

authentication models, and a conceptual OTP-integrated security architecture adaptable to banking

infrastructures. The paper also considers technical feasibility, user experience implications, and regulatory

compliance. Findings offer practical insights and implementation strategies to support U.S. financial

institutions in mitigating fraud risks while maintaining accessibility and usability for consumers.

Based One-Time Password (TOTP), Authentication

According to the Federal Trade Commission (FTC), over 390,000 cases of credit card fraud were reported in

2023 alone, and for the first time, total reported fraud losses in the U.S. surpassed $10 billion, representing a

14% increase over the previous year (Federal Trade Commission, 2023). This aligns with growing concerns

that account takeover fraud is outpacing malware as a dominant threat in the financial sector (Hoffman, 2022).

Reinforcing the urgency of this issue, the Nilson Report projects that global card fraud losses will exceed

$403.88 billion over the next decade, with the United States bearing a disproportionate share of 42% in the

global card fraud losses, despite accounting for only 25% of transaction volume (Marek, 2025). The report

attributes this disparity to reluctance among U.S. merchants and card issuers to adopt stricter fraud prevention

technologies, a vulnerability increasingly exploited by international criminal actors.

Together, these findings underscore the systemic weaknesses of current authentication systems and highlight

While the adoption of encryption technologies and fraud monitoring systems has advanced in U.S. financial

institutions, the continued reliance on single factor authentication (SFA) remains a significant vulnerability.

Methods such as static passwords, PINs, and CVV codes offer no contextual validation, are easily phished or

stolen, and are frequently reused across multiple platforms (Aibangbee, 2023; Brown et al., 2021). These

weaknesses allow attackers to exploit even minor credential leaks to gain unauthorized access to user accounts.

The risk is further amplified by the fact that many e-commerce platforms such as Amazon, Walmart, and some

ride-hailing or subscription-based services do not require OTP-based two-factor authentication prior to

payment settlement. This lack of enforcement enables fraudulent transactions to be processed without

additional user verification, exposing debit and credit card credentials to misuse and increasing financial

liability for the issuing banks in the event of chargebacks or unauthorized claims.

The problem is further compounded by the lack of real-time response mechanisms in most SFA systems.

authentication, adoption across U.S. banks remains inconsistent. Many institutions continue to delay or limit

implementation due to perceived user friction, cost, or legacy infrastructure limitations. This disconnects

between regulatory expectations and practical implementation has created a gap in the security posture of

digital banking systems.

What is urgently needed is a secure, scalable, and user-friendly solution that enhances authentication without

introducing bureaucratic bottleneck. OTP-based Two-Factor Authentication (2FA), which introduces a

dynamic, time-sensitive credential alongside the user’s primary login information, offers a practical approach

to closing this security gap. However, its widespread adoption requires not only technical adaptation but also

organizational commitment and customer education.

 Identify implementation challenges, user adoption factors, and regulatory considerations.

The proposed research holds practical and strategic value for financial institutions, cybersecurity professionals,

and policymakers. By addressing a critical vulnerability in card-based transaction systems, this study seeks to

contribute to the development of a more secure banking environment. The implementation of OTP-based 2FA

is not only technologically feasible but also aligns with industry best practices and emerging regulatory

standards, including those set forth by the Federal Financial Institutions Examination Council (FFIEC, 2021).

The outcomes of this research are intended to guide future policy formulations, technical upgrades, and

customer security education initiatives.

Criminal tactics range from phishing and credential stuffing to more advanced man-in-the-middle attacks and

data breaches. In many instances, fraudsters bypass weak authentication protocols by exploiting stolen or

reused login credentials(Liu et al., 2022; Mutemi & Bação, 2024). The FTC’s Consumer Sentinel Network

Data Book notes that financial fraud involving cards is now more prevalent than identity theft or check fraud,

demonstrating a shift in threat priorities within the financial sector (Federal Trade Commission 2023).

fraud reports filed in 2024 alone, card-related fraud particularly involving credit cards, bank transfers, and

payment apps has outpaced both identity theft and check fraud. The data indicates a seismic shift in fraud

vectors within the U.S. financial system.

The map below illustrates the ten states with the highest reported total fraud losses in 2024, based on data from

more damaging fraud events per case.

This geographic distribution of losses highlights both high-volume and high-impact regions, underscoring the

need for state-specific fraud prevention frameworks. It also supports ongoing calls for the implementation of

secure multi-factor authentication, especially in card-not-present environments, to curb fraud exposure.

As U.S. payment systems continue to digitize, protecting consumers through enhanced authentication

protocols, anomaly detection models, and consumer education will be crucial to reversing this trend and

restoring confidence in card-based transactions.

Single-factor authentication (SFA) methods, such as passwords, PINs, or static security questions, rely on a

single form of verification, typically something the user knows. This model, while easy to implement and use,

Jakobsson, 2020). The U.S. Federal Financial Institutions Examination Council (FFIEC) and National Institute

of Standards and Technology (NIST) have both issued recommendations for financial institutions to move

beyond SFA and adopt stronger authentication frameworks (Authentication in Internet Banking: A Lesson in

Risk Management, 2023).

Further compounding the limitations of SFA is the ongoing rise in fraud report categories linked to credential-

based attacks. According to Appendix B2 of the 2024 Consumer Sentinel Network Data Book, categories such

as Identity Theft and Imposter Scams have seen substantial increases over the past three years, closely

associated with weak or compromised authentication mechanisms.

Figure 2: Year-on-Year Growth Trends in Credential-Based Fraud Categories (2022–2024).

provides a comparative analysis of annual growth trends, highlighting areas of accelerating fraud activity and

shifts in consumer risk exposure.

followed by a further 9.49% increase in 2024. This steady rise reflects ongoing vulnerabilities in personal data

Imposter scams, which are strongly associated with social engineering tactics, grew by 20.68% in 2023 and an

additional 18.62% in 2024, marking it as the most persistently aggressive fraud category. These scams often

While credit bureau and information furnisher-related complaints also rose significantly in 2023 (14.52%),

growth tapered in 2024 to just 2.56%, suggesting either improved dispute resolution mechanisms or saturation

fastest-growing and highest-impact fraud vectors.

technical integration, regulatory support, and end-user acceptance each of which warrants careful consideration

in any proposed implementation framework(Mekterović et al., 2021; Vanini et al., 2023).

into the transaction processes of non-compliant U.S. debit and credit card systems. The goal is to enhance

security during remote and card-not-present (CNP) transactions by requiring an additional, time-sensitive

credential that can only be used once and is contextually bound to the transaction.

Authentication Phases:

 Fallback and Recovery: Secure recovery methods in case of mobile number change or device loss.

unique, time-sensitive OTP linked to the specific transaction.

trusted device.

more resilient and secure payment environment.

The diagram clearly illustrates the data flow between each stage of the authentication process, with directional

arrows indicating the logical sequence of interaction. It includes the outcome of the authentication check,

either Access Granted or Access Denied as final steps in the process. These conclusive states enhance the

clarity of the model and reflect the complete decision path based on verification results, completing the

authentication lifecycle without requiring further explanation in the flowchart. This structured 2FA model

significantly reduces the risk of unauthorized access due to credential theft or reuse, supporting a more secure

and resilient authentication environment.