GCash In-App OTP Lands Ahead of BSP Deadline

The Bottom Line

  • GCash in-app OTP delivery via push notification rolled out on June 22, replacing SMS-based codes ahead of the BSP’s June 30 deadline under AFASA and Circular 1213.
  • In-app OTP addresses remote interception threats: SIM swapping, SS7 exploits, smishing, and real-time phishing harvests. It does not protect against physical device compromise.
  • The protection gap for device theft is covered by a separate layer: biometric authentication via GCash’s existing Double Safe feature, which requires facial recognition for high-risk actions.
  • BSP Circular 1213 is not being extended. Institutions that miss the deadline face direct liability for customer fraud losses under AFASA.
  • Users who have not enabled push notifications on their GCash app will be locked out of receiving authentication codes after the cutover.

Why SMS OTP Was Always the Weak Link

The GCash in-app OTP rollout kicked off June 22, replacing text-based verification codes with authentication delivered directly inside the mobile app, and the timing is not coincidental. The move aligns with the BSP directive under the Anti-Financial Account Scamming Act, which mandates the phaseout of SMS-based OTPs by June 30. 

The case against SMS OTP was never really about the code itself. It was about the channel. SMS OTPs have long been exploited through phishing, SIM swap attacks, and social engineering. Under BSP Circular 1213, financial institutions are required to limit authentication mechanisms that can be shared with or intercepted by third parties unrelated to the transaction. A six-digit code sent over a telecom network the bank does not control is, structurally, an interceptable credential. Moving that code inside the app eliminates the exposure point entirely. 

The Philippine digital fraud rate stands at 13.4 percent, nearly triple the global average, with Filipinos losing an average of PHP 44,700 per fraud incident. That number is partly a product of how long SMS OTP remained the standard despite well-documented vulnerabilities. 

What In-App OTP Actually Changes

Under the new system, users receive OTPs through secure push notifications delivered directly within the GCash app, providing verification that scammers cannot intercept through the telecom network. The code never leaves GCash’s infrastructure to travel through a channel outside its control. 

“Our upgrade to in-app OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication to increase the security of their daily transactions,” said Miguel Geronilla, Chief Information Security Officer of GCash. 

The architecture here matters. The OTP arrives on a device that is already authenticated to the GCash account. A scammer running a phishing page in real time, or one who has taken over your SIM, receives nothing. The attack surface that has historically driven the bulk of e-wallet fraud in the Philippines shrinks considerably.

The Gap This Does Not Cover

In-app OTP is not a complete answer to account security. It is an answer to one specific class of attack: remote interception.

If someone physically has your unlocked phone, they receive the push notification just as you would. In that scenario, in-app OTP offers no additional protection over SMS, because the attacker is already on the authenticated device.

GCash has existing safeguards that address this gap separately. Know Your Customer verification and facial recognition through its Double Safe feature handle device-level compromise. For high-risk actions such as adding a new payee or initiating large transfers, biometric confirmation is the barrier. That layer is bound to your face or fingerprint, not your device’s notification tray. In-app OTP and biometrics are designed to work together, not as substitutes for each other. 

The BSP Deadline Is Not Moving

BSP Deputy Governor Elmore Capule confirmed publicly that the central bank is not extending the June 30, 2026 deadline, stating that institutions have to catch up. Under AFASA, banks and e-wallets that fail to put adequate authentication controls in place are required to reimburse customers for funds lost to fraud. Compliance is not optional, and the liability framework makes that clear. 

GCash’s June 22 cutover puts it inside the window. Users who have not enabled push notifications will not receive in-app OTPs and may face disruptions to login, payments, and other security-sensitive actions. It is also worth noting that OTPs from GCash partners, such as those from BPI for cash-in transactions within the app, may still arrive via SMS, since Circular 1213 covers OTPs issued by the institution itself, not those sent by third-party partners.

The practical instruction for GCash users is straightforward: update the app, enable push notifications, and verify the registered device in account settings. The June 30 deadline is this week.



