Android ghost SMS-OTPs

With Android 4.4 (KitKat) and later releases, users may receive SMS-OTPs at odd times without having initiated any login. These events are not visible in the Mideye Server or central system logs. They are actually old flash/pop-up SMS messages that are cached in the phone operating system and re-appear at seemingly random times, often hours or days after the initial reception.

When receiving an OTP as a flash/pop-up SMS, the user is given two alternatives: Cancel or Save. If neither is selected, and the user instead presses the Home button, the message disappears but remains cached in the operating system. It may then re-appear later. If the phone is configured to use a messaging app, e.g. Hangouts, the OTP message may also automatically be converted from a flash/pop-up SMS to an ordinary inbox SMS. It will then be given a timestamp that corresponds to the time of re-appearance, not the initial time of reception. Hence, the timestamp will not match server logs and central system OTP delivery logs.

To get rid of the problem, restart the phone (power off/power on) to clear the cache. Preferably, select the default Android messaging app for SMS instead of Hangouts or another messaging app. When receiving OTPs, make sure to always select Cancel or Save.
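
When a user reports an unexpected OTP, the timestamp mismatch described above can be checked against the delivery log. The following is an added example, not Mideye code: the log layout, the `triage` function and the five-minute tolerance are assumptions made for illustration, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample delivery log (not a real Mideye Server format):
# (delivery time, recipient number).
DELIVERY_LOG = [
    ("2024-03-04 08:58:12", "+46700000001"),
    ("2024-03-04 09:01:40", "+46700000002"),
    ("2024-03-05 13:15:03", "+46700000002"),
]

FMT = "%Y-%m-%d %H:%M:%S"
# Assumed allowance for SMS delivery delay and phone clock skew.
TOLERANCE = timedelta(minutes=5)


def triage(number, phone_timestamp, log=DELIVERY_LOG, tolerance=TOLERANCE):
    """Classify a reported unsolicited OTP against the delivery log.

    Returns (verdict, delivery_time_or_None):
      "logged-delivery": a delivery to this number matches the phone
                         timestamp, so an OTP really was sent at that time.
      "probable-ghost":  no matching delivery, but an earlier one exists
                         that a cached flash SMS could be replaying.
      "unexplained":     no delivery to this number at or before the report.
    """
    seen = datetime.strptime(phone_timestamp, FMT)
    sent = sorted(datetime.strptime(t, FMT) for t, n in log if n == number)
    # A delivery close to the phone timestamp means the message is not a ghost.
    for t in sent:
        if abs(seen - t) <= tolerance:
            return "logged-delivery", t
    # Otherwise the most recent earlier delivery is the likely cached message.
    earlier = [t for t in sent if t < seen]
    if earlier:
        return "probable-ghost", earlier[-1]
    return "unexplained", None


if __name__ == "__main__":
    for number, ts in [("+46700000001", "2024-03-05 21:30:00"),
                       ("+46700000002", "2024-03-05 13:16:00"),
                       ("+46700000003", "2024-03-05 13:16:00")]:
        print(number, ts, triage(number, ts))
```

A "logged-delivery" verdict means an OTP was in fact sent to that number at the reported time, so the report should be handled as a login the user did not initiate rather than as a cached message.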