More and more Uzbeks abroad are facing a problem: after changing their phone or reinstalling/updating a banking app, the system requires identity verification again, but this can only be done inside Uzbekistan. Users abroad also complain that banks send payment confirmation codes only to phone numbers and do not duplicate them via email, causing serious inconvenience. Kursiv Uzbekistan investigates what to do in such situations and which systemic solutions are being developed to balance security and convenience.
Core issue: fighting fraud
The inability to verify identity abroad through banking apps did not arise by accident. It is a direct consequence of stricter cybersecurity measures amid rising fraud.
Responding to Kursiv Uzbekistan, the Central Bank (CBU) explained the issue as follows:
«An analysis of the sharp increase in payment card fraud cases in Uzbekistan in 2024 revealed that fraudsters, gaining the trust of citizens and obtaining confirmation codes, illegally withdraw funds and access mobile banking apps while being abroad.» (From the appendix to CBU letter No. 39-15/135 dated October 14, 2025)
As a result, starting September 2024, initial registration and login from a new device in banking and payment-service apps were restricted and must be done only from within Uzbekistan.
The CBU emphasizes that this requirement does not apply to users already registered in apps. Citizens who already have an account may continue using mobile banking abroad on the same device.
If access is lost, customers may contact their bank, the CBU noted. Banks may apply technical measures within their internal procedures to resolve such cases.
How verification abroad should work
Davron Abdullayev, Deputy Head of the Central Bank’s Cybersecurity Center, told Kursiv Uzbekistan that both the CBU and commercial banks have created 24/7 call centers to support customers.
«If a client has a special situation, they call the call center, explain the issue, switch to a video call with bank staff and identity verification becomes possible,» he said.
Kursiv Uzbekistan did not independently verify how effective this method is or which banks actually use it, but Abdullayev stressed that all financial institutions must provide such a solution.
He added that restrictions were necessary because most fraud cases originated abroad and many citizens suffered losses.
What will change in the future
Abdullayev noted that the Central Bank is conducting large-scale anti-fraud work. To study global best practices and develop strategy, international consulting firm KPMG was engaged.
A deep analysis of Uzbekistan’s banking sector and cybersecurity infrastructure is underway. KPMG will propose solutions aligned with international standards. The work, including review of documents and procedures, will be completed next year, after which recommendations will be implemented.
SMS codes: unresolved questions
According to the CBU, protective mechanisms are constantly being improved. Currently, one-time passwords (OTP) sent via SMS work only on the user’s mobile device.
This policy is understandable, but many travelers struggle to receive SMS codes abroad. Economist Botir Kobilov raised the issue on Telegram.
He criticised the practice of sending codes only to +998 numbers without email alternatives. When asking why email isn’t used, he says he was told: «No one uses email in Uzbekistan.»
Abdullayev argues users should enable SMS roaming so codes work abroad. Kobilov disagrees, noting that telecom disruptions happen, for example, SMS and mobile internet were temporarily unavailable in Russia’s roaming network starting October 6.
«Bank access cannot rely on SMS alone. Email and/or push notifications must be added urgently,» Kobilov wrote.
Expert opinion
Kirill Levkin, project manager at MD Audit, Softline Group, believes Uzbekistan’s hard geoblocking approach is the key mistake.
Security efforts have reduced convenience and partially blocked access to financial services, he says. Global banking instead uses adaptive authentication.
«Systems evaluate risk in real time — location, device, user habits. If login comes from an unusual country, don’t block — add biometric checks, video verification, or push-signature instead,» Levkin says.
He outlined modern solutions that can increase security without cutting off users:
Strong identification: keys, certificates, multifactor login
- Use FIDO2/WebAuthn: cryptographic keys stored on device, no password theft risk.
- Register multiple devices or hardware tokens (e.g., YubiKey).
- Certificates stored on SIM/eSIM can confirm identity securely from abroad.
Smart recovery: video-KYC
- Video-based identity checks with document recognition.
- Consular or notary verification abroad for long-term travelers.
Secure biometrics & device attestation
- Biometrics stay on device, not sent to server.
- Device attestation checks phone integrity and keys, ensuring trust even after device change.
Moving beyond SMS
- SMS is vulnerable (SIM-swap, interception).
- Switch to push-signatures or TOTP/HOTP inside the app.
- Hardware tokens or FIDO signatures for high-risk transactions.
- If SMS remains, use international gateways — but not as the primary method.
Predictive security
- UEBA systems analyze behavior patterns and trigger step-up authentication for anomalies.
- Combined with SIEM/SOAR for instant threat response.
- New devices can enter a temporary «sandbox» with limited functionality for 48–72 hours.
User-friendly UX
- A travel mode feature to notify banks of trips and ease geo-restrictions with enhanced monitoring.
- A clear «I’m abroad» button in the app with document checklist and video verification.
- Limited access at first: balance viewing and preset payments allowed, full access after full verification.
The trade-off between protection and accessibility
Uzbek banking practices show how well-intended security policies can unintentionally create digital inequality. Citizens abroad may lose access to their accounts simply due to their location.
As Levkin emphasized, the solution is adaptive cybersecurity — focusing on risk analysis and trust, not blanket bans. Cryptographic keys, MFA, video-KYC, and behavioral analytics can provide strong security while preserving access anywhere.
The Central Bank’s partnership with KPMG shows recognition that anti-fraud systems must evolve.
Earlier, Kursiv Uzbekistan reports how fraudsters take out loans in the names of Uzbek citizens and pocket the money.
