No, OTP is not surefire protection against online banking fraud
One-time password (OTP), a commonly used two-factor authentication, is considered an effective deterrent against criminals trying to steal money from your bank account through online transaction. Not any more.
There has been a large number of cases in which criminals duped bank customers into revealing OTP or accessed it by hacking the smartphone. But now they have found another way to bypass the OTP deterrent — by requesting your bank to change your phone number linked to your bank account. A criminal can just walk into a bank, impersonate you, request a change in your registered mobile number and use the new connection to receive OTPs for transactions.
Impersonation is a quick and simple way to carry out an OTP fraud. Another way criminals can dupe a bank customer is to contact a mobile operator with fake identity proof and get a duplicate SIM card. The operator deactivates the original SIM and the criminals generate OTP on the new number and conduct online transactions.