Mostbet has announced the introduction of an updated account security system. The changes affect authorisation, transaction control and user data storage. The update was a response to an increase in attempts to gain unauthorised access to gaming accounts in South Asia. According to industry reports, in 2025, the number of incidents involving compromised accounts on betting platforms in the region increased by 34% compared to the previous year. The new measures are primarily aimed at the Indian audience, which is the platform’s largest market in terms of volume.

Two-Factor Authentication and Login Controls – What Is New?
The main innovation is mandatory two-factor authentication (2FA) when logging in from a new device or region. When an unusual login is detected, the system blocks the session and sends a one-time code to the linked phone number or email address. The code is valid for 10 minutes, after which it is cancelled. This is crucial for India, because a significant proportion of users log in from multiple devices, and previously, switching devices did not trigger additional verification.
At the same time, the ‘Trusted Devices’ feature has been launched. Users can explicitly specify smartphones and PCs from which they will be able to log in without 2FA. This solves the problem of balancing security and convenience. No one wants to enter a code every time they open the app on their smartphone.
An account activity log will also be added soon. Users will be able to see the history of all logins, including the device, IP address, geolocation, and time. If an unfamiliar session appears in the list, it can be forcibly terminated directly from the app without contacting support.
New access management tools:
- 2FA via SMS or email – activated automatically when logging in from an unfamiliar device;
- List of trusted devices – allows you to disable 2FA for your personal smartphone;
- Session log – complete login history with the ability to forcibly terminate any session;
- Login notifications – push or SMS for each authorisation, including trusted devices (configurable).

Transaction Verification and Data Protection: Under the Hood
The second major set of changes concerns transactions. Mostbet has implemented a payment behaviour analysis algorithm. The system tracks the typical activity profile of each user – usual deposit amounts, deposit frequency, methods used – and automatically flags transactions that fall outside that profile. For example, if an account is usually topped up via UPI for ₹2,000-5,000, and then a request is made to withdraw ₹80,000 using an unfamiliar method, the transaction is sent for manual verification.
This is not a block, but a verification. In most cases, it takes up to 30 minutes and does not require user involvement. But if the request is deemed suspicious, the security service contacts the account owner via the verified contact provided during registration.
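The behavioural check described above can be sketched as follows. This is an added example, not Mostbet's code: it scores a request against the account's own history with a robust (median/MAD) z-score and a method-familiarity test. The threshold, the minimum-history rule, the choice to hold only withdrawals and all names are assumptions; the history is constructed from the article's ₹2,000-5,000 UPI scenario.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Txn:
    kind: str    # "deposit" or "withdrawal"
    amount: int  # rupees
    method: str  # payment method label, e.g. "UPI"

# Assumed tuning values; the article does not publish the real ones.
MAD_THRESHOLD = 6.0  # robust z-score above which an amount is atypical
MIN_HISTORY = 5      # fewer past transactions than this: no usable profile

def build_profile(history):
    """Summarise past transactions: typical amount, spread, known methods."""
    amounts = [t.amount for t in history]
    med = median(amounts)
    # Median absolute deviation resists skew from a single large deposit.
    mad = median(abs(a - med) for a in amounts) or 1  # avoid division by zero
    return {"median": med, "mad": mad, "count": len(amounts),
            "methods": {t.method for t in history}}

def review(profile, txn):
    """Return (decision, reasons); decision is 'approve' or 'manual_review'."""
    reasons = []
    if profile["count"] < MIN_HISTORY:
        reasons.append("insufficient_history")
    # 0.6745 rescales MAD so the score is comparable to a standard z-score.
    score = 0.6745 * (txn.amount - profile["median"]) / profile["mad"]
    if score > MAD_THRESHOLD:
        reasons.append("atypical_amount")
    if txn.method not in profile["methods"]:
        reasons.append("unfamiliar_method")
    # Assumption: only withdrawals are held; flagged deposits are just logged.
    hold = txn.kind == "withdrawal" and bool(reasons)
    return ("manual_review" if hold else "approve"), reasons

# Constructed sample history: UPI deposits in the ₹2,000-5,000 range.
HISTORY = [Txn("deposit", a, "UPI") for a in (2000, 3500, 5000, 2500, 4000, 3000)]
PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for t in (Txn("withdrawal", 4000, "UPI"),
              Txn("withdrawal", 80000, "bank_transfer"),
              Txn("deposit", 80000, "UPI")):
        print(t, "->", review(PROFILE, t))
```

Returning the reasons alongside the decision gives the reviewer handling the manual verification the specific signals that triggered the hold.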
The encryption scheme has been updated at the data storage level. Users’ personal data is now stored using AES-256 with key rotation. AES-256 is a symmetric encryption algorithm that is considered the standard for protection in the banking sector. Key rotation means that if one key were hypothetically leaked, it would not open access to the entire data set.
What has changed in transaction and data protection:
- Behavioural payment analysis – the system compares each transaction with the historical account profile;
- Manual verification of suspicious withdrawals – up to 30 minutes without blocking the account;
- AES-256 with key rotation – encryption of personal data according to banking standards;
- Verification via official contact – communication with the security service only through the data specified during registration.
For Indian users, the update package is relevant for one specific reason: UPI and PhonePe are payment methods linked to real bank accounts, and compromising a gaming account potentially means not only the loss of the gaming balance, but also access to financial data. The new security scheme covers the most common attack scenarios – session hijacking when changing devices and unauthorised withdrawal of funds using an atypical method.