Authentication via SMS – Has it become a thing of the past?
It’s a saying our team always uses: “Security is only as strong as its weakest link!”
By Matt Berryman
When authenticating customers remotely, companies often offer a One-Time Passcode (OTP) delivered by SMS to their customer’s handset. While a clear improvement from static passwords, it’s far from ideal and no longer as secure as once thought.
But, even before a bank can offer OTP via SMS, the first challenge they face is whether or not they have an accurate mobile number for the cardholder. It may be surprising that some companies have accurate mobile numbers for less than half their customer-base, immediately limiting the value of this type of authentication!
With banks’ increasing use of OTPs delivered via SMS for cardholder authentication, fraudsters are becoming increasingly interested. One of the more common attacks is a ‘SIM swap’ where a fraudster uses a combination of social engineering and phishing tactics to persuade the customer’s network operator to issue a new SIM for the cardholder’s current phone number.
Once this new SIM is activated in the fraudster’s handset, it can be hours before the customer notices and, in this time, the fraudster extracts as much money as possible from the customer’s account via fund transfers or online shopping. A similar attack uses malware installed on devices to automatically forward any SMS messages to the fraudster.
More worryingly, in May 2017, O2-Telefonica confirmed to a German newspaper, Süddeutsche Zeitung, that some of its customers had been hit by fraud relating to weaknesses in a protocol used to share the data needed for passing calls and messages between mobile phone networks. Until recently, these attacks had been theoretical. Now, however, enterprising fraudsters have worked out how to use this method to view SMS messages sent to handsets, giving them access to the OTPs needed to authenticate transactions.
In response to attacks like these, the US National Institute of Standards and Technology (NIST) Digital Identity Guidelines discouraged the use of SMS or voice calls to perform out-of-band authentication. While that guidance has been removed from the latest draft, it is clear that the useful lifetime of OTP via SMS is coming to a close.
Current OTP via SMS solutions do not appear to be compliant with the current draft of the Regulatory Technical Standards (RTS) for two reasons: 1) the OTP is categorised as the ‘possession’ element with no second element, and 2) paragraph 3 of Articles 6, 7 and 8 states that the elements forming two-factor authentication should not be compromised even if the device is.
To address the first point, the simplest change to the current customer journey would be to prompt the cardholder for a ‘knowledge’ element before the OTP could be generated and delivered to the customer’s handset. The second point is impossible to address on feature phones. While the content of an SMS can be masked until a smartphone is unlocked, there is no way for an Issuer to enforce that policy amongst their cardholders.
The final decision about whether or not an OTP via SMS is compliant with the guidelines for two-factor authentication has been delegated to the national regulator in each EU member state. CA have heard that countries are coming out on both sides of the debate and so multi-national issuers will also be faced with the challenge of having to comply with different interpretations of the same regulations in their different regions.
But fear not: there are many companies out there that offer innovative, easy, and compliant solutions that satisfy PSD2 requirements, CA Strong Authentication for Payments being one of them.
CA Strong Authentication for Payments is fully compliant with the latest draft of the RTS for Strong Customer Authentication requirements. It delivers robust two-factor authentication using ‘possession’ of the device as one factor and the ‘knowledge’ of a PIN or the ‘inherence’ of a fingerprint or face as the second.
CA Strong Authentication for Payments can remove the dependence on the bank’s set of mobile numbers by allowing the bank to re-use familiar authentication methods already present within their mobile banking application. For Issuers that don’t have an existing application, CA provides a sample iOS and Android application that enables TouchID and FaceID authentication for newer devices and a static PIN for older devices without biometric capabilities.
This application will receive a ‘push’ notification every time a transaction is performed at a 3-D Secure merchant. This notification wakes the device and alerts the cardholder. Tapping the notification then takes the cardholder to a screen in the mobile banking application displaying details of the transaction pending approval. After reviewing the details, the cardholder can approve the transaction using TouchID/FaceID, or by entering a PIN on older devices.
This helps Issuers comply with the Dynamic Linking requirements in Article 5, as each authentication request is presented with details of the transaction amount and payee. Once authentication is complete, a cryptographic signature is created linking the transaction request with the authentication outcome. This allows Issuers to be certain, when they receive the transaction for authorization, that it has not been tampered with en route.
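The dynamic-linking check described above, as an added example that is not CA’s code and not the product’s actual protocol: the page says only that a cryptographic signature links the transaction request to the authentication outcome, so this demo assumes a symmetric per-device key provisioned at enrollment and uses HMAC-SHA256 over a canonical encoding of the transaction id, amount, currency, payee and outcome. The device signs after the cardholder approves what was displayed; the Issuer recomputes the signature over the amount and payee it actually receives for authorization, so any change to either en route, or a result from a declined or different transaction, is rejected. All transaction values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed example: a per-device secret provisioned when the mobile app was
# enrolled. The page does not specify key type or algorithm, so HMAC-SHA256 over
# a symmetric device key is an assumption made for this self-contained demo.
DEVICE_KEY = bytes(range(32))  # placeholder key, never use a fixed key in production


def canonical_payload(transaction_id, amount, currency, payee, outcome):
    # Deterministic encoding so device and issuer sign byte-identical data.
    # Amount is a decimal string to avoid float rounding differences.
    fields = {
        "transaction_id": transaction_id,
        "amount": amount,
        "currency": currency,
        "payee": payee,
        "outcome": outcome,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_authentication(device_key, transaction_id, amount, currency, payee, outcome):
    """Device side: runs after the cardholder approves (or declines) on the
    transaction-detail screen. The signature binds the outcome to the amount
    and payee that were actually displayed to the cardholder."""
    payload = canonical_payload(transaction_id, amount, currency, payee, outcome)
    signature = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return {"transaction_id": transaction_id, "outcome": outcome, "signature": signature}


def verify_authentication(device_key, authorization, auth_result):
    """Issuer side: recompute the signature over the amount and payee in the
    authorization request as received, and compare with the device's signature.
    Any change to amount or payee en route makes the comparison fail.
    Returns (accepted, reason)."""
    if auth_result["transaction_id"] != authorization["transaction_id"]:
        return False, "authentication result belongs to a different transaction"
    if auth_result["outcome"] != "approved":
        return False, "cardholder did not approve"
    expected = hmac.new(
        device_key,
        canonical_payload(
            authorization["transaction_id"],
            authorization["amount"],
            authorization["currency"],
            authorization["payee"],
            "approved",
        ),
        hashlib.sha256,
    ).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, auth_result["signature"]):
        return False, "transaction details differ from what the cardholder approved"
    return True, "ok"


def demo():
    """One cardholder approval checked against three authorization requests:
    unaltered, amount changed en route, and payee changed en route."""
    # Constructed transaction, as shown to the cardholder in the push notification.
    shown = {"transaction_id": "txn-0001", "amount": "149.99",
             "currency": "EUR", "payee": "Example Merchant Ltd"}
    result = sign_authentication(DEVICE_KEY, shown["transaction_id"], shown["amount"],
                                 shown["currency"], shown["payee"], "approved")

    unaltered = dict(shown)
    amount_changed = dict(shown, amount="1499.99")
    payee_changed = dict(shown, payee="Other Payee")

    return {
        "unaltered": verify_authentication(DEVICE_KEY, unaltered, result),
        "amount_changed": verify_authentication(DEVICE_KEY, amount_changed, result),
        "payee_changed": verify_authentication(DEVICE_KEY, payee_changed, result),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The point of the canonical encoding is that the Issuer never trusts the amount or payee carried alongside the signature; it signs what it is about to authorize and checks that this matches what the device signed. A production design would use a per-device asymmetric key so the Issuer holds no secret that could forge approvals, and would include a nonce or timestamp in the payload to prevent an old approval being replayed, neither of which the page describes.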
About Matt Berryman
Matt leads the Payment Security Presales team at CA helping our customers secure e-commerce transactions. Matt has a deep technical background and combines this with a solid understanding of the marketplace and regulatory constraints to advise banks and credit card companies on how to find the balance between customer experience and fraud prevention.