September 18, 2020

Why we should not rely on SMS OTPs as the global default solution

By Chris Stephens

When carrying out high-risk and confidential transactions online, SMS one-time passwords (OTPs) have swiftly become the go-to step-up authentication factor. However, Chris Stephens, head of banking solutions at Callsign, believes there is a strong case to suggest that banks should consider alternative and more intelligent methods.

One-time passwords are relatively easy for businesses to implement, and the solution certainly works for the majority of their users, who typically possess a mobile phone and are familiar with the user experience.

Hence, companies use SMS OTPs to authenticate both customers and employees. Many banks are resorting to this method to quickly comply with the PSD2 Strong Customer Authentication (SCA) regulation.

When considering this solution, organisations should take into account other important elements that might have been previously neglected, for instance hidden fees and security vulnerabilities.

Recently, Google announced that it is steering away from SMS OTP-based authentication and in the UK, both the Financial Conduct Authority (FCA) and UK Finance have said that in the longer term, banks ought to reduce their dependence on its use. Alternative forms, such as employing the secure binding of a device to achieve possession and the use of behavioural biometrics as an inherence factor, have been recognised by the European Banking Authority (EBA).

With the industry becoming increasingly aware of the downside of SMS OTPs and the deadline for SCA for e-commerce extended to September 2021 due to Covid-19, is now the best time for banks and wider businesses to look elsewhere for more intelligent methods of authentication?

SMS as default solution

Criminals are well aware of organisations’ reliance on SMS for two-factor authentication transactions, so they continue to abuse and weaken the systems in place and exploit these methods for their own advantage.

Fraudsters commonly practise SIM-swap fraud – whereby they obtain personal information about the victim to then contact the target’s mobile operator claiming that their phone has been lost or stolen. Since customers are no longer able to easily visit stores during the current pandemic, operators are reliant on channels that are more open to this type of manipulation to service their customers.

After the cybercriminal has gained the confidence of the mobile operator, a number transfer is then authorised, and the number is activated on a new SIM card. By doing so, the fraudster is granted access to the victim’s number and is able to retrieve all one-time passwords and authentication codes that are sent to that number. And this is a growing problem: in March 2020, Europol revealed that SIM-swap scams were on the rise across Europe, after an investigation had led to the arrest of 12 suspects associated with the theft of more than €3m ($3.3m).

That said, it is critical to note that SIM-swap fraud is not the only option fraudsters have to intercept OTPs from their victims during Covid-19 and in the longer term.

Look out for fraudsters 

In addition to the growing numbers of SIM-swap attacks, malware and remote access applications on mobile devices provide further streams for fraudsters to steal SMS OTPs.

For instance, individuals are socially engineered to download remote access apps, such as TeamViewer or hidden surveillance apps. These either give fraudsters remote access to the victim’s device, allowing them to directly read their messages, or silently record all their texts and phone calls and forward them to another device.

Here the victim’s private messages, including OTPs, are intercepted by the fraudster just as they are in a SIM-swap attack. However, in this instance the victim is unaware as the fraudster has direct access to the victim’s device.

Finally, several parties are involved in the delivery of OTPs, so each one provides another chance for messages to be captured. Then on top of that, taking into consideration the underlying vulnerabilities in the SS7 network and the attack surface, the potential for mass compromise becomes quite large.

Therefore, banks need to adopt a clear view of all data sub-processors, and ensure they each have suitable security controls in place, for example multi-factor authentication, audit logs and dashboards. Similarly, all telephone numbers need to be auto-redacted to minimise the impact of data breaches.
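
As an illustration of auto-redaction in practice, the following added example (not from the original article or from Callsign) is a Python logging filter that masks telephone numbers in OTP delivery logs while keeping a keyed tag, so audit logs can still correlate events for the same subscriber. The logger name, the key and the sample log lines are constructed, and it assumes numbers are logged in E.164 form with a leading "+".

```python
import hashlib
import hmac
import logging
import re

# Assumption: free-text numbers are written in E.164 form with a leading "+".
# Requiring the "+" keeps timestamps, amounts and OTP codes from matching.
E164 = re.compile(r"(?<![\w+])\+[1-9]\d{7,14}(?!\d)")

def redact_numbers(text: str, key: bytes, keep: int = 2) -> str:
    """Mask each E.164 number and append a keyed tag for log correlation."""
    def _mask(match: re.Match) -> str:
        number = match.group(0)
        # Phone numbers are low-entropy, so a plain hash could be brute-forced;
        # the HMAC tag is only as private as the key, which must stay secret.
        tag = hmac.new(key, number.encode(), hashlib.sha256).hexdigest()[:12]
        masked = "+" + "*" * (len(number) - 1 - keep) + number[-keep:]
        return f"{masked}[id:{tag}]"
    return E164.sub(_mask, text)

class PhoneRedactionFilter(logging.Filter):
    """Redacts the fully formatted message of every record it sees."""
    def __init__(self, key: bytes):
        super().__init__()
        self._key = key

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_numbers(record.getMessage(), self._key)
        record.args = None  # message is already formatted; drop the raw args
        return True

class ListHandler(logging.Handler):
    """Collects emitted messages in memory so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(record.getMessage())

def demo() -> list:
    """Run constructed OTP-delivery log lines through the filter."""
    handler = ListHandler()
    log = logging.getLogger("otp.delivery.demo")  # hypothetical logger name
    log.propagate = False
    log.handlers = [handler]
    log.setLevel(logging.INFO)
    log.addFilter(PhoneRedactionFilter(key=b"constructed-demo-key"))
    log.info("OTP sent to %s via gateway A", "+447700900123")
    log.info("delivery receipt for +447700900123 at 2020-09-18 10:15:02")
    return handler.lines
```

Attaching the filter to the logger rather than to one handler means every downstream sink, including any log shipped to a sub-processor, only ever receives the masked form.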

Beware of hidden fees

Intercepted OTPs not only lead to fraud losses, but unforeseen costs can also quickly add up. In addition to the transparent costs of SMS OTPs, for example cost per text, there are numerous hidden fees that are tricky to budget for. These are typically a by-product of the issues mentioned earlier – strategically, this forces businesses into a reactive mode that is difficult to manage.

For instance, where drop-offs occur in an authentication journey, such as when SMS texts are not received, banks need to be ready to handle a significant boost in calls to their customer service helplines and their associated fees – or the customer takes another card out of their wallet, which is worse for the bank.

Furthermore, customers may ultimately choose to abandon transactions as they are fed up with a customer journey that adds too much unnecessary friction. These abandonments lead to a decrease in interchange fees for banks, and a potentially reduced customer base for merchants.

User experience 

On top of this, SMS is not a universal solution for everyone. For example, SMS OTPs are not accessible to all customers, including those living in remote or low-service locations, who may not be able to receive SMS alerts. This experience is not very customer-friendly, considering it requires approximately 30 seconds of transaction time for the text to be delivered, as opposed to the almost instantaneous transactions that can be achieved with other authentication approaches, such as biometrics.

Mobile adoption is only going to rise, and the growth of transactions on these devices is unlikely to slow down any time soon. This sits alongside ever-changing customer needs and expectations as users seek hyper-personalised online experiences as the new norm.

Even though SMS OTPs are mobile-first, they do still require the user to move to an alternate platform to complete the transaction, which can be extremely frustrating for the customer. Understandably, in the worst-case scenario, a friction-filled experience could lead to users abandoning transactions. For these and other existing security reasons, the EBA is recommending that banks adopt other options.

Behavioural biometrics 

Each of us has our own unique behaviour when swiping across a screen, which is identified through the analysis of the data signals captured from hardware sensors when the user interacts with their device.

These signals are then used to develop user features including finger movement, hand orientation and wrist strength. Artificial intelligence and machine learning’s combined capabilities are used to analyse this information to derive a bespoke model of that user’s swipe behaviour. This method takes just milliseconds to confirm whether the customer is who they say they are or a fraudster, allowing the bank to seamlessly carry out appropriate security actions immediately.

Furthermore, behavioural biometrics is not only a good approach for positively identifying a specific customer, but also effectively identifies bad actors – for instance, when criminals use technologies such as bots or remote-access trojan software to control transactional flows without the customer’s knowledge.

This form of technology works on both high- and low-end devices, and stops a fraudster before they can even begin using a victim’s device, by protecting them against both blind attacks, where the fraudster has never observed how the user swipes their phone, and over-the-shoulder attacks, where the fraudster has been able to observe the victim’s swipe movements.

The algorithms quickly detect both types of fraudulent attack with an accuracy rate of 98%, and detect the genuine user more than 90% of the time. This ability to prevent criminal access, even when the attacker has observed behaviour, provides an added level of security that other traditional methods, such as a PIN or password, cannot.

Remain relevant 

The organisations that will manage to maintain a competitive edge and become most successful will be those who are able to deliver hyper-personalised journeys.

In our new digital age, due to the impact of Covid-19, consumers are increasingly seeking to bank with or sign up to services that offer a bespoke service and meet their daily needs and expectations. However, single-point solutions, such as SMS OTPs, provide businesses with limited flexibility to meet these requirements.

A holistic approach empowers organisations to take back control of their fraud and authentication management. As a result, teams will be equipped with greater intelligence around the identity of the customer and the flexibility to amend customer journeys in real time. By being more strategic, they will be able to adopt a more proactive outlook that provides greater control and insights over where their IT spend should be allocated, and consequently become less reliant on single-point solutions.

It is important to remember that this not only upgrades security measures, but also creates more obstacles for fraudsters trying to pinpoint and penetrate the weak spots in an organisation’s network.

A hyper-personalised solution that leverages intelligent authentication will enhance the customer experience and Net Promoter Score, as users now have more options and say over how they authenticate.
