SMS - A welcome invitation for fraudsters

Entersekt Editor|31 July 2014

It is no secret that one-time passwords (OTPs) have outlived their expiration date. These one-off strings of digits have proven to be neither secure nor convenient, especially when generated and dispatched to the customer’s mobile phone via the SMS channel, which is one of the most popular OTP delivery methods used by banks around the world. 

The SMS channel is one of the most vulnerable, yet for more than a decade banks have been using mobile text messages to deliver OTPs to their customers. This is largely because most of their clients already carry a mobile phone, which spares banks from having to issue a specialized hardware token.

Back in 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor.” He warned that its use in authentication was “probably going to leave customers vulnerable to frauds that exploit their credulity or naivety.” That is exactly what happened. In the wake of phone porting scams defrauding Australian consumers, even the mobile network operators that benefit financially from SMS-based authentication solutions declared the technology unsafe for online banking.

The SMS channel is not considered secure for several reasons. First, the security of SMS relies on the security of cellular networks, and with the attacks against GSM and 3G networks, the confidentiality of text messages cannot be assured. 

In addition, many phones are susceptible to trojans like Zeus, Zitmo, Citadel and Perkal, which leverage open access to SMS on mobile phones specifically to intercept OTPs. In 2012, an estimated 6,300 malicious programs appeared each month, according to Kaspersky Labs. These were mainly SMS trojans designed to raid bank accounts.

Let’s not forget about mobile SIM swaps or SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers, which exploit insecure SMS networks and erode misplaced trust in the channel.

Besides being insecure, SMS OTP delivery is also expensive. A single SMS can cost from $0.10 to $0.20. Transaction costs also come into the equation for on-premise implementations that require a third-party service provider, such as an SMS gateway provider or mobile network operator. These costs vary by geography and message volume, and can be unpredictable.

The good news is that, while SMS is not secure enough for delivering OTPs, the mobile device itself can be used to authenticate financial transactions. Leveraging the ubiquity, computing power and connectivity of the mobile device not only provides anywhere, anytime banking, but allows banks to authenticate and secure customer interactions of all kinds. 

Deploying industry-standard X.509 digital certificates to mobile phones and tablets allows them to be uniquely identified, transforming them into second factors of authentication. These devices can be used with complete confidence to confirm a user’s identity when logging into an online banking portal or mobile application. Credit and debit card and call center interactions can also be authenticated in this way.

For financial institutions intent on providing a secure and convenient method for customers to transact using a mobile device, there are new solutions available today that can virtually eliminate all types of man-in-the-middle attacks and enable mutual authentication and secure communications between your customer's mobile phone and your financial institution. 
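The device-as-second-factor pattern described above, as an added example that is not Entersekt's code and uses only Go's standard library: the bank enrolls the fingerprint of a customer's device X.509 certificate, then authenticates a login or transaction by challenging that device to sign a fresh nonce, so neither an SMS-intercepting trojan nor a SIM swap yields anything usable. The self-signed certificate, the user names and the nonce are assumptions for illustration; a bank would issue the certificate from its own CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewDeviceCert provisions a phone with a key pair and a self-signed X.509 certificate
// (constructed for this example; a bank's own CA would issue the real one).
func NewDeviceCert(cn string) (ed25519.PrivateKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return priv, der, err // the DER certificate is the device's identity
}

// Fingerprint (SHA-256 of the DER certificate) is what the bank enrolls per customer.
func Fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }
// SignChallenge is the device side: answer the bank's fresh nonce with the private key.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

// VerifyDevice is the bank side: the certificate must be the one enrolled for the user
// and the signature must cover the exact nonce issued for this attempt (no replay).
func VerifyDevice(enrolled map[[32]byte]string, user string, der, nonce, sig []byte) error {
	if enrolled[Fingerprint(der)] != user {
		return errors.New("certificate not enrolled for this user")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("challenge response invalid")
	}
	return nil
}
```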

There is no reason banks should still be putting their customers at risk with the use of the SMS delivery channel.  

For more information, please download Entersekt’s white paper, OTP: Security Past its Expiration Date.


About the author

Entersekt Editor


An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.


Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.