The year has not started well for that popular authentication method, one-time passwords (OTPs) sent via SMS. Still widely used during logins and transactions as part of a two-factor authentication (2FA) process, SMS OTP has long been vulnerable to cyber criminals.

In South Africa, forensics consultant, David Klatzow, came out with guns blazing in early March, accusing at least one large South African bank of exposing high-net-worth individuals to large fraud losses by staying with SMS OTP. (Most South African banks have stopped using SMS OTP in favour of Entersekt’s technology.) Klatzow, who became a household name as an expert witness in the Oscar Pistorius trial, stated that banks who use this technology should be held responsible for phishing losses. This set off a heated debate over liability in local newspapers, radio, and social media, pitting frustrated victims and security experts against the banks and mobile operators accused of covering up internal SIM-swap fraud.


In Australia, things have gone from bad to worse in just a few weeks. Early in February, the Australian Communications and Media Authority (ACMA) reported that banking customers in Australia and New Zealand are being targeted with fraudulent SMS messages containing URLs that direct them to fake mobile banking sites. Fraudsters harvest their login credentials by means of a man-in-the-middle (MITM) attack – essentially hijacking the messages between the user and the bank.

In SMS-based 2FA, an Internet banking user must confirm their intended login or transaction by entering an OTP sent to their mobile phone. This authentication method was once believed to protect against MITM attacks – until security professionals realized that text messages can be intercepted by fraudsters just as easily. If a mobile phone is compromised because its user unwittingly downloaded a malicious app (malware) onto it, the fraudster can simply command the malware to monitor text messages – including those containing OTPs – on that phone.

To prove this point, early in March BBC journalists in the United Kingdom used an illegal SIM-swap to obtain SMS OTPs and access an account at NatWest. The “hack hackers” stole a token £1.50.

Android/ down under

Despite a decade of warnings over the vulnerabilities of SMS-based 2FA systems, many financial institutions still use them. Australian telcos urged banks not to use SMS for authentication back in 2012, with seemingly little effect. Now, after the discovery of an industrial-scale malware attack last week, perceptions should start changing quickly. On 9 March, antivirus software company ESET warned that twenty banks in Australia, New Zealand, and Turkey are being targeted in a single, sophisticated attack. The weapon, catchily named Android/Spy.Agent.SI, is disguised as a version of the Adobe Flash Player app, which users are tricked into downloading from infected websites or illegitimate app stores (a reminder never to stray from the Google Play Store and Apple’s App Store). The trojan lurks in the background until the user opens their mobile banking app. It then creates a fake login screen to capture the user’s login credentials. Designed specifically to bypass SMS-based 2FA, it then redirects all incoming OTPs to the hacker, and neither the user nor the bank will be any the wiser. Until the user checks their bank balance, that is.

In other news…

Also attacking the banking customers of at least six banks in Australia, as well as one in Russia, is Xbot. Discovered by Palo Alto Networks, this trojan has several very nasty tricks up its sleeve, including – you guessed it – cloning the login pages of mobile banking apps and intercepting SMS OTPs. The same approach is used by the SlemBunk trojan, so named by FireEye late last year. It currently imitates the legitimate banking apps of 33 banking institutions in North America, Europe, and Asia-Pacific. Not to be left out, Kaspersky Labs continues to track the emergence of Asacub, which seems to focus on banks in Russia and Europe and spreads through SMS spam.

Meanwhile, Symantec reports that Android.Bankosy has evolved beyond accessing SMS OTPs and is now capable of stealing OTPs delivered via voice messaging through call forwarding.

Things are moving very quickly. Monetary losses resulting from these attacks are not yet known, but one loss is certain and permanent: the loss of confidence in SMS OTP as a security technique. It’s time for banks to step up their user protection with out-of-band solutions that are impervious to this kind of exploit.
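As an added illustration (constructed here, not Entersekt’s code and not a description of its product), the following models why an intercepted SMS OTP is enough for a MITM or SIM-swap fraudster, while a confirmation computed on the user’s own device over the transaction details they actually reviewed is not. It assumes a per-device key that never leaves the phone and a simple field-by-field encoding of the transaction; both are assumptions for the demo.

```python
import hmac
import hashlib
import secrets

# Constructed demo: contrasts an SMS OTP (a bare secret, valid for whatever
# request it is submitted with) against an out-of-band confirmation that is
# cryptographically bound to the transaction shown on the user's device.


def issue_sms_otp() -> str:
    """Bank side: generate a 6-digit OTP and 'send' it by SMS."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_sms_otp(sent_otp: str, submitted_otp: str, transaction: dict) -> bool:
    """SMS OTP check: only the code is compared; the transaction is not.
    Whoever holds the intercepted code can authorise any transaction."""
    return hmac.compare_digest(sent_otp, submitted_otp)


def canonical(transaction: dict) -> bytes:
    """Stable encoding of the transaction fields displayed to the user."""
    return "|".join(f"{k}={transaction[k]}" for k in sorted(transaction)).encode()


def device_confirm(device_key: bytes, transaction: dict) -> str:
    """Phone side: a MAC over the reviewed transaction, keyed per device."""
    return hmac.new(device_key, canonical(transaction), hashlib.sha256).hexdigest()


def verify_device_confirm(device_key: bytes, confirmation: str, transaction: dict) -> bool:
    """Bank side: recompute over the transaction it is about to execute."""
    expected = hmac.new(device_key, canonical(transaction), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, confirmation)


def demo():
    legit = {"amount": "100.00", "beneficiary": "ACC-1111", "nonce": "n1"}
    # A MITM on the web session swaps the beneficiary before execution.
    tampered = dict(legit, beneficiary="ACC-9999")
    otp = issue_sms_otp()  # the code the fraudster reads off the SMS channel
    sms_accepts_tampered = verify_sms_otp(otp, otp, tampered)
    key = secrets.token_bytes(32)  # assumed to stay on the user's phone
    conf = device_confirm(key, legit)  # user approved exactly what they saw
    oob_accepts_tampered = verify_device_confirm(key, conf, tampered)
    oob_accepts_legit = verify_device_confirm(key, conf, legit)
    return sms_accepts_tampered, oob_accepts_tampered, oob_accepts_legit
```

The SMS check accepts the altered transaction because nothing ties the code to what the user meant to approve; the bound confirmation is rejected the moment any displayed field differs from what the bank is about to execute.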

Read more

My colleagues at Entersekt have written several blog posts on one-time passwords over the last couple of years.

Entersekt also has a great white paper on the subject, OTP: Security past its expiration date.


Jolette Roodt

