Defunct SMS OTP still reigns at Australian banks

An investigation into online banking security measures in Australia revealed that SMS OTP is still very popular there, despite growing global awareness of this authentication method's weaknesses: a code sent over SMS can be read by malware on the phone, redirected by SIM swapping or SS7 abuse, or simply phished, because it is not bound to the transaction or the session it is meant to protect. In fact, the draft of the next edition of the United States National Institute of Standards and Technology (NIST) Digital Authentication Guideline (SP 800-63B) deprecates SMS as an out-of-band second factor and warns that it may no longer be allowed in future editions.

As can be seen from the table below, the password/OTP combination is the most popular security measure protecting online banking at Australia's biggest banks, whether the OTP arrives via SMS or is generated on a hardware token. However, after attacks by Android banking malware such as Marcher, Android/Spy.Agent.SI and Android.SmsSpy.88.origin, all of which intercept incoming SMS on the infected phone and forward the one-time code to the attacker, these institutions urgently need to rethink their reliance on SMS as a second factor.