Global Banking and Finance Review
Banks must ditch SMS one-time passcodes – and fast

Published by Gbaf News

Posted on October 24, 2019

By Frans Labuschagne, United Kingdom and Ireland country manager, Entersekt

The rise of SIM swap fraud and the number of headline-making vulnerabilities exposed in recent weeks, putting over one billion mobile users at risk, provide overwhelming evidence that the technology is outdated.

When the news broke in mid-September that over one billion mobile phone users are potentially at risk from a SIM card vulnerability that is currently being exploited by cybercriminals, it came as no surprise to me. Rather, I found myself despairing that so many financial institutions are still, despite numerous warnings, persisting with one-time passcodes (OTPs) sent – and therefore easily intercepted by bad actors – via SMS messages.

The so-called SimJacker flaw, identified by researchers at AdaptiveMobile Security, is yet another alarming example that lays bare how exposed SIM cards and SMS messages are to hackers. This latest vulnerability has been exploited for two years by “a specific private company that works with governments to monitor individuals”, according to AdaptiveMobile Security.

“SimJacker has been further exploited to perform many other types of attacks against individuals and mobile operators,” continues the researchers’ report, “such as fraud, scam calls, information leakage, denial of service and espionage.”

Since Entersekt’s inception, in 2010, our position has been that SMS OTP is not secure, and the revelation about SimJacker further reinforces that position. There was more evidence to strengthen our case only two weeks before the SimJacker flaw was discovered, when a server containing an unprotected database of over 419 million phone numbers linked to Facebook accounts was exposed.

The leak of phone numbers could potentially open a huge number of users to SIM swap-type fraud. Organised crime groups trade digital files packed with personal data and account details sourced in mass data breaches and malware attacks. The fraudster will buy this data and use it to open a parallel account in their chosen victim’s name.

Other details in the file or gained separately through social engineering and searches online provide them with enough information to answer security questions at the relevant mobile network operator and register a new SIM. The victim’s SIM is deregistered in turn, and the answers to security questions changed in order to frustrate the victim’s attempts at rectifying the situation.

If more proof were needed to ditch SMS OTPs, earlier in the year Metro Bank became the first major financial institution to be named as a victim of hackers who were able to steal OTPs by hijacking customers’ text messages. It is understood that other banks have also been damaged by cybercriminals exploiting flaws in a set of protocols established over 40 years ago, called Signalling System No. 7 (SS7). Developed in 1975, SS7 is used by telecoms companies to coordinate how they route calls and SMS messages around the world. The age and open nature of SS7 make it vulnerable to cybercriminals pretending to be network providers. It was clear when Metro Bank was called out in February that SIM swap fraud was on the rise, meaning OTP texts were no longer enough protection. That was almost eight months ago.

At the time, back in February, a National Cyber Security Centre (NCSC) spokesman said: “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication.” The NCSC’s understated verdict was: “Text messages are not the most secure type of two-factor authentication.”

The truth is security experts have known about SMS technology flaws for some time and have regularly warned organisations about them. Indeed, as long ago as 2015, in the Strong Authentication Requirements for internet payments, as issued by the European Banking Authority (EBA), SMS-based authentication was listed as a method “to be avoided”.

Regulatory bodies in the financial industry are slowly beginning to heed these black-and-white warnings, as SMS OTPs’ risks to consumer security overtake the cost benefits. In spite of all this, digital banking security has a long way to go. It is business critical for organisations using SMS OTPs to move on – and fast – if they want to avoid falling prey to the inevitable risk inherent in relying on such out-of-date methods.

Financial institutions should be providing customers with the services they want and what’s good for them, and not sacrificing one over the other. Moreover, risk-based “Band-Aid” approaches to security, such as risk-based algorithms, are problematic because they fail to provide a complete security solution. And if they are breached, or they make the wrong decision, the result can often cost orders of magnitude more than an up-to-date cyber defence.

There is good news, though: while SMS may not be secure enough to deliver OTPs, the mobile device itself can be used to authenticate financial transactions. Leveraging the ubiquity, computing power and connectivity of the mobile device not only provides the potential to bank anywhere, anytime, but allows banks to authenticate and secure interactions of all kinds at speed.

In order to protect against SIM swap attacks, it is advisable that service providers make strong user authentication available and users elect to use it. This will combine knowledge factors like a password or PIN with either a strong possession factor like a mobile phone, FIDO keys, or an inherence factor such as facial or fingerprint recognition biometrics. These can all be facilitated through any mobile phone less than a decade old.

It’s important for financial institutions to be aware that there are a range of alternatives to SMS OTPs, including digital signing and biometric enablement. A secure mobile app, for instance, creates a secure channel between the user and the bank, rather than relying on the telecoms provider.

Essentially, the customer makes a connection to the bank and then uses their mobile device as the authenticator, which opens a completely separate, secure connection to the bank. The user will receive a pop-up notification asking: “Is this you making the transaction?” The customer will then answer “yes” or “no” with one click on their smartphone. Because it is a separate, secure channel, it cannot be intercepted and is not vulnerable to SIM-swap fraud.
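The possession factor and the out-of-band "Is this you?" approval described above, as an added Python example (not Entersekt's code and not from the article): the approval is a MAC over the exact transaction under a secret registered per device, so the phone number and SMS play no part in the check. The `Bank` class, the enrolment flow and the transaction values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed example (not Entersekt's product code): a per-device secret is
# registered at enrolment (on a real phone it would live in the keystore or
# secure element) and each approval is a MAC bound to one specific transaction.
CHALLENGE_TTL_SECONDS = 120

def _tag(secret: bytes, challenge_id: str, tx: dict, decision: str) -> bytes:
    # Canonical encoding: the answer is bound to this challenge AND this transaction.
    msg = json.dumps({"c": challenge_id, "tx": tx, "d": decision}, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class Bank:
    def __init__(self):
        self.devices = {}   # user_id -> device secret registered at enrolment
        self.pending = {}   # challenge_id -> (user_id, tx, issued_at)

    def enrol_device(self, user_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.devices[user_id] = secret
        return secret       # provisioned to the app once, over the app's own secure channel

    def start_transaction(self, user_id: str, tx: dict) -> dict:
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (user_id, tx, time.time())
        return {"challenge_id": challenge_id, "tx": tx}   # what the pop-up shows the user

    def approve(self, challenge_id: str, decision: str, tag: bytes, now=None) -> bool:
        user_id, tx, issued_at = self.pending.pop(challenge_id, (None, None, 0.0))
        if user_id is None:
            return False    # unknown or already-answered challenge: no replay
        if (now if now is not None else time.time()) - issued_at > CHALLENGE_TTL_SECONDS:
            return False    # prompt left unanswered too long
        expected = _tag(self.devices[user_id], challenge_id, tx, decision)
        return decision == "yes" and hmac.compare_digest(expected, tag)

def device_answer(secret: bytes, prompt: dict, decision: str) -> bytes:
    """The app's one-click answer; only the enrolled device holds the secret to compute it."""
    return _tag(secret, prompt["challenge_id"], prompt["tx"], decision)

def demo() -> bool:
    bank = Bank()
    key = bank.enrol_device("alice")
    prompt = bank.start_transaction("alice", {"to": "GB00 CONSTRUCTED 0001", "amount": "250.00", "currency": "GBP"})
    return bank.approve(prompt["challenge_id"], "yes", device_answer(key, prompt, "yes"))
```

A party who has taken over the phone number but holds no device secret cannot produce a valid tag, and a "yes" for one payment cannot be replayed or reused for another.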

Most experts in the cybersecurity industry can’t understand why in late 2019 banks are still using SMS OTPs to fight financial fraud. They have been rendered ineffective, are inconvenient for users, and are susceptible to SIM swap or number-porting attacks, fake caller IDs, and call-forwarding scams operated by dishonest customer service representatives at mobile carriers. Worse, OTPs do not guarantee protection from phishing attacks and malware-enabled account takeover fraud. Banks need to move with the times, ditch the SMS OTPs and invest in alternative cyber security solutions – before it’s too late.
