Is it the end of SMS Security Codes?
There have been many articles and product demos recently focused on disparaging SMS One-Time Passwords (OTP), while promoting new technologies like biometrics (fingerprint, facial recognition, etc.) for ELECTRONIC & MOBILE BANKING. Most of them focus on removing SMS as the channel for code delivery.
YES, it is true. SMS has its weakness.
HOWEVER, none of these articles manages to refute the main reason that SMS was considered a good security measure in the first place.
1. Simplifying the facts:
a. Separate Channel for Delivery:
MOBILE BANKING mostly requires internet access to work. The same channel is used to send security data and to authenticate. If this channel is compromised, there goes everything (data transmission, authentication and all).
- If a mobile banking solution uses SMS as the delivery medium for security codes, the SMS channel acts as a second, separate channel. YES, it is hackable, but separately. That is extra effort for an attacker, and YES, it counts.
b. Complex Algorithm:
Is it not also hackable? Harder, probably, but who's to say? Some say that the complexity of a biometric pattern makes it hard to duplicate.
- What gets copied is the transmission of these patterns once translated into bits (101001...), not the pattern algorithm itself.
- Just like other solutions, it can be sniffed and replayed.
- An OTP, delivered over SMS or not, is used once and usually within a limited time (e.g. 2 minutes), making reuse and late use harder.
c. Accuracy of Authentication:
Biometric accuracy is still debatable.
The usual consumer concern would be:
How accurate is it?
What if there are sudden changes?
The usual expert answer would be:
The proximity level of this authentication method can be scaled down to 70% accuracy... or something like that.
To which I would like to ask:
- By whose measurement is that 70%? Could system ABC by company ABC and system DEF by company DEF be measuring 70% on different scales?
- How can 'check and balance' be done across these differences and variations?
A simple OTP check just matches the input against the code stored in the DB, an actual, measurable kind of check and balance.
Anything other than an actual check and balance is actually NO CHECK AND BALANCE at all.
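To make the point about OTP checks concrete (the single-use, time-limited behaviour described under b, and the exact match against the stored code described under c), here is an added example of a server-side check that is not part of the original post. The class and method names (OtpStore, issue, verify) and the 3-attempt limit are assumptions for illustration; the 2-minute window comes from the text.

```python
# Added example: a server-side SMS OTP check as the text describes it.
# The code is single-use, bound to one session, expires after a fixed
# window, and is compared by exact value rather than a tunable score.
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # "usually within a limited time (e.g. 2 minutes)"
MAX_ATTEMPTS = 3        # assumed limit to stop online guessing of a 6-digit code


class OtpStore:
    """Holds one pending OTP per session; only a hash of the code is kept."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._pending = {}             # session_id -> (hash, expires_at, attempts)

    def issue(self, session_id):
        """Create a 6-digit code for the SMS sender; store only its hash."""
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[session_id] = (self._hash(code), expires_at, 0)
        return code                    # returned only so it can be sent by SMS

    def verify(self, session_id, candidate):
        """Return True exactly once, for the right code, within the window."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False               # nothing pending, or already consumed
        digest, expires_at, attempts = entry
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[session_id]   # expired or too many guesses
            return False
        if hmac.compare_digest(digest, self._hash(candidate)):
            del self._pending[session_id]   # single use: consume on success
            return True
        self._pending[session_id] = (digest, expires_at, attempts + 1)
        return False

    @staticmethod
    def _hash(code):
        # Hashing limits exposure if the DB leaks; the short TTL does the rest.
        return hashlib.sha256(code.encode()).hexdigest()
```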
d. Device readiness and affordability:
Electronic and MOBILE BANKING obviously run on the end user's mobile device, which does not necessarily come equipped with a biometric scanner such as a fingerprint reader. Only high-end devices have this feature, which limits clients to this smaller group of users. Now add the fact that not ALL of this "small group" will be doing banking on their mobile. Result: a dramatic loss of potential clients.
2. The approach:
The solution should address the concerns in a combined coverage.
3. How security companies should approach this:
Continue to improve security on the current technology flow and protocol by testing these security methods (new and old) and their vulnerabilities fairly. At the same time, test possible replacement methods, which should run in parallel rather than as a total replacement.
Every time these security vendors propose new methods to me, all these concerns come to mind. I feel that many security vendors are mostly trying to up-sell their new tech as a way to create new revenue streams or expand their potential clientele rather than finding a real new improvement. Please do comfort me with proper & measurable justification for me to incorporate it in the design of future solution(s).
Disclaimer: I am a solution designer and not a security expert. This is a personal opinion and is in no way intended to discredit anyone or any solution(s). The aim is to provide a different perspective from the direction of the current trend and remind us of other aspects of possible improvement.