Earlier in the month I had a medical procedure that made me decide to go stay at my parents’ home for rehabilitation. An experience during that stay prompted me to be more vocal on why SMS isn’t a secure method of authentication for banking and payment services, or any sort of service that uses two-factor authentication (2FA).
The idea behind 2FA is to use multiple attributes to prove a person is indeed who they claim to be. The factors are what you know (a PIN) and what you have (a phone). You log into your Stanbic IBTC bank website, and the bank sends a one-time password (OTP) via SMS to your phone. You use your debit card to pay online and you get an OTP to authenticate that transaction.
I found out my cousin bought an Etisalat SIM with a recycled phone number that was tied to the previous user’s bank account. Every time the previous user made a transaction my cousin got those alerts, including the originating and destination accounts (not sure why the bank thought it was a good idea to not “# # ##” those sorts of details), to the extent that she was able to use those details and the number to register on the bank’s USSD channel and purchase airtime worth N3,000.
This was basically an unintended “SIM swap” that was initiated by the operator after the previous user, for whatever reason, stopped using the number and it became inactive. A determined fraudster could have found a way to take advantage of the previous user’s bank details and the phone number to wreak havoc.
A scarier version of this happened when I tried using my dad’s PC to log into my internet bank and, because we use the same bank, I discovered he uses the ‘remember me’ feature on his browser. Basically, an attacker could easily log into his account. My dad isn’t alone; the majority of Nigerians save their bank and card details on their phones as SMS draft messages, contacts or in the notes app. A fraudster could easily send phishing links to smartphone users to gather this information or provide “free” Wi-Fi in public places to mine that data.
The next step is to attack the weakest link in 2FA, SMS, which can be socially engineered or strong-armed out of your control. One way is a “SIM swap”: I just need to visit the nearest MTN center, impersonate my dad with a fake ID and I’ll be asked for information about the number: when I bought it, the 5 most frequently called numbers and the last amount I recharged. A fraudster who knows enough about you could theoretically answer these to get access to your number.
Secondly, an attacker doesn’t need to know your phone number. I could easily intercept my dad’s SMS by logging in to his internet banking or using his debit card at 3 a.m. and intercepting the OTP code sent to his phone number using a Trojan virus installed on his smartphone.
Thirdly, an attacker could use off-the-shelf cell towers known as IMSI catchers or stingrays that intercept text messages within a kilometre radius. It costs $1500 and it’s getting cheaper. It’s easy to buy on Alibaba and runs on open source software.
For example, there is an MTN cell tower in my area. I could broadcast an IMSI catcher as an MTN network and, if the signal is strong enough, my dad’s phone will connect to it because his phone is set to use automatic network selection and the IMSI catcher isn’t required to authenticate itself to the phone. This makes a hacker the man-in-the-middle, capable of intercepting all the incoming SMS/calls.
If that transaction is happening, it can be intercepted. And that means you’re potentially at some level of risk.
Other people think the same too. The US Department of Commerce’s National Institute of Standards and Technology (NIST) called out 2FA systems that use SMS because of the many insecurities, in the latest draft of its Digital Authentication Guideline.
[Out of band (OOB) verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance.
What NIST is saying is: SMS, for all intents and purposes, isn’t secure. The guideline recommends using push notifications to apps on a smartphone for OOB, which is a fair way of how it should work.
Another method is using the Google Authenticator app or a similar service that doesn’t require any message to be sent at all, by generating one-time password codes that change every few seconds. This is way more effective than using SMS to deliver an OTP to a customer’s phone. It’s less convenient, though.
In the future, banking and payment services could easily build similar functionality in-app by leveraging the SIM toolkit as a digital identifier and the Trusted Execution Environment (TEE) as secure access to the process required to authenticate a user. But all this would require telecom operators to offer an identity service using the SIM (such as GSMA Mobile Connect) and the TEE to be opened to third-party access in a non-discriminatory and transparent way. Good thing the FIDO Alliance, an industry consortium for online authentication, is working to standardize this for natural ID implementations.
But it would take the Apples and Androids of this world together with phone manufacturers and telecom operators to agree on how all this should work and banking and payment services to adopt it. If history has taught us anything when it comes to these guys, it’s that they all think they can win.
I get it, SMS as a security measure for payment and banking is convenient (heck, as a customer I wouldn’t be caught carrying (token) devices for all the banks and payment services I use, even though it’s more secure) but anybody who takes security seriously knows that SMS isn’t ideal for authentication.
That’s why I’d recommend that banking and payment services implement the new FIDO standard, U2F, an open authentication standard that strengthens and simplifies 2FA by enabling users to securely access any banking or online service with one single device (costs $10). You simply press a button on the token when the website/mobile app requests it. It’s the size of a very small key and sits nicely on a keychain. It’s more secure and easier to use (no typing in the code) than OATH.
It’s an open standard backed by leading internet and financial services, including Google, Bank of America and 250 companies in the FIDO Alliance.
I don’t think I’m trying to change how identity and authentication works in Nigeria with a Medium post but to spark conversations around it and how they can improve banking and payment services.