Using SMS OTP as 2-Factor Authentication in Banking and Financial Apps

Authentication via SMS OTP is considered outdated: it carries higher overall costs, offers low user convenience and fails to satisfy regulators in some geographic regions, but above all it has practical security weaknesses.

Petr Dvořák
Published in Wultra Blog
3 min read · Jul 20, 2021

Banks and financial institutions should phase out this method and replace it with more secure user authentication, such as authentication via mobile app or hardware token. This post summarizes the main areas that should motivate organizations to move away from authentication via SMS OTP.

1. Security

SIM Swapping Attacks

By relying on SIM cards, banks effectively outsource part of their security process to telcos, who have no contractual obligation to the bank to get that process right. In a SIM swapping attack, a fraudster persuades the carrier (by social engineering or with a bribed employee) to issue a replacement SIM or port the victim's number to a SIM the fraudster controls; from that moment every OTP for the victim's account is delivered to the attacker. Insufficient KYC and identity checks at the carrier make this far easier than attacking the bank directly.

Android Platform Features

Android is a very open platform with many features that can be misused. Banking malware can read the contents of SMS messages via accessibility services, which are meant to assist users with disabilities but in practice let an app read whatever is on screen, including incoming messages and notifications. Malicious applications can also intercept messages by requesting the SMS reading permissions, or pose as an SMS messaging app (a tactic used successfully by the Joker malware, repeatedly found on Google Play). A practical check for a banking app is to refuse to run, or at least warn, when an unknown accessibility service is enabled on the device.

Insecure Telco Infrastructure

The protocol behind SMS is decades old, as is the infrastructure that carries it. Messages may cross the radio network weakly encrypted or not at all, they are routed between carriers over the SS7 signalling network, where anyone with SS7 access can intercept or redirect them, and they may be stored unencrypted in telco databases or logs. None of this is under the bank's control.

2. Regulatory Compliance

Insufficient 2nd Factor

Some legal frameworks, such as the European PSD2 legislation with its regulatory technical standards on strong customer authentication, or “Law №7192” in Turkey, have made SMS OTP problematic for financial services. SMS OTP does not lend itself to several mandatory features. PSD2, for example, requires dynamic linking: the authentication code must be specific to the amount and payee of the transaction, and the payer must be shown both before approving. A random six-digit code in an unformatted text message meets this only loosely, and a code delivered to a device that may also be the device running the banking session strains the requirement that the authentication elements be independent. While SMS OTP is still used by banks and tolerated by regulators, legal frameworks generally follow expert recommendations and push banks and financial institutions towards the end-of-life of this authentication method.

3. User Convenience

Important Data Hidden In Plain Text

Text in SMS messages is unformatted, so the important attributes (amount, payee, operation type) are hard to pick out when reviewing the operation to be confirmed. Users therefore become more susceptible to phishing: they blindly retype the code from the SMS into a phishing site and thereby approve an operation they never intended.

Need to Rewrite Codes

To use SMS OTP, the user has to retype the code into the web application. This introduces unnecessary friction and can result in authentication errors due to typos, forcing the user to repeat the whole authentication step.
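To make the difference concrete between a retyped code and an in-app approval bound to the operation (the dynamic-linking point from section 2 and the blind-retyping problem in this section), here is an added example in Python. It is not Wultra's code and does not come from the original post; the per-device shared secret, the HMAC-SHA256 construction, the challenge format and the sample payment are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(operation: dict) -> bytes:
    """Deterministic serialization so app and bank MAC exactly the same bytes."""
    return json.dumps(operation, sort_keys=True, separators=(",", ":")).encode()


# --- Plain SMS OTP: the flow the post argues against --------------------------

def issue_sms_otp() -> str:
    """A random six-digit code. Nothing in it depends on the operation."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_sms_otp(stored_code: str, typed_code: str) -> bool:
    """The bank can only compare the retyped code with the one it sent. There is
    no operation parameter because the code was never derived from one."""
    return hmac.compare_digest(stored_code, typed_code)


# --- Mobile-token approval bound to the operation (dynamic linking) ------------
# Assumption for this example: a 32-byte secret per enrolled device, shared with
# the bank at enrollment. A production token would use a device-bound key pair.

def device_approve(device_key: bytes, operation: dict, challenge: bytes) -> bytes:
    """App side. The user is shown the structured operation and taps approve; the
    approval is a MAC over the bank's challenge plus exactly the data displayed."""
    return hmac.new(device_key, challenge + canonical(operation), hashlib.sha256).digest()


def server_verify(device_key: bytes, operation: dict, challenge: bytes, approval: bytes) -> bool:
    """Bank side. Recompute over the operation the bank is about to execute, so an
    approval produced for different data (or for another challenge) does not match."""
    expected = hmac.new(device_key, challenge + canonical(operation), hashlib.sha256).digest()
    return hmac.compare_digest(expected, approval)


def demo(device_key: Optional[bytes] = None) -> dict:
    """Constructed scenario: the user intends one payment; an attacker swaps the payee."""
    device_key = device_key or secrets.token_bytes(32)
    # Constructed sample payment; the IBAN is a documentation example, not a real account.
    intended = {"amount": "100.00", "currency": "EUR", "payee": "CZ65 0800 0000 1920 0014 5399"}
    tampered = dict(intended, payee="CZ00 0000 0000 0000 0000 0001")

    # SMS OTP: whatever the user retypes is checked only against the stored code.
    code = issue_sms_otp()
    sms_ok = verify_sms_otp(code, code)  # the bank has nothing else to check it against

    # Mobile token: the approval is bound to what was displayed.
    challenge = secrets.token_bytes(16)
    approval = device_approve(device_key, intended, challenge)
    return {
        "sms_code_is_unbound": sms_ok,
        "token_accepts_intended": server_verify(device_key, intended, challenge, approval),
        "token_rejects_tampered": not server_verify(device_key, tampered, challenge, approval),
        "token_rejects_other_challenge": not server_verify(
            device_key, intended, secrets.token_bytes(16), approval
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the toy is the signature of the two verify functions: `verify_sms_otp` cannot take the operation into account because the code carries no information about it, whereas `server_verify` only succeeds for the exact amount and payee the app displayed, and there is no six-digit value for the user to retype or for a phishing page to collect.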

4. High Operational Costs

Pay-Per-Message vs. Pay-Per-User

Banks encourage their customers to use digital channels regularly, to build brand loyalty and sell more financial products. SMS messages, however, are usually charged per message, so every login and every confirmation adds cost as usage grows, which makes secure access expensive precisely when digital banking succeeds. Push notifications remove that variable cost (APNs and FCM are free services) and turn the model into per-user pricing for the token app.

Interested in Your Own Mobile Token App?

Make access to all your digital channels easier for your customers with a highly secure and user-friendly means of authentication and authorizing operations — a simple mobile app for iPhone and Android. Learn more at our website: https://www.wultra.com/mobile-token


CEO and Founder of Wultra. Cybersecurity specialist, author of two security-related patents, and a passionate motorcyclist.