Our position on the use of SMS in transactional services has been that the right place to begin is with simple transaction notification. It is true that out-of-band 2FA OTP solutions might be attractive, but in practice it might be better to wait for more sophisticated mobile digital signature solutions (such as those used in Turkey, for example) so that encrypted messages can be sent to the handset for digital signing. That completes the entire authentication process in a secure out-of-band way. Why is that important? Because SMS does not offer a comparable level of security, which means that it can be, will be and has been exploited by fraudsters. Look at what happened in South Africa.
One of the banks operates a scheme that sends one-time passcodes to the customer’s mobile phone. The customer then uses the passcode to authorise an online transaction. Sounds pretty secure: how would the fraudsters be able to break into the bank’s systems and get the codes? Well, they didn’t. Like all fraudsters, they went for the weakest link. The fraudster falsely reports the customer’s SIM card stolen to the service provider. A replacement SIM card is issued, rendering the customer’s original SIM card void. What this means is that all security messages and codes sent to the customer by Standard Bank are delivered to the fraudsters, who hold the customer’s replacement SIM card. Using the bank’s secure OTP, the criminals were able to change and add beneficiaries and transfer money out of the customer’s account using the login details originally obtained through the phishing compromise.
2FA doesn’t automatically mean security.
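To make the contrast concrete, here is an added example (my own constructed simulation, not Standard Bank’s, any telco’s or any vendor’s code) that models both flows from the post: an SMS OTP that follows the SIM wherever the operator routes it, and a handset-held signing key that does not. Assumptions: the telco is a toy that routes SMS to whichever SIM is active for a number and can report when that SIM last changed; "signing" is modelled with an HMAC over a key provisioned into the customer’s handset app (a stand-in for the asymmetric mobile signature the post mentions; the property shown is only that the secret lives on the handset, not on the SIM); the phone number, transaction text and the seven-day cooldown are constructed values.

```python
"""Constructed simulation of a SIM swap against SMS OTP versus handset-bound signing."""
import hashlib
import hmac
import secrets

PHONE = "+27000000000"                       # constructed number
TXN = "add beneficiary FRAUD-ACCT; pay 50000"  # constructed transaction


class Telco:
    """Toy operator: SMS for a number goes to whichever SIM is active for it."""

    def __init__(self):
        self.active_sim = {}      # phone -> sim id
        self.inboxes = {}         # sim id -> delivered messages
        self.sim_changed_at = {}  # phone -> day the SIM was (re)issued

    def issue_sim(self, phone, sim_id, day):
        self.active_sim[phone] = sim_id
        self.inboxes.setdefault(sim_id, [])
        self.sim_changed_at[phone] = day

    def deliver_sms(self, phone, text):
        self.inboxes[self.active_sim[phone]].append(text)

    def days_since_sim_change(self, phone, today):
        return today - self.sim_changed_at[phone]


def sign(device_key, challenge, txn):
    """Handset-side 'signature': HMAC over challenge and transaction details (assumption)."""
    return hmac.new(device_key, f"{challenge}|{txn}".encode(), hashlib.sha256).hexdigest()


class Bank:
    SIM_COOLDOWN_DAYS = 7  # constructed policy: recent SIM change blocks OTP-only approval

    def __init__(self, telco, check_sim_age=False):
        self.telco = telco
        self.check_sim_age = check_sim_age
        self.pending_otp = {}   # phone -> (otp, txn)
        self.pending_sign = {}  # phone -> (challenge, txn)
        self.device_keys = {}   # phone -> key enrolled on the customer's handset

    # --- SMS OTP flow, the scheme the post describes ---
    def start_otp(self, phone, txn):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[phone] = (otp, txn)
        self.telco.deliver_sms(phone, f"OTP {otp} for {txn}")

    def authorize_with_otp(self, phone, otp_entered, today):
        otp, txn = self.pending_otp.pop(phone, (None, None))
        if otp is None or not hmac.compare_digest(otp, otp_entered):
            return "denied: bad otp"
        # Mitigation: a SIM replaced days ago is a red flag for beneficiary changes.
        if self.check_sim_age and self.telco.days_since_sim_change(phone, today) < self.SIM_COOLDOWN_DAYS:
            return "held: SIM changed recently, step-up verification required"
        return f"approved: {txn}"

    # --- handset signing flow, the alternative the post prefers ---
    def enrol_device(self, phone, device_key):
        self.device_keys[phone] = device_key

    def start_signing(self, phone, txn):
        challenge = secrets.token_hex(8)
        self.pending_sign[phone] = (challenge, txn)
        self.telco.deliver_sms(phone, f"SIGN {challenge} {txn}")
        return challenge

    def authorize_with_signature(self, phone, txn, tag):
        challenge, expected_txn = self.pending_sign.pop(phone, (None, None))
        if challenge is None or txn != expected_txn:
            return "denied: no matching signing request"
        expected = sign(self.device_keys[phone], challenge, txn)
        if not hmac.compare_digest(expected, tag):
            return "denied: signature does not verify"
        return f"approved: {txn}"


def run_sim_swap_against_otp(check_sim_age):
    """Fraudster with phished login gets a replacement SIM, then receives the OTP."""
    telco = Telco()
    telco.issue_sim(PHONE, "sim-customer", day=0)
    bank = Bank(telco, check_sim_age)
    telco.issue_sim(PHONE, "sim-fraudster", day=100)   # SIM falsely reported stolen
    bank.start_otp(PHONE, TXN)
    otp = telco.inboxes["sim-fraudster"][-1].split()[1]  # code never reached the customer
    assert telco.inboxes["sim-customer"] == []
    return bank.authorize_with_otp(PHONE, otp, today=100)


def run_sim_swap_against_signing():
    """Same SIM swap, but approval needs a key that lives on the customer's handset."""
    telco = Telco()
    telco.issue_sim(PHONE, "sim-customer", day=0)
    bank = Bank(telco)
    customer_key = secrets.token_bytes(32)  # provisioned into the handset app at enrolment
    bank.enrol_device(PHONE, customer_key)
    telco.issue_sim(PHONE, "sim-fraudster", day=100)
    challenge = bank.start_signing(PHONE, TXN)
    forged = sign(secrets.token_bytes(32), challenge, TXN)  # fraudster has no enrolled key
    fraud_result = bank.authorize_with_signature(PHONE, TXN, forged)
    challenge = bank.start_signing(PHONE, TXN)               # genuine customer on real handset
    genuine_result = bank.authorize_with_signature(PHONE, TXN, sign(customer_key, challenge, TXN))
    return fraud_result, genuine_result


if __name__ == "__main__":
    print("OTP, no SIM check :", run_sim_swap_against_otp(check_sim_age=False))
    print("OTP, SIM-age check:", run_sim_swap_against_otp(check_sim_age=True))
    print("Signing (fraud, genuine):", run_sim_swap_against_signing())
```

The first run shows the post’s point exactly: the bank’s OTP is correct and is verified correctly, yet the transaction is approved for the fraudster because delivery followed the SIM. The SIM-age check is the kind of cheap signal an operator can expose and a bank can use to hold a beneficiary change for step-up; the signing run shows why the post prefers the handset route, since the replacement SIM receives the signing request but cannot produce the tag.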
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.