[Dave Birch] Using SMS to provide an out-of-band 2FA scheme for access to online services sounds like a reasonable idea. But it depends on customers doing the right thing, and that is generally a bad idea in security terms. One study of a scheme that required customers to copy a pass code from their phone to a web page (to confirm online transactions) found that customers did not notice when the message included incorrect details. My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they will not do any of the other cross-checks; and because they think (for no good reason) that SMS is somehow secure, SMS-based approaches may be even more exposed than others. This is a shame, because it may hinder the development of mobile services, such as banking. People are increasingly comfortable with using their mobiles for banking, we all know that. According to TowerGroup, 90% of those who tried mobile banking at Bank of America have remained active, with 99% checking balances, 87% looking at transaction history, 10% making funds transfers, and 5% paying a bill. But if they begin to read in the newspapers about mobile security being subverted, those numbers will fall.

Our position on the use of SMS in transactional services has been that the right place to begin is with simple transaction notification. It is true that out-of-band 2FA OTP solutions might be attractive, but in practice it might be better to wait for more sophisticated mobile digital signature solutions (such as those used in Turkey, for example) so that encrypted messages can be sent to the handset for digital signing. This completes the entire authentication process in a secure out-of-band way. Why is that important? Because SMS does not have a comparable level of security. This means that it can be, will be and has been exploited by fraudsters. Look at what happened in South Africa.

One of the banks operates a scheme that sends one-time passcodes to the customer’s mobile phone. The customer then uses the passcode to authorise an online transaction. Sounds pretty secure: how would the fraudsters be able to break into the bank’s systems and get the codes? Well, they didn’t. Like all fraudsters, they went for the weakest link. The fraudster falsely reports the customer’s SIM card as stolen to the service provider. A replacement SIM card is issued, rendering the customer’s original SIM card void. What this means is that all security messages and codes sent to the customer by Standard Bank now go to the fraudsters, who hold the customer’s replacement SIM card. Using the bank’s "secure" OTP, the criminals were able to change and add beneficiaries and transfer money out of the customer’s account, using the customer’s information obtained through an earlier phishing compromise.
2FA doesn’t automatically mean security.
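The sequence above (SIM replaced, new beneficiary added, transfer authorised with the redirected OTP) is exactly what a bank's risk engine can look for before it sends an SMS code at all. The following is an added illustration, not code from the bank or from this post; it assumes a hypothetical feed of SIM-replacement events from the mobile operator, a three-day quarantine window that is a made-up policy value, and a constructed event log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # sim_replaced | beneficiary_added | transfer
    customer: str
    detail: str = ""

SIM_SWAP_QUARANTINE = timedelta(days=3)   # assumed policy window, not a known bank setting

def last_sim_swap(events, customer, before):
    """Most recent operator-reported SIM replacement for this customer, or None."""
    swaps = [e.ts for e in events
             if e.customer == customer and e.kind == "sim_replaced" and e.ts <= before]
    return max(swaps) if swaps else None

def otp_decision(events, customer, action, now):
    """How to authorise a high-risk action that would normally get an SMS OTP.
    Returns (decision, reason)."""
    swap_ts = last_sim_swap(events, customer, now)
    if swap_ts is not None and now - swap_ts <= SIM_SWAP_QUARANTINE:
        # An SMS OTP would go to whoever holds the replacement SIM, not the customer.
        return "hold_for_callback", f"SIM replaced {now - swap_ts} before this request"
    if action == "transfer":
        new_payees = [e for e in events
                      if e.customer == customer and e.kind == "beneficiary_added"
                      and now - SIM_SWAP_QUARANTINE <= e.ts <= now]
        if new_payees:
            # New payee followed quickly by a transfer is the sequence the fraud used.
            return "step_up", f"transfer to payee added {new_payees[-1].ts:%Y-%m-%d %H:%M}"
    return "sms_otp", "no SIM-swap or new-payee signal"

# Constructed sample log: sim_replaced events are assumed to come from an operator feed.
T0 = datetime(2009, 4, 1, 9, 0)
SAMPLE = [
    Event(T0, "sim_replaced", "cust-001", "replacement SIM issued"),
    Event(T0 + timedelta(hours=2), "beneficiary_added", "cust-001", "new payee"),
    Event(T0 - timedelta(days=30), "sim_replaced", "cust-002", "old replacement"),
    Event(T0 + timedelta(hours=1), "beneficiary_added", "cust-003", "new payee"),
]

def demo():
    """Decisions for a transfer attempted by each sample customer at T0 + 3h."""
    now = T0 + timedelta(hours=3)
    return {c: otp_decision(SAMPLE, c, "transfer", now)[0]
            for c in ("cust-001", "cust-002", "cust-003")}
```

The "hold_for_callback" outcome is the point: a code sent by SMS right after a SIM replacement is, for practical purposes, sent to the attacker, so the decision is not to send it.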

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
