Don't Ditch SMS, But Change the Way You Use It
Banks are facing a predicament in using SMS messages to help authenticate their customers. On one hand, fraudsters are targeting such systems more. On the other, it is a method customers are accustomed to using.
Banks, like many other industries, rely on SMS-based notifications as part of two-factor authentication protocols, but there is rising pressure for them to use other methods. But should they shelve it altogether? Security experts say that is probably a step too far for now.
In implementing any new fraud measures, banks must always weigh the risk of fraud versus the customer experience, said Yossi Zekri, chief executive of Acuant, an authentication technology provider.
"You have to think about the friction to the customer, along with the overall risk you are taking," he said.
Ditching text messaging and shifting to a new form of authentication would likely confuse customers, security experts say. Instead, financial institutions should take a more nuanced approach, said Rich Rezek, vice president of market development for authentication solutions for the tech vendor Early Warning.
SMS-based authentication "will still remain a tool in the tool kit" since it's inexpensive and simple for banks to set up, and something consumers are familiar with, Rezek said. But banks still need to take steps to improve how they handle two-factor authentication and SMS.
"As fraudsters start to figure out [an authentication method], then you have to evolve and take the next approach," Rezek said.
Common ways for a criminal to compromise an SMS authenticator include remotely hacking a phone and having its texts forwarded to a different phone, or to a computer via voice over internet protocol, Rezek said. In that scenario, the bank could use technology behind the scenes that observes how users behave and interact with the bank on their digital devices, and sends alerts when there are signs of fraud. For example, the technology could detect whether the device interacting with the bank is the registered one, a different mobile device or even a computer.
While fraud targeting SMS verification isn't a widespread threat, it is increasing, according to Rezek.
"It doesn't happen a lot, but when it does it is painful for both the bank and customer," he said.
But it is happening enough that the government is taking notice. For instance, in the latest draft version of its Digital Authentication Guideline, published late last month, the United States National Institute of Standards and Technology began to discourage companies from using SMS-based authentication in their two-factor authentication schemes. This includes two-factor authentication that uses one-time passwords as well as hard token or push authentication.
Also, Javelin Strategy & Research said in a report published in March on mobile wallets that this SMS-related fraud was becoming more common. "The most immediate threat will come from the interception of SMS-based one-time passwords used for enrollment in a third-party wallet app," Javelin analysts said in the report. "Mobile malware can intercept and redirect SMS texts to a device controlled by fraudsters, or fraudsters could simply log in or call to make changes to the victim's mobile carrier account and institute phone forwarding."
But when deciding to take any fraud measures, banks first should weigh the risk of potential fraud in different scenarios, rather than taking one across-the-board measure, said Chris Thompson, senior managing director for Accenture's cyber risk and resilience practice.
For example, they may not need to completely phase out SMS-based authentication for individual customers, but an internal systems administrator should not be using this method to access any of the bank's systems for a commercial account, he said.
Fraudsters "probably are more likely to target individuals inside companies and governments that have access to lots of important data," Thompson said. "But ultimately, a bank needs to look at fraud losses and where they occur, and make that determination. There's no one perfect way to authenticate, you always need some combination of factors."
Regarding text messaging, Thompson said there are likely more secure authentication methods to replace it, such as using an application for authentication. (Google's Gmail, among others, offers this authentication option.) But in that scenario customers then have to download the app, forcing them to take additional measures and log in in an unfamiliar way, which may erode the customer experience, he said.
Zekri says authentication eventually will move to combining a physical element, such as a driver’s license that can be imaged and sent, along with a biometric authenticator.
"If you can combine the physical and the biometric in some way, you'll have a pretty good solution," he said.