Are your SMS One Time Passwords putting your business and users at risk?
Four Star’s SMS Solution
May 3, 2021
Are your SMS One Time Passwords putting your business and users at risk?
What is SCA and why does it matter?
Strong Customer Authentication (SCA) is a Payment Services Directive 2 (PSD2) requirement that has the two-fold objective of making online transactions more secure and reducing the threat of fraudulent activities (European Banking Authority recital 95). SCA is an essential requirement of PSD2 that aims to combat the increasing security risks relating to electronic payments in the EU which threaten to undermine the development of a secure environment for e-commerce to prosper.
Under PSD2, and as reiterated in the Regulatory Technical Standards (RTS), SCA is defined as an authentication based on the use of two or more elements categorised as knowledge, possession, and inherence. These elements are required to be independent to one another, in that the breach of one does not compromise the reliability of the others. They also must be designed in such a way as to protect the confidentiality of the authentication data.
SCA requires consumers to provide at least two of the following elements
- Something they know: This knowledge requirement can be a password, PIN, or an answer to a security question
- Something they have: This possession requirement can include a mobile device that has been evidenced by a One-Time Password (OTP) or through a signature generated by a device (hardware/software token)
- Something they are: This inherence requirement includes biometrics such as fingerprint scanning and face geometry.
Why your SMS OTP’s are not compliant
Under PSD2, possession is defined as ‘something only the user possesses’ with a device such as a mobile phone being used as evidence of possession (EBA, 2019). This is provided that there is a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device. Evidence in this context could be provided through the generation of a One-Time Password (OTP) whether generated by a piece of software or by hardware, such as a push notification or a text message (SMS). In relation to an OTP being delivered via SMS, the possession element would not be the SMS itself but rather the SIM-card that is associated with the respective mobile number.
According to the European Banking Authority (EBA), OTP’s are only SCA compliant when there is enough certainty that the person receiving the OTP is also in possession of that mobile device, more specifically the SIM card.
Vitally, it is not the OTP that classifies as the ‘something a person has’ component but rather the SIM that qualifies this as SCA compliant. The OTP is simply used to confirm that the individual has the SIM in their possession.
The risks of One-Time Passwords
One-Time Passwords are one of the most popular forms of SCA that can be sent to a user’s phone number and then entered before completing a transaction. This does not mean that they come without risk however as they simply do not offer enough security by way of verifying a user’s identity. These OTP’s are often easily intercepted if the SIM card has not been checked at the mobile phone network level to ensure the possession of the mobile number has not been compromised. Without this check, fraudsters can intercept these OTP’s through an attack known as SIM-Swap fraud.
The dangers of not actively checking a user’s SIM card
If a business does not check a user’s SIM card to ensure their continuity of possession, they run the risk of exposing their users to the increasing threat of SIM-Swap attacks. More specifically, a fraudster has the ability to steal a person’s mobile phone number through impersonating that user’s identity and having the victim’s phone number transferred onto a device in the fraudster’s possession. This provides the attacker with access to OTP’s which have not yet been validated. This also enables access to password-reset capabilities which can be devastating for both the victim and the business by way of hefty financial penalties.
Businesses need to be aware that the compliance element to satisfy SCA is not the OTP contained within an SMS but rather the SIM card associated with the mobile phone number. If companies are not actively monitoring their user’s SIM card, and not validating OTP requests, they are exposing themselves to non-compliance and do not align with current EBA rulings. By validating your users SIM-card, you are protecting your business against large fines and you are shielding your users against SIM-Swap fraud which is on the rise across Europe.
Phonovation can guarantee protection against these attacks in the Irish market
Phonovation’s innovative FinTech solution complies with PSD2 to protect your business and users against SIM-Swap fraud by providing real-time data on the status of a mobile SIM via a secure connection into the mobile network. Our patented Mobile ID service, introduced in 2014, was the first to be offered globally and has successfully eliminated SIM-Swap fraud in the Irish banking sector.
Our Mobile ID solution converges mobile and client networks to ensure that financial institutions, FinTech, and KYC companies can validate and authenticate identity directly at the mobile phone network level.
To find out more, contact us through sales@phonovation.com or call us on +353 (1) 284 30 11.
