The text factor – the dangers of SMS authentication

In this guest post, Keiron Dalton, Senior Director of Customer Strategy and Innovation at Aspect Software, shares his thoughts on the issues surrounding SMS authentication and what needs to be done to make them safer.


Towards the end of last year, the European Parliament formally adopted the revised Payment Services Directive (PSD2) for online transactions. The following regulations looked to boost the protection of payments by requiring that providers use more sophisticated identity authentication techniques, to defend against the increasing fraud landscape.

The ruling meant that payment services providers (PSPs) are now required to use multiple methods of authenticating someone’s identity before payments can be completed. The rules state the two or more methods of authentication must be independent so they cannot be compromised by one another. For instance, a bank could require a card reader to accompany an account password, to make sure that two separate verification processes protect customer data.

These rules have already brought about some big challenges for banks and PSPs. No longer can online payment portals or apps be based purely on speed with some basic protection for the customer, but they also now need to seriously evaluate how secure their systems actually are, and how they are actively protecting consumer interest. Although these regulations will rightly encourage banks and PSPs to focus more on security when it comes to mobile and online banking, it may compromise both the customer experience and potentially open routes to newer, more sophisticated types of fraudulent activity. Chief among these malicious undertakings – and one that is growing in prevalence – is SIM Swap.


SIM Swap

SIM Swap relies upon the inherent vulnerability of SMS communication, and occurs when someone unlawfully obtains an identical SIM card, which re-directs communications away from the intended recipient and towards the fraudster. No level of multi-factor authentication will be able to provide protection against this kind of attack; if banks use one-time passwords through SMS at any point in the process they are protecting their customers’ payment with an easy to compromise tool. Victims may not find out until it is too late, leaving their accounts vulnerable and open to attack from fraudulent individuals.

The difficulty for payment providers, however, is that SMS authentication is relatively pain-free for customers. Nearly everyone has a phone of some kind, with Ofcom finding that 93 per cent of adults personally own a mobile device, so identity verification through SMS would remove the need for a separate hardware token or card reader.


Banks are between a rock and a hard place

As a result, banks are somewhat between a rock and a hard place. Customers demand security in their transactions, naturally – their data and finances are private and valued, and so they are keen for their PSPs to provide a safe procedure for making payments or transactions. However, the prevalence of high quality user experiences in many facets of modern life (smartphone interface designs, for instance) has made modern consumers increasingly savvy to convenience of different technical processes. Consumers have flocked to the use of apps that enable them to self-serve with companies they frequently interact with, because they are deemed to be easier and faster than face-to-face, or telephone. They are increasingly less likely to tolerate high-friction or low-convenience activities.


The importance of the customer experience is rising

The importance of the customer experience is rising in relation to customer loyalty and profitability, and there is an overall greater expectation for higher convenience when using mobile devices. Now is the time for banks to turn to unobtrusive and advanced technologies to better protect customers. This can be achieved, and has been by at least one bank in the UK, using background checks using mobile data, which can be performed by the contact centre. SIM Swap detection can be run imperceptibly to the customer, and offers an extra layer of identity authentication for complex transactions. Divert and location detection tools are also useful for better protecting customers against fraud, by recognising when SMS messages are being diverted from the intended SIM card and alerting customers through alternate channels. Layering verification in this way offers the best protection to date against fraud. However, no method is future proof and foolproof; hackers are getting more and more aware of how to bypass outdated security measures.

It’s therefore clear that banks need to seriously consider how to best implement the payment procedures demanded by the PSD2 ruling. While SMS authentication is a convenient method of verification for modern customers, without rigorous security tools this practice could leave user data vastly insecure.

It is a business imperative that banks and PSPs establish these safety procedures. Without them in place, they will surely lose business to competitors offering secure and highly convenient payment options.


Keiron Dalton, Senior Director of Customer Strategy and Innovation at Aspect Software

Related reading

Leave a comment