Aspect Warns Banks of SMS OTP Vulnerability

Natwest appMobile banking is increasingly popular, but the use of SMS for one-time passcodes is open to SIM Swap fraud. 

Mobile banking customers are at risk of financial fraud if banks continue to use SMS alone to send one-time passcodes (OTPs) to mobile devices, in order to authenticate transactions. So says Aspect Software, which acknowledges that this type of two-step authentication has been popular due to its ease of use and lack of disruption for the customer, but now says it leaves mobile banking customers too exposed to the risk of SIM Swap fraud.

“This weekend, BBC Radio 4’s Money Box programme demonstrated just how easy it is for criminals to permeate mobile banking security processes, and potentially transfer large sums of money from a customer’s account,” said Keiron Dalton, senior director of customer strategy & innovation at Aspect. “Genuine contact centre recordings from an online banking customer in the UK exposed the concerning simplicity of how someone was able to verbally convince an agent working for a mobile network operator to ‘swap’ the customer’s registered SIM card to one in their possession. Any OTPs generated from online or mobile transfers initiated by the fraudster would then go to their new SIM card, enabling them to authenticate and complete the transaction process.”

According to guidelines from the European Banking Authority (EBA), banks and payment service providers (PSPs) must use at least a two-factor authentication for complex transactions such as payments. But Dalton strongly recommends that if SMS is used as part of this, the provider must deploy extra context checks, such as divert detection, location-based checks using GPS, and SIM Swap detect via the contact centre.

“The industry is of course nervous about making the customer journey any more complex or time-consuming, especially since mobile banking apps in particular are designed to fit into modern, busy lifestyles and be quick and easy to use. But context checks to detect SIM Swap attempts can be performed in the background, causing no disturbance to the seamless user experience many banking customers in the UK are used to today,” Dalton said.

He advised: “Many banks and PSPs should be re-thinking their current online and mobile security processes, as well as reviewing the user journey when using such services. They should also pay attention to any increased risk surrounding channel choice when it comes to authentication processes; is a quick and easy mobile banking app better than a secure one?

“Banks need to work to retain the ease-of-access approach that has become such a key component of modern banking, but also take responsibility for the protection of their customers. I believe that in fact we may see the Big Four and others working together alongside mobile network operators to ensure this happens.”

Note: Since this post was published, Aspect Software and Noble Systems merged, in 2018, to form Alvaria.