
Using SMS OTP as 2-Factor Authentication in Banking and Financial Apps

September 9, 2022

Authentication via SMS OTP is considered outdated because of its higher overall cost, low user convenience, and insufficient regulatory compliance in specific geographic regions, but primarily for practical security reasons.

Banks and financial institutions should phase out this method and replace it with more secure user authentication, such as authentication via mobile app or hardware token. This post summarizes the main areas that should motivate organizations to move away from authentication via SMS OTP.

Security

Phishing Attacks

Because end users must retype the authentication code from an SMS message into a browser or a mobile app, the code itself becomes a perfect target for fraudsters. By convincing the user to hand over the SMS code, whether through a phishing site or social engineering, attackers can gain full access to and take control of the customer's account.

SIM Swapping Attacks

By relying on SIM cards, banks effectively outsource part of their security process to telcos, who have no contractual obligation to the bank to get that process right. As a result, telcos may issue replacement SIM cards to fraudsters because of insufficient KYC or identity checks.

Android Platform Features

Android is a very open platform with many features that can potentially be misused. Banker malware can read the contents of SMS messages via accessibility services intended for people with vision impairment. Malicious applications can also intercept SMS messages through SMS reading permissions or hide behind the SMS messenger app itself (a successful tactic of the Joker malware, often found on Google Play).

Insecure Telco Infrastructure

The protocol behind SMS is antiquated, and so is the infrastructure that runs it. SMS messages may travel through the cellular network unencrypted, and they may be stored unencrypted in telco databases or logs.

Regulatory Compliance

Insufficient 2nd Factor

Some legal frameworks, such as the European PSD2 legislation or "Law No. 7192" in Turkey, have made using SMS OTP for authentication in financial services problematic. The way SMS OTP works does not allow a straightforward implementation of several mandatory features. While authentication via SMS OTP is still used by banks and tolerated by regulatory bodies, legal frameworks generally follow expert recommendations and push banks and financial institutions towards the end of life of this authentication method.

User Convenience

Important Data Hidden In Plain Text

Text in an SMS message is not formatted, so identifying the important data is difficult. This makes the method harder to use when the user reviews the attributes of the action to be confirmed. The user becomes more susceptible to phishing attacks, blindly retyping the code from the SMS into a phishing site and accidentally approving an incorrect operation.

Need to Rewrite Codes

To use SMS OTP, the user has to retype the code into the web application. This introduces unnecessary friction into the user experience and can even result in authentication errors due to typos, forcing the user to repeat the authentication attempt.

High Operational Costs

Pay-Per-Message vs. Pay-Per-User

Banks encourage their customers to use digital channels regularly to improve brand loyalty and increase sales of financial products. However, SMS messages are usually charged on a per-message basis, which makes secure access expensive when customers use digital banking regularly. Using push messages removes this cost (APNs and FCM are free services) and turns the model into per-user pricing.

Learn More About Replacing SMS OTP

We will help you move away from SMS-based authentication towards stronger, cryptography-based authentication via a mobile app.
