Using SMS OTP as 
2-Factor Authentication in Banking and Financial Apps

Authentication via SMS-OTP is considered outdated because of higher overall costs, low user convenience, insufficient regulatory compliance in specific geographic regions, but primarily for practical security reasons. 

Banks and financial institutions should phase out this method and replace it with more secure user authentication, such as authentication via mobile app or hardware token. This post summarizes the main areas that should motivate organizations to move away from authentication via SMS OTP.

Security

SIM Swapping Attacks

By relying on the SIM cards, banks effectively outsource their security processes to telcos, who have no contractual obligation to have their processes right. As a result, telcos may issue replacement SIM cards to fraudsters due to insufficient KYC/identity checks.

Android Platform Features

Android is a very open platform with many features that can be potentially misused. Banker malware can read the contents of SMS via accessibility services intended for people with vision impairment. Malicious applications can also intercept SMS messages through SMS reading permissions or hide directly behind the SMS messenger apps (a successful tactic of the Joker malware, often found on Google Play).

Insecure Telco Infrastructure

The technological protocol behind SMS is antique, as well as the infrastructure that runs it. SMS messages may travel through the cellular network unencrypted, and they may be stored unencrypted in the telco databases or logs.

Regulatory Compliance

Insufficient 2nd Factor

Some legal frameworks, such as the European PSD2 legislation or "Law No. 7192" in Turkey, made using SMS OTP for authentication in financial services problematic. The way SMS OTP works does not allow a straightforward implementation of several mandatory features. While authentication via SMS OTP is still used by the banks and tolerated by the regulatory bodies, legal frameworks generally follow the recommendations by experts and push banks and financial institutions towards the end-of-life of this authentication method.

User Convenience

Important Data Hidden In Plain Text

Text in SMS messages is not formatted, and hence recognizing the important data is complicated. This makes the method harder to use while reviewing the attributes of action to be confirmed. The user can be more susceptible to phishing attacks by blindly rewriting codes in SMS into a phishing site, accidentally approving incorrect operations.

Need to Rewrite Codes

To use SMS OTP, the user has to rewrite the code back to the web application. This introduces unnecessary friction to the user experience and can even result in authentication errors due to typos, forcing the user to repeat the authentication effort.

High Operational Costs

Pay-Per-Message vs. Pay-Per-User

Banks motivate their customers to use digital channels regularly to improve brand loyalty and increase financial products' sales. However, SMS messages are usually charged on a per-message basis, making secure access expensive when customers regularly use digital banking. Using push messages removes the costs (APNs and FCM are free services) and turns the model into per-user pricing.

Interested in Your Own Mobile Token App?

Make access to all your digital channels easier for your customers with a highly secure and user-friendly means of authentication and authorizing operations - a simple mobile app for iPhone and Android. Leave us your e-mail address, and we will contact you shortly.