An open letter to banks on SMS Authentication
by Chris Stephens

Today, thanks to regulatory pressure, especially in Europe, and increased security measures, banks must offer their customers additional levels of authentication such as two-factor authentication (2FA) and multi-factor authentication (MFA). Because the software needed to deliver it is relatively easy to implement and install, text (SMS) verification has become the global de facto second factor, and as a result banks rely on this method above all others to authenticate their customers. However, the reality is that SMS should not be the default option for banks. Here’s why:


SMS is one of the most expensive methods for banks to use. Not only are they spending millions of dollars with communications providers and API platforms to securely direct customers to text verification, but when that aspect of the authentication journey goes wrong for any reason, customers often end up calling the customer service number (call center), resulting in even higher costs for the bank. Merchants and card issuers also face an opportunity cost when users can’t complete the required authentication steps.


Because fraudsters know that banks rely almost wholly on SMS for 2FA transactions, they can continue to weaken the systems in place and exploit these methods for their own benefit. SIM swap fraud is one of the most common methods fraudsters use at the moment: cybercriminals gather personal information about a target and then contact the victim’s provider, claiming that the phone has been lost or stolen. They then convince the telephone provider to authorize the transfer and activate the number on a new SIM. From that point, the threat actor can access all one-time passwords and authentication codes sent to the user’s number via SMS.

But SIM swapping is not the only scheme fraudsters use to obtain one-time passwords (OTPs). Multiple parties are involved in delivering an OTP, so there is a potential attack surface for interception at each of those levels. Attackers also intercept SMS OTPs via malware that sits on the user’s handset and automatically forwards messages on to another user. Because of this, banks should have a clear view of all data sub-processors and ensure each has appropriate security controls in place (e.g., multi-factor authentication (MFA) for access to logs and dashboards). Additionally, all telephone numbers should be automatically redacted to minimize the impact of data breaches.


SMS authentication is ultimately not very customer friendly and is filled with friction. Consider the ~30 seconds of transaction time for the text to go through, as opposed to nearly instant biometric authentication. SMS is far from instant. In addition, users in remote or low-service locations may struggle to receive their texts, meaning SMS authentication is simply unavailable to them. Finally, the quality of the experience depends on which device is the customer’s preferred or default device. Certain generations of Apple Watch without SIM cards, for example, may not even receive the SMS from the bank, since it isn’t coming from an iMessage/iCloud account. In that case, customers would need to have their phone in hand to authenticate themselves.

So, what is the solution? To mitigate the high costs of SMS and provide a better overall customer experience, banks should deploy intelligent authentication driven by a business-aligned decision engine, which will let them deliver a range of more secure, dynamic and personalized journeys for customers. There are other, passive forms of authentication, which leverage location, biometric and behavioral data to ensure a customer really is who they say they are.

Topics: Mobile Banking, Security

Chris Stephens

Chris Stephens is the Head of Fraud and Security Analytics at Callsign. He is an experienced financial crime consultant with proven expertise in delivering complex analytical solutions to financial services institutions in the UK, Europe, Asia and the US.
