With this week’s news that a long known flaw in the SS7 mobile network communications protocol has been used to undermine SMS one-time passwords (OTP) and facilitate bank fraud, another viable threat has been added to the list of considerations FIs must make when aligning risk with authentication choices.  So the question now becomes, has the list of known weaknesses become too long and subsequently too expensive to combat?  Is retirement in the near future for SMS OTP?

Here’s what SMS OTP is up against:

Vulnerability #1

Interception in the browser can be facilitated by malware or remote access without the accountholder being aware.

Vulnerability #2

Interception by mobile malware is a functionality that has become practically ubiquitous among all types of mobile banking malware (and part of a $221 billion dollar risk factor in the U.S. alone).

Vulnerability #3

Social engineering, where consumers are convinced by criminals to walk through a false scenario and relay a one-time password sent to their mobile devices.

Vulnerability #4

Mobile account takeover, where criminals obtain access to a consumer’s mobile phone account to have text messages redirected (and which nearly doubled in occurrence between 2015 and 2016).

Vulnerability #5

SS7 redirects have recently proven to be a very real concern when criminals managed to have SMS OTPs rerouted with assistance from a rogue telecom provider.

Now, managing for risk with authentication should always be considered on a scale.  If security alone was the only consideration we would have dumped passwords long ago, but it’s not.  And this SS7 redirect threat isn’t exactly a knockout blow, but with the list of vulnerabilities getting longer it would seem that SMS OTP is that much closer to hitting the canvas. 

It is as it has ever been.  With every new attempt to institute a protection there are subsequent efforts to overcome the steps we take.  For every champion, a challenger.  And it is only a matter of time.


About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Senior VP of Research and Head of Fraud & Security. As SVP of Research, he oversees the firm’s operations and ensures that Javelin’s research content provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to media outlets such as American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. He earned a Bachelor of Arts degree in History from the University of South Florida.

Stay in Touch!