With this week’s news that a long-known flaw in SS7, the signalling protocol mobile carriers use to route calls and text messages between networks, has been used to intercept SMS one-time passwords (OTPs) and facilitate bank fraud, another live threat has been added to the list financial institutions (FIs) must weigh when aligning risk with their authentication choices. So the question now becomes: has the list of known weaknesses grown too long, and therefore too expensive, to defend against? Is retirement in the near future for SMS OTP?
Here’s what SMS OTP is up against:
Vulnerability #1
Interception in the browser, where malware or a remote-access tool on the accountholder’s computer captures or relays the OTP during the online session, without the accountholder being aware.
Vulnerability #2
Interception by mobile malware, where reading incoming text messages has become practically standard functionality across all types of mobile banking malware (and is part of a $221 billion risk factor in the U.S. alone).
Vulnerability #3
Social engineering, where criminals talk consumers through a false scenario and convince them to read back a one-time password that was just sent to their mobile device.
Vulnerability #4
Mobile account takeover, where criminals gain control of a consumer’s mobile phone account (typically by having the number moved to a SIM or carrier under their control) so that text messages are redirected to them; this type of takeover nearly doubled in occurrence between 2015 and 2016.
Vulnerability #5
SS7 redirects, which have recently proven to be a very real concern: criminals with access to the SS7 signalling network, obtained in this case with the assistance of a rogue telecom provider, had the OTP-bearing text messages rerouted to themselves inside the carrier network, without touching the victim’s phone or computer at all.
Now, managing risk with authentication should always be considered on a scale. If security were the only consideration we would have dumped passwords long ago, but it isn’t. And this SS7 redirect threat isn’t exactly a knockout blow; what makes it different from the first four is that it attacks the transport rather than the endpoint or the user, so endpoint anti-malware and customer awareness do nothing against it. With the list of vulnerabilities getting longer, it would seem that SMS OTP is that much closer to hitting the canvas.
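What "risk on a scale" looks like in practice is a step-up policy that keeps accepting SMS OTP where it is still good enough and demands a stronger factor where the weaknesses above apply. The following is an added example, not code from the original post; the factor names, signal fields, weights and dollar thresholds are all hypothetical and exist only to show how the five weaknesses map onto concrete decision rules (recent SIM change for mobile account takeover, session anomaly for browser or mobile malware, a value ceiling because SS7 rerouting cannot be detected at the endpoint).

```python
"""Risk-tiered step-up policy that treats SMS OTP as a weak, conditional factor.

Added example, not from the original post. Factor names, signal fields,
weights and thresholds are hypothetical and illustrative only.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Factor(Enum):
    PASSWORD = "password"
    SMS_OTP = "sms_otp"            # proves control of a phone number, not a device
    APP_PUSH = "app_push"          # confirmation in an enrolled, device-bound app
    HARDWARE_KEY = "hardware_key"  # phishing-resistant authenticator (e.g. FIDO2)


@dataclass(frozen=True)
class AuthContext:
    """Signals available when a transaction is authorised (hypothetical fields)."""
    amount_usd: float
    new_payee: bool = False
    new_device: bool = False
    # Days since the carrier reported a SIM swap or number port; None = no such event.
    days_since_sim_change: Optional[int] = None
    # Set by web/mobile telemetry when injected content or a remote-control tool is seen.
    session_anomaly: bool = False


# Hypothetical tuning constants.
SMS_OTP_MAX_AMOUNT = 10_000.0   # above this, SMS may never be the only second factor
SIM_CHANGE_COOLDOWN_DAYS = 7    # SMS is distrusted this long after a SIM swap / port-out


def recent_sim_change(ctx: AuthContext) -> bool:
    """True if the number moved recently enough that an attacker may hold it."""
    return (
        ctx.days_since_sim_change is not None
        and ctx.days_since_sim_change < SIM_CHANGE_COOLDOWN_DAYS
    )


def risk_score(ctx: AuthContext) -> int:
    """Additive risk score; the weights are illustrative, not calibrated."""
    score = 0
    if ctx.amount_usd >= 1_000:
        score += 2
    if ctx.amount_usd >= SMS_OTP_MAX_AMOUNT:
        score += 2
    if ctx.new_payee:
        score += 2
    if ctx.new_device:
        score += 2
    if recent_sim_change(ctx):
        score += 3  # mobile account takeover: the OTP would reach the attacker
    if ctx.session_anomaly:
        score += 3  # malware in the browser or on the phone can read the OTP
    return score


def sms_otp_acceptable(ctx: AuthContext) -> tuple[bool, str]:
    """Whether SMS OTP may serve as the second factor, with a reason for audit logs."""
    if recent_sim_change(ctx):
        return False, "recent SIM change: SMS may be delivered to an attacker"
    if ctx.session_anomaly:
        return False, "session anomaly: an in-session OTP can be intercepted or relayed"
    if ctx.amount_usd >= SMS_OTP_MAX_AMOUNT:
        return False, "high value: SMS transport can be rerouted (SS7) without endpoint compromise"
    return True, "no SMS-specific risk signal"


def required_factors(ctx: AuthContext) -> tuple[tuple[Factor, ...], str]:
    """Map a transaction context to the factors to demand, plus the reason."""
    score = risk_score(ctx)
    if score < 2:
        return (Factor.PASSWORD,), f"score={score}: low risk, password only"
    sms_ok, why = sms_otp_acceptable(ctx)
    if score < 5 and sms_ok:
        return (Factor.PASSWORD, Factor.SMS_OTP), f"score={score}: {why}"
    if score < 8:
        return (Factor.PASSWORD, Factor.APP_PUSH), f"score={score}: {why}"
    return (Factor.PASSWORD, Factor.HARDWARE_KEY), f"score={score}: {why}"


if __name__ == "__main__":
    # Constructed sample transactions, not real data.
    samples = [
        AuthContext(amount_usd=50.0),
        AuthContext(amount_usd=500.0, new_payee=True),
        AuthContext(amount_usd=2_000.0, new_payee=True, days_since_sim_change=2),
        AuthContext(amount_usd=50.0, session_anomaly=True),
        AuthContext(amount_usd=15_000.0, new_payee=True, new_device=True),
    ]
    for s in samples:
        factors, reason = required_factors(s)
        print([f.value for f in factors], "<-", reason)
```

The point of the structure is that SMS OTP is never disqualified by the risk score alone but by the specific signals that defeat it, so a low-value transfer still gets a text message while a SIM-swapped account or a flagged session is routed to a device-bound or hardware factor regardless of amount. Note that on a phone already running banking malware a push confirmation in an app on that same phone is not a clean fix either; a real policy would feed the session-anomaly signal into the choice of out-of-band channel as well.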
It is as it has ever been. With every new protection we put in place, there are subsequent efforts to overcome it. For every champion, a challenger. And it is only a matter of time.