Why Banks Need to Stop Using SMSs and Push Codes

Most banks today use SMS as their second authentication. SMS is not solely widespread in the BFSI. Other sectors also rely on this authentication for many operations, such as restoring access, approving some actions, confirming device linking and so on.

For customers, their SIM card becomes a life key now that it is linked to all daily digital services, such as email, Google account, Apple ID account, Facebook, Twitter, and so on. It’s not a big deal if customers use SIM cards for access to social media. Only when customers use SMS to manage their

However, when customers use SMSs to manage their financial life, that's where problems arise.

To be clear, a modern "hacker" is not a lone individual wearing large spectacles. "Hacking" is a well-organized high-tech criminal enterprise with top executives, brain centers, performers, informers, and other personnel. The primary purpose of this company (like with other businesses) is to make money and expand.

Managers who are "hacking" realize that "real money" is kept in banks. Customers of a bank do, in fact, have remote access to manage and move money across accounts. As a result, all these hackers require is a tool to acquire access on behalf of a legitimate consumer. They are subjected to security checks here.

Assume that a bunch of hackers obtained (from someplace) the necessary credentials to gain access to a customer's account. It doesn't matter if it's payment card information, logins, or passwords for remote banking, or an account from a FinTech provider. They must pass a second authentication factor in order to transfer money. If a bank or FinTech provider uses SMS or push codes to offer services, they must be aware of this.

Three cases where SMS codes present a security risk

Let's take a look at how an SMS code may be intercepted and transmitted to the "hackers."

Hacker groups generate viruses and malware in this type of hacking. Spam, infected sites, bogus program repositories, keygens, activators, "hacked" purchased software, and other methods will be used to distribute this virus to client devices.

This virus gets access to the victim's SMS content after being installed on a customer's smartphone (particularly one based on Android).

When we speak of SMS, we are referring to a technology that was developed in the 1970s. The world had changed, and the security dangers had changed as well. It's amusing to think that lucrative SMS security risks started in 2017, just around the time they became the de-facto norm as a second authentication factor. Today, you can intercept any SMS in the globe with technology that costs under $1500. Independent researchers discovered a flaw in the SS7 protocol, making it conceivable. SMS messages are sent using this protocol. Googling "SS7 attack" can yield a wealth of information.

By the way, this sort of assault targeted a major German bank. You can also learn more about this event.

There are two key strategies in this mechanism: SIM switching and social engineering.

• SIM switching is a pretty easy process. A wicked individual, generally with the assistance of a mobile network provider accomplice, replaces a sim card with a new one that contains the same phone number. That is all there is to it. The "key to your life" is in the wicked person's possession after this manipulation.

The customer will see that their sim card has been exchanged. Resetting your digital services and moving all of your cash from your bank account, on the other hand, takes only 10 minutes.

Of course, when a sim card is replaced, the mobile network operator can notify the bank. "IMSI check" is the name of this service. It is not free. Customers' risks are not something that many banks are willing to pay for.

• Conversation with a consumer is what social engineering is all about. When a malevolent individual contacts a consumer and says anything along the lines of "Hello, this is your bank's security service." Have you made this shady transaction in order to move all of your funds? No? Please tell me the one-time-password in the SMS message you just got if you want to decline." As soon as the consumer says the code, you can imagine what will happen. There are a variety of social engineering strategies available. We've heard of customers who moved all of their money to an ATM by hand, without using any codes. But the point is that if a client has something to say, it will be said by the nasty individual.

Okay, we quickly and superficially discussed how "hackers" can intercept confirmation codes. We must understand that a portion of each stolen dollar (or rupiah, or baht, or yen, or won, or ringgit) will be spent on developing these mechanisms, such as developing more advanced malware, sending more spam, implementing SS7 interception within various ingress points, and hiring psychologists for social engineering scripts, among other things. "By design," SMS texts are not secure.

The Legal Aspects of OTP SMS Messages

A couple of additional thoughts concerning legal perspectives worth mentioning.

1. The majority of the time, a one-time password is not related to the transaction's information, as we've seen. This implies that a password used for one transaction can be used to confirm another. You can't verify that you confirmed a transfer of "$10 to Alice" but not "$1000 to Eva" as a client. It may be a major issue.
2. At the same time, as a client, you have the option of going to your bank and requesting that they "return your money for this specific transaction." "I have not verified this operation, you conducted it instead of me, since you knew the confirmation code before me, you invented it," you might answer if they ask why. And the mobile network provider was well aware of the situation. The SMS message aggregator was aware of this. This code was sent to me, but I did not use it. 

This implies that SMS message codes are also not safe from a legal standpoint.

What about the use of push codes?

The internet, not cell networks, is used to send push codes. On the surface, it appears that they are more secure on a mobile phone. Actually, it's not true.

1. Techniques. It's as simple as stealing SMS messages to steal push notifications from smartphones.
2. Technology. The owner of the smartphone platform — generally Google or Apple – sends push alerts. If you read Google and Apple's developer agreements closely, you'll notice that transmitting personal information "including bank passwords" through push notifications is strictly prohibited. This implies that third parties will be able to see push stuff, such as SMS messages.
3. Social. Push codes are as simple to type as SMS texts. There's no difference. However, push has one advantage: SIM changing is not possible.

From a legal standpoint, there is no distinction between SMS messages and push codes.

As a result, these two technologies have the same level of security.

PayConfirm - A More Secured, User-friendly Authentication Solution 

It is critical to give a better user experience to your clients in this era of digital transformation. When connecting with your services, the customer has the option of using the Internet or a mobile app, a kiosk, or face-to-face interaction. The most important goal is to provide an opportunity that is both straightforward and secure. Without a doubt, forcing your customers to utilize antiquated methods to confirm transactions, such as SMS OTP (one-time password), push notifications, hardware or software OTP generators, static PINs, or even scratchcards, is unworkable.

PayConfirm is an omnichannel solution, allowing you to authenticate any digitally produced transaction with a single tap. It's simple and safe, and you can do it directly from your mobile app. Whether the transaction was made through the Internet, on a mobile device, or at a kiosk, it will be validated on your mobile app with the greatest degree of security.

PayConfirm may be simply integrated into a banking mobile app or used as a standalone application.