CONSUMERS have long been familiar with SMS-based one-time-passwords (OTPs) as a method of authenticating transactions and account activities.
Its duration in the market, however, has exposed itself to new vulnerabilities that were previously unconsidered.
Innov8tif Solutions supports Bank Negara Malaysia’s (BNM) initiative to do away with SMS OTPs, urging for more secure authentication methods.
Malaysia is not the only one considering the switch, with central banks from Singapore and Philippines pursuing similar initiatives as well. This is mostly due to a new wave of hacking attempts targeting financial accounts that have successfully bypassed the need for SMS OTPs and daily transaction limits.
Local companies are now at a crossroads – either to support this legacy system or transition towards better authentication methods.
Are OTPs obsolete?
Not exactly. Let us consider the merits that made OTPs practical in the first place.
Unlike passwords, OTPs are:
- Only generated upon transaction initialisation;
- Only valid for one-time use;
- Only valid for a short duration, usually under a few minutes, and;
- Functions as a barrier against fraudsters beyond account access.
With these factors in mind, the vulnerability does not lie within OTPs as a security measure but SMS as the delivery channel.
Challenges with SMS OTPs
There are many apps today that can automatically retrieve OTP codes stored within SMS, removing the user’s need to switch between apps and memorising the six-digit codes.
However, fraudsters can also leverage this exploit, tricking users into downloading third-party apps from dubious sources. Fraudsters can then retrieve OTP codes from the victim’s phones while remaining undetected.
SMS-based OTPs are also costly to implement, requiring telecommunication infrastructure and services provided by third-party providers.
These also represent additional vulnerability points that can be exploited by cybercriminals.
Besides that, the accountability narrative behind SMS OTPs is flawed: fraud victims are often blamed for sharing OTP codes, even though victims were subjected to social engineering tactics or did not share the OTP codes at all.
Arguably, service providers play a more important role in the combat against fraud by implementing more secure authentication systems.
Finally, SMS-based OTPs are limited by design – they are only able to validate the user’s ownership of the registered mobile phone number, which is relatively easy to spoof.
This also only represents one out of the three total authentication factors:
- What the user owns (eg. mobile phone number, device binding and ID authentication)
- What the user knows (eg. passwords or security questions)
- What the user is (eg. thumbprint recognition or facial recognition)
Overcoming SMS limitations
The truth is: SMS-based OTPs are ancient in innovation terms.
Hardware and software tokens have taken center stage in recent years, and have proven to be a reliable authentication method. These methods also rely on OTPs in one form or another.
However, these methods also have their own sets of challenges. For instance, hardware tokens are just as expensive to implement and distribute, with the devices prone to being misplaced or lost.
Software tokens, on the other hand, require users to download an additional app and are just as vulnerable to social engineering or phishing tactics.
Today, push notifications are the current go-to method – sometimes called passwordless authentication or frictionless authentication.
From the user’s perspective, it is just a simple tap on the screen. However, complicated and cryptographic elements are running in the background to ensure that the transaction is properly authenticated.
Technical details and compliance standards can be found here: FIDO and EMV3DS.
Customer ID authentication (CIDA) ecosystem
To be frank, authentication issues go beyond SMS OTPs and the entire authentication system as a whole.
What Innov8tif wishes to highlight is the industry’s need for a holistic Customer ID Assurance (CIDA) ecosystem. This is due to several key reasons:
- Current CIDA systems are heavily focused on silo-ed technology, not processes. For instance, username and password systems are managed separately from electronic-know-your-customer (eKYC) systems.
- SMS OTPs are not the first nor will they be the last form of secured authentication targeted by regulators. Companies today require solid foundational CIDA systems to make quick adjustments and easily introduce new forms of authentication solutions.
- At its core, CIDA is used for fraud prevention, which consists of unauthorised transactions, unwanted account access, fake account creations and so on. Hence, CIDA needs to facilitate quick updates to overcome increasingly sophisticated fraud techniques.
- A CIDA ecosystem is needed to take advantage of all user authentication factors: What the user owns, knows and is.
- A solid CIDA ecosystem is needed to maintain a balance of account security, user convenience, user acceptance and scalability.
In general, a well-established CIDA ecosystem consists of a solid customer ID database, technologies connected with said database, automated processes and API channels, and a portal that allows companies to interact with the relevant CIDA components.
Within the CIDA framework, solutions like SMS OTPs fall under identity authentication – which is further down the pipeline used to authenticate transactions.
However, a robust CIDA ecosystem should start from the beginning at the identity-proofing stage. This prevents the creation of fake accounts and mule accounts in the first place.
At Innov8tif, we have helped companies implement CIDA from start to finish. We also specialise in eKYC solutions, using artificial intelligence solutions to conduct facial recognition, liveness detection and ID document authentication for all ASEAN member states.
Any other authentication solution is generally built on top of the reliability and results of a robust eKYC system. – Nov 14, 2022
Joe Seah is the chief commercial officer at Innov8tif Solutions, an ISO-certified artificial intelligence company helping businesses to widen their sales funnel, speed-up processes without paper and prevent frauds.
The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
Main photo credit: Easy Store
