listen to this article:

SMS-Based OTP is Just Not Good Enough - Unbound Security Blog

The problem isn’t a new one, yet it seems we have to continue to state the obvious – SMS-based OTP just does not provide good enough security. As this recent headline can attest, massive fraud that resulted in millions being stolen from online bank accounts, it is time for organizations to consider alternatives. First, lets explore the network’s security vulnerabilities.

This particular attack was sophisticated: the attackers knew how to fool fraud-detection measures regarding the location of mobile phones, their device IDs, and more. In order to do this, the attackers stole information from users’ mobiles and set up phone emulators that would appear to the bank to be legitimate. In some of the cases, the attackers even made the phones appear to be new phones registered by a customer. An interesting aspect of this attack was that it appears to have been automated, thus enabling the attackers to steal large amounts of money.

Ways of Bypassing SMS-Based OTP

The above sounds impressive, but in reality, it was much easier than it should have been. This is due to the fact that although these banks utilize multi-factor authentication that “should” prevent exactly this type of fraudulent activity, the multi-factor method used was SMS-based OTP (one-time passwords sent by SMS to the user). Unfortunately, as is well known, SMS-based OTPs provide poor security and indeed the attackers were able to steal them. Now, it’s not clear how this was achieved but what we do know is that there are many ways of bypassing SMS-based OTP.

One of the primary methods is SIM-swapping, where the attacker convinces the phone carrier that the user has replaced their phone and reassigns the phone number to the attacker’s phone. This is not what happened in this particular case, but there are other ways.  For example, SMS communications are not encrypted and so can potentially be intercepted (just to be clear, I have no idea what happened in this case, but I am just pointing out that this is theoretically possible).

Possible Alternatives

Strong multi-factor authentication based on a strong cryptographic secret is a much better mechanism for mitigating such attacks.

One possibility is to use dedicated hardware tokens held by users (like Smartcards), but these have significant usability issues. Another possibility is to utilize a strong cryptographic secret on a user’s mobile device, but if the device is hacked then that key can be stolen. Therefore, a mobile should only be used if it utilizes methods for preventing the theft of the cryptographic secret even if the phone is completely hacked and owned by the attacker.

Fortunately, such methods do exist, such as leveraging secure multi-party computation to protect keys, but first banks and other enterprises need to begin by recognizing that the security weaknesses of SMS-based OTP outweigh the usability advantages. This is especially true when strong solutions that work with users’ mobiles do exist, and so it isn’t necessary to require external hardware devices which are indeed problematic. I hope that enterprises and banks make the move to better technology that can provide higher security without harming usability.