
Breaking down the compliance limitations of SMS One-Time Passwords


By Frederik Mennes, Director Product Security at OneSpan

Banks and payment service providers have several methods of authenticating someone attempting to log onto an online payment account. One of these is SMS. An SMS message containing a one-time password (OTP) is sent to the user’s mobile phone, and the user then enters this OTP into the payment application. The same method can also be used to confirm a payment, in which case the SMS will contain key transaction details such as the amount and beneficiary.

To provide an additional layer of security, the OTP often works alongside a static password that the user must also enter into the payment application as part of a two-factor authentication system. The SMS OTP represents a possession factor (“something only the user has”), while the static password represents a knowledge factor (“something only the user knows”).

The compliance of authentication systems based on SMS has caused plenty of discussion in recent times, particularly since the introduction of the revised Payment Services Directive (PSD2) and the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC). One common question is whether SMS OTP can meet the Dynamic Linking requirements of PSD2, which stipulate how to authenticate payments.

As remote authentication is a key consideration in today’s digital world, let’s take a closer look at SMS OTP compliance in relation to two key use cases: account login and dynamic linking.

Authenticating account login

The question of whether SMS OTP complies with the SCA requirements for payment account login was addressed by the European Banking Authority (EBA) in an Opinion published in 2019, and also via the EBA’s Single Rulebook Q&A tool.

The Opinion clarifies that SMS – more specifically the SIM-card in the mobile device that receives the SMS – can be considered a valid possession element. This implies that one-time passwords (OTPs) delivered via SMS can be used to construct a strong authentication mechanism when combined with a second factor (e.g. a password or PIN). In other words, SMS OTP does indeed comply with the SCA requirements of PSD2.


However, this does not automatically mean that using SMS OTP is the best option for account login, as SMS is subject to a wide range of security vulnerabilities. For example, SMS messages can be intercepted or altered by exploiting vulnerabilities in the underlying SS7 protocol, or by malware residing on mobile devices. In addition, SIM swap attacks allow criminals to take over a victim’s mobile phone number and receive SMS messages intended for the victim. Europol recently announced a string of arrests across Europe after a group of hackers used this method to steal more than $100 million.

Attacks against the authentication mechanisms of online banking systems exploiting these vulnerabilities are well-known and have been around for many years, which banks must keep in mind when deciding whether to adopt SMS OTPs.

This is all fairly clear. But one thing the EBA’s Opinion does not discuss is SMS OTP in the context of dynamic linking. This raises the all-important question: does SMS OTP meet PSD2’s dynamic linking requirements?

Addressing dynamic linking

The dynamic linking requirement stipulates that payment information needs to be protected. Since the content of SMS messages is not protected, one would expect that SMS does not meet the dynamic linking requirements of PSD2. However, until recently the EBA had not offered a clear opinion on the subject.

Now, for the first time since PSD2 came into force, the EBA has officially made a statement about the compliance of SMS OTP in relation to dynamic linking. In its statement, the EBA explains that an SMS does not have to be protected if it does not contain payment information or an authentication code. This is logical, as there is no sensitive data in the SMS at risk. In this instance, “the issuer would not be required under Article 5(2) of the Delegated Regulation to ensure the confidentiality, authenticity and integrity of the information transmitted via the SMS.”

On the other hand, if payment information – i.e. the payee or the amount of the transaction – is present in the SMS, then that information needs to be protected. The EBA says, “the issuer should take all necessary security measures to ensure the confidentiality, authenticity and integrity of the authentication code and/or the payment information transmitted via the SMS.”
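To make the dynamic linking requirement concrete, here is an added example (written for this page, not code from the article or from OneSpan) of an authentication code that is specific to the amount and payee, placed beside a plain OTP that covers only a one-time challenge. The HMAC-SHA256 construction, HOTP-style truncation, field layout and the sample payee account are assumptions chosen for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payer_id: str
    payee: str         # beneficiary account, e.g. an IBAN
    amount_cents: int  # minor units, so no float rounding
    currency: str


def canonical(tx, challenge):
    # Fixed field order and a separator the fields may not contain, so the
    # MAC input cannot be re-split into a different amount/payee pair.
    fields = [tx.payer_id, tx.payee, str(tx.amount_cents), tx.currency, challenge]
    if any("|" in f for f in fields):
        raise ValueError("field contains separator")
    return "|".join(fields).encode()


def dynamic_truncate(mac, digits):
    # HOTP-style truncation (RFC 4226, section 5.3) to a numeric code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def linked_code(key, tx, challenge, digits=8):
    # The MAC covers amount, payee and a one-time challenge, so a changed
    # amount or payee at confirmation time recomputes to a different code.
    mac = hmac.new(key, canonical(tx, challenge), hashlib.sha256).digest()
    return dynamic_truncate(mac, digits)


def plain_otp(key, challenge, digits=8):
    # Contrast: covers only the challenge, so it is valid for any transaction.
    return dynamic_truncate(hmac.new(key, challenge.encode(), hashlib.sha256).digest(), digits)


def verify_linked(key, tx, challenge, code):
    # Recompute over the transaction the server is actually about to execute.
    return hmac.compare_digest(linked_code(key, tx, challenge, len(code)), code)


def verify_plain(key, challenge, code):
    return hmac.compare_digest(plain_otp(key, challenge, len(code)), code)
```

Verifying the issued code against a transaction whose amount or payee changed after issuance returns False, while the plain OTP verifies regardless of which transaction it accompanies; the code alone does not protect the amount and payee shown in the SMS itself, which is the confidentiality and integrity point the EBA raises.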

As SMS itself does not provide sufficient security, this effectively means that simply sending an SMS containing sensitive data does not meet the dynamic linking requirements. One option would be to encrypt the content of the SMS, but this introduces another issue – namely how the content can be decrypted on the user’s device. In most cases this will require a separate mobile app, which misses the point of using SMS in the first place.

This all presents a conundrum for banks and payment service providers to navigate. SMS OTP for dynamic linking does not comply with PSD2, unless the content of the SMS is protected – which is not straightforward. It’s therefore important that banks are aware of the alternative options available, such as mobile PUSH notifications which are protected by application shielding technology. Ultimately, this marks another compliance and security challenge facing banks in today’s digital world.
