By Frederik Mennes, Director Product Security at OneSpan
Banks and payment service providers have several methods of authenticating someone attempting to log onto an online payment account. One of these is SMS: an SMS message containing a one-time password (OTP) is sent to the user’s mobile phone, and the user then enters this OTP into the payment application. The same method can be used to confirm a payment, in which case the SMS also carries the key details of the transaction, such as the amount and beneficiary, alongside the OTP.
To provide an additional layer of security, the OTP often works alongside a static password that the user must also enter into the payment application as part of a two-factor authentication system. The SMS OTP represents a possession factor (“something only the user has”), while the static password represents a knowledge factor (“something only the user knows”).
The compliance of authentication systems based on SMS has caused plenty of discussion in recent times, particularly since the introduction of the revised Payment Services Directive (PSD2) and the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC). One common question is whether SMS OTP can meet the Dynamic Linking requirements of PSD2, which stipulate how to authenticate payments.
As remote authentication is a key consideration in today’s digital world, let’s take a closer look at SMS OTP compliance in relation to two key use cases: account login and dynamic linking.
Authenticating account login
The question of whether SMS OTP complies with the SCA requirements for payment account login was addressed by the European Banking Authority (EBA) in an Opinion published in 2019, and also via the EBA’s Single Rulebook Q&A tool.
The Opinion clarifies that SMS – more specifically the SIM card in the mobile device that receives the SMS – can be considered a valid possession element. This implies that one-time passwords (OTPs) delivered via SMS can be used to construct a strong authentication mechanism when combined with an independent second factor (e.g. a password or PIN). In other words, SMS OTP can comply with the SCA requirements of PSD2 for account login.
However, this does not automatically make SMS OTP the best option for account login, as SMS is exposed to a range of well-documented attacks. SMS messages can be intercepted or altered by exploiting weaknesses in SS7, the signalling protocol used between mobile network operators, and by malware on the mobile device that reads incoming messages. In addition, SIM swap attacks allow criminals to take over a victim’s mobile phone number and receive SMS messages intended for the victim. Europol recently announced a string of arrests across Europe after a group of hackers used this method to steal more than $100 million.
Attacks on online banking authentication that exploit these weaknesses are well known and have been around for many years; banks must keep this in mind when deciding whether to adopt SMS OTPs.
This is all fairly clear. But one thing the EBA’s Opinion does not discuss is SMS OTP in the context of dynamic linking. This raises the all-important question: does SMS OTP meet PSD2’s dynamic linking requirements?
Addressing dynamic linking
Dynamic linking (Article 5 of the RTS) requires that the authentication code for a payment be specific to the amount and payee the payer has approved, so that a code generated for one transaction is rejected for any other, and that the amount and payee be protected in terms of confidentiality, authenticity and integrity throughout the authentication process. Since the content of an SMS message is protected neither in transit nor on the device, one would expect SMS not to meet these requirements. However, until recently the EBA had not offered a clear opinion on the subject.
Now, for the first time since PSD2 came into force, the EBA has officially made a statement about the compliance of SMS OTP in relation to dynamic linking. In its statement, the EBA explains that an SMS does not have to be protected if it does not contain payment information or an authentication code. This is logical, as there is no sensitive data in the SMS at risk. In this instance, “the issuer would not be required under Article 5(2) of the Delegated Regulation to ensure the confidentiality, authenticity and integrity of the information transmitted via the SMS.”
On the other hand, if payment information – i.e. the payee or the amount of the transaction – is present in the SMS, then that information needs to be protected. The EBA says, “the issuer should take all necessary security measures to ensure the confidentiality, authenticity and integrity of the authentication code and/or the payment information transmitted via the SMS.”
SMS itself provides neither confidentiality nor integrity for the message content, so simply sending an SMS containing the amount, payee or authentication code does not meet the dynamic linking requirements. One option would be to encrypt and authenticate the content of the SMS, but this introduces another issue, namely how the content can be decrypted and verified on the user’s device. In most cases this requires a separate mobile app holding a key, which misses the point of using SMS in the first place.
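The following Python script is an added example, not code from the original article or from OneSpan. It shows the mechanics behind the dynamic linking requirement discussed above: an authentication code computed as an HMAC over the amount and payee (a simplified, illustrative construction rather than a standardised scheme such as OCRA, RFC 6287), an issuer-side check that recomputes the code for the transaction actually submitted, and a conventional counter-based OTP beside it for contrast. The shared secret, the counter value, the two IBAN-like strings and the payee-swap scenario are constructed assumptions for this illustration.

```python
import hashlib
import hmac

# Constructed, hypothetical values for this example only: a secret shared between the
# issuer and the user's authenticator, and two IBAN-like strings. Not real data.
ISSUER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e5f60718")
PAYEE_IBAN = "DE89 3704 0044 0532 0130 00"   # payee the user intends to pay
MULE_IBAN = "GB29 NWBK 6016 1331 9268 19"    # payee substituted by malware


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226-style dynamic truncation of a MAC to a fixed number of decimal digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def canonical_transaction(amount_cents: int, payee_iban: str, counter: int) -> bytes:
    """Unambiguous encoding of the data the code must be linked to.

    Whitespace and case are normalised so "DE89 3704 ..." and "de893704..." give the
    same code, and the payee is length-prefixed so no two (amount, payee) pairs can
    share an encoding.
    """
    if amount_cents < 0:
        raise ValueError("amount must be non-negative")
    payee = payee_iban.replace(" ", "").upper().encode("ascii")
    return b"|".join([
        str(amount_cents).encode(),
        str(len(payee)).encode(),
        payee,
        str(counter).encode(),
    ])


def linked_code(secret: bytes, amount_cents: int, payee_iban: str,
                counter: int, digits: int = 6) -> str:
    """Authentication code specific to amount and payee (dynamic linking)."""
    msg = canonical_transaction(amount_cents, payee_iban, counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_linked(secret: bytes, amount_cents: int, payee_iban: str,
                  counter: int, code: str, digits: int = 6) -> bool:
    """Issuer-side check: recompute the code for the transaction submitted for
    execution and compare in constant time. Any change to amount or payee fails."""
    if len(code) != digits:
        return False
    expected = linked_code(secret, amount_cents, payee_iban, counter, digits)
    return hmac.compare_digest(expected, code)


def plain_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Conventional counter-based OTP: proves possession of the secret but carries
    no information about the transaction it accompanies."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_plain(secret: bytes, counter: int, code: str, digits: int = 6) -> bool:
    """Note the signature: there is no amount or payee to check against."""
    return len(code) == digits and hmac.compare_digest(plain_otp(secret, counter, digits), code)


def simulate_payee_swap(secret: bytes) -> dict:
    """Man-in-the-browser scenario (constructed): the user approves 250.00 to
    PAYEE_IBAN; malware substitutes MULE_IBAN and a larger amount before the
    payment order reaches the issuer."""
    counter = 17
    approved = (25000, PAYEE_IBAN)
    submitted = (990000, MULE_IBAN)

    code = linked_code(secret, *approved, counter)   # code the user entered
    otp = plain_otp(secret, counter)                 # what a plain SMS OTP would be
    return {
        "linked_accepts_approved": verify_linked(secret, *approved, counter, code),
        "linked_accepts_swapped": verify_linked(secret, *submitted, counter, code),
        # the plain OTP check has no transaction parameters, so it passes either way
        "plain_accepts_swapped": verify_plain(secret, counter, otp),
    }


if __name__ == "__main__":
    print(simulate_payee_swap(ISSUER_SECRET))
```

The linked code rejects the swapped transaction because the issuer recomputes it over the amount and payee it is about to execute, while the plain OTP is accepted regardless. Two caveats matter in practice: binding the code to the transaction only helps if the amount and payee the user sees before entering the code are the ones the issuer will compute over, which is exactly the integrity property Article 5(2) demands of the channel; and in an SMS deployment the issuer itself generates the code, so the secret never leaves the issuer and the user's only contribution is to read the displayed details and enter the code.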
This presents a conundrum for banks and payment service providers to navigate. SMS OTP for dynamic linking does not comply with PSD2 unless the content of the SMS is protected, which is not straightforward. It is therefore important that banks are aware of the alternatives, such as mobile push notifications delivered to a dedicated app that is protected by application shielding technology. Ultimately, this marks another compliance and security challenge facing banks in today’s digital world.