Avoid becoming a security statistic by implementing the right controls
Empower your people, your strongest defence against cyber threats
Avoid becoming a security statistic by implementing the right controls
Empower your people, your strongest defence against cyber threats
Most banks in India use SMS OTP (one-time password) to provide 2 factor authentication required to enhance security of the transaction. Despite the inconvenience of waiting for the SMS OTP to arrive to perform any online transaction, customers too have accepted and feel secure about this security mechanism.
However, storm clouds are gathering…
Almost a year ago, on July 27, 2016, US National Institute of Standards and Technology (NIST) advised that SMS-based two-factor authentication should not be used in future due to security concerns.
The primary reasons for stopping use of SMS OTP are two fold:
Earlier this month, the German-based newspaper Süddeutsche Zeitung reported that criminal hackers in Germany completed a two-step attack on German bank accounts in January, successfully routing money from bank customers into their own accounts. But this wasn’t just another data breach – this was a Signaling System 7 (SS7) security breach, which many believed was low risk.
Hackers exploited known flaws in the SS7 signaling protocol, a critical part of the cellular network, in order to intercept two-factor (2FA) authentication codes sent by text messaging (SMS) – making this one of the first publicized real world attacks, and proving the risk isn’t low at all. (Source: https://www.wirelessweek.com/article/2017/05/ss7-vulnerability-allows-hackers-drain-bank-accounts-what-next)
The Indian Banking sector have been largely ignoring this risk. However, with the government pushing for demonetization and digitization, it now needs to look at the danger squarely in the eye.
BGP and SS7 protocols need to be strengthened to ensure that SMS OTP sent to a user cannot be re-routed. However, while efforts are on to plug the vulnerabilities, it will take time.
The way forward at this time seems to be implementation of hardware or software dongles. NIST has even proposed the use of biometrics.
SMS OTP, as we know it, has been compromised. Despite warnings from organizations like NIST, industry has not really woken up to the risk. However, hackers have proved the SMS OTP vulnerability in Germany and it will be a matter of time before this is repeated across the world.
The banking sector in India should plan for a post SMS OTP scenario. It has been one of the countries that quickly rolled out chip and pin technology for cards when other countries were procrastinating. It should now take the lead in introducing new technology to counter the threat to SMS OTP.
With the Indian economy on the upswing and getting increasingly digital, security is key to success.
