So long to one time passwords
As the incidence and sophistication of account takeover attacks continue to grow, security breaches at prominent global brands, such as Target and eBay, are becoming regular news items. Today, customer data can be thought of as a new, valuable currency for fraudsters, prompting the digital underground to launch better coordinated and structured attacks on a much larger scale to impact a greater portion of the business world.
Despite the potential for reputational backlash and financial losses now reaching new heights, many banks continue to depend on outdated, easily compromised user and transaction authentication systems. In layman’s terms, banks are leaving themselves wide open for fraudsters to launch an attack whenever and wherever they want.
Down with OTPs
The most widely utilized authentication systems in use are based on the one-time password (OTP), a passcode assigned for a single system login or transaction before being discarded. Initially created to enhance the security of static passwords, OTPs were considered cutting edge nearly three decades ago when they were originally introduced. Today, banks continue to rely on these systems for online transactions and authentication security, ignoring their widely-reported vulnerabilities.
For more than 10 years, fraudsters have been successfully attacking banks by capitalizing on the short-comings of OTP-based systems. Swedish online bank Nordea was one of the first victims of a large-scale attack in 2005, when its paper-based OTP security system was infiltrated by a phishing scam. Less than 12 months later, Citibank’s CitiBusiness Online was also attacked. While Citibank deployed OTPs generated by a physical hardware token, the fraudsters still had all the information they needed to successfully compromise user accounts.
No matter what specific type of OTP-based authentication system is being used, they all share the same common flaws and vulnerabilities. First, each is fully symmetric, meaning that the bank has access to the exact same information its customers do. Second, all OTP systems continue to rely on browser-based communications back to the bank. Because of this, if fraudsters were to set up a phishing site to mimic the bank’s own online portal or the browser was somehow compromised, customer credentials and the OTP can be easily captured by the attackers and immediately put to use to gain access to accounts and authenticate a fraudulent transaction.
One of the most widely used methods of sending OTPs is through the SMS channel. Historically, banks have leveraged SMS to send customers OTPs because mobile adoption among consumers is high and SMS costs lower than having to issue and manage proprietary OTP hardware tokens.
Although SMS delivery may be more convenient for customers (essentially removing the need to carry around a unique hardware token), the channel is considered unsafe for a multitude of reasons:
- The security of the SMS channel relies largely on the security parameters of the cellular networks, and without access to GSM or 4G networks, the security of text messages cannot always be assumed.
- Today’s mobile devices are extremely susceptible to Trojan viruses, such as Zeus, Perkal, Citadel, and Zitmo, which capitalize on open access to the SMS channel on mobile devices to capture OTPs. Fraudsters also use other styles of attacks on the SMS channel, such as number porting attacks, fake caller ID and call waiting scams, and SIM clones.
- Though cheaper than proprietary hardware tokens, the SMS channel can represent a significant and unpredictable financial burden. Authentication via SMS ranges in cost from $.10 to $.20 per transaction, depending on the location and total message volume, according to Gartner researcher Ant Allan. There is also the expense of contracting a third-party service provider to manage the sending of text messages, such as an SMS gateway provider or mobile network operator.
While utilizing the SMS channel as a delivery method for OTPs may no longer serve as a viable option for banks, that ubiquitous device, the mobile phone, continues to grow in popularity as a cost-effective means of user and transaction authentication. So, instead of relying on the compromised cellular networks and open SMS protocol, financial institutions ought to look at deploying industry-standard X.509 digital certificates to their customers’ mobile phones and tablets. Doing so allows banks to encrypt sensitive two-way communications and uniquely identify every enrolled customer through their device, which is essentially transformed into a second factor for authentication.
Mobile can now be used with complete confidence to confirm a user’s identity when logging into an online banking portal or mobile application or when performing sensitive transactions. Credit and debit card payments and call center interactions can also be authenticated in this way.
For banks with digital ambitions, the time to ditch OTPs, whether delivered via SMS or hardware token, has long passed. With today’s sophisticated mobile technology, there are more sophisticated, safer technologies that can significantly simplify the authentication process without sacrificing security or convenience.