Last updated: 09 February 2016
Have you ever received a secret code from your bank by SMS text message, when buying something online? Most of us have. That’s what banks do nowadays, to make sure that it really is you making the purchase. They call this system 3DS, and the secret code is known as a “One-Time Password” or “OTP”. The consumer is safe, the bank is safe, and hackers are kept at bay, right? Wrong. The recent experience of 50 smartphone users in Singapore proves that this is just not enough to protect you.
So, what happened? Some hackers managed to steal the credit card details of 50 smartphone users, through a malicious app that pretended to be a software upgrade. After this, they still needed the OTP. Their solution to this was simple: just intercept the SMS text message being sent. Once they had done this, they then had the credit card details and the OTP – everything they needed to pose as the legitimate end-user.
This unfortunate occurrence could have been avoided easily… Let’s explore how.
The dangers of SMS
According to one security expert quoted in the article: “Any SMS traffic can be intercepted. There’s no doubt about that.” Sure enough, we agree.
He then explains that banks have security measures in place: “Banks tend to ring you up if they think an amount is particularly significant…” Yes, they do tend to do that. The problem is, this is not always enough – and obviously it wasn’t enough in the case of Singapore. Why? Because the transactions were for amounts that were not very significant: the average was “a couple of hundred dollars”. Still, as the article says, some users lost “thousands of dollars over multiple transactions”.
It seems that a solution that avoids SMS traffic could have helped.
But the article offers other suggestions. Let’s explore further.
Smartwatches: a role in transaction security?
The security expert then goes on to suggest that pairing a smartwatch with your smartphone could give “additional levels of authentication” if the two devices are “within a certain radius of each other.” Yes, this is true – in the case of a stolen smartphone. If the stolen smartphone cannot connect to the smartwatch because it is not within its radius, the bank can abort the transaction, or require further authentication. But that’s not the issue here: the smartphone was not stolen. It simply had malware running in the background. And it’s not clear how pairing your smartphone with your smartwatch would have helped in this case.
So does this mean that smartwatches do not have a role in securing mobile transactions? They do – but their role is more to enhance convenience than to add a level of authentication, because banks are usually less worried about stolen smartphones than about malware.
How to protect users
So how could the Singapore attack have been avoided?
An effective measure would have been to use a data-based Out-Of-Band (OOB) solution.
A data-based OOB solution uses push notifications over the 3G/4G data connection, doing away with easy-to-intercept SMS text messages altogether. There are two ways a modern OOB solution can replace SMS OTP:
- Local OTP generation: The OOB solution sends an authentication request to the mobile phone, which then generates the OTP locally.
- Secure transmission: The secure OOB channel is used to transmit the OTP that was generated on the server.
Both options provide a much higher level of protection against malware than SMS OTP, since everything happens outside of the easily accessible SMS inbox.
Of course, someone could try to attack the OTP generation itself. But, unlike an SMS inbox, OTP generation can be protected inside the banking application by applying strong cryptography together with anti-malware protections.
The OTP will eventually have to be sent to the server so it can check if the OTP matches what it has generated on its side. Theoretically, it could be intercepted at that point. But again, unlike SMS text messages, it can be sent via a controlled Secure Channel.
So what does all this mean? It means that even if someone steals your credit card details, if you have an OOB solution, they will not be able to pose as you, and they won’t be able to intercept your OTP.
The article ends with a quote about biometrics as “a new way of authentication.” Definitely, an OOB solution coupled with biometric authentication would be much better protection than an OTP sent by SMS. Plus, a local bank application could enable biometric authentication in addition to cryptography – again, something that is simply not possible with an OTP sent by SMS.
The good news is that the required protection does exist: Ezio Mobile Secure Messenger, for example. Combine this with biometric authentication, and you’ll significantly reduce the chances of fraudulent activity.