Rethinking OTP via SMS: a critical analysis of its suitability for banking
During a consultancy we were working on for a bank and the company providing its digital channels, we had a heated discussion to reach important decisions about security and protection without hurting the user experience and ease of use of the digital channels. One of the important points I wanted to publish about is the use of OTP via SMS in the main verification processes.
Personally, I merely accept, without endorsing, the use of OTP via SMS for verifying operations performed through mobile/web applications, but I hold a strict, opposing opinion on its use for the main operations such as changing the password, activating a new phone or unblocking an account. I think it can be used, again without endorsing it, for operations that take place inside the application once the operations mentioned above have been verified in a safer way. For example, I do not accept changing a password using an OTP received in a text message; on the other hand, I think it is fine to use it to transfer money, with limits, or for any other procedure inside the system.
In fact, I consider it a mistake made by some banks. I unblocked one of my own bank accounts, after several wrong and even suspicious operations, as soon as I supplied the phone number and the national ID number and then verified through OTP via SMS, and POW, I was using it again with full privileges! In your opinion, in the current era, is the national ID number considered confidential information?
Next, I will summarize, in a much simplified manner for each point, the reasons for my lack of confidence in OTP via SMS for these cases. Many may see these as theoretical points, but when designing such systems I always go with zero trust.
1) The problem of the channel that delivers the code:
In theory and in practice, a message containing the code that is sent to a phone number arrives through a telecommunications company. Your reliance on the confidentiality of the code therefore rests on the security and protection of the telecommunications companies, technically and even in terms of the people working there. In my personal opinion this is a security weakness: in this case the telecom company and its employees play the role of a man-in-the-middle that I cannot trust.
2) The problem with the receiving device itself:
Our current devices are no longer used only for calls and receiving messages, so you cannot be sure of all the applications that customers install, and many of those applications have the permission to access and read SMS. Such applications are also used in attacks against this type of protection: access to the SMS means access to all of the customer's accounts from another device in a different place. This has happened a lot with breaches of chat accounts, WhatsApp specifically, where WhatsApp offers an alternative to the SMS OTP for protection, the PIN code, but unfortunately it is not compulsory; it seems they care about ease of use more than protection.
3) Ownership of the phone number that mediates the process:
Ownership is established by a contract outside the framework of the bank's system, so the owner of the number may change at any moment. This point in particular may seem very theoretical, but if we think about it being used in a way targeted at a specific person, our view changes: a SIM swap, where an attacker persuades the carrier to move the victim's number to a SIM the attacker controls, is exactly such a targeted use. Remember that we are talking about zero trust in such designs.
4) Something the customer does not have:
The code in this scheme is not something the customer has, but something sent to him through an intermediary, so the security responsibility is no longer the customer's alone but is shared between the customer and the system. When the factor is something the customer has, held neither by the bank nor by any other party, the security responsibility lies with the customer and not with the system. I do not mean legal responsibility here; rather, the responsibility is in the hands of one person instead of being spread over a large number of possibilities.
For these and many other reasons, I support using a code that follows different criteria for changing the password, activating a new device and so on, and only then using the easiest method, such as OTP via SMS, for other operations such as logging in, transferring money and the like. We need real 2FA, two independent factors, more than 2-step authentication, which can be useless for the reasons written above.
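To make that policy concrete, here is an added example in Python. It is not code from the original post or from any bank's system. A TOTP check (RFC 6238, standard library only) stands in for "something the customer has" enrolled on the device at activation, a server-issued random code stands in for the SMS OTP that is handed to the telco, and a step-up policy maps each operation to the weakest factor class allowed to approve it. The operation names, the factor labels and the transfer limit are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Factor classes: an assumption about how the bank's policy could be expressed.
SMS_OTP = "sms_otp"            # code sent to the customer through the telco
DEVICE_BOUND = "device_bound"  # TOTP seed enrolled on a device the customer has

# Assumed policy: the "main operations" from the post need the possession
# factor; in-app operations accept SMS OTP, transfers only up to a limit.
HIGH_RISK_OPERATIONS = {"change_password", "activate_device", "unblock_account"}
TRANSFER_SMS_LIMIT = 1000  # assumed per-transaction limit for SMS-approved transfers


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbours (clock drift), constant-time compare."""
    counter = at // step
    candidates = [hotp(secret, c) for c in range(max(0, counter - window), counter + window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


def issue_sms_otp(digits: int = 6, ttl: int = 120) -> dict:
    """Server-side record of a code to be handed to the telco. The copy the
    customer receives travels outside the bank's control (points 1 to 3)."""
    code = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return {"code": code, "expires_at": int(time.time()) + ttl, "attempts": 0}


def verify_sms_otp(record: dict, code: str, at: int, max_attempts: int = 3) -> bool:
    """Time-limited, attempt-limited, constant-time check of an issued SMS OTP."""
    if at > record["expires_at"] or record["attempts"] >= max_attempts:
        return False
    record["attempts"] += 1
    return hmac.compare_digest(record["code"], code)


def required_factor(operation: str, amount: float = 0.0) -> str:
    """Map an operation to the weakest factor class allowed to approve it."""
    if operation in HIGH_RISK_OPERATIONS:
        return DEVICE_BOUND
    if operation == "transfer" and amount > TRANSFER_SMS_LIMIT:
        return DEVICE_BOUND
    return SMS_OTP


def authorize(operation: str, proved: set, amount: float = 0.0) -> bool:
    """A device-bound proof satisfies any operation; SMS OTP only the low-risk ones."""
    need = required_factor(operation, amount)
    if need == DEVICE_BOUND:
        return DEVICE_BOUND in proved
    return bool(proved & {SMS_OTP, DEVICE_BOUND})


if __name__ == "__main__":
    seed = secrets.token_bytes(20)  # constructed: enrolled on the customer's device at activation
    now = int(time.time())
    proved = set()
    sms = issue_sms_otp()
    if verify_sms_otp(sms, sms["code"], now):
        proved.add(SMS_OTP)
    print("transfer 500 with SMS only:", authorize("transfer", proved, 500))
    print("change_password with SMS only:", authorize("change_password", proved))
    if verify_totp(seed, totp(seed, now), now):
        proved.add(DEVICE_BOUND)
    print("change_password with device factor:", authorize("change_password", proved))
```

The HOTP/TOTP functions can be checked against the RFC 4226 and RFC 6238 test vectors (ASCII secret `12345678901234567890`, counter 1, equivalently time 59 with 30-second steps, gives 287082). The design choice is that the SMS path is still hardened (expiry, attempt limit, constant-time compare), but no amount of hardening on the server side changes its factor class: the policy, not the code format, decides what an SMS OTP may approve.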
What do you think? Do you have a different opinion?