
Out of band, out of mind

By Dave Birch posted Jul 14 2008 at 9:36 AM

[Dave Birch] Using SMS to provide an out-of-band 2FA scheme for access to online services sounds like a reasonable idea. But it depends on customers to do the right thing, and this is generally a bad idea in security terms. One study of a scheme that required customers to copy a passcode from their phone to a web page (to confirm online transactions) found that customers did not notice when the message included incorrect details. My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they won't do any of the other cross-checks, and because they think (for no reason) that SMS is somehow secure, SMS-based approaches may be even more exposed. This is a shame, because it may hinder the development of mobile services, such as banking. People are increasingly comfortable with using their mobiles for banking, we all know that. According to TowerGroup, 90% of those who tried mobile banking at Bank of America have remained active, with 99% checking balances, 87% looking at transaction history, 10% making funds transfers, and 5% paying a bill. But if they begin to read in the newspapers about mobile security being subverted, those numbers will fall.

Our position on the use of SMS in transactional services has been that the right place to begin is with simple transaction notification. It is true that out-of-band 2FA OTP solutions might be attractive, but in practice it might be better to wait for more sophisticated mobile digital signature solutions (such as are used in Turkey, for example) so that encrypted messages can be sent to the handset for digital signing. This completes the entire authentication process in a secure out-of-band way. Why is that important? Well, because SMS does not have that comparable level of security. This means that it can, will and has been exploited by fraudsters. Look at what happened in South Africa.

One of the banks operates a scheme that sends one-time passcodes to the customer's mobile phone. The customer then uses the passcode to authorise an online transaction. Sounds pretty secure: how would the fraudsters be able to break into the bank systems and get the codes? Well, they didn't. Like all fraudsters, they went for the weakest link. The customer's SIM card gets falsely declared stolen by the fraudster at the service provider. A replacement SIM card is issued, rendering the customer's original SIM card void. What this means is that all security messages and codes sent to the customer by Standard Bank are sent to the fraudsters, who hold the customer's replacement SIM card. Using the bank's secure OTP, the criminals were able to change and add beneficiaries and transfer money out of the customer's account using the login details obtained through the earlier phishing compromise.

2FA doesn't automatically mean security.
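An added illustration, not code from this post or from any bank or operator it mentions: it models the flow described above (an SMS OTP is delivered to whichever SIM currently holds the number, so a replacement SIM receives it) and a hypothetical bank-side cool-off check that holds high-risk actions when the operator reports a recent SIM replacement. The network model, the cool-off policy, the function names and the phone number are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Subscriber:
    msisdn: str
    active_sim: str
    sim_replaced_at: Optional[datetime] = None  # set by the operator on a SIM swap

class MobileNetwork:
    """Toy operator (assumption): an SMS to a number lands on its active SIM."""
    def __init__(self) -> None:
        self.subs: Dict[str, Subscriber] = {}
        self.inbox: Dict[str, List[str]] = {}  # delivered texts keyed by SIM id

    def register(self, msisdn: str, sim: str) -> None:
        self.subs[msisdn] = Subscriber(msisdn, sim)

    def replace_sim(self, msisdn: str, new_sim: str, when: datetime) -> None:
        # The "stolen" report: the old SIM is voided, a new one takes the number.
        sub = self.subs[msisdn]
        sub.active_sim, sub.sim_replaced_at = new_sim, when

    def send_sms(self, msisdn: str, text: str) -> None:
        self.inbox.setdefault(self.subs[msisdn].active_sim, []).append(text)

def authorise_beneficiary_change(net, msisdn, otp, now, cooloff_days=7):
    """Hypothetical bank policy: do not rely on an SMS OTP for a high-risk
    action while the SIM behind the number was replaced within the cool-off."""
    sub = net.subs[msisdn]
    if sub.sim_replaced_at and now - sub.sim_replaced_at < timedelta(days=cooloff_days):
        return "hold: recent SIM replacement, confirm via another channel"
    net.send_sms(msisdn, f"Your OTP is {otp}")
    return "otp sent"

def scenario(apply_cooloff: bool):
    """Replay the case in the post with constructed data: SIM replaced, then the
    bank issues an OTP for a beneficiary change. Returns (decision, receiving SIM)."""
    net = MobileNetwork()
    net.register("+27000000000", "sim-customer")  # constructed number
    swap_time = datetime(2008, 7, 1, 9, 0)
    net.replace_sim("+27000000000", "sim-fraudster", swap_time)
    now = swap_time + timedelta(hours=2)
    decision = authorise_beneficiary_change(
        net, "+27000000000", "482913", now, cooloff_days=7 if apply_cooloff else 0)
    receiver = next((sim for sim, texts in net.inbox.items() if texts), None)
    return decision, receiver
```

Without the cool-off the OTP is delivered to the replacement SIM, exactly as in the post; with it, the bank never sends the code over SMS and the action waits for confirmation through another channel.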

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
