SMS OTP is Dead!

Most banks in India use SMS OTP (one-time password) to provide the second factor of authentication that is required to secure online transactions. Despite the inconvenience of waiting for the SMS OTP to arrive before any online transaction can complete, customers have accepted this mechanism and feel secure with it.

However, storm clouds are gathering…

Why is SMS OTP not secure?

Almost a year ago, on July 27, 2016,

The primary reasons for stopping the use of SMS OTP are twofold:

  1. If the customer is using a VoIP number, the website sending the SMS OTP cannot technically verify that the person receiving the OTP is the genuine account holder
  2. The SS7 protocol used by telecom providers has been found to be vulnerable

Why should we really bother?

Earlier this month, the German newspaper Süddeutsche Zeitung reported that criminal hackers in Germany completed a two-step attack on German bank accounts in January, successfully routing money from bank customers into their own accounts. But this wasn’t just another data breach – this was a Signaling System 7 (SS7) security breach, which many had believed to be low risk.

Hackers exploited known flaws in the SS7 signaling protocol, a critical part of the cellular network, in order to intercept two-factor authentication (2FA) codes sent by text message (SMS) – making this one of the first publicized real-world attacks, and proving that the risk isn’t low at all. (Source: https://www.wirelessweek.com/article/2017/05/ss7-vulnerability-allows-hackers-drain-bank-accounts-what-next)

What does this mean for the Indian Banking Sector?

The Indian banking sector has largely been ignoring this risk. However, with the government pushing for demonetization and digitization, it now needs to look the danger squarely in the eye.

What should be done?

The BGP and SS7 protocols need to be strengthened to ensure that an SMS OTP sent to a user cannot be re-routed. However, while efforts to plug these vulnerabilities are under way, they will take time.

So meanwhile, what are the alternatives for Banks?

The way forward at this time seems to be the adoption of hardware or software tokens (dongles), which generate the OTP on the customer's device rather than sending it over the mobile network. NIST has even proposed the use of biometrics.

Summary

SMS OTP, as we know it, has been compromised. Despite warnings from organizations like NIST, the industry has not really woken up to the risk. However, attackers have demonstrated the SMS OTP vulnerability in Germany, and it is only a matter of time before this is repeated across the world.

The banking sector in India should plan for a post-SMS-OTP scenario. India was one of the countries that quickly rolled out chip-and-PIN technology for cards while other countries were procrastinating. It should now take the lead in introducing new technology to counter the threat to SMS OTP.

With the Indian economy on the upswing and getting increasingly digital, security is key to success.