Why are financial services adopting SMS MFA when the industry recommends against it?

Has your bank informed you of their recent security improvements? UK banks and financial institutions have been announcing the use of SMS Multi-Factor Authentication (MFA) to secure your accounts and financial transactions. So far we’ve seen the likes of HSBC, Co-Operative Bank, Metro Bank, NatWest Bank, and many others jump on board the SMS MFA bandwagon, sending out communications assuring customers that this is the solution to “Strong Customer Authentication” – the new regulations which all UK banks must eventually meet.

While the Financial Conduct Authority (FCA) agreed on a plan that allowed for phased implementation in the UK — giving us more time than the EU’s September 2019 deadline — the agreement still stipulates that UK institutions must-have steps in place to show that they are working toward the end goal of SCA compliance. Meaning that many institutions have taken steps to become compliant already, including seeking Finance compliance advice where necessary, and some will take the 18 month grace period that they have been afforded.

What is strong customer authentication?

Strong Customer Authentication (SCA) is a directive put in place by the EU’s Revised Directive on Payment Services, the Payment Services Directive 2 (PSD2) which stipulates that UK and European companies must adopt multi-factor authentication in order to increase the security of their electronic payments.

As stated in the Directive 2015/2366/EU – Article 4 (30):

Strong customer authentication means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

The definition above calls for Multi-Factor Authentication, or 2-Factor Authentication; a subset of MFA where only two pieces of information are required.

While the push for “strong customer authentication” had been coming for some time, the eventual decision to set a date of compliance had the apparent result of pushing financial institutions into a situation whereby the time had run out and action needed to be taken quickly.

This situation has led to the widespread adoption of SMS MFA — or TEXT one-time password, as it’s also referenced by the banks — to make them compliant in “strong customer authentication”.

The trouble is, however, that SMS MFA is not a “strong” solution for the long-term.

Pressure lacking appropriate direction

While it’s inherently positive that there are governing bodies pushing large institutions to protect the security of their customers, the challenge is that there was no specification as to which MFA/2FA security solution should be adopted.

Left to the institutions, SMS was the overwhelming favourite. After all, everyone has a mobile phone and uses SMS. It was the one option guaranteed to have the lowest level of resistance from customers.

However, of all the MFA solutions available today, SMS MFA is the least secure and in 2015 the US National Institute of Standards and Technology (NIST) released this caution:

“Due to the risk that SMS messages or voice calls may be intercepted or redirected, implementors of new systems should carefully consider alternative authenticators.”

Is SMS MFA really that bad?

If it’s an available option and large institutions are adopting it, then surely it can’t be that bad? Well, let’s discuss a few cases of breach and see if it’s a solution that you would feel comfortable with as the standard of compliance for your security.

In October we mentioned a story run by the New York Times raising some concern about SMS MFA, following an attack which saw Twitter CEO, Jack Dorsey, lose access to his Twitter account. What is interesting, and worrying at the same time, about this story is that the hack was not one which required the sophistication of technically superior hackers. It simply required them to be bold enough to make a phone call, manipulate or bribe an operator and access was granted.

That is a tactic called SIM porting, or SIM swapping, as it’s also known. A relatively skill-free approach which allows hackers to gain access to the SIM of their target.

Because Twitter had adopted SMS 2-Factor Authentication (2FA) whereby password resets could be confirmed by SMS, they opened themselves and their customers up to breach.

As the New York Times reported, this is not an isolated occurrence. Actress Jessica Alba, and online personalities Shane Dawson and Amanda Cerny have also been victims to SIM porting, as well as a slew of businesspeople worldwide.

What about the UK?

As reported by the Telegraph, Metro Bank, who have adopted the SMS MFA in order to be SCA compliant, became the first major bank to fall victim of a new type of cyber attack. One which targets the codes sent via text to customers to verify transactions.

Unlike the SIM port, which requires a compliant telecommunications operator to hand over access, ‘SS7 attacks’ use the flaws in the SS7 protocol, which coordinates how they route calls and SMS messages around the world. In this case, tracking phones remotely and intercepting messages to authorise payments from accounts, making this a far more worrisome and widespread form of attack.

While no customers were left out of pocket and the attack was spotted quickly, the scenario serves to shine a light on the very real vulnerability of SMS MFA.

Why adopt a vulnerable solution?

Of course, we can’t speak for the banks adopting SMS MFA, but it is no secret that the appeal of an SMS style solution is that it is a central push technique, with no requirement for any configuration or software on the user’s device. It’s the easiest solution to implement and is the most familiar to users.

But it is the convenience of this solution that leads us to the root of its problem: there is no established trust with the device on which the code is received.

Closely tied to the ease of adoption is the pressure from the PSD2 for institutions to act quickly. With compliance legislation dictating that something must be done, there is likely a considerable amount of pressure to prioritise implementation, over adopting the best, most secure solution.

Another challenge that is concerning to us is that this new legislation forcing banks to “become compliant” could be seen as the last step to ultimate compliance — implement and you’re secure — but this is just not the case.

MFA is the first step, not the final

2-Factor Authentication (2FA) is, of course, better than nothing. It’s a step in the right direction, but it should not be seen as the final destination.

In the case of SMS MFA, solutions use not one but two vulnerable layers of security; the first is the password, and the second is text. Both of these methods have flaws.

Passwords have been the standard of security for some 50 years until very recently. Yet, they have been incredibly easy for hackers to hack and unbelievably difficult for users to keep track of.

Born out of the need to fix this weak solution came. Adding another factor – which could be SMS or a number of other (more secure) options – would ultimately add an extra layer of security to the log-in process and make it more difficult for hackers to access the accounts.

Multi-Factor Authentication serves this function well, even SMS MFA, to a point. But as security solutions improve, so too do the capabilities of hackers, and SMS is the latest security layer that they have been able to exploit. The new SS7 attacks are an example of this in real life.

Unfortunately, while vulnerable security solutions are used, security is going to be vulnerable. No matter how many layers are put on it.

What’s the solution?

Enforcing compliance is most definitely a step in the right direction, but MFA that uses passwords and SMS is not the final step. Passwords themselves are the weakness that these MFA solutions are trying to fix, so it is passwords that ultimately, eventually, need to go.

We work with clients to achieve this in a three step process:

1. Comply
Not compliance in SCA but compliance in using passwords that meet the new password policy guidelines set by NIST SP 800-63B, as well as establishing real-time password breach protection, so that users are still protected when their existing passwords become breached.

Achieving the NIST standard of password security is easier than most organisations realise. Authlogics has a simple-install solution which works on any platform to automatically check the passwords of users against a database of over 2 billion credentials which have been breached, which includes over 520 million unique clear text, breached passwords. This approach analyses passwords in real-time, using a combination of granular policy controls, a rules engine, a custom blacklist, and heuristic scanning and the breached database and ensures that users cannot use compromised passwords that risk the security of the business.

The best part for users — and by proxy the organisation — is that the solution works in real-time and negates the need for regular password changes and complex password rules. In a short time, user passwords are unique, secure and compliant.

2. Secure
A unique un-breached password can immediately improve access security. Following this, adding a well-implemented second factor to the authentication process is the gold standard when implementing a secure access method, making systems much harder to breach.

Compliant passwords alongside SMS-based MFA does add some element of security, it certainly makes it harder for hackers to gain access, but with both still the most vulnerable security methods, SMS MFA is not the best solution for this step.

Luckily for banks, they are well placed to implement this through their smart devices. All leading banks have a mobile app, and a high percentage of their customer base use this app. For those customers that that don’t there are still solutions banks can use, like mobile app advertising which could help ecourage clients to use their app.

For MFA to be secure, the solution needs to know exactly which device a centrally generated code is being sent to. This requires some form of configuration or app on the user’s device and banks already have this.

In this scenario, the mobile app could generate the code itself, meaning that it could confirm that a known and trusted user device is being used – which can’t be duplicated or intercepted. Where customers don’t yet have smart devices, other solutions, such as pattern-based or phrase-based authentication, could be used over SMS to mitigate the risks of SIM swaps and SS7 attacks.

3. Replace
Replacing the password is the only way to remove the weakness that it presents. While passwords are in the picture, there is a vulnerability in your security system.

Thankfully, as we’ve mentioned, banks already have the widely adopted software — via their apps. With this software, it is possible to add authentication methods which eliminate the need for passwords — such as fingerprint readers or other biometrics, including Face ID. Authlogics design such solutions.

With the user’s experience in mind, we create password-free solutions using a range of low and hi-tech alternative authentication mechanisms that are easy to adopt.

This solution swaps one factor for another factor. One which is more convenient, and more secure, involving something you know (your pattern), something you have (your device), and something you are (such as your face or fingerprint), providing the highest level of security, with the lowest level of friction for the user.

Where can banks go from here?

The fact that we are having discussions about compliance and the most secure solutions is an extremely positive move in the right direction.

While we’re speaking primarily about the banking and financial sectors, these realities are true across the board, and the solutions to fix these problems can be adopted in any sector by making passwords comply with NIST standards, secure with MFA, and eventually replacing them with other solutions, like biometrics.

Banks, in particular, are fortunate. They have already built the foundations upon which their security solutions can be added. Their apps are already widely used by their customer base, and they can easily adopt a two-pronged solution which caters both to those who are utilising their software and those who are not yet.

Financial services adopting SMS MFA – where to find out more

For anyone considering what they are going to do to become SCA compliant, you can review our online demonstrations and utilise our password audit check on your business email. Our experts can walk you through the best steps to compliance tailored specifically to your business and the needs of your users.