Authenticating payments by SMS alone could open fraud holes
Banks and payment services providers (PSPs) should not use SMS alone for one-time passcodes to authenticate mobile and online transactions as it could leave users open to identity fraud.

The European Parliament has formally adopted the revised Payment Services Directive (PSD2), boosting protection of online and mobile transactions by requiring PSPs to use multi-factor authentication for complex transactions such as payments. The rules state that the two or more methods of authentication must be independent so they cannot be compromised by each other.

Although these regulations will rightly encourage PSPs and banks to focus more on security when it comes to mobile and online banking, they may compromise the customer experience and potentially open routes to newer, more sophisticated types of fraudulent activity such as SIM Swap. These rules no doubt bring major changes to digital banking. No longer will banks be able to simply provide solutions to customers based on their speed; they will also need to consider how secure their systems are and what lengths they go to in protecting customer interests.

The new two-factor authentication process will require many payment service providers to rethink their current models, which increasingly use one-time passwords (OTPs) delivered via soft tokens (SMS) or hard tokens (small plastic devices) to complete transactions. However, although popular, SMS is very easy to compromise.

SIM Swap, for instance, is a common technique for intercepting SMS messages. The term describes when someone unlawfully obtains a SIM card registered to another mobile user's number and thereby re-directs that user's communications – including SMS – away from the intended recipient and towards the hacker. Victims may not find out until it is too late, leaving their accounts vulnerable and open to attack from those with fraudulent intentions.

For banks to comply with these new regulations, they need to pay attention to any increased risk surrounding channel choice when it comes to authentication processes.

PSPs and banks must consider the line they want to tread while providing a digital experience. Hard and soft tokens can have a vital part to play, but commonly interrupt the natural flow of a transaction. With the importance of the customer experience rising due to growing demand for convenience, technology has a wide role to play in providing verification that the customer does not notice.

SIM Swap checks, divert detection and location detection are simple procedures that can be undertaken imperceptibly, but still offer layered verification when delivering communications. The genuine user’s day is not interrupted, and they still have a great experience when making a transaction.
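As an added illustration of how those three imperceptible checks can gate OTP delivery (this is example code written for this article, not a product or API from any bank or operator), the block below scores a phone number on three constructed signals: whether the SIM behind the number changed recently, whether a call/SMS divert is active, and whether the serving network's country matches the customer's profile. The `SimSignals` field names, the seven-day SIM-change window, and the sample subscribers are all assumptions; real mobile-operator lookups expose different fields and semantics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Window after a SIM change during which SMS delivery is treated as high risk.
# Seven days is an assumed policy value, not a figure from the article.
SIM_SWAP_WINDOW = timedelta(days=7)


@dataclass
class SimSignals:
    """Signals a bank might obtain about a phone number before sending an OTP.

    The field set is a hypothetical shape for an operator lookup; real
    mobile-operator APIs expose different names and semantics.
    """
    msisdn: str
    sim_last_changed: Optional[datetime]  # when the number last moved to a new SIM
    divert_active: bool                   # unconditional forwarding set on the number
    network_country: str                  # country of the serving mobile network
    expected_country: str                 # country from the customer's profile


def assess_sms_channel(sig: SimSignals, now: datetime) -> List[str]:
    """Return the list of risk reasons that argue against plain SMS delivery."""
    reasons = []
    if sig.sim_last_changed is not None and now - sig.sim_last_changed < SIM_SWAP_WINDOW:
        reasons.append("recent_sim_change")
    if sig.divert_active:
        reasons.append("divert_active")
    if sig.network_country != sig.expected_country:
        reasons.append("location_mismatch")
    return reasons


def choose_delivery(sig: SimSignals, now: datetime) -> Tuple[str, List[str]]:
    """Decide how the OTP should reach the customer.

    sms               -> no adverse signal; deliver by SMS as usual
    alternate_channel -> SIM swap or divert seen; SMS could reach a fraudster,
                         so the code goes via another independent factor
                         (for example an in-app prompt) and the case is logged
    sms_with_review   -> only a location mismatch; deliver by SMS but flag the
                         transaction for additional confirmation
    """
    reasons = assess_sms_channel(sig, now)
    if "recent_sim_change" in reasons or "divert_active" in reasons:
        return "alternate_channel", reasons
    if "location_mismatch" in reasons:
        return "sms_with_review", reasons
    return "sms", reasons


# Constructed sample signals (not real subscribers) for a single point in time.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CASES = {
    "unchanged_sim": SimSignals("447700900001", NOW - timedelta(days=400), False, "GB", "GB"),
    "swapped_today": SimSignals("447700900002", NOW - timedelta(hours=6), False, "GB", "GB"),
    "divert_set":    SimSignals("447700900003", None, True, "GB", "GB"),
    "roaming_only":  SimSignals("447700900004", NOW - timedelta(days=90), False, "ES", "GB"),
}


def run_samples() -> dict:
    """Map each sample case name to its delivery decision."""
    return {name: choose_delivery(sig, NOW)[0] for name, sig in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:14s} -> {decision}")
```

The point of the split between `alternate_channel` and `sms_with_review` is that a SIM change or divert directly undermines the SMS channel itself, so the second factor must move to something independent of the phone number, whereas a location mismatch on its own is often just travel and warrants review rather than a blocked channel. None of these checks require the genuine customer to do anything, which is what keeps the transaction flow uninterrupted.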

The PSD2 guidelines ought to prompt PSPs and banks to retain the ease-of-access approach that has become such a key component of modern banking, but also take steps to secure the protection of their customers. For providers that do not, customers will likely choose alternatives when considering their payment options.