So just how safe is SMS as an authentication method?
In the customer service world, text is king. In the Aspect Consumer Experience Index from earlier this year, we found that 38 percent of consumers would rather use messaging apps like Facebook Messenger or WhatsApp to engage with customer service than make phone calls. Businesses have rapidly incorporated SMS-based communication into their customer outreach efforts. Perhaps the most common industry where this is occurring is financial services, with banks turning to SMS as a means of enabling their customers to access their accounts and perform complex transactions. Here banks deliver one-time passwords to customers via SMS to authenticate their credentials.

The practice is very popular, so the news that the National Institute of Standards and Technology (NIST) in the US is a step closer to banning SMS-based two-factor authentication will have been met with some consternation in the banking industry.

The draft NIST Special Publication 800-63-3, Digital Authentication Guideline, has called for the deprecation of SMS-based two-factor authentication, identifying its inherent security flaws. The guideline asserts that US government service providers should start to phase out using SMS as the second factor when confirming user identities because of the possibility that one-time codes could be intercepted or redirected.

The NIST certainly has a point in identifying SMS as problematic. SMS, when used in isolation, is fallible and easy to compromise – something that is already creating some real headaches for the banking industry. One of the biggest issues here is SIM Swap fraud. It is possible for somebody to unlawfully obtain a duplicate SIM card for a mobile user's number and redirect that user's communications – including SMS – away from the intended recipient and towards the hacker. This enables the hacker to receive the bank's one-time password and access their target's bank account. Neither the victim nor the bank knows anything has gone wrong until it is too late.

So, what is the way forward? Should SMS be unceremoniously dropped in favour of more rigorous security procedures? Not quite. There is a way forward, and SMS can (and should) continue to play a central role in the authentication process – provided that the banks do some additional legwork to check and support each interaction.

Here at Aspect we have been working closely with the industry to find solutions that bolster the security of SMS but do not interrupt consumers' lives. One such approach is to deploy technologies behind the scenes that verify the user invisibly, without creating friction at any point during the customer experience. Aspect Verify is one such tool: it supports verification with additional checks on the relevant information, context and user behaviours. These checks must be largely imperceptible to the customer, lest they interrupt the user experience. Examples include fraud detection techniques such as SIM Swap and divert detection, as well as location checks using readily available mobile network data, to corroborate the user's identity before the one-time password is sent.
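As an added illustration of the checks just described (example code written for this page, not Aspect Verify's implementation), here is a defender-side policy that consults an operator lookup before a one-time password is sent over SMS: a recent SIM change or an active divert means the SMS may reach someone other than the customer, so the bank steps up to another factor instead. The lookup fields, the seven-day window and the sample numbers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Window inside which a SIM change is treated as a possible SIM swap (assumed value).
SIM_CHANGE_WINDOW = timedelta(days=7)


@dataclass
class NumberIntelligence:
    """Operator lookup result for one mobile number. Field names are hypothetical."""
    msisdn: str
    last_sim_change: Optional[datetime]  # when the SIM behind the number last changed
    call_forwarding_active: bool         # an unconditional divert is set on the line
    network_country: str                 # country the handset is currently registered in


def sms_otp_decision(info: NumberIntelligence, account_country: str,
                     now: datetime) -> Tuple[str, List[str]]:
    """Decide whether a one-time password may be sent to this number over SMS.

    Returns (action, reasons): "send_sms" when no signal fires, "send_sms_and_flag"
    when only the location check fires (travel is common, so the code still goes
    out but the session is marked for review), and "step_up" when the SIM changed
    recently or a divert is active, because the SMS may then be read by someone else.
    """
    reasons: List[str] = []
    if info.last_sim_change is not None and now - info.last_sim_change < SIM_CHANGE_WINDOW:
        reasons.append("recent_sim_change")
    if info.call_forwarding_active:
        reasons.append("divert_active")
    if info.network_country != account_country:
        reasons.append("location_mismatch")

    if "recent_sim_change" in reasons or "divert_active" in reasons:
        return "step_up", reasons
    if reasons:
        return "send_sms_and_flag", reasons
    return "send_sms", reasons


# Constructed sample lookups (not real data); the number is in the UK drama range.
NOW = datetime(2016, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOOKUPS = {
    "unchanged": NumberIntelligence("+447700900123", NOW - timedelta(days=400), False, "GB"),
    "swapped": NumberIntelligence("+447700900123", NOW - timedelta(hours=3), False, "GB"),
    "diverted": NumberIntelligence("+447700900123", NOW - timedelta(days=400), True, "GB"),
    "abroad": NumberIntelligence("+447700900123", NOW - timedelta(days=400), False, "ES"),
}


def run_samples(account_country: str = "GB") -> dict:
    """Apply the checks to every sample lookup; returns {name: (action, reasons)}."""
    return {name: sms_otp_decision(info, account_country, NOW)
            for name, info in SAMPLE_LOOKUPS.items()}
```

The decision is taken before the SMS leaves the bank, so the customer only notices anything when a step-up is actually needed.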

The NIST is right to caution against relying on SMS alone to authenticate transactions, and banks should heed its warnings. The guidance should be seen as a warning shot for the UK banking industry, which will need to deploy additional layers of security if it is to safeguard its customers' accounts and maintain consumer confidence. With the right safeguards in place, SMS is perfectly acceptable, and there is no need to throw the proverbial baby out with the bathwater!
