
German banks drop SMS as second authentication factor

22/07/19

The code received via SMS is no longer seen as a strong form of authentication due to new techniques used by cybercriminals to take control of cell phones.

With online banking, banks seek to reduce the workload of serving the public in their branches by lowering the number of customers who must be served in person at their facilities.

For as long as this form of service has existed, banks have looked for secure ways, beyond a simple password, to authenticate their customers' identities when they make transactions, especially transfers to other people's accounts.

Work began on the concept of multi-factor authentication, which spread the use of two-factor authentication, or 2FA. 2FA uses two distinct elements to authenticate a person's identity; the two most commonly used factors have been something the person knows (such as a password or PIN) and something the person has (an object whose presence can be proven or demonstrated).

In the beginning, a list of valid transaction authorization numbers, or TANs (Transaction Authorization Number), that the bank gave to each client was enough; the client had to use them sequentially when making transfers. Banks then switched to coordinate cards, which were also a physical resource but allowed more flexibility than the original lists.

But these forms soon became obsolete, partly through the users' own misuse, and of course the criminals were not long in coming. Users would lose their lists and coordinate cards or copy them, so that more than one instance of the original security object existed, and they would even save images of them on their computers, further compromising the entire security scheme.

Banks then evolved and adopted new ways to authenticate their customers online, beyond the password. The second factor took the form of a numerical sequence that the bank's system sends by text message (SMS), to the phone number the customer registered, when that customer tries to make a transfer. In principle this seems very secure: the customer's cell phone is normally only in their possession, so requiring it to be present when the customer makes an online transfer appears logical and safe.

The problem is that criminals always look to abuse new defenses, and this was no exception. It soon became common to compromise cell phones through various deception techniques that leave the device under the attackers' control, which in turn gives them access to the content of received text messages, among other things. In addition, through social engineering, what is known as SIM swapping became widespread in many parts of the world: an attack that consists of obtaining a duplicate of a user's SIM card from the telephone operator itself, so that all messages and calls to the number in question are received by the attacker.

This has prompted more and more banks around the world to act, and in particular many German banks (both public and private) have now decided to definitively stop using SMS as a second authentication factor, according to the report.

They base this decision on the consideration that the code received via SMS is no longer seen as a strong form of authentication: once it can be intercepted, it is no longer something you have but something you know, similar to a password, which undermines the two-factor concept.

Additionally, they are aligning with the provisions of the European Union's Payment Services Directive 2 (PSD2), which requires that remote electronic transactions carried out by EU consumers be authorized through "strong customer authentication" (SCA), meaning the use of two or more factors, categorized as knowledge, possession or inherence.

In this sense, Security Advisor is promoting the use of OneSpan (formerly VASCO) technology, for which we are a certified channel. Along these lines, we offer banking institutions the possibility of implementing an extremely robust second-factor solution, based on high-security cryptographic algorithms implemented on single-use password generating devices, available in both physical and virtual format. The latter can be used as a highly secure application for mobile devices, provided by the brand in a basic form, or alternatively developed by the bank through an SDK supplied for this purpose.

Developing a proprietary application lets institutions build their mobile application (app) with all the business functionality they want and consider convenient, while embedding a single-use password generator component in it.

These applications, both the one provided by OneSpan and the one each institution can develop, have defenses that prevent their compromise by criminals who have infected the mobile device on which they run, thus ensuring the security of the transactions the customer authorizes.
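As an added illustration, not OneSpan's or any bank's code, the kind of counter-based one-time password algorithm such a generator runs, RFC 4226 HOTP, in Python: the secret stays on the token, and the bank's verifier accepts each counter value only once, so a code observed in transit cannot be replayed. The seed is the RFC's published test-vector value, not a production secret.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: derive one single-use code from a secret and a counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Token:
    """Device side: the secret stays here; each button press advances the counter."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code

class BankVerifier:
    """Server side: remembers the last accepted counter so a code is valid only once."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self._secret = secret
        self._next = 0                 # lowest counter not yet consumed
        self._look_ahead = look_ahead  # tolerate a few unused presses on the token

    def verify(self, code: str) -> bool:
        for c in range(self._next, self._next + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next = c + 1     # burn this counter and any skipped ones
                return True
        return False                   # wrong, replayed, or too far ahead

if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector seed); a real token
    # would be provisioned with a random per-device secret.
    seed = b"12345678901234567890"
    token, bank = Token(seed), BankVerifier(seed)
    first = token.press()
    print(first, bank.verify(first))   # 755224 True
    print(first, bank.verify(first))   # 755224 False: replay of a used code
```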

We invite you to consult us to learn more about this technology and understand how your institution can benefit from its adoption, since the use of SMS offers a very low level of security, as the following report shows.


Author:

Hugo Köncke - Regional Consulting Manager of Security Advisor
