As published in Straitstimes on 1st April 2020, One Time Password (OTP) related scams have jumped up by almost 3000% between 2018 & 2019 in Singapore.

While the introduction of SMS OTP’s into the login process initially reduced fraud, we are now seeing that fraudsters are targeting the structural flaws in SMS OTP based security mechanisms.

What are OTPs

Over the past few years, to cut down on rampant on-line fraud, many companies have augmented their digital channel security processes to include sending an out-of-band SMS based one-time passcode (OTP) in addition to traditional username and passwords for customer logins.  

With SMS OTPs enabled, customers first enter their username and password and upon successful entry, the company’s server send an SMS based OTP, often time bound to a few minutes, to their previously registered mobile phone.  Then customers enter the code into the web form to complete the login process. 

Introduction of an SMS OTP accomplishes two goals. Introduction of a position factor (e.g. the customer physically has their mobile phone) in combination with a non-static factor to the authentication process.  Both of these factors significantly limit the value of dark web purchased stolen username/password credentials.

What makes OTPs so vulnerable

The four main flaws are that they 1) are sent in clear text / un-encrypted text; 2) are out of context of the operation; 3) rely on the integrity of the mobile phone operator’s customer management processes to ensure the SIM is always locked to the same physical phone; and 4) can be subverted through malicious manipulation of the calling infrastructure itself.  Because SMS is sent in clear text, with no security over public networks, the data sent along an SMS OTP is often heavily redacted or more often just the SMS OTP itself is sent.  As a result, a customer is unable to determine from the SMS message itself what the OTP is used for (e.g. login or transaction authorization).  The lack of encryption and context set the stage for fraudsters to use either remote access software (RATware) or social engineering techniques to gain possession of the SMS OTP and use it for fraudulent purposes. 

Fraudsters often gain access to SMS OTPs by swapping SIM cards. By doing so fraudsters aim to bypass the “possession” factor of the SMS OTP. Fraudsters use faults within the customer management process to pretend they are the real customer with the aim of porting the phone number to a new SIM. Once armed with a replacement SIM card, they use the username and password of the customer (often obtained via the dark web, RATware or social engineering) to gain access to the clients account, often within minutes and well before the customer realizes that their mobile phone number doesn’t work.

How such frauds can be eliminated

The good news is that high quality, extremely customer friendly security and inexpensive solutions are available now. Uniken’s REL-ID solution solves all three of the SMS OTP issues, also enhances the customer experience and eliminates passwords making it easier for customers while further reducing the attack surface.

REL-ID uses cryptographic based keys on the client’s mobile device in combination with a secure push-based notification system to provide messages that can clearly and boldly denote the bank’s security policies of never asking for credentials thereby limiting fraud.

It ensures that passwords cannot be bypassed, like SMS OTPs, that rely on SIM cards by ensuring that the cryptographic keys are embedded in the device hardware itself.  It also has a malware detection capability that eliminates threats related to Remote Access Techniques (RATware) and requires the customer to present a biometric to the device itself before allowing access to the local hardware based cryptographic key.  

Screen Shot 2020-05-01 at 8.48.29 AM

Let’s all move past SMS OTPs. The time is right!

About Uniken 

Uniken is a pioneer in the field of mobile first security. Uniken's flagship product REL-ID is an advanced, first-of-its-kind, security platform that secures connections between customers and businesses while taking fraud to zero. REL-ID protects customers, enterprises and the entire ecosystem from a wide variety of risks such as identity attacks, device attacks and network attacks. For its pioneering products, Uniken has received various awards and recognition including Gartner Cool Vendor in Identity and Access Management (2018) and Forrester Now Tech Industry Leader in Authentication Management Solutions (2018) and most recently (2019) the Frost & Sullivan Identity & Access Management Technology Innovation Award.