Many organizations rely on SMS to send consumers one-time passwords (OTPs) as a step in the two-factor authentication process. This gives them added confidence that a consumer is who he or she claims to be by sending a password to that person’s device before allowing them to access an account or complete a transaction.
However, the National Institute of Standards and Technology (NIST) recently took the stance that OTPs via SMS may not be secure, and organizations should use other identity authentication methods when doing business. Understanding NIST’s concerns about the technology, and its vulnerabilities, will allow companies to analyze their current verification systems and improve processes to fight fraud and eliminate risk.
Vulnerabilities in SMS Communication
Any time an organization requires a user ID and password in order to access information, such as an online bank account, it gives hackers an incentive to launch attacks on consumers in an effort to steal those credentials. While the idea behind two-factor authentication using SMS is well intentioned, it does not, on its own, stop fraudsters from hacking their way into a system.
Some of the ways criminals exploit vulnerabilities in SMS include:
- Middleman Malware – The premise behind OTPs via SMS is that users log in with a username and password and are then sent a one-time code to their mobile device. They use this code to complete the authentication process, on the assumption that only someone with both the ID/password combination and access to the mobile device is legitimate. However, this does not account for malware that takes users to fake websites where they enter their credentials. Once an OTP is generated, the user types it into the fake site as well; the fraudster, who relays it to the real site before it expires, now has complete account access.
- Number Porting – Another way hackers get around SMS codes is number porting, where they transfer a mobile phone number to a new device without the owner’s knowledge. Combined with other tactics to steal the username and password, this gives criminals account access, because the OTP is sent to their device instead of to the legitimate user.
The authentication system believes that it has been successful in verifying a user, but it has actually been tricked.
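As an added example that is not IDology’s code and does not describe any real operator or vendor API, the following Python check shows how a relying party could use carrier port and SIM-change dates (the kind of Mobile Network Operator data the text says a stronger solution draws on) to withhold an SMS OTP from a number that recently changed hands, or changed hands after the customer enrolled it, and fall back to another factor instead. All field names, the settle window and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed record shapes for this example only; no real MNO or vendor API has them.
@dataclass
class MnoRecord:
    msisdn: str
    last_port_date: Optional[datetime]   # number last moved to another carrier
    last_sim_change: Optional[datetime]  # SIM behind the number last replaced

@dataclass
class AccountBinding:
    msisdn: str
    bound_at: datetime  # when the customer enrolled this number for OTPs

SETTLE_WINDOW = timedelta(days=7)  # assumed: how long a fresh port/SIM change stays suspicious

def sms_otp_decision(binding: AccountBinding, record: MnoRecord, now: datetime,
                     settle: timedelta = SETTLE_WINDOW) -> Tuple[str, List[str]]:
    """Decide whether an OTP may be delivered by SMS.

    Returns ("send", []) when nothing is suspicious, otherwise ("step_up", reasons):
    the number changed hands after enrolment, or so recently that a takeover may not
    have been noticed yet, so the caller should use a non-SMS factor instead.
    """
    if record.msisdn != binding.msisdn:
        return "step_up", ["operator record is for a different number"]
    reasons: List[str] = []
    events = (("port", record.last_port_date), ("SIM change", record.last_sim_change))
    for label, when in events:
        if when is None:
            continue
        if when > binding.bound_at:
            reasons.append(f"{label} occurred after the number was enrolled")
        if now - when < settle:
            reasons.append(f"{label} occurred within the last {settle.days} days")
    return ("step_up", reasons) if reasons else ("send", reasons)

# Constructed sample data so the block runs stand-alone.
NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)
BINDING = AccountBinding("+15550100", bound_at=NOW - timedelta(days=400))
CLEAN = MnoRecord("+15550100", last_port_date=NOW - timedelta(days=900), last_sim_change=None)
PORTED = MnoRecord("+15550100", last_port_date=NOW - timedelta(days=2),
                   last_sim_change=NOW - timedelta(days=2))

if __name__ == "__main__":
    for name, rec in (("clean", CLEAN), ("ported", PORTED)):
        print(name, sms_otp_decision(BINDING, rec, NOW))
```

A legitimate phone upgrade also produces a SIM change, which is why the flagged case steps up to another factor rather than blocking the customer outright.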
Secure Authentication with IDology
It is paramount that organizations strengthen their identity authentication processes to keep fraud out of the equation. IDology’s ExpectID Mobile platform gives businesses a more secure and robust solution that uses real-time access to Mobile Network Operator data combined with device and identity data.
IDology has solutions that can be customized for any organization, including tools aimed at strengthening verification for mobile. Rather than relying on outdated username and password combinations, and SMS OTPs that are insecure, implement a system which adds to your confidence that your customers are legitimate at both account origination and future access attempts.
Learn more about the benefits IDology delivers to your organization by contacting a representative today at 866-520-1234 to request a demo.