Aspect Software’s latest blog has issued a stark warning about the risk of financial fraud for mobile banking customers if banks continue to use SMS alone to send one-time passcodes (OTPs) to mobile devices to authenticate transactions.
Keiron Dalton, mobile security expert and Senior Director of Customer Strategy & Innovation at Aspect, suggests in his blog that this type of two-step authentication has been popular due to its ease and lack of disruption for the customer, but the threat of ‘SIM Swap’ fraud has now rendered it vulnerable.
He said [on BBC Radio 4]: “Genuine contact centre recordings from an online banking customer in the UK exposed the concerning simplicity of how someone was able to verbally convince an agent working for a mobile network operator to ‘swap’ the customer’s registered SIM card to one in their possession. Any OTPs generated from online or mobile transfers initiated by the fraudster would then go to their new SIM card, enabling them to authenticate and complete the transaction process.”
According to guidelines from the European Banking Authority (EBA), banks must use at least two-factor authentication for complex transactions such as payments. But Dalton strongly recommends that if SMS is used, the provider must deploy extra context checks, such as divert detection, location-based checks using GPS, and SIM swap detection via the contact centre.
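As an added illustration of the context checks Dalton lists (not code from Aspect or from the blog), the following gate decides whether an SMS OTP may be sent at all or whether the transaction must be stepped up to another channel. It assumes the bank can obtain three signals the page names but does not specify: the time of the last SIM change from the operator, an active call/SMS divert flag, and the device's GPS position; the field names, thresholds and sample data are constructed.

```python
"""Context checks before trusting an SMS one-time passcode (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import radians, sin, cos, asin, sqrt
from typing import List, Optional, Tuple

# Assumed policy values: refuse SMS OTP this soon after a SIM change, and when the
# device is this far from the customer's usual location.
SIM_SWAP_WINDOW = timedelta(hours=24)
MAX_DISTANCE_KM = 100.0

@dataclass
class OtpContext:
    requested_at: datetime
    sim_changed_at: Optional[datetime]        # operator lookup; None = no change on record
    divert_active: bool                       # operator reports SMS/call forwarding enabled
    device_gps: Optional[Tuple[float, float]] # (lat, lon) from the banking app, if available
    home_gps: Tuple[float, float]             # customer's usual location (lat, lon)

def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def sms_otp_decision(ctx: OtpContext) -> Tuple[str, List[str]]:
    """Return ("send", []) or ("step_up", reasons). Any single hit distrusts SMS alone."""
    reasons: List[str] = []
    if ctx.sim_changed_at is not None and ctx.requested_at - ctx.sim_changed_at < SIM_SWAP_WINDOW:
        reasons.append("recent_sim_swap")          # classic SIM swap pattern
    if ctx.divert_active:
        reasons.append("divert_active")            # OTP would be forwarded elsewhere
    if ctx.device_gps is None:
        reasons.append("no_location")              # cannot corroborate the device
    elif haversine_km(ctx.device_gps, ctx.home_gps) > MAX_DISTANCE_KM:
        reasons.append("location_mismatch")
    return ("step_up" if reasons else "send"), reasons

# Constructed sample requests (timestamps and coordinates are illustrative only).
NOW = datetime(2017, 5, 1, 12, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
MANCHESTER = (53.4808, -2.2426)   # roughly 262 km from LONDON
SAMPLES = {
    "legit":    OtpContext(NOW, NOW - timedelta(days=400), False, LONDON, LONDON),
    "sim_swap": OtpContext(NOW, NOW - timedelta(hours=2), False, LONDON, LONDON),
    "divert":   OtpContext(NOW, None, True, LONDON, LONDON),
    "far_away": OtpContext(NOW, None, False, MANCHESTER, LONDON),
}

if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        print(f"{name:9s} -> {sms_otp_decision(ctx)}")
```

Only the "legit" sample is cleared for SMS delivery; each of the others trips exactly one of the checks and is routed to step-up authentication.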