How Secure Is the SMS Channel for OTP?

Posted by Bhavin Gohil on October 10, 2016

One-time passwords (OTPs) are widely used in the MFS / mPayment industry as a second authentication step when logging in to systems. They provide authentication on IVR, banking applications, recharges, bill payments, etc. An OTP can be used to log in only within a defined time window determined by the application's algorithm. Many systems deliver OTPs over the SMS channel because SMS is considered the most successful data transmission technique, and because of zero logistics costs and end-device liability.

The security of OTP delivered over SMS is the liability of network operators. Unfortunately, many operators use a less secure network to deliver SMS messages, which lets hackers intercept traffic on the network and steal the information being sent, so users may become victims of cellular network insecurities. Even if operators resolve this by providing a secure network for SMS, malware apps on smartphones remain a major threat, since they can read your inbox and steal sensitive information. Finally, your phone acts only as a receiver for the SMS so that you can complete the authentication; the device that actually performs the transaction is, in most cases, not authenticated, which is yet another security challenge.

Also, it is often inconvenient to read the SMS (if you have not permitted apps to auto-read your SMS inbox), then copy and paste or type the code into the authenticating application or interface. Many banking apps do not allow clipboard access, which makes completing the transaction even more inconvenient. Sometimes, because of this, you have to re-initiate the transaction. This makes it possible for hackers to acquire the OTP through various methods such as SIM swap attacks, wireless interception, physical access to the phone, mobile phone Trojans, etc.

Moreover, OTP was never intended to provide a second factor. OTPs were invented to prevent replay attacks in the days when most of the network communications were unencrypted and sniffing of passwords was a much bigger problem than it is now. The thinking went that if you included a variable part in the password, then even if it did get captured from the network, the attacker couldn’t reuse it in any future session. OTPs do not protect against Man-in-the-Middle (MITM) attacks either, so an attacker can still take over a connection where a user has sent an OTP. These days, SSL/TLS is used to encrypt network traffic and prevent MITM attacks, so these threats have been greatly reduced, and OTPs are no longer needed to prevent replay attacks.
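The replay protection described above, sketched as an added example (not code from the original post): a server-side check that makes each code single-use, short-lived and attempt-limited. The class name, transaction ids, 120-second window and three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code


class OtpStore:
    """In-memory store of pending OTPs, keyed by transaction id (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # txn_id -> [sha256 digest, expiry time, attempts left]

    def issue(self, txn_id):
        """Create a 6-digit code bound to one transaction; the caller sends it by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(f"{txn_id}:{code}".encode()).digest()
        self._pending[txn_id] = [digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, txn_id, code):
        """Return 'ok', 'unknown', 'expired', 'locked' or 'wrong'."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return "unknown"           # never issued, or already consumed (replay)
        digest, expiry, attempts = entry
        if self._clock() > expiry:
            del self._pending[txn_id]
            return "expired"
        candidate = hashlib.sha256(f"{txn_id}:{code}".encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[txn_id]  # single use: a captured code cannot be reused
            return "ok"
        entry[2] = attempts - 1
        if entry[2] <= 0:
            del self._pending[txn_id]  # too many wrong guesses: invalidate the code
            return "locked"
        return "wrong"
```

This covers only reuse of a code that has already been accepted; it does nothing about a code that is intercepted on the SMS channel before the user submits it.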

Additionally, delays in SMS OTP delivery are a major limitation of the traditional system. If you are traveling and do not have roaming activated, the OTP SMS will not be delivered, which is another limitation of SMS-based OTP. The cost of SMS messages, network coverage and the phone's unavailability are further problems.

Numerous solutions are available in the industry to avoid these challenges of SMS-based OTP, such as ultrasound authentication, RSA keys, LSB, software-based tokens, hardened browsers, PKI-based solutions, etc. Although they provide optimum security, they are not used on a large scale because of a few drawbacks. One is that the end user must own a smartphone and be literate enough to use it in routine processes. Also, proper infrastructure must be in place to deploy such solutions, which again comes with a huge bundle of CAPEX.

 
Bhavin Gohil

Bhavin Gohil worked as a Sr. Manager of Presales for the Middle East and Africa Region. His work focused on the telecom and MFS segment around Mobile Money, mPayments, mBanking and KYC regulations. Bhavin loved to listen to music and travel to different places to explore the beauty of nature.