SMS OTP - Blessing Or Curse? (2024)

The overwhelming use of SMS OTP: its status, shortcomings and alternatives

Picture this: you are at a shopping mall, ready to pay at the check-out, when you realize that you are out of cash and there are no ATMs nearby. You ask the cashier whether they accept online payment, open the banking app on your smartphone, type in your credentials, and just before you transfer the money the app asks you to verify the transaction by entering a code sent to your phone via SMS: your SMS OTP. You have used this feature a million times before without a second thought, never asking what it is, how it works, or whether it is any good as a security feature.

Like you, millions of people use this feature for individual and corporate transactions, contributing a staggering $8.9 billion to the OTP segment of the two-factor authentication market.

In this article, we will look at what SMS OTPs are, how secure they are, and whether there are better ways to protect your personal and financial information. So let's get to it.

What is SMS OTP?

An SMS OTP, or "one-time password" delivered by SMS, is an alphanumeric code or PIN generated by a website, bank, digital platform or application and sent to the user's phone to confirm that the person using the service is its legitimate user.

The technique cross-references the user data already on file with a time-limited code that the service provider sends to you. In technical terms this is "two-factor authentication": besides the information you know and enter yourself, such as a username and password, the service asks you to prove possession of something you have, here the phone registered to your account, to verify your identity and add a further layer of protection.

Because the OTP is sent to you as a separate step, the process is also called two-step verification. SMS OTPs are extremely common and are used globally by banks and online service providers of every kind. The mechanism is meant to protect you from account takeover and from transactions you did not authorize. Thanks to this ease of use, over 93% of enterprises use SMS OTP for some verification purpose, according to a recent survey by the Mobile Ecosystem Forum (MEF).
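Server-side, an SMS OTP is only as good as the checks built around it. As an added Python example (not code from the original article or from any vendor), the service below stores only a keyed hash of the code, expires it, limits guesses, makes it single-use, and binds it to the transaction it authorises; the policy values, user ids and transaction strings are constructed for illustration.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # constructed policy: a code is valid for two minutes
MAX_ATTEMPTS = 3        # constructed policy: a code is voided after three wrong guesses

@dataclass
class PendingOtp:
    code_hash: bytes     # the server keeps only a keyed hash, never the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False

class OtpService:
    """Issues and verifies one-time codes bound to a specific transaction."""
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so expiry can be tested
        self.pepper = secrets.token_bytes(32)    # server-side secret for the keyed hash
        self.pending = {}                        # user_id -> PendingOtp

    def _digest(self, user_id, tx_context, code):
        msg = f"{user_id}|{tx_context}|{code}".encode()
        return hmac.new(self.pepper, msg, hashlib.sha256).digest()

    def issue(self, user_id, tx_context):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.randint
        self.pending[user_id] = PendingOtp(self._digest(user_id, tx_context, code),
                                           self.clock() + OTP_TTL_SECONDS)
        # The message names the transaction so the user can spot a mismatch.
        sms = f"Code {code} authorises: {tx_context}. Valid {OTP_TTL_SECONDS // 60} min."
        return code, sms

    def verify(self, user_id, tx_context, code):
        entry = self.pending.get(user_id)
        if entry is None or entry.used:
            return False, "no active code"
        if self.clock() > entry.expires_at:
            del self.pending[user_id]
            return False, "expired"
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]
            return False, "too many attempts"
        entry.attempts += 1
        # Hashing over tx_context means a code phished for one transfer cannot authorise another.
        if not hmac.compare_digest(entry.code_hash, self._digest(user_id, tx_context, code)):
            return False, "wrong code or transaction mismatch"
        entry.used = True                         # strictly single use
        return True, "ok"
```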

The key advantages of an SMS OTP are:

  • No compatibility issues or requirements to install additional apps.
  • Ideal for verifying user identity at the time of login, purchase, or financial transaction, since mobile phones are the most commonly used devices worldwide in this tech-centric era.
  • Service providers do not need to keep any sensitive user information on their servers if they use SMS OTPs and Two-step verification.

Due to ease and flexibility, SMS OTPs have stormed the digital world. However, there is still a lot that we do not know, so let's dig deeper and find out how effective this system is in securing your data.

SMS OTP Taking Over Banking Apps

Banking apps are among the most commonly used transaction solutions for routine payments, from paying school fees to ordering from your favourite restaurant. In many countries, banking apps are required by law to use 2FA. For instance, in the UK and USA, all financial transactions must pass 2FA consisting of a PIN code and a financial OTP received via SMS.

The popularity runs both ways: more than 67% of digital banking and e-wallet app users prefer to receive OTPs by SMS.

But are SMS OTPs really that good, or is this another false bargain? Let's explore.

Are SMS OTPs Really Secure? The Perils of SMS OTP

As the saying goes, you can have too much of a good thing, and SMS OTPs are a case in point. On the surface, receiving a short-lived secret code on your own mobile device may seem secure. That is far from the truth. Here are the key shortcomings of SMS OTPs:

Vulnerability

As unlikely as it may seem, your SMS OTP is vulnerable to phishing and social engineering. This is primarily because you have to type the code into a browser or app yourself, and that step is one a fraudster can influence: someone might talk you into reading out or handing over your OTP, or use malware on your device to capture the code as you enter it.

Once they have your OTP, they can wreak havoc on your accounts and finances.

Dependency on Telecommunication Services

Banking apps rely heavily on telecommunication services to deliver your SMS OTP, and that dependency has a few grave problems. The bank has effectively outsourced its OTP delivery, and telecommunication companies are not bound by law to protect it to the same standard, so a fraudster can manipulate the delivery channel instead of the bank. How? Duplicate SIMs can be issued thanks to insufficient identity checks at telecom operators, which means your OTP may also arrive on someone else's phone.

Outdated Technology

The infrastructure behind the SMS service is ancient and outdated, and messages can be intercepted as they travel from one device to another. The weakness comes from the lack of encryption: SMS has neither end-to-end encryption nor modern transport protection such as TLS. Such an insecure channel is an open invitation for trouble.

Unwanted Backup

By using SMS OTPs, your supposedly secret codes end up stored on telecommunication servers and within government surveillance and security infrastructure. This unwanted copy of the information may lead to spying, data interference and even data theft.

User Inconvenience

The SMS-based OTP system is highly inconvenient, especially when you carry out several transactions in a row, since you have to enter a new code by hand for each one.

Another major inconvenience is the delay in receiving the SMS in areas with poor cellular coverage, which may make it look as if your transaction has not gone through or has failed when in reality the money has already been transferred or received.

In addition, SMS OTPs may not reach you at all because of network issues between the cellular carriers and your bank's infrastructure.

SMS OTP Alternatives

Based on the various key issues facing the SMS OTP, it is safe to say that this form of authentication is no longer secure and is outdated, making it prone to hacking, social engineering, and phishing attacks. Fortunately, there are a few robust alternatives available.

  • Twilio - Silent Network Authentication (SNA)

Silent network authentication (SNA) is the newest and most secure alternative to SMS OTPs. In this method, the user's identity is verified at sign-up or at transaction time without the user having to leave the app or type in any code.

The system uses GSM technology and, through direct carrier connections, verifies possession of the phone number in the background. When triggered, the verification creates a session in which the phone number is checked against your GSM service provider and confirmed to be genuine rather than spoofed. This form of authentication is secure because there is no code for a hacker or fraudster to steal or trick you out of.

It also helps protect you from malware and phone cloning, since the system verifies your number and its possession directly with your service provider and cross-references it with your current location. The technique is becoming popular among individual users, but the concept is still relatively new for businesses.

  • WhatsApp OTPs

A common and more reliable alternative to insecure SMS OTP is WhatsApp OTP. Receiving your one-time password or other sensitive information is safer through WhatsApp since WhatsApp utilizes end-to-end data encryption.

This means that your OTP is well protected from interception, and since WhatsApp is widely used, authenticating via WhatsApp is not only convenient but also far less expensive than via SMS.

  • Social Logins

A very common alternative is to log in to websites and banking apps with an identity you already hold on a third-party platform such as Google or Facebook. This method is convenient. However, security concerns remain, and the dependence on the third-party platform is itself a risk, especially if that platform goes down or is hacked or compromised.

  • FIDO (Fast ID Online) Keys

FIDO technology treats the user's device as a secure authentication key store. This means that to gain access, all you need to do is present something that belongs specifically to you, for example your fingerprint (biometrics), a pattern or your lock-screen password, all of which remain in your possession alone.

In this system, your mobile device can also be used to authenticate your identity: all you need to do is approve a prompt on your mobile, PC or laptop to gain access. This is highly secure and convenient, and it is backed by the three giants of the tech world, Google, Apple and Microsoft.
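The phishing resistance that sets FIDO apart from SMS OTP comes from the browser binding every assertion to the origin it was actually collected from, so a code-reading trick has nothing to work with. As an added, standard-library-only illustration (not the FIDO specification's or any vendor's code), a relying-party check that rejects an assertion collected on a look-alike domain, a replayed challenge, or a different device; an HMAC over a per-credential secret stands in for the authenticator's private-key signature, and the domain names are constructed.

```python
import hashlib, hmac, json, secrets

RP_ID = "bank.example"              # constructed relying-party id
RP_ORIGIN = "https://bank.example"  # the only origin the bank accepts assertions from

class Authenticator:
    """Stand-in for a FIDO authenticator. A real one signs with a private key that never
    leaves the device; HMAC over a per-credential secret is used here only so the example
    runs on the standard library. The origin field is written by the browser, not the user."""
    def __init__(self):
        self.credential_secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id, browser_origin, challenge):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash field
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credential_secret, to_sign, hashlib.sha256).digest()
        return client_data, auth_data, sig

class RelyingParty:
    def __init__(self, credential_secret):
        self.credential_secret = credential_secret  # the registered public key in real FIDO
        self.outstanding = set()                    # challenges issued but not yet consumed

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.outstanding:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != RP_ORIGIN:
            # A look-alike site cannot forge this: the browser records where the
            # user really was, so an assertion obtained there fails here.
            return False, "origin mismatch"
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpId mismatch"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.credential_secret, to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.outstanding.discard(cd["challenge"])   # each challenge is single use
        return True, "ok"
```

In a real browser the credential would not even be offered on the look-alike domain, because the rpId must match the page's domain; the server-side origin check is the defence in depth behind that.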

Are the Fast-Growing Digital Apps Equal to Consumer Digital Literacy?

With the constantly evolving field of information technology and our increasing dependence on mobile apps for banking and shopping, it is difficult to keep tabs on these solutions' dangers, failures and vulnerabilities. Banking apps and websites are exceedingly popular all across the globe.

Despite the sheer number of online platforms, awareness of safe and effective use is limited, and cybercriminals and scam artists often trick consumers into willingly giving up vital information, leading to financial loss and psychological trauma. There is a great need to educate users about data security and safe data transmission, alongside replacing outdated systems such as SMS OTP.

SMS OTP-based Cyber Attack in Indonesia

Much like the rest of the world, Indonesians use banking apps and online banking platforms to carry out their financial transactions. Although banks are required by law to ensure a high degree of safety and authentication for their users, flaws remain because of outdated technology such as SMS OTP.

All banks in Indonesia use two-factor authentication to validate financial transactions. The weakness of this system came to light in an incident at one of Indonesia's national banks: cybercriminals set up phishing websites that imitated the bank's site, invited customers to select tariffs and packages for banking services, and in doing so tricked them into entering their PIN codes and OTPs.

But the attack did not stop there; in the next stage, the cybercriminals used malware on infected devices to intercept messages and steal user information, OTPs and financial PIN codes. The incident cost thousands of users large sums of money and not only damaged the bank's reputation but also exposed the weaknesses of the outdated SMS-based two-factor authentication system used in Indonesia. With the right tools and alternatives, such grave incidents can be prevented.

Final Words

After an extensive look at the extremely popular and widely used SMS-based authentication system employed worldwide, it is clear that this system is in desperate need of an upgrade. Fortunately, a few highly secure and convenient alternatives, such as silent network authentication, are available.

We recommend that, as a user of mobile banking apps and online e-commerce platforms, you avoid SMS OTP where possible. If for some reason you cannot avoid it, we recommend you use end-to-end encrypted services to safeguard your identity as well as your finances.

We hope that this article helps you better understand SMS OTPs, and as always, we hope to see you in the next article!

Author: Edmund Hettinger DC
