We’re all well aware that passwords are indeed all but useless at this stage, some have been aware for longer, some more aware of the threats, but I think we’re all there: passwords are not sufficient to protect our money or data anymore. There are a few reasons for this, among which are attacks such as phishing, social engineering, and man-in-the-middle, all of which come at different angles to separate the victim from their privacy, money, and sometimes reputation. So, my question here is: why are we looking at passwords again?

There are some clever OTP (one-time password) solutions out there, but even the best are average when it comes to strong authentication technology, hardware and cryptographic solutions being at the upper end of the scale, ordinary passwords being at the bottom. The PSD2’s (Payment Services Directive) SCA (Strong Customer Authentication) requirement will be coming into force in the EU in September and all banks will need to achieve a minimum level of authentication security online. More simply put, they’ll need to provide 2FA (two factor authentication) for their customers. There’s an area of debate worth noting in this space though.

When we talk about 2FA, there is little debate as to what set of factors we’re drawing from; the factors are possession, biometric/inherent, and knowledge-based. The debate starts when we ask the question, where does an OTP fall? We can rule out biometric, so the question is: is a one-time password sent to your phone possession-based because you possess the phone, or knowledge-based, because though you only know it for a short time, your new password is of course, something you know? I fall into the latter camp, as it’s not because you own that phone, or even that SIM card that you get the password. It’s that you happen to be the receiver of some information passed along a channel currently assigned to your SIM card. Can it be said you own that channel, and therefore it’s possession-based? That’s a bit of a stretch, especially when the traffic along said channel can be rerouted.

Now of course, this is only my opinion, but it is based on others’, though there are quite specific paragraphs in official documents that disagree. One such paragraph being paragraph 35 of the EBA (European Banking Authority) opinion on the implementation of the Commission Delegated Regulation which states that “For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”. It goes on to say that in that context, an OTP via SMS does comply with this article. Bobsguide goes deeper but who am I do contradict the EBA? No one at all, but the more I read, the more the word emboldened above is another reason I disagree with them, and if OTPs via SMS are considered a possession-based factor, we still have to consider either a knowledge or biometric-based factor to go with it, which I fear is likely going to be just a standard password.

With the “reliable” question in our minds, let’s consider some of the ways that someone’s OTP that has been sent via SMS can be stolen. One industry wide concern is the SS7 vulnerability. This flaw in the Signalling System 7, created in the 1980s, enables data theft, eavesdropping, text interception, and even location tracking. Previously, it was not considered such a concern as the value associated with attacking this vulnerability was so low. But now that massive service providers and banks alike are utilising SMS to send security codes, it is getting the expected attention, just not from the telcos, but from our friendly, neighbourhood hackers. This has been happening for years, and though it is a complex and expensive attack, the return on investment is going to grow considerably come September when all EU banks will have to conform to the new SCA requirement, the cheap and easy solution being OTPs via SMS.

This is only one method to steal an OTP via SMS. Other cheaper, less technical options involve social engineering attacks on mobile service providers, convincing (or bribing) the customer service desk to redirect the victim’s phone traffic to the attacker’s, and phishing, which is still possible with what might seem like a simple request – “I used to have that number/put in the wrong phone number, and I’ve been locked out of my Instagram account. Could you please send me the code you’re about to receive?”. There are more complex attacks like man-in-the-middle which can involve having a user unwittingly install malware on their device which enables the attacker to see their screen or log their key strokes, enabling the attacker to steal the OTP in real time and then access the victim’s account. I don’t know about you, but I’m not willing to rely on this system to protect my life savings.

A rose by any other name… Passwords are passwords, whether they’re one time use or not. OTPs truly are the next worst thing after an ordinary password, and via SMS is all the more worrying. Banks from countries all over Europe like the UK and Germany have already been embarrassed and lost millions to attacks subverting this “new” “2FA” (both requiring “”), and from what I’m reading, more banks are about to follow in their footsteps. Banks used to lead the way in security, but it feels like many are looking to take the easy way out. My advice? Stay clear of passwords all together and use mobile-based cryptographic solutions; they’re secure, cost-effective, and of course, they are reliable.

@MaxCvdP