A Message from Hell

“Customers appreciate security” is something I’ve heard time and again. When a big credit card associations wanted to increase user registration to a new eCommerce authentication program some ten years ago, they did a ‘focus group’, and people told them it would be really swell if the bank enforced the new security rather than made it optional. “It shows the card company takes security seriously” was the quote, if I remember correctly. This got me smiling; our own data showed that when you force people to use the new scheme, 20% abandon the eCommerce transaction. I shared that info with the card association, and thankfully they dropped the idea.

I heard it again when UK banks deployed CAP EMV, which are smart card readers that users of online banking must use to send money out of their accounts. Five years later, the only folks who seem to like these controls are the fraudsters who found clever ways to circumvent them. Users don’t really like them, and many of the banks I talked to want to get rid of them.

I’m hearing it again nowadays in relation to a new trend that is hitting the cyber streets: one-time-password codes sent via an SMS (a text message) as a second factor of authentication, proving you’re in possession of the phone on record. Again I’m hearing “customers appreciate security”: I mean, if the bank sends you a one time code because you come from a new location/device, you’re going to appreciate it, right?

The technology first took root in Europe, where several banks in countries such as UK and Spain adopted it several years ago. Australian banks began using it as well, and by now many countries use the method. In the US, text messages were not as prevalent and the secondary authentication remained secret questions (e.g. where did your parents meet?) in most cases.

This is now changing because of a regulation update from the FFIEC, a super-regulator in the US, who says secret questions are rubbish, and something better must be used as a step-up authentication. They are right, of course, but I don’t think anyone considered the usability implications. Banks that must discard secret questions and move to text messages are about to discover the Dark Side of Security. 

Sending a 6-digit one-time code via text is a brilliant idea – if it works. Trouble is, there’s a 15%-20% chance it won’t.  The following things may go wrong:

• The mobile number on file may be not up to date.
• Roaming users may not get the text message. It happened to me this week: I was on my way to a meeting and wanted to access my Google Drive to fetch the phone number of the guy I’m meeting. Since I was accessing the drive from a location I never used before, Google sent me a text message with an OTP. I never got it, and was locked out of my drive. That’s the last thing Google wants to do, locking people out of their cloud infrastructure.
• Your battery might be dead, or the phone might be in a bad reception area. Happened to my colleague who was in an Internet café and wanted to connect via the local wifi. It was a free wifi, but required opening an account, a process that also involved a text OTP sent to my colleague’s device. Which was out of battery, so he couldn’t connect his PC to the wifi.
• You might not even have the phone with you. Another colleague of mine, a security journalist, told me he has 2 phones: a regular phone and an international one. He was with the international phone when he tried to log into Hotmail, and Microsoft told him he’s coming from an IP address he never used before – which is quite expected when you travel internationally.  Anyway, he couldn’t log in because he was using another phone for the international travel.
• Folks who are less technology-savvy won’t figure it out. There’s a good chunk of your customer base who will see the scary message of “new 2-step authentication”, won’t understand a bit, close the browser and just call you or visit the branch to complete the transaction. You’ve just killed the online channel for these individuals. They have other options; you don’t. The call center and branch are SO expensive to maintain. 

Note that I’m not even talking about the level of security SMS codes provide (hint: not that great. Fraudsters have been bypassing it for years using methods like Zeus in the Mobile – Zitmo for short – and more basic stuff like socially engineering the victim to give the code to the fraudster, or doing call forwarding, or changing the user’s phone number at the bank etc.) – I’m just talking about the impact of moving to SMS authentication.

So, what can banks do about this?

The main thing is to reduce the number of high-risk transactions you need to handle with a text message. Today the banks use monitoring technologies that fall into two buckets: transaction-focused intelligence, which looks for anomalous actions, and device-focused intelligence, which looks for a new device, a strange IP geo location or signs that the device is infected with something. Using these controls, the banks get to about 5% of high-risk scenarios that require a secondary authentication. This translates to millions of login events per month or daily (depending on the size of the bank). Every 1% represents thousands of frustrated customers eager to do business with the bank online and failing to do so… But getting it below 5% while not letting fraudsters in is a daunting task, because that’s the practical limit of current risk analysis  technologies.

No; cutting the high-risk handling must be done with a new sort of monitoring. Something that goes beyond transactional or device focused traits. Good candidates are technologies that track user behavioral traits, trying to profile the user and see if their interaction with the site is consistent with the past; or technologies that focus on fraudster behavioral traits, which means analyzing the fraud cases for any repeat characteristics in their interaction with the application.

In any case, if banks don’t think ahead of this move, they might find the whole thing turning into a Message from Hell…