If you’ve been following Authentication related discussions, you know that a lot of the tactical focus is on adding additional authentication factors to the base username/password login mechanism as a way of making it more secure. This is particularly true in consumer facing applications, as brought into stark contrast by the Mat Honan hack episode. A cornerstone in this is the use of SMS delivered One Time Passwords (OTPs) as a just-in-time authentication factor. This has been incorporated by a variety of services, ranging from social networking to banking services. Google and Facebook (two of the biggest Identity Providers) leverage it, and I recently tweeted about Twitter’s position on incorporating this. Specifically, these services use OTP when they detect that the user is logging in from a device (laptop, tablet) not previously used.
Well, now comes this little gem from the land down under, courtesy of Simon Harvey (with Mark Perry specifically bringing it to my attention on twitter). The lobby group for Australian telcos (most notably Telstra, Optus and Vodafone) has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction. In other words, don’t use SMS delivered OTPs.
Why are they taking this remarkable position of declaring their own service ‘unsafe’? It has nothing to do with interception and decryption of communications (as has been worried about by many). In what seems incredibly reminiscent of the issues outlined in the Mat Honan attack, it is a process issue, and one that the telcos are apparently saying they don’t want to fix (in the name of consumer convenience).
The problem lies in the ease with which a hacker can implement a phone porting scam, in which they move someone’s mobile phone number from one service provider to their own, thereby receiving the SMS delivered OTP on their own device. At the heart of this is another identity verification problem. Porting the number over in Australia simply requires providing the mobile number itself, and either the persons date of birth or mobile account number – incredibly easy to obtain pieces of information by any measure. The telcos had considered adding the equally insecure Static KBA mechanism in which subscribers added security questions to their accounts, but then backed off from that.
The fact that a subscriber can have their mobile number stolen so easily is in itself a major concern, and one that the telcos aren’t taking on because of “reasons of competition and database performance”. The article quotes Communications Alliance chief executive John Stanton as saying
“Apart from making the porting process more time-consuming and less convenient for hundreds of thousands of Australians every year, additional ‘security’ may be seen as a tool to lock in customers, hinder number portability and thus be deemed to be anti-competitive,”
Except that the Mat Honan hack showed us just what can happen when you put convenience over security.
So What To Do?
First off, the telcos really need to make the process of porting numbers less susceptible to fraud by incorporating better identity verification than simply asking for a date of birth. Identity verification services like those from Lexis Nexis provide a far more robust way to spot verify the caller on the other side of the line, or at the store. Our mobile numbers have become far too important in the context of our lives to be so poorly protected.
As the article points out, backing out of SMS delivered OTP is going to be hard for a number of the services that have incorporated it. While the telcos are specifically advising against the usage in banking transactions, it is hard to imagine enterprises or identity providers not considering their risk to be in the same ballpark. But what options do they have?
The article points out how moving to physical tokens is not a practical solution for most (and it’s not even a good option). Soft tokens via mobile apps is a decent alternative (provided there is good authentication and security built into the app itself), but is not as inclusive in a world where not everyone can afford expensive smartphones. The same goes for mobile apps that leverage the smartphone camera and mic for simple biometric authentication. The use of identity verification services as described above is a little too intrusive or onerous when used to secure common transactions, but should definitely be considered for high value transactions. And there will still be enough services that consider the threat to SMS-delivered OTP to simply not be great enough to rule it out for certain levels of transactions. All these options and more (Any that I missed? Let me know in the comments) should be considered and blended into a truly risk-based security model.
Ultimately though, this problem will only be tackled in the move from authentication to recognition, where multiple, non-intrusive techniques will be layered together to provide services a high level of assurance regarding the interacting identity. In the meantime, these telcos really need to fix their processes.