One-time passcodes leaving mobile banking customers vulnerable to fraud, says Aspect

19 January 2016

Aspect Software calls on banking industry to include extra checks to prevent SIM Swap fraud 

Aspect Software has warned that mobile banking customers are at risk of financial fraud if banks continue to rely on SMS alone to deliver one-time passcodes (OTPs) to mobile devices for authenticating transactions. Keiron Dalton, mobile security expert and Senior Director of Customer Strategy & Innovation at Aspect, says this type of two-step authentication has become popular because it is easy to use and does not disrupt the customer, but the threat of SIM Swap fraud has left it vulnerable.

He said: “This weekend, BBC Radio 4’s Money Box programme demonstrated just how easy it is for criminals to permeate mobile banking security processes, and potentially transfer large sums of money from a customer’s account. Genuine contact centre recordings from an online banking customer in the UK exposed the concerning simplicity of how someone was able to verbally convince an agent working for a mobile network operator to ‘swap’ the customer’s registered SIM card to one in their possession. Any OTPs generated from online or mobile transfers initiated by the fraudster would then go to their new SIM card, enabling them to authenticate and complete the transaction process.”

According to guidelines from the European Banking Authority (EBA), banks and payment service providers (PSPs) must use at least two-factor authentication for complex transactions such as payments. Dalton strongly recommends that, if SMS is used as one of those factors, the provider also deploys extra context checks, such as divert detection, location-based checks using GPS, and SIM Swap detection via the contact centre.
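The background context checks described above, as an added illustration (not Aspect's product or code): before an OTP is sent by text, the bank combines a SIM-change timestamp and divert flag obtained from the mobile network operator with the GPS fix from its own app, and routes the OTP away from SMS when any check fires. The field names, the 72-hour cooling-off window and the 500 km distance threshold are assumptions for the example, as are the constructed scenarios.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional
# Policy thresholds are assumptions for this example, not figures from the article.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)  # a number is "hot" for 72 h after a SIM change
MAX_DISTANCE_KM = 500.0                    # device GPS fix vs the customer's registered location

@dataclass
class SubscriberContext:
    """Signals gathered in the background at OTP time (hypothetical fields)."""
    sim_changed_at: Optional[datetime]  # last SIM change reported by the MNO; None = unknown
    call_divert_active: bool            # a divert on the line would also catch voice callbacks
    device_lat: Optional[float]         # GPS fix from the banking app, if available
    device_lon: Optional[float]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def sms_otp_decision(now, ctx, home_lat, home_lon):
    """Return ("sms", []) when SMS may carry the OTP, else ("step_up", reasons): use another channel."""
    reasons = []
    if ctx.sim_changed_at is None:
        reasons.append("sim_history_unavailable")  # fail closed if the MNO cannot answer
    elif now - ctx.sim_changed_at < SIM_CHANGE_COOLDOWN:
        reasons.append("recent_sim_change")
    if ctx.call_divert_active:
        reasons.append("call_divert_active")
    if ctx.device_lat is not None and ctx.device_lon is not None:
        if haversine_km(ctx.device_lat, ctx.device_lon, home_lat, home_lon) > MAX_DISTANCE_KM:
            reasons.append("location_mismatch")
    return ("step_up" if reasons else "sms", reasons)

# Constructed scenarios: a customer registered in London, checked at a fixed time.
NOW = datetime(2016, 1, 19, 12, 0, tzinfo=timezone.utc)
HOME = (51.5074, -0.1278)
CASES = {
    "recent_swap": SubscriberContext(NOW - timedelta(hours=5), False, 51.5074, -0.1278),
    "clean": SubscriberContext(NOW - timedelta(days=30), False, 51.5074, -0.1278),
    "divert": SubscriberContext(NOW - timedelta(days=30), True, 51.5074, -0.1278),
    "far_away": SubscriberContext(NOW - timedelta(days=30), False, 6.5244, 3.3792),  # Lagos
}

if __name__ == "__main__":
    for name, ctx in CASES.items():
        print(name, sms_otp_decision(NOW, ctx, *HOME))
```

Only the "clean" scenario keeps SMS; the others step up without the customer having done anything differently, which is the "no disturbance" property the article argues for.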

“The industry is of course nervous about making the customer journey any more complex or time-consuming, especially since mobile banking apps in particular are designed to fit into modern, busy lifestyles and be quick and easy to use. But context checks to detect SIM Swap attempts can be performed in the background, causing no disturbance to the seamless user experience many banking customers in the UK are used to today,” Dalton said.

He advised: “Many banks and PSPs should be re-thinking their current online and mobile security processes, as well as reviewing the user journey when using such services. They should also pay attention to any increased risk surrounding channel choice when it comes to authentication processes; is a quick and easy mobile banking app better than a secure one?”

Dalton concluded: “Banks need to work to retain the ease-of-access approach that has become such a key component of modern banking, but also take responsibility for the protection of their customers. I believe that in fact we may see the Big Four and others working together alongside mobile network operators to ensure this ha
