OTP vulnerability raises SCA questions

Market participants warn that a known vulnerability in telco operations could prove problematic for banks using one-time passwords (OTP) to authenticate transactions, once PSD2’s SCA deadline rolls around in September.

Earlier this month, Metro Bank was hit by fraudsters exploiting the vulnerability – the SS7 protocol – in the telco network. After phishing login credentials, the fraudsters were able to divert messages from legitimate customers’ phones – including OTPs – in order to initiate transactions and bypass two factor authentication. A Metro Bank spokesperson told bobsguide it had only affected an “extremely small number” of customers and those customers were not out of pocket.

Mark O’Keefe, founding director of payments specialists Optima Consulting, warns that the vulnerability could present a breach of PSD2’s Strong Customer Authentication (SCA), that requires banks to “ensure integrity and confidentiality” of two factor authentication (2FA).

“If this flaw or weakness [in SS7] becomes so obvious or so possible that you cannot ensure the integrity or confidentiality then by definition it would render OTP not a potential option for SCA,” says O’Keefe.

“SS7 is a pretty major vulnerability,” says Graeme Coffey, head of business development at telephony security firm, AdaptiveMobile. “But was never designed to be secure in its own right,” he says.

The SS7 protocol was designed as a control protocol for the telecom networks by global industry body GSMA between 1988-1990.

“It was assumed back then that the SS7 environment was closed in that only other carriers were connecting to these networks, all of which were heavily scrutinised; a person from BT could call the person from Vodafone initiating the connection and confirm it directly,” says Coffey.

“But with the emergence of new vendors from Russia and China as well as the emergence of mobile virtual network operators (MVNOs), the SS7 environment has become much more open to the extent that you can now buy SS7 capacity and use it pretty much without scrutiny,” he says.

Firms have known about this vulnerability for some time, says Ryan Gosling, vice president of partnerships at CallSign, calling it a “fundamental problem with no quick fix” after a similar attack in Germany as well as revealing research on the hack in 2014.

“The telephony network operators have been doing some work to mitigate it,” he says, “but it’s really down to the nature of the protocol that there are some messages they just have to accept from other network operators and the protocol doesn’t allow them to verify that those messages are coming from a legitimate source.”

Vodafone has specific security measures in place to protect customers against SS7 vulnerabilities, according to a spokesperson. GSMA did not respond for comment.

Coffey contends the vulnerability is still an industry issue and one that is not set to go away.

“Without a dedicated firewall in place, every network is vulnerable,” he says. “Some of the carriers in the UK have firewall protections in place and others don’t.

“Even the new standards coming out like diameter messaging still have the same flaws and vulnerabilities – even the move to 5G will have to work with legacy networks and protocols, and hackers will continue to exploit the weakest point in the chain,” says Coffey.

SS7 & SCA – a real threat or an academic question of compliance?

While banks have been working with the likes of CallSign and AdaptiveMobile, there is still much to be desired for cross-industry collaboration, particularly with the impending SCA deadline, says AdaptiveMobile’s Coffey.

Banks, or Account Servicing Payment Service Providers (ASPSP), will need to implement two factor authentication under SCA by September 14. Two factor authentication involves confirmation of something the customer knows (knowledge element), something the customer is (inherence element), and something the customer has (possession element). OTP constitutes something a customer has – the phone.

“Carriers are able to point to other chains in the process and say it’s not our fault,” says Coffey. “It’s their fault, because we never told them our network was secure and the banks say that they assumed the network was secure.

“Partly it’s a misunderstanding of the technology on both sides, partly it’s a lack of problem ownership end-to-end and partly regulatory structures that keeps carriers from problem-solving industry-wide collaboration creates a worsening situation,” he says.

Ensure confidentiality and integrity of OTP, says regulator

A lack of ownership and increased interest in fraudster circles for the SS7 exploit are set to create the perfect chaotic storm when the deadline comes around.

“As exploit kits and the use of SMS and also outbound calls as factors of authentication have become ubiquitous, it’s worth more for fraudsters to go after that market because it’s growing; they’ve potentially got a wider target audience.

“PSD2’s SCA driver, things like SMS and phone calls which rely on the SS7 network has taken an uplift and their use may unravel a few more of these of the fraud challenges that we've got. ” says CallSign’s Gosling.

For Optima Consulting’s O’Keefe September’s SCA deadline will bring with it an increased use of OTP.

“Come September, the path of least resistance for most issuers is going to be the use of OTP and presents a great opportunity for fraudsters to take advantage of the SCA changes.

“That might be by marketing around the changes to perform phishing attacks, pretending to be a bank needing to re-enter details or, on the flip side, if SCA will phase out OTP, fraudsters might look to get into this SS7 OTP loophole and fill their boots while they can," he says.

While the issue of the SS7 vulnerability has not been explicitly addressed by the European Banking Authority (EBA), a recent Q&A at the stakeholder group asked the question of the reliability of OTP as an authentication method.

In the Q&A, clarification was asked around the OTPs.

“Paragraph 35 of the EBA opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication) clarifies that ‘For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’,” responded the EBA.

"In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of these RTS, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of these RTS. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.

"In addition, regardless of whether an SCA element is possession, knowledge or inherence, Article 22(1) of the RTS requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the RTS states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.

“The EBA and FCA have been clear on this in a way,” says O’Keefe. “They say that if you want to use OTP you need measures to prevent replication in the elements and the ability to ensure the confidentiality and integrity.”

• Read more under:
• BankingTech
• Digital Banking