Who Said SMS Authentication Is Dead? Part Two
By Karin Tansey
Passwords. The bane of my existence. Can’t they all just get along? Did that password start with a capital letter or was it lowercase? Was it an exclamation mark or an asterisk? Millions of consumers forget their passwords each year and are sent down the password reset process. That process typically consists of a one-time passcode (OTP) sent to the mobile number the consumer has on file; the consumer must then enter it correctly before being authorized to change the password.
Now, as the sender of that OTP (the verifier), ask yourself a few questions. How confident are you that the SMS message you just sent actually hit its intended destination? How do you know that the consumer still owns that phone number? How do you know that the OTP token wasn’t forwarded to a fraudster’s phone?
When we left off from my last blog in this series, I made the argument that SMS out-of-band authentication (OOBA) is far from dead. In fact, it continues to have a worldwide market, encompassing a number of different industries and verticals, including financial services, healthcare and e-commerce. According to an Allied Market Research report titled Global Out-of-band Authentication Market, 2017-2023, “The global out-of-band authentication market generated $274 million in 2016, and is projected to garner $1,143 million by 2023.” [1]
However, not all SMS OOBA solutions are created equal, which is where we’ll pick up from the previous conversation. With so many threats affecting the digital and mobile channels, including malware, man-in-the-middle fraud, spoofing of phone numbers, and SIM swaps, it’s becoming increasingly difficult to confidently authenticate a customer in the digital space. As mentioned previously, these very threats and vulnerabilities led the National Institute of Standards and Technology (NIST) to update its Digital Identity Guidelines (SP 800-63) in June 2017, including updated OOBA rules. Most notably, senders of OTPs “SHALL verify that the pre-registered telephone number being used is associated with a specific physical device.” [2]
Get smarter with Mobile Network Operator (MNO) Intelligence
Having the ability to do a little private investigation on your customer’s information directly with the carriers BEFORE sending the SMS is strongly recommended and frankly, a “no-brainer.” An ounce of prevention is really worth a pound of cure. Verifiers need the ability to fight against account takeover attacks and other fraud threats that target their customers’ accounts.
MNO Intelligence helps to:
- Validate account ownership. MNO intelligence can return a match/no-match indicator for identity elements as part of the mobile authentication process, confirming that the details on file with the MNO match the information in your files. For example, you can confirm that the phone number you’re sending to is really associated with Sally Jones and not James Johnson.
- Identify mobile network status changes. By understanding a phone number’s network status (active/deactivated) and whether or not a SIM swap has recently occurred, you can identify potential high-risk activities, such as carrier or phone number changes. These can signal an account takeover attempt at the carrier level, meaning your consumer may no longer be in possession of the phone number.
- Create a secure token. Confirm that the customer is associated with the right mobile device and account. Using the device’s SIM card, a secure token is created that binds the SIM information on the device, the phone number and the account to each other. If any one of the three changes, the binding no longer holds, which is what you want to detect.
- Verify the responder. Know that the device you intended to reach is the device responding to and verifying the OTP. By using a specially constructed OTP, the user can click the request and the MNO can determine which phone responded to it.
At the end of the day, these types of services help you answer the question, “Should I even send this OTP to this phone number?” The assumption is that the phone number you’re sending to is in the possession of your customer. But what if it’s not, and you knew that? Would you still send the OTP? Likely, you would not.
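To make the “should I even send it?” question concrete, here is an added example of a pre-send gate that consumes the kinds of signals described in the list above: line status, line type, subscriber name match, SIM change and port-out recency, plus a verifier-side binding token over SIM, phone number and account. This is illustrative code written for this post, not Early Warning’s product or any carrier’s API; the MnoSignals fields, the sim_id value, the seven-day window and the sample records are all assumptions and constructed data.

```python
"""Pre-send gate for an SMS OTP, driven by MNO intelligence signals.

Added example, not vendor code. The MnoSignals fields and ``sim_id`` are
assumptions standing in for whatever a carrier lookup actually returns.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed tuning value: a SIM change or port-out inside this window is a risk signal.
RISK_WINDOW_DAYS = 7


@dataclass
class MnoSignals:
    """Assumed shape of one carrier lookup result."""
    msisdn: str
    line_type: str                 # "mobile", "voip" or "landline"
    status: str                    # "active", "deactivated" or "suspended"
    name_match: bool               # subscriber name matches the account holder
    sim_id: str                    # opaque SIM identifier returned by the MNO
    sim_changed_on: Optional[date] = None
    ported_on: Optional[date] = None


@dataclass
class Decision:
    action: str                    # "send", "step_up" or "block"
    reasons: List[str] = field(default_factory=list)


def bind_token(key: bytes, sim_id: str, msisdn: str, account_id: str) -> str:
    """HMAC that ties SIM, number and account together at enrollment.

    If any of the three later changes, the recomputed token differs from the
    stored one. Length prefixes keep one field from bleeding into the next.
    """
    parts = (sim_id, msisdn, account_id)
    msg = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def gate(sig: MnoSignals, enrolled_token: str, account_id: str, key: bytes,
         today: date, window_days: int = RISK_WINDOW_DAYS) -> Decision:
    """Decide whether an OTP should go to this number at all."""
    # Hard stops: the number cannot demonstrate possession of a mobile device.
    if sig.status != "active":
        return Decision("block", [f"line status is {sig.status}"])
    if sig.line_type != "mobile":
        return Decision("block", [f"line type is {sig.line_type}, not a mobile network"])

    reasons: List[str] = []
    cutoff = today - timedelta(days=window_days)
    if sig.sim_changed_on is not None and sig.sim_changed_on >= cutoff:
        reasons.append(f"SIM changed on {sig.sim_changed_on.isoformat()}")
    if sig.ported_on is not None and sig.ported_on >= cutoff:
        reasons.append(f"number ported on {sig.ported_on.isoformat()}")
    if not sig.name_match:
        reasons.append("subscriber name does not match account holder")
    # Binding drift: the SIM seen now is not the one enrolled with this account.
    current = bind_token(key, sig.sim_id, sig.msisdn, account_id)
    if not hmac.compare_digest(current, enrolled_token):
        reasons.append("SIM/number/account binding no longer matches enrollment")

    return Decision("step_up", reasons) if reasons else Decision("send")


# ---- constructed sample data, not real lookups ----
KEY = b"verifier-side-secret-for-demo-only"
TODAY = date(2018, 3, 1)
ACCOUNT = "acct-1001"
NUMBER = "+15551230001"
ENROLLED_SIM = "sim-aaaa"
ENROLLED = bind_token(KEY, ENROLLED_SIM, NUMBER, ACCOUNT)

SAMPLES = {
    "clean": MnoSignals(NUMBER, "mobile", "active", True, ENROLLED_SIM),
    "recent_sim_swap": MnoSignals(NUMBER, "mobile", "active", True, "sim-bbbb",
                                  sim_changed_on=date(2018, 2, 27)),
    "old_sim_change": MnoSignals(NUMBER, "mobile", "active", True, ENROLLED_SIM,
                                 sim_changed_on=date(2017, 6, 1)),
    "voip": MnoSignals(NUMBER, "voip", "active", True, ENROLLED_SIM),
    "deactivated": MnoSignals(NUMBER, "mobile", "deactivated", True, ENROLLED_SIM),
    "name_mismatch": MnoSignals(NUMBER, "mobile", "active", False, ENROLLED_SIM),
}


def run_samples() -> dict:
    """Run the gate over every constructed record; returns name -> action."""
    return {name: gate(sig, ENROLLED, ACCOUNT, KEY, TODAY).action
            for name, sig in SAMPLES.items()}


if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        d = gate(sig, ENROLLED, ACCOUNT, KEY, TODAY)
        print(f"{name:16} -> {d.action:8} {'; '.join(d.reasons)}")
```

Two design points worth noting. The hard stops (deactivated line, non-mobile line type) return immediately because no amount of step-up fixes a number that cannot prove possession of a handset; the softer signals accumulate into a single step-up decision so the reasons can be logged together for the fraud team. The binding token is checked with a constant-time compare, and the recent SIM swap case trips both the recency signal and the binding check, which is the redundancy you want when a carrier feed is late or incomplete.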
The takeaway from both of these blogs is simple: know before you send, so that the SMS goes out with added confidence that the OTP will reach your intended recipient. Be sure to stay ahead of the fraudsters, keeping both your company’s reputation intact AND your customer accounts protected.
Hear more about current fraud trends impacting the digital channel and how MNO intelligence is helping companies combat these types of threats.
About the Author
Karin Tansey is senior director of product for the authentication and mobile product lines at Early Warning. Ms. Tansey has been delivering network security and mobile solutions for over 15 years. An avid Xbox gamer, she thoroughly enjoys developing and delivering new solutions for out-of-band authentication and mobile multi-factor services.