Telcos declare SMS 'unsafe' for bank transactions

Powered by SC Magazine
 

Comms Alliance calls on Australia's banks to use other technologies.

The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.

Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered in Secure Computing magazine.

"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.

Today, SMS authentication is used by three of the four largest Australian retail banks as a preferred mode of second-factor authentication for transactions to unfamiliar accounts.

Several banks have rolled out physical token authentication to business customers, but retail customers generally have to ask for such a device before one is issued for their accounts.

Today, Australians only require their mobile phone number and one of either their mobile account number or date of birth to move their mobile phone number from one service (or telco) to another.

Secure Computing and iTnews.com.au have led a campaign to convince Australia's telcos to include extra security questions during the mobile phone number porting process to ensure fraudsters can't take control of a victim's phone number to gain access to SMS verification codes.

At the conclusion of Secure Computing's initial investigation, Australia's telcos provided a customer service phone number for concerned readers to add extra security questions to their mobile account.

But the telcos have since reversed their position.

Stanton told iTnews that the telcos have decided not to extend the security mechanism protecting the mobile number portability database for reasons of competition and database performance.

"Apart from making the porting process more time-consuming and less convenient for hundreds of thousands of Australians every year, additional ‘security’ may be seen as a tool to lock in customers, hinder number portability and thus be deemed to be anti-competitive," he said.

"There are also separate arrangements for movement of numbers from one supplier to another on the same network that vary with the different suppliers and carriers concerned."

Additional security questions could potentially "slow down mobile porting processes - for potentially zero gain in fraud deterrence.

"Today more than 170,000 mobile ports occur in Australia each month at a speed that is world’s best practice – performance highly valued by consumers and which would be compromised by placing additional layers in the process," he said.

Stanton said the real problem was the malware (such as keystroke trojans) that steals customers' bank account details before fraudsters attempt to couple that information with mobile phone porting to steal money from those accounts.

Whilst acknowledging the gravity of the issue, the three major mobile telcos each told iTnews that there was little they could do about it.

A spokesman for Telstra said only that the company does what is legally required to “comply with the Telecommunications Consumer Protection Code and Mobile Number Portability Code”.

No turning back

Security experts have warned about the inherent lack of security posed by SMS technology for several years.

As far back as 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor” and its use as one is “probably going to leave [customers] vulnerable to frauds that exploit their credulity or naivety”.

But most of Australia's banks appear unlikely to shift from the technology for some years to come.

Whilst the ANZ Bank has held back from using the technology, the majority of retail banking customers using the Commonwealth Bank, Westpac and the National Australia Bank rely on it.

A spokesman for the Commonwealth Bank said the company “has no plans to phase out SMS”.

"While mobile porting is a concern, SMS authentication remains a reliable ID measure in combination with secure passwords and proper phone security,” said a spokesman for the National Australia Bank.

“Sending an SMS message to a customer's mobile provides a secondary check of identity outside the online platform.”

Spokesmen for both banks said SMS should be considered part of a “layered” security solution.

“Banks have been using SMS as a second factor of authentication for around ten years,” agreed Steven Münchenberg, chief executive of the Australian Bankers’ Association (ABA). “It’s efficient, convenient and used by millions of customers.”

The cost of responding to the phone porting threat – at this stage – appears disproportionate to the threat level.

There are 54 million bank accounts active in Australia, according to the Reserve Bank, and 35 million credit accounts.

Replacing SMS authentication with tokens for debit accounts alone would cost the banking sector close to $5 billion*.

“Regarding phone porting fraud, banks and telcos tell us that the incidence is extremely low compared to the volume of switching of phone providers that occurs,” Münchenberg said.

The Commonwealth Bank has confirmed that all customers have free access to physical tokens should they demand them – but only five percent of customers use them today.

The ABA, NAB and CommBank all confirmed that the banks wear the fraud loss when unauthorised transactions are discovered to have been brought about by a breach of online banking security coupled with phone porting.

“If a mobile phone is ported by a criminal and it results in unauthorised transactions on a customer’s account, then it is the bank – not the telco or the bank’s customer – which bears the fraud loss,” Münchenberg said.

Next steps

Both Telstra and Optus have released data sheets advising customers to watch out for the scam - but have otherwise washed their hands of the problem.

The Australian Bankers’ Association (ABA) has initiated discussions with the ABA and telcos about phone porting and Münchenberg said “those discussions are continuing.”

The Comms Alliance told iTnews it hopes these meetings will bring about “practicable ways to minimise fraud.”

* RBA data: 54,400,000 debit card accounts in Australia as of October 2012, 35,300,000 credit card accounts in Australia as of October 2012. This calculation took into account ANZ Bank’s 12 percent market share and assumed that the majority of credit cards are linked to a debit card for the purposes of online banking. It also assumed approximate pricing for RSA SecurID tokens at largest publicly advertised scale - approx. $100 per unit including three-year warranty/licensing.

Copyright © iTnews.com.au . All rights reserved.
