The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
Communications Alliance chief executive John Stanton, representing the interests of mobile providers Telstra, Optus and Vodafone, took the extraordinary step of declaring the technology insecure in the wake of numerous reports of Australians being defrauded via a phone porting scam first uncovered by Secure Computing magazine.
"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," Stanton told iTnews this week.
Today, SMS authentication is used by three of the four largest Australian retail banks as a preferred mode of second-factor authentication for transactions to unfamiliar accounts.
Several banks have rolled out physical token authentication to business customers, but retail customers usually have to request such a device for their accounts.
Today, Australians need only their mobile phone number and either their mobile account number or their date of birth to move a mobile phone number from one service (or telco) to another.
Secure Computing and iTnews.com.au have campaigned for Australia's telcos to add extra security questions to the mobile number porting process, so that fraudsters cannot take control of a victim's phone number and intercept SMS verification codes.
At the conclusion of Secure Computing's initial investigation, Australia's telcos provided a customer service phone number for concerned readers to add extra security questions to their mobile account.
But the telcos have since reversed their position.
Stanton told iTnews that the telcos have decided not to extend the security mechanism protecting the mobile number portability database for reasons of competition and database performance.
"Apart from making the porting process more time-consuming and less convenient for hundreds of thousands of Australians every year, additional ‘security’ may be seen as a tool to lock in customers, hinder number portability and thus be deemed to be anti-competitive," he said.
"There are also separate arrangements for movement of numbers from one supplier to another on the same network that vary with the different suppliers and carriers concerned."
Additional security questions could "slow down mobile porting processes - for potentially zero gain in fraud deterrence.
"Today more than 170,000 mobile ports occur in Australia each month at a speed that is world’s best practice – performance highly valued by consumers and which would be compromised by placing additional layers in the process," he said.
Stanton said the real problem was malware (such as keystroke-logging trojans) that steals customers' bank account details, which fraudsters then couple with mobile phone porting to steal money from those accounts.
Whilst acknowledging the gravity of the issue, the three major mobile telcos each told iTnews that there was little they could do about it.
A spokesman for Telstra said only that the company does what is legally required to “comply with the Telecommunications Consumer Protection Code and Mobile Number Portability Code”.
No turning back
Security experts have warned for several years that SMS is inherently insecure as an authentication channel.
As far back as 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor” and its use as one is “probably going to leave [customers] vulnerable to frauds that exploit their credulity or naivety”.
But most of Australia's banks appear unlikely to shift from the technology for some years to come.
Whilst the ANZ Bank has held back from using the technology, the majority of retail banking customers of the Commonwealth Bank, Westpac and the National Australia Bank rely on it.
A spokesman for the Commonwealth Bank said the company “has no plans to phase out SMS”.
“While mobile porting is a concern, SMS authentication remains a reliable ID measure in combination with secure passwords and proper phone security,” said a spokesman for the National Australia Bank.
“Sending an SMS message to a customer's mobile provides a secondary check of identity outside the online platform.”
Spokesmen for both banks said SMS should be considered part of a “layered” security solution.
“Banks have been using SMS as a second factor of authentication for around ten years,” agreed Steven Münchenberg, chief executive of the Australian Bankers’ Association (ABA). “It’s efficient, convenient and used by millions of customers.”
The cost of responding to the phone porting threat – at this stage – appears disproportionate to the threat level.
There are 54 million debit card accounts active in Australia, according to the Reserve Bank, and 35 million credit card accounts.
Replacing SMS authentication with physical tokens for debit card accounts alone would cost the banking sector close to $5 billion*.
“Regarding phone porting fraud, banks and telcos tell us that the incidence is extremely low compared to the volume of switching of phone providers that occurs,” Münchenberg said.
The Commonwealth Bank has confirmed that all customers have free access to physical tokens should they demand them – but only five percent of customers use them today.
The ABA, NAB and CommBank all confirmed that the banks wear the fraud loss when unauthorised transactions are discovered to have been brought about by a breach of online banking security coupled with phone porting.
“If a mobile phone is ported by a criminal and it results in unauthorised transactions on a customer’s account, then it is the bank – not the telco or the bank’s customer – which bears the fraud loss,” Münchenberg said.
Both Telstra and Optus have released data sheets advising customers to watch out for the scam - but have otherwise washed their hands of the problem.
The ABA has initiated discussions with the Communications Alliance and the telcos about phone porting, and Münchenberg said “those discussions are continuing.”
The Communications Alliance told iTnews it hopes that these meetings will bring about “practicable ways to minimise fraud.”
* RBA data: 54,400,000 debit card accounts in Australia as of October 2012, 35,300,000 credit card accounts in Australia as of October 2012. This calculation excluded ANZ Bank’s 12 percent market share and assumed that the majority of credit cards are linked to a debit card for the purposes of online banking. It also assumed approximate pricing for RSA SecurID tokens at the largest publicly advertised scale - approx. $100 per unit including three-year warranty/licensing (roughly 54.4 million × 88 percent × $100, or about $4.8 billion).