This week, the Financial Conduct Authority (FCA) confirmed the phased roll-out of PSD2 SCA within the UK. As part of this phased approach, it is envisaged that as of March 2020, merchants will be allowed to introduce 2-Factor Authentication as an approved method to achieve SCA compliance. However, to ensure full compliance, merchants must ensure their plans are completely in place by March 2021.
The introduction of SCA by the EBA (European Banking Authority) is expected to reduce the levels of financial fraud online, which significantly impacts the global e-commerce marketplace. However, due to concerns about the ability of Issuers, Acquirers, Gateways and Merchants to deploy 2-Factor Authentication by the original 14th September 2019 deadline, the FCA has agreed to allow the use of EMVCo 3DS 2.+ (Risk Based approach) alongside one form of authentication. SMS OTP is the primary form of authentication suggested by the FCA due to the potential availability to consumers.
Is SMS OTP the Mag Stripe of the e-Commerce World?
There are meaningful concerns within the e-commerce world around the security of SMS OTP, particularly with regard to social engineering and hacking vulnerabilities. The SMS delivery mechanism – sending a message directly to a consumer’s phone – introduces a new vector that fraudsters can attack to take over individual consumers’ accounts and commit fraud. There is a disturbingly low bar to entry for fraudsters looking to employ this technique:
Thanks to the prevalence of corporate data breaches, any entire ecosystem of individual consumer’s personal data is available to be obtained illicitly via social networks and the dark web. This data includes sensitive personally identifiable information: names, addresses, telephone numbers, birthdays, etc. Once a fraudster has obtained that information, all they have to do is contact the Mobile Network Operator (e.g. EE in the UK, or Verizon in the US) and, fraudulently impersonating the victim, explain that they have lost their SIM card and ask for a new one to be sent to “their” address.
The security questions typically asked by the MNO tend to be Name, Address and DOB – information easily obtained by the fraudster. Once provided, the fraudster can ask the MNO to send to the SIM card to a “new” address, and within days a new SIM card is delivered. Now the fraudster can call the victim’s bank and, impersonating the victim, ask for an account password and username reset. Most financial institutions will send a SMS OTP to the fraudster’s mobile phone, without knowing that the phone has been compromised. The fraudster inputs the SMS OTP code and now can access the victim’s bank account. The rest, as they say, is history.
What’s the Solution to Replace SMS OTP?
Boku Identity has built an authentication solution which is secure and does not burden the consumer with any inconvenience. The key is in the individual’s mobile phone. Boku Identity connects directly with Mobile Network Operators, who can confirm in real-time that the phone number and sim card information provided matches the information on record. This meets the “Possession Factor” of SCA under the EBA regulations.
What happens if the end consumer is not on the mobile network and instead accesses the merchant via WiFi on a mobile device? Two things can happen: Boku Identity’s intelligence can either temporarily push the consumer off of WIFI and on to the mobile network so that a silent authentication can be completed, or if this is not possible, a secure SMS OTP is then sent instead. But wait – aren’t SMS OTPs bad? Boku’s SMS OTP is secure because Boku is integrated directly with the MNOs and can look at things like SIM Swap, Call Divert, Call Forwarding, etc prior to sending the SMS OTP to ensure that the device / SIM Card has not been compromised.