This article first appeared in Digital Edge, The Edge Malaysia Weekly on October 24, 2022 - October 30, 2022
On Sept 26, Bank Negara Malaysia announced that it was working with banks nationwide to phase out the SMS one-time password (OTP), a form of authentication for online activities and transactions that companies around the world commonly use to verify their customers.
This is an incredible move on the part of Bank Negara, which is one of the earliest, if not the first, monetary authorities to openly announce a move away from a solution that is no longer effective in preventing financial scams. With millions of dollars lost annually to OTP scams, this is not just a Malaysian problem but a global issue plaguing the banking industry.
We often see organisations become complacent, continuing to use a solution that no longer adds value to their business because changing it is troublesome. This resistance can eventually come back to haunt them. In the case of authentication, the problem is the lack of initiative to move from OTPs to another platform.
The OTP has its own strength. Without getting too technical, the ability of the OTP to randomly generate a time-sensitive series of numbers automatically was designed to make it challenging for potential scammers to predict or obtain the OTPs for malicious use. It is commonly delivered via SMS to the user but can also be delivered with an OTP hardware device or as a soft token via a mobile app.
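As an added illustration of the time-sensitive, hard-to-predict codes described above (example code written for this page, not from the article or from PolyDigi Tech): a standard time-based OTP generator (RFC 6238 on top of RFC 4226) with a server-side verifier that accepts a code only within its short validity window and only once, so a code that has expired or already been used is worthless. The secret and the timestamp are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # each code lives for one 30-second time step
DIGITS = 6
SKEW_STEPS = 1      # tolerate one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step, so the code expires."""
    return hotp(secret, int(now // STEP_SECONDS))


class OtpVerifier:
    """Server-side check: a code is accepted only inside its time window and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_steps = set()  # replay guard: each time step may be consumed once

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step in self.used_steps:
                continue  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.used_steps.add(step)
                return True
        return False


def demo() -> dict:
    """Lifecycle of one code with a constructed secret and a fixed, constructed clock."""
    secret = b"constructed-example-secret"   # constructed; real deployments use a random per-user key
    verifier = OtpVerifier(secret)
    t0 = 1_700_000_010.0                     # constructed timestamp, aligned to a step boundary
    code = totp(secret, t0)
    return {
        "fresh": verifier.verify(code, t0 + 10),                   # same step: accepted
        "replay": verifier.verify(code, t0 + 15),                  # second use: rejected
        "expired": verifier.verify(code, t0 + 5 * STEP_SECONDS),   # minutes later: rejected
    }
```

The window and single-use rule limit how long a stolen code stays usable; they do nothing about the delivery channel itself, which is the weakness the rest of the article is about.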
The ability to deliver OTPs via a ubiquitous platform such as SMS made it more user-friendly than carrying additional hardware or downloading and registering for another mobile app. That is why most companies, including large technology enterprises, hesitate to remove this solution.
OTPs were developed more than a decade ago but have become popular in the last five years or so as a method to authenticate users. Used together with username/password logins, the OTP forms the second factor in what came to be known as two-factor authentication (2FA).
Unfortunately, what was once deemed secure is no longer so. Scammers have developed sophisticated social-engineering and technical attacks designed to steal money from unsuspecting victims. Common attacks include:
Phishing scams: Phishing is a cybercrime in which scammers try to obtain sensitive information or data by disguising themselves as trustworthy sources. Examples include dating scams such as Operation Romeo and Juliet in the US and the Macau scams.
SIM swap: SIM swapping occurs when a customer’s phone number is moved to a SIM under the scammer’s control, so the scammer receives the messages and data meant for the customer. Scammers usually use SIM swapping to receive OTPs from banks, financial institutions and more.
OTP bots: Similar to phishing, but using technology to replicate a trusted source and automate an otherwise manually intensive process, allowing scammers to attack more victims without the limitations of time and cost.
Insecure channel interception: SMS messages are not end-to-end encrypted between sender and receiver, so a scammer who captures a message can read the OTP and use it with malicious intent.
It is important to note that security measures are generally based on four key areas.
First, the most basic is something the user knows: username/password logins. Another example is a series of “pre-set standard questions” that can be used for authentication. Unfortunately, this method has been proven to be insecure due to phishing and data breaches.
Second, something the user has: cards with a chip, a hardware token or a USB key. These are considered safer than the first option but could be stolen or misplaced. Also, having to carry another device whenever one needs to transact is quite troublesome.
Third, something the user is: the thumbprint or facial biometric is commonplace today, thanks to smart devices, but biometrics still lack a global standard for identification, making them challenging to use as a standalone identity authentication process. Unfortunately, we also now know that thumbprint and facial biometrics can be stolen.
Fourth, identifying or verifying the location of a user via communications technologies such as GPS, internet protocol addresses and networks. For example, if a transaction is initiated in Kuala Lumpur but the IP location of the user’s mobile device is in Singapore, it would immediately raise a red flag.
It is safe to say that none of the solutions above works all the time on its own. That is why global practice holds that, when it comes to security strength, “the more factors used to authenticate, the higher the security level”.
This is where multi-factor authentication (MFA) comes in. MFA is a combination of at least three factors of authentication used to determine a specific user. Each factor can cover or compensate for other factors’ limitations, making MFA a tough mechanism to crack. Lately, many banks regionally have been using a combination of the above to authenticate their customers with their “in-app authentication code” with mixed results — some require additional download and registration of third-party apps, others require mobile devices to have built-in biometric capabilities or are still using outdated OTPs for authentication.
While it is easy to say that MFA would solve all identity authentication problems, it is not that straightforward. Yes, security is a vital component and it is predominantly the responsibility of the service provider, but its major stakeholders are the users.
Unfortunately, the downside of more factors of authentication is that the user journey is no longer user-friendly, which drastically affects the user experience. This eventually leads to a steep learning curve and a low adoption rate.
There is also no “silver bullet”, as the cybersecurity industry is constantly evolving on both the attack and defence fronts. One could even argue that the current security mechanisms put in place are very much reactive to the types of fraud that are happening. This means the solutions or actions taken to protect users are developed only when there are enough case studies of victims, as is the case with OTPs now.
Putting a barrage of security features in place, however, could deter usage or, worse, cause customer attrition. Let us be honest: we all know that banks have strong security measures in place because of regulatory requirements, and these measures are a deep cost centre that does not necessarily bring in immediate returns.
We believe the sweet spot for each enterprise is at its own intersection of security measures, cost management and user-friendliness. Banks themselves are constantly trying to balance having enough security to protect their customers without impeding user experience or increasing their costs drastically.
We also believe this can be achieved through constant experimentation and quicker implementation to address the challenges of identity authentication.
Johnathan Lee is chief strategy officer at PolyDigi Tech, a cybersecurity start-up that offers identification technology to ensure secure transactions and payments