Two-factor verification is an important security measure for online and app-based banking, but SMS is one of the least secure options available.
This is not the fault of the banks or the messaging protocol, but rather the decision by mobile operators to offer a SIM-swap function as an opt-out service.
Cases of SIM-swap fraud have been constantly on the rise in South Africa, and often victims are unable to prevent the crime from taking place.
Instead, they are forced to react and try to regain control of their number from a fraudster who has impersonated them and stolen their number.
If an attacker has already compromised your online banking credentials and then takes over your phone number, they will also receive your OTP verification code.
In this situation, the fraudster would be able to log into your bank account and access your funds immediately.
Some South African banks have begun moving away from one-time PINs sent via SMS in favour of more secure platforms, such as app-based authentication or email OTPs, but others continue to use SMS as the default verification option.
We asked South African banks about their OTP verification systems, and why they still used SMS as an OTP delivery method considering the threat of SIM-swap fraud.
Standard Bank told MyBroadband that the current options available for OTP are SMS and email.
It added that it was working on an improved identity authentication method which would no longer rely on OTPs sent via SMS and would therefore not be vulnerable to SIM-swap fraud.
“We are currently on a strong authentication and in-app messaging journey where OTP in its current form will be replaced by options such as push notification into the banking app as well as biometrics such as facial recognition for ‘sensitive transactions’,” Standard Bank said.
“Our authentication journey will see the replacement of SMS OTP in the first and second quarter of 2020.”
The bank said that it has current controls in place to protect its customers against SIM-swap fraud.
When asked whether it has considered implementing OTP delivery via third-party apps such as WhatsApp, Standard Bank said it had considered this option, but its priority remains on its in-app and push messaging solution.
FNB offers its customers the option to receive OTPs through an in-app system called Smart InContact, removing the threat of SIM-swap fraud.
Head of FNB Digital Banking Giuseppe Virgillito told MyBroadband that the bank adopts a multi-levelled approach to help customers detect suspicious activity on their accounts.
“The majority of customers use Smart InContact to protect their bank accounts from SIM-swap and to be aware of all transactions that are processed on their accounts,” Virgillito said.
“Furthermore, our customers who use FNB Online banking can use Smart InContact on the FNB App to approve legitimate transactions and report suspicious ones using this method on a daily basis.”
Virgillito encouraged customers to contact FNB immediately if they become aware of any suspicious transactions.
“In addition, FNB makes a concerted effort to educate our customers on the latest fraud trends when they login to their Banking profile,” he said.
“Our interventions include reminding customers that the best protection against fraud is to ensure that their login credentials are not compromised.”
Nedbank said that it uses SMS verification as a fallback if its “Approve-it” system is not able to reach a client.
“Nedbank utilises Approve-it – a cellphone-based transaction authentication system that allows clients to authenticate sensitive banking transactions from their cellphones,” the bank told MyBroadband.
“On the Nedbank Money App, an Approve-it is sent to the client during the registration process. Our Online Banking platform also utilises Approve-it for all sensitive transactions.”
Nedbank said that it does not currently allow customers to receive an OTP via push notifications or within the banking app, but said this was under development.
“If we are unable to reach a client’s device via an Approve-it™, an SMS is then used as a fallback,” Nedbank said.
“It is important to note that we have a very effective and efficient SIM-swap detection feature through Entersekt’s mobile authentication technology.”
The bank added that it has not investigated using third-party apps like WhatsApp for OTP delivery, but it was actively pursuing OTP security options through its Money app.
Capitec said that it does not use OTPs that are delivered via SMS – instead, its clients can use a Remote Banking PIN or biometrics to authorise transactions.
“When transacting on their mobile devices, clients receive secure in-app confirmation messages on their registered device, with the details of the transaction, requiring the client to authorize the transaction using their Remote PIN or fingerprint biometrics,” Capitec said.
Clients that only use Internet Banking are issued with a token on a keyring, which they use to generate one-time passwords for sign-in and approval of financial transactions.
“For our banking app, a push notification is displayed within the secure banking app itself,” Capitec said.
“If the app is not open, the client will receive a push notification prompting them to open the app and approve the transaction.”
The bank added that OTPs are only used as an exception for Internet Banking and are generated with a handheld token issued when the account is opened.
It said that using a third-party app for authentication would not make sense, as its banking app is more secure.
“No consideration has been given to WhatsApp-based OTPs because, if the client does have a smartphone, the banking app is more secure than WhatsApp,” Capitec said.
Absa told MyBroadband that it does use OTP via SMS for credit card payments when shopping online, but said it was moving away from this practice.
“Our banking application does not have an OTP functionality and will not in future rely on such authorisation methods,” Absa said.
“The use of second-factor authentication via the mobile app is the bank’s secure method of transacting. Absa offers a free digital warranty where customers who use the banking app are deceived.”
Absa said it would move its SMS OTP authentication method to a banking app approval or USSD (1-approve or 9-reject) approval request.
“Card online transactions still require an OTP via SMS,” Absa said. “This is a control which we’re replacing.”
“We do have SIM-swap controls in place and will not issue OTPs via SMS to a customer where a SIM-swap was detected.”
Absa added that it does offer some WhatsApp banking capabilities, but it is currently focused on implementing other authentication methods.
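The two controls described above, in-app approval with SMS only as a fallback (Nedbank) and withholding SMS OTPs once a SIM-swap has been detected (Absa), can be expressed as a single channel-selection policy. The code below is an added illustration written for this article, not any bank's or Entersekt's implementation; the 72-hour quarantine, the customer records and the push-reachability check are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
# Constructed policy value: how long after a detected SIM-swap SMS OTPs stay withheld.
SIM_SWAP_QUARANTINE = timedelta(hours=72)

@dataclass
class Customer:
    msisdn: str
    email: Optional[str]
    has_app_device: bool                # enrolled for in-app approval (push)
    last_sim_swap: Optional[datetime]   # latest swap reported by the detection feed, if any

@dataclass
class Decision:
    channel: str   # "push", "email", "sms" or "blocked"
    reason: str

def sim_swap_recent(customer: Customer, now: datetime,
                    quarantine: timedelta = SIM_SWAP_QUARANTINE) -> bool:
    # True if the number changed hands within the quarantine window.
    return customer.last_sim_swap is not None and now - customer.last_sim_swap < quarantine

def choose_otp_channel(customer: Customer, now: datetime,
                       try_push: Callable[[Customer], bool]) -> Decision:
    # 1. Prefer in-app approval: it is bound to the enrolled device, not the phone number.
    if customer.has_app_device and try_push(customer):
        return Decision("push", "in-app approval delivered")
    # 2. The number may have been stolen: never fall back to SMS while a SIM-swap is fresh.
    if sim_swap_recent(customer, now):
        if customer.email:
            return Decision("email", "SIM-swap detected; SMS withheld, email used")
        return Decision("blocked", "SIM-swap detected and no number-independent channel")
    # 3. SMS only as the last resort, and only when the number shows no recent swap.
    return Decision("sms", "push unavailable; no SIM-swap detected")

def run_scenarios() -> dict:
    # Constructed sample customers; returns the channel chosen for each.
    now = datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc)
    recent = now - timedelta(hours=6)
    old = now - timedelta(days=30)
    customers = {
        "app_user":        Customer("+27000000001", "a@example.invalid", True, None),
        "app_offline":     Customer("+27000000002", "b@example.invalid", True, old),
        "swapped_email":   Customer("+27000000003", "c@example.invalid", False, recent),
        "swapped_noemail": Customer("+27000000004", None, False, recent),
    }
    # Simulated push delivery: the "app_offline" device cannot be reached.
    reachable = lambda c: c.msisdn != "+27000000002"
    return {name: choose_otp_channel(c, now, reachable).channel for name, c in customers.items()}
```

Calling `run_scenarios()` shows the effect of each rule: the enrolled app user gets a push, the unreachable device with an old swap falls back to SMS, and the two freshly swapped numbers never receive an SMS at all.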