Australian Banks ramp up the use of more secure SMS authentication methodsSecurEnvoy 13/11/2012 Archive
“An element of convenience is needed in our lives, but that doesn’t mean dropping security levels down to the ridiculous!“
It was unfortunate that they have been using SMS as a method to send an activation code to end users when changing between phones. Not combining this with a second form of authentication of course is going to be weak and doesn’t utilize the convenience of SMS authentication.
Communications Alliance chief executive John Stanton should live up to the trust end users put in their Telco’s. The real issue here is not the security of SMS rather the ease that Australian Telco’s allow hackers to request the number be ported to a hackers phone. This has far wider consequences than just SMS, as a hacker can setup a premium rate call line and run-up extortionate bills by calling these numbers after porting over the number.
John Stanton should take the lead from other countries that have better security questions to request a ported number (PAK code) and send them as a letter or email to the account holders registered address preventing such an attack. Expecting Banks to move back to old fashion hardware tokens that don’t scale at a cost of millions is ludicrous and doesn’t fix the real issue. Expecting end users to carry a different hardware token for each bank, credit card or secure online service they use is just not viable.
An official response from Analyst firm Goode noted: “I believe that Telecommunication suppliers have a responsibility to their clients to ensure that appropriate levels of security are implemented to prevent cyber criminals from abusing weaknesses that allow them to abuse their services. This includes SMS. SMS is being used for a wide-variety of commercial reasons, including transporting one-time-passwords in mobile phone-based two-factor authentication. When used in two-factor authentication, SMS can provide an additional layer of security that enables organisations, including banks, to improve the security of their online services and allow all users (not just a limited few) to benefit from agile strong authentication and protect them against financial fraud and identity theft.”