SMS based 2F authentication is dead... FinTech companies skating on thin ice

During the days of the G Gopalakrishna Working Group (GGWG) of RBI, which was deliberating on e-banking security, two banks, namely ICICI Bank and SBI, who were members of the committee, tried to argue that “Two Factor Authentication” should be considered equivalent to a “Digital Signature” for the purpose of authenticating banking transactions. Fortunately, thanks partly to the efforts of the undersigned, the bluff was called and the GGWG rejected the sub-committee's recommendation in this regard.

This was way back in 2011, and a lot of water has flowed under the bridge since then. Despite the recommendations of the GGWG against two factor authentication being considered valid authentication, bankers have continued to use two factor authentication based on an SMS sent to a mobile as the principal means of authenticating all transactions conducted on the Internet or on mobile.

In the case of mobile banking, the SMS based two factor (2F) authentication was in effect reduced to single factor authentication, since the same channel was used both for the transaction and for the authentication.

In the meantime, certain malware was developed specifically to exploit SMS based 2F authentication, and technologists continued to compromise security further by developing apps that could read the SMS automatically, pick up the OTP and continue the authentication process without human intervention. “Convenience” blinded users into believing that this technological revolution was great.

Technologists who had little understanding of security, or who ignored it deliberately for the sake of app functionality, together with business entities who always pursued the compromised policy of “security to the extent it is financially feasible”, made 2F authentication a universally used system that provides a false sense of security to users.

What was regrettable was that the Government of India also fell prey to this false sense of security, treating an OTP sent by SMS to a mobile as a valid 2F authentication that could enable an Aadhaar based e-Sign authentication, which in turn could be considered a “legally valid” authentication.

The UPI (Universal Payment Interface) further adopted OTP for integrating all card based transactions and increased the stakes. It is reported that many FinTech projects will come on stream on the UPI platform in the coming days, making the SMS based OTP system a widely used digital authentication system in India.

The central point that Naavi has been making in all the discussions here is that the dependency on OTP has diluted the KYC process to the point where it is completely subordinated to the integrity of the KYC system used by the Mobile Service Providers (MSPs). The situation has been brought down to the extent that “mobile number ownership” is treated as equivalent to holding an “Aadhaar Card”, as if it were the “passport to digital identity”. But the MSPs' KYC processes were not robust enough to be the foundation for all financial dealings in the country, and therefore society was exposed to a huge risk of massive digital financial frauds.

There appears to be a silver lining now indicating that the tide may be turning. Yesterday there was a news report that the Indian Army had filed an FIR against Airtel over the issue of “pre-activated” and “unverified” SIM cards in Manipur.

According to the complaint, an Army column found that a distributor was handing out free, pre-activated SIM cards to villagers without any paperwork.

Though Airtel has officially denied violating any DOT norms, the prevalence of the practice of issuing pre-activated SIM cards, which can be used by either terrorists or fraudsters, has been documented beyond doubt. This exposes the naivety of the regulators and institutions, including RBI, DeITY, UPI and Aadhaar, in relying on the KYC process of the MSPs as reliable enough to mount their financial transactions on as a Standard Operating Process (SOP).

This incident alone should have immediately brought out a clarification from RBI, DeITY or CERT-IN that SMS based 2F authentication is no longer to be relied upon for building authentication systems that may in turn be used for financial transactions.

I therefore urge CERT-IN to immediately step in and issue the advisory.

In a further confirmation of the need to deprecate SMS based 2F authentication, the globally accepted, government backed standards organisation, namely the NIST (National Institute of Standards and Technology) of the US, has proposed to deprecate SMS based authentication in its latest draft standard.

The report also notes that NIST has flagged the use of SS7 protocols by hackers, which was highlighted by Naavi.org recently. According to the NIST,

“it’s going to deprecate it (Ed: the 2F system) in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.”

An additional reason why identity verification through an SMS sent to a mobile number is considered unreliable is the emergence of online services that offer a “virtual mobile number” as a service. This “virtualization” of the MSP system is a feature that can come in handy for fraudsters and will be a threat for law enforcement agencies.

The “authentication industry” therefore has to find a new method of reliably verifying the source of a digital transaction, without which the entire FinTech industry will be skating on thin ice.

This development will be a milestone in the standards that set the benchmarks for “Due Diligence” and “Reasonable Security Practice” under Section 79 and Section 43A of the Information Technology Act 2000/8.

All judicial authorities, including Adjudicators, as well as all Advocates need to take note of this development and ensure that banks and other organizations that continue to use SMS based 2F authentication will no longer be considered as following “Due Diligence” or “Reasonable Security Practice” under ITA 2000/8, and hence will have to absorb the liabilities arising from frauds where OTP is used as an authentication feature.

Additionally, this article, placed in the public domain, will also serve as a “notice” to all organisations, security professionals, Advocates and judicial authorities, including government agencies, that the failure of SMS based OTP as a reliable authentication mechanism in the digital world has been brought to their notice, and that its continued use will disable any legal defense based on this concept being projected as an accepted “industry practice”.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.