
2FA - Why sending OTP via SMS is vulnerable

25/02/2020


Most organisations today offer two-factor authentication (2FA) to their users and customers as a more secure way of accessing their accounts. 2FA has indeed helped most users keep their accounts more secure than they were before its inception. However, the introduction of 2FA as a more secure way of authenticating users brought other issues that make it vulnerable to certain attacks.

Where is the vulnerability?

The issue lies in the basic implementation of these authentication systems. Most systems deliver tokens to users' devices via SMS, building on the assumption that a user's phone number is unique and associated only with that particular user. However, cases in the past 2-3 years have shown that delivering tokens via SMS is less secure than we might think. A hacker who is committed to breaking into your account or system would go as far as swapping devices and possibly start receiving all SMS messages on their own device. They might also try to intercept an SMS message in transit, as SMS is susceptible to interception.

Some of the biggest telecommunication companies use personal information such as a billing address and PIN to initiate a device swap. This is information that is vulnerable to social engineering attacks, so the telecom company may miss every hint that the caller initiating the request is malicious.

Push Notification Authentication

Given the current vulnerability of SMS, there has to be a better way to implement 2FA systems with minimal risk of interception and other social engineering attacks. Push Notification Authentication provides a better mode of authenticating a user on the Internet. When implemented properly, it is a better way of making sure that the right user has control over their accounts. This is made possible by "Device Tokens" that are assigned to unique devices, ensuring that no device other than the targeted device receives the notification. Push notification systems are built by some of the largest tech organisations, such as Google and Apple, which provides strong security infrastructure.

The responsibility for keeping push notification systems out of the reach of malicious hackers therefore rests on the implementation and design of an application and its server. No matter how secure a push notification provider is, if the credentials used to access that provider's services are not kept secure, any malicious hacker who acquires them can send push notifications.
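To make the device-binding idea concrete, here is an added illustration (not Okay's code and not any push provider's API) of the server side of a push-based login approval. It assumes that each enrolled device has a push token, which is where the notification is addressed, plus a secret device key that is provisioned once and never leaves the device; the phone number plays no part. The server issues a single-use challenge, the device answers with an HMAC over it, and the server rejects replays, responses from a party without the device key, and stale approvals. The names (PushAuthServer, device_sign, the tok-alice-phone token) are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time


class PushAuthServer:
    """Server side of a device-bound login approval (constructed illustration)."""

    def __init__(self, challenge_ttl=60):
        # user -> per-device material captured at enrollment (assumption: one device per user)
        self.devices = {}
        # challenge_id -> (user, challenge bytes, expiry time); every entry is single-use
        self.pending = {}
        self.challenge_ttl = challenge_ttl

    def enroll(self, user, device_token, device_key):
        # device_token: the push provider's address for this device.
        # device_key: a secret held only by the device (assumption: created once on the
        # device, e.g. in its keystore; here it is just random bytes for the demo).
        self.devices[user] = {"device_token": device_token, "device_key": device_key}

    def start_login(self, user, now=None):
        """Create a one-time challenge and address it to the enrolled device token only."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        self.pending[challenge_id] = (user, challenge, now + self.challenge_ttl)
        return {"to_device_token": self.devices[user]["device_token"],
                "challenge_id": challenge_id,
                "challenge": challenge}

    def approve(self, challenge_id, mac, now=None):
        """Accept an approval only if it is unused, unexpired and signed with the device key."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        user, challenge, expiry = entry
        if now > expiry:
            return False
        expected = device_sign(self.devices[user]["device_key"], challenge_id, challenge)
        return hmac.compare_digest(expected, mac)


def device_sign(device_key, challenge_id, challenge):
    """What the enrolled device computes after the user taps 'approve'."""
    return hmac.new(device_key, challenge_id.encode() + challenge, hashlib.sha256).digest()


def demo():
    """Run the four cases a defender cares about and return the outcomes."""
    server = PushAuthServer(challenge_ttl=60)
    real_key = secrets.token_bytes(32)
    server.enroll("alice", device_token="tok-alice-phone", device_key=real_key)

    # 1. Legitimate approval from the enrolled device.
    push = server.start_login("alice", now=1000)
    mac = device_sign(real_key, push["challenge_id"], push["challenge"])
    legit = server.approve(push["challenge_id"], mac, now=1010)

    # 2. Replaying the same approval is rejected (challenge already consumed).
    replay = server.approve(push["challenge_id"], mac, now=1011)

    # 3. A party that holds the phone number but not the device key cannot answer.
    push2 = server.start_login("alice", now=2000)
    forged = device_sign(secrets.token_bytes(32), push2["challenge_id"], push2["challenge"])
    forged_ok = server.approve(push2["challenge_id"], forged, now=2005)

    # 4. A correct answer that arrives after the challenge expired is rejected.
    push3 = server.start_login("alice", now=3000)
    late = device_sign(real_key, push3["challenge_id"], push3["challenge"])
    expired_ok = server.approve(push3["challenge_id"], late, now=3000 + 61)

    return {"legit": legit, "replay": replay, "forged": forged_ok, "expired": expired_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only thing the server trusts is possession of the per-device key, which an attacker who has taken over the phone number through a device swap or intercepted traffic does not have; the push token merely says where the notification is delivered, and the server-side credentials for the push provider (the subject of the paragraph above) must still be protected separately, since they control who can send notifications at all.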

We are well aware that even push notification systems can be broken into, and their security depends heavily on the application implementing them. That is why Okay provides an extra layer of security over the device and the application to ensure that transactions are not tampered with: a sandbox where multiple integrity checks are performed to make sure everything remains intact, and transactions are invalidated once malicious intent is detected.

Would you like to know more about Strong Customer Authentication with Okay? Take a look at our use cases or reach out to book a demo.