
Why is 2FA SMS OTA NBG?


The National Fraud Intelligence Bureau (NFIB) and one of the UK’s largest mobile phone networks, EE, have raised concerns about banks’ growing reliance on text messages when authorising large payments.

FBI turns up the heat on banks over Sim scams | Money | The Sunday Times:

I seem to remember first raising concerns about the banks’ use of text messages for authorisation about a decade ago, but no-one ever listens to me. Or, it appears, to anyone else who has said this over the last ten years or so.

Now, I’m not saying that no banks at all have listened to the cacophony of security experts telling them not to use text messaging for a purpose for which it was never intended. Earlier this year, German banks dropped support for SMS-based OTP as 2FA for SCA in PSD2.


In the UK, it’s the mobile operators who have taken action. They have created something called “SMS Phishguard” which means that (I think) fraudsters will not be able to ‘spoof’ numbers so that bogus texts appear to be sent from a real bank.
