Banks to Stop Using SMS OTP, Malaysia The First to Ban: What’s the Alternative

On the IPification blog, we’ve talked time and time again about the ineffectiveness of SMS OTP for mobile authentication.

And it wasn’t only us: all the way back in 2017, the National Institute of Standards and Technology of the US Department of Commerce said SMS for 2FA was a deprecated solution.

With that, it was only a question of time until regulations were passed that would ban the use of SMS OTP for (two-factor) authentication. One of the first of its kind was passed late last year in Malaysia and it’s now being put into practice.

So, what’s the alternative? How did banks in Malaysia go around this? We’ll cover it all in this blog post, starting from the very beginning.

Malaysia Bans SMS OTP for mBanking Apps

Malaysia’s central bank, Bank Negara Malaysia (BNM), has issued a requirement that banks demand a stronger form of authentication, as scams and cybercrime are on a constant rise.

In September 2022, the bank’s governor, Nor Shamsiah Mohd Yunus, announced this in her speech, pushing for an improvement in authentication for banking transactions. And what’s so wrong with SMS OTP authentication?

A couple of things: it is exposed to the SS7 technical flaw, it is at risk of phishing and SIM swapping, and it’s ultimately not cost-effective.

Ever since SMS technology was introduced, the SS7 vulnerability has been present, and this hasn’t changed to this day. This flaw can be used to intercept or reroute an SMS message that contains a one-time password. And poof: your money is gone.

Similarly, SMS OTPs pose a huge risk of phishing or similar social engineering hacks in which a fraudster tricks a user into typing in their SMS OTP on a fake, cloned website.

Moreover, SIM swapping is a major source of worry. If you aren’t familiar, it’s a cybercrime strategy in which a cybercriminal tricks your mobile operator into issuing them a new SIM card with your phone number. They can then receive every 2FA code before you even notice that something is going on.

This is one of the most lucrative cybercrime strategies today with a success rate of 80 percent!

And that’s not all. When you use SMS OTP, you have to pay for each one sent. But a significant portion of these messages never reach the user. In the case of our partner CarGo, this constituted 12% of OTPs sent. Far from cost-effective, and this is without even getting into SMS pumping, which only incurs additional costs for businesses.

Finally, the user experience isn’t really that smooth, and this could negatively affect your conversion rates, which is one of the reasons the tech giants Google, Microsoft, and Apple have started to move away from this technology, signifying the beginning of its end.

While switching from SMS OTP to other solutions may seem like a tedious and somewhat unnecessary process, it is actually an excellent opportunity: to improve the security of your app, build your competitive advantages, streamline your user experience, and protect your business and your users from cyberattack-incurred costs.

Best Alternatives: Mobile Token or Other Solutions?

With the SMS OTP ban, the majority of Malaysian banks have opted to use mobile tokens, most often for transaction verification. And that’s fine, at least from a security perspective.

Usually, mobile tokens are a part of mBanking apps. To use them, a user has to already be logged into their account so user registration isn’t one of the mobile token use cases.

During an online purchase, a user will be asked to verify their transaction. The user then has to quit their current app, open the mBanking app, navigate to the mobile token section, generate a token, copy it, go back to their original app, paste the mobile token, and voila — the transaction is verified.

You can now see why I’ve emphasized the security perspective above. The user experience is far from ideal. And that’s far from ideal for everyone involved.

Did you know that a 1-second delay in page load time causes a 7% loss in conversions? On a similar note, 60% of users feel they are occasionally, frequently, or always slowed down or blocked from accessing services online.

In times like these, you realize that user experience is an absolute must-have or you risk a significant user drop-off. But even more than that, it’s what helps your business stand out and builds customer loyalty.

While mobile tokens are a definite improvement when compared to SMS OTPs, there is still room for improvement.

To start with, we’d suggest multi-factor authentication as the best security strategy today which, when implemented in a smart way, offers a seamless user experience as well.

You should go for passwordless and phishing-resistant solutions, since those two properties block the attacks that occur most often. It’s how we’ve designed IPification.
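To make the phishing point concrete, here is an added toy model (not IPification’s or any bank’s real protocol) contrasting the SMS OTP from the phishing paragraph above with an origin-bound challenge-response: a relayed OTP verifies unchanged, while a response computed on a look-alike origin fails verification because the origin the device saw is part of what is signed. The key, origins and challenge are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed toy model: one shared device key and one legitimate origin.
# Neither value is from the article; they exist only to run the comparison.
DEVICE_KEY = secrets.token_bytes(32)       # secret enrolled on the user's device
BANK_ORIGIN = "https://bank.example"       # origin the bank expects responses for


def otp_verify(expected: str, submitted: str) -> bool:
    """Plain OTP check: the verifier only sees six digits, nothing about where they were typed."""
    return hmac.compare_digest(expected, submitted)


def device_respond(challenge: bytes, origin_seen: str) -> bytes:
    """What the user's device computes: a MAC over the challenge AND the origin it is talking to."""
    return hmac.new(DEVICE_KEY, challenge + origin_seen.encode(), hashlib.sha256).digest()


def bank_verify(challenge: bytes, response: bytes) -> bool:
    """The bank recomputes the MAC with ITS OWN origin, so a response bound to another origin fails."""
    expected = hmac.new(DEVICE_KEY, challenge + BANK_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def relayed_otp_verifies(otp_issued: str) -> bool:
    """Model of the phishing scenario: the user types the OTP into a cloned page, which forwards it."""
    captured_by_fake_page = otp_issued        # nothing in the OTP ties it to the real site
    return otp_verify(otp_issued, captured_by_fake_page)   # True: the relay succeeds


def relayed_origin_bound_verifies(phish_origin: str = "https://bank-example.com") -> bool:
    """Same relay against the origin-bound factor: the device signs for the look-alike origin."""
    challenge = secrets.token_bytes(16)       # real bank challenge forwarded through the fake page
    captured = device_respond(challenge, phish_origin)
    return bank_verify(challenge, captured)    # False: bound to the wrong origin


def legitimate_origin_bound_verifies() -> bool:
    """Control case: the device talks to the real origin, so the bank accepts the response."""
    challenge = secrets.token_bytes(16)
    return bank_verify(challenge, device_respond(challenge, BANK_ORIGIN))


if __name__ == "__main__":
    print("relayed OTP accepted:", relayed_otp_verifies("123456"))
    print("relayed origin-bound accepted:", relayed_origin_bound_verifies())
    print("legitimate origin-bound accepted:", legitimate_origin_bound_verifies())
```

The same property is what makes passkeys and similar origin-bound factors phishing-resistant: the user cannot be tricked into producing a response that is valid for a site they are not actually on.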

It is a mobile IP-address-based solution that removes the need for passwords, and it’s completely phishing-resistant.

IPification generates a unique Mobile ID key for each user based on their device, SIM card and network data. The user only needs to click once and they’re verified within milliseconds, and without actually transferring any sensitive data over the network.

It works great for sign-in and sign-up processes, but it’s also perfect for transaction verification.

Best of all, it can work together with other authentication options (hey, biometrics) in a continuous, multi-factor authentication environment, helping to improve security, streamline user experience, and comply with the laws and regulations.

Not only would implementing a multi-factor authentication system in this way improve the overall customer experience, combining higher security with a frictionless user experience, but it’s also essential to future-proofing your business. It ensures that a few years from now, you don’t have to make huge, expensive changes to your cybersecurity systems yet again.

That being said, each app’s cybersecurity system will differ depending on its use cases.

Not sure about yours? We can help you identify it as well as the best course of action to take.

Don’t hesitate to schedule a free consultation with our team of cybersecurity experts. We’re looking forward to it!
