Going Beyond SMS OTP Means More Users & More Revenue for FinTech Companies


A new report found that 77% of financial apps have at least one serious vulnerability.

I’m sure we can all agree that this number is unacceptable, especially at a time when online activities have skyrocketed.

To be more precise, fintech app user sessions have increased by 49% over the first half of 2020, and in turn, cyberattacks have increased by 118%, taking risks to whole new levels we’ve never seen before.

And when we talk about mobile security, we have to talk about SMS OTP for 2FA, which is one of the most widely used methods for two-factor authentication today with around ⅓ of mobile users relying on it.

At the same time, SMS OTP 2FA is one of the biggest vulnerabilities of these apps. NIST named it a deprecated authentication solution over five years ago, a move even then called “long overdue” by global mobile security experts.

Now you’re probably wondering why it is still in use then. A couple of reasons: it’s fairly simple and requires no additional development work, and users are familiar with it.

However, what’s not as widely realized is that SMS OTP is highly cost-ineffective and that replacing it with other authentication methods would actually help fintech companies acquire more users, retain existing ones, as well as stay cost-effective and bring in more revenue.

Let’s start from the beginning.

SMS for 2FA As An Increasing Vulnerability: Does It Provide More Value Than It Incurs Costs?

With an increasing number of experts and tech giants denouncing SMS OTP for 2FA in the last couple of years, including Microsoft, Apple, and even some globally-leading German banks, you have to ask yourself whether the value SMS 2FA provides outweighs the costs it incurs.

Let’s talk through it briefly, but – spoiler alert – the answer seems to be a solid no.

To start with, SMS OTP for 2FA doesn’t offer great security. It is extremely vulnerable to social engineering and man-in-the-middle attacks, and it carries security flaws with it.

Because SMS OTP is susceptible to phishing attacks and SIM swapping, an attacker can fairly easily gain access to your account. With a huge increase in phishing recently, and with 80% of all SIM swapping attacks being successful, this becomes a huge deal.

On top of that, since its introduction, SMS has had an in-built flaw in the SS7 switching protocol that enables cybercriminals to intercept or reroute an SMS message with your one-time password. That one has bad news written all over it.

Now, I am talking about this because the cost of a single cyberattack could put a small or medium company out of business.

According to the Microsoft and Frost & Sullivan Study, when a cyber-attack happens, a large financial services company incurs an average of $7.9 million of economic losses: direct losses from customer disruption, remediation costs, and fines, and indirect losses brought on by lowered user trust, decreased share prices, and customer churn.

Furthermore, the SMS OTP 2FA user experience is far from ideal. And why does that matter?

Well, user experience is emerging as the most important competitive advantage, even ahead of security, and yes, even in the financial services industry.

With SMS 2FA, you have to type in your number, wait for the SMS to arrive, and then head back into the original app to put in the code, and that’s if the SMS ever actually arrives. Many SMS OTPs never get delivered, although you pay for all that are sent out. One of our partners, CarGo, used to experience 12% of unsuccessful OTP deliveries over SMS.

Sure – some will say – but customers are familiar with SMS OTP 2FA. And to them I say: yes, but that doesn’t mean they like it. Did you know that 64% of individuals choose not to use it?

With that, it’s clear that by keeping SMS OTP 2FA, you may be losing customers to competitors who may be providing higher security with a frictionless user experience, such as mobile IP address-based mobile authentication.

How Mobile-IP Based Mobile Authentication Is Changing the Game for FinTech Companies

As the only globally present mobile IP address-based authentication solution, we were very proud to recently be selected for the renowned Fintech Innovation Lab Asia Pacific program from Accenture.

During the 12-week program with other leading growth-stage enterprise technology fintech companies, we have the chance not only to learn about and improve our own strategies but also to network with these companies and hear first-hand about the biggest cybersecurity issues they face daily. We’re looking forward to the final demo day in the middle of November.

It is a true real-world test of whether IPification, our one-click mobile authentication, user and transaction verification, eKYC, and fraud prevention solution, passes the fintech app test. So far, the answer has been overwhelmingly positive.

IPification assigns each user their own unique mobile ID key, made of the user’s phone number, SIM card, and device data passed via the user’s public IP address and port. Users are verified in milliseconds with only one click, and you can integrate IPification within days at a cost on par with or slightly higher than your current SMS budget.

And even if the cost goes slightly over your current SMS budget, the increased user trust, and the increased user acquisition, retention, and engagement rates will more than make up for it.
