E-Wallet Authentication Methods: Are They Inadequate?
Security Experts Assess Whether SMS-Based OTPs Are Enough
Most of India's e-wallet companies are taking an inadequate, single-factor approach to user authentication, relying only on one-time passwords delivered via SMS, some security experts say.
Because India has one of the highest rates of fraudulent financial transactions in the world, these experts are calling on the e-wallet companies to move to more robust multifactor authentication. Some suggest, for example, that the companies could use SMS-based OTPs as the second factor of authentication with username/passwords being the first. But others suggest that SMS-based OTPs should be replaced with OTPs based on hardware and software, with biometrics a potential long-term solution.
Some e-wallet companies, however, claim that a move to a different form of authentication is impractical.
"How can they have hardware or software tokens when their customers run in millions? E-wallets in India are used for ease of payment," says Aditya Khullar, who until recently worked as tech security leader at the e-wallet provider Paytm.
But using one-time passwords as the only factor of authentication is inadequate, argues Venkata Satish Guttula, director of security at Rediff.com, an Indian news and shopping web portal. "Without a password, the process is just flawed," he says.
Growth of Digital Payments
In India, there's been a 41 percent increase in the number of users making payments through e-wallets since 2014, according to a study by Pacific Business Review International. Common uses for e-wallets, the study shows, are paying utility bills online, buying groceries online and in person, and online shopping and ticket booking.
By 2019, India is expected to become the second-most targeted country for financial fraud, behind the U.S., according to a report by cybersecurity firm Gemini Advisory.
But the sudden rise in digital payments apparently has not been accompanied by similar investments in security from the e-wallet companies.
Most of the popular e-wallet companies have shied away from multifactor authentication, relying exclusively on SMS-based OTPs for those logging into an account or for linking the wallets for making transactions on other apps or sites. The picture below shows how only an OTP is used to link e-wallets to other websites.
So, once a user in India downloads a BigBasket app for ordering groceries or a Swiggy app for searching for nearby restaurants, they can click on a payment option and link e-wallets, such as Freecharge, Mobikwik, Paytm, Phonepe and AmazonPay, by providing a mobile number where an OTP will be sent.
By doing so, the user is giving permission to third-party apps like Swiggy and BigBasket to have access to e-wallets via only single-factor authentication.
Risks With SMS OTPs
In addition to their concerns about e-wallets relying on only a single form of authentication, security experts point to potential security issues with SMS-based OTPs.
The biggest concern is that SMS messages transmitting an OTP in plain text can be intercepted by fraudsters in what's known as a man-in-the-middle attack, says Prakash Kumar Ranjan, a former security researcher at Canara Bank.
"There are many apps residing in smartphones that routinely take permissions for reading and sending SMSs," says Na. Vijayashankar, a cyber law expert based in Bangalore. "Any one of these apps can have a vulnerability, and a fraudster's app can ride over such an application and read and write SMS without having to install a separate app."
Tamaghna Basu, CTO at NeoEYED, a behavioral analytics firm, notes: "There are multiple applications out there which have permission to read your SMS transactions. Now these applications not only know your OTP but also your salary, your spending pattern, your messages and so on. With identity theft combined with stolen OTPs, a fraudster is in complete control of your banking account to do frauds."
Is Security a Priority?
Most e-wallets in India are built around functionality, and security is still not a major consideration, says Amit Arora, a cybersecurity professional based in Gurugram who formerly worked with Freecharge, an e-wallet company.
"Most applications in India, including e-wallets, market themselves on the functionality part - how friendly is the user interface, the services that an e-wallet can provide as an ecosystem, etc.," Arora says. That's why they rely on user-friendly security controls, such as SMS-based OTPs, to authenticate customers, he says. "The thought process is that more or stringent security layers would mean more friction for users."
Most e-wallet companies in the very competitive market "are struggling to survive," Arora says, so "security is not something that comes to your mind easily."
But security teams at e-wallet companies face the challenge of convincing their boards that security needs to be a top priority, he adds.
Khullar, who formerly worked at e-wallet company Paytm, says that company is working on machine learning techniques to register devices and enhance security.
"When I was there, we were working on a system wherein from the backend we will register the device a user is using. If OTP gets confirmed from a different device, the account will be temporarily blocked," Khullar explains.
Information Security Media Group reached out to the current CISO of Paytm as well as Mobikwik and Freecharge for comments but did not receive a reply.
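The device-registration check Khullar describes above can be sketched as follows. This is an added example, not Paytm's code: the class, the status strings, the timing constants and the attempt limit are all assumptions, and the device identifier is assumed to be one the app cannot trivially spoof.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 120          # seconds an issued OTP stays valid (assumed)
BLOCK_FOR = 15 * 60    # length of the temporary block in seconds (assumed)
MAX_TRIES = 3          # wrong guesses allowed per issued OTP (assumed)

class DeviceBoundOtp:
    """Hypothetical backend that accepts an OTP only from the registered device."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._device = {}         # account -> SHA-256 of the registered device id
        self._pending = {}        # account -> [otp, expires_at, tries_left]
        self._blocked_until = {}  # account -> time the temporary block ends

    @staticmethod
    def _fp(device_id):
        return hashlib.sha256(device_id.encode()).hexdigest()

    def register_device(self, account, device_id):
        self._device[account] = self._fp(device_id)

    def issue_otp(self, account):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [otp, self._clock() + OTP_TTL, MAX_TRIES]
        return otp  # returned here for the demo; a real service sends it to the user

    def confirm(self, account, otp, device_id):
        now = self._clock()
        if self._blocked_until.get(account, 0) > now:
            return "blocked"
        pending = self._pending.get(account)
        if pending is None or pending[1] < now:
            self._pending.pop(account, None)
            return "expired"
        if not hmac.compare_digest(self._device.get(account, ""), self._fp(device_id)):
            # Right or wrong code, it came from another device: burn it and block.
            self._pending.pop(account, None)
            self._blocked_until[account] = now + BLOCK_FOR
            return "blocked"
        if not hmac.compare_digest(pending[0].encode(), otp.encode()):
            pending[2] -= 1
            if pending[2] == 0:
                self._pending.pop(account, None)
            return "rejected"
        del self._pending[account]  # single use
        return "accepted"
```

An intercepted OTP is useless from any device other than the registered one, and the attempt to use it blocks the account for the legitimate device as well until the block expires.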
Security experts say e-wallet firms have a number of options for enhancing security, beyond shifting to hardware and software OTPs. Those include biometric options, such as fingerprint scans, retina scans or even voice recognition, Ranjan notes.
"Many services use solutions like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, offer OTPs via push notification in order to bypass SMS delivery," he says.