Should India's Banks Drop User-Based OTPs?
Some Experts Stress It's Time to Adopt Other Forms of Authentication
With the Cosmos Bank attack still fresh in memory, some security experts are urging the Reserve Bank of India to take immediate steps to upgrade the security capabilities of banks. For example, they want banks to do away with user-based one-time passwords delivered via text messages, a common authentication practice.
One-time passwords are sent via SMS in plain text, so they can be intercepted by man-in-the-middle attacks, security experts warn.
"There are many apps residing in smartphones that routinely take permissions for reading and sending SMSs," says Na. Vijayashankar, a cyber law expert based in Bangalore. "Any one of these apps can have a vulnerability, and a fraudster's app can ride over such an application and read and write SMS without having to install a separate app."
Tamaghna Basu, CTO at NeoEYED, a behavioral analytics firm, notes: "In the cybersecurity world, it is well known that OTP is one of the most vulnerable methods of authenticating a person as there are multiple applications out there which have permission to read your SMS transactions and you as a user have given permission to do so.
"Now these applications not only know your OTP but also your salary, your spending pattern, your messages and so on. With identity theft combined with stolen OTPs, a fraudster is in complete control of your banking account to do frauds."
Despite the obvious vulnerabilities, banks say there are infrastructure challenges involved in moving away from user-based SMS authentication.
"Banks in other countries have already moved away from user-based authentication," says Pradeep Seth, who works in a Bangalore-headquartered public sector bank. "But in India, we do not have so many smartphone users, especially in rural areas, and internet connection is poor."
One-time passwords used in India pose risks, in particular, because they are user-based, says Pune-based Rohan Vibhandik, a security researcher with a multinational company.
"This means a customer has registered his phone number with the bank to receive OTPs," he says. "Even though Aadhar verification is compulsory, there are various instances where a SIM card has been obtained through fake identity or by stealing documents."
Many individuals share their permanent account number and Aadhar details with insurance agents or credit card agents, Vibhandik says. "They might misuse the documents to get a SIM card on our name," he says.
And with the help of these documents, it's easy for criminals to change the registered mobile number, he adds. "As a result, now OTPs can be routed to another number and transactions can be legally made without victim's knowledge," Vibhandik says.
Because encryption is not applied to SMS transmissions by default, messages can be intercepted and snooped, even if the receiving device is not infected by malware, says Prakash Kumar Ranjan, a Bangalore-based security expert with a public sector bank. It's common for hackers in India to use the social engineering method of SIM swap, in which they obtain some details of the bank account holder and thereafter swap SIMs, he says.
Several types of malware are available that criminals can use to read SMS messages, security experts say.
For example, Mazar, an Android malware first reported in 2016 that has the capability of erasing data on a mobile device, has apparently resurfaced and is suspected to have played a role in a recent local cybercrime incident, says Vijayashankar, who has knowledge of the case.
The malware can steal credentials by taking over a messaging application without the knowledge of the owner. Heimdal Security, a Danish security company, reported that the malware was distributed as a hyperlink inside an SMS message; if an Android device user taps the link, the device is infected.
"It appears that the virus may not require rooting of the phone and may not even display the permissions screen," says C.N. Shashidhar, founder of SecurIT Solutions. "It is possible that it may simply ride on one of the banking applications which is legitimately installed in the mobile device."
In many other nations, banks use device-based one-time passwords, rather than user-based OTPs. Device-based OTPs are generated by registering a mobile device through a bank app. "Your carrier is not at all involved in generating OTPs through SMS," Vibhandik says. "If you change your device, you need to re-register a new device through the bank app. So fake SIM cards cannot be used by attackers."
Vibhandik adds: "Use of a pictorial image to verify your account in case your bank account is spoofed has proven successful to prevent impersonation/spoofing attack for bank accounts."
The State Bank of India is the first in India to use this method. "The banks have a separate app, SBI Secure OTP, which is generated on user's registered mobile device and supports online and offline modes for OTP generation," Vibhandik says. "Also, the app is password protected irrespective of your smartphone's lock system. So only genuine user has the control over generating and using the OTPs."
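The device-based scheme described above (a device registered through the bank app, OTPs generated on that device in online or offline mode, no carrier involvement, re-registration when the phone changes) is what the standard time-based OTP algorithm provides: RFC 6238 TOTP built on RFC 4226 HOTP. The following Python is an added illustration of that mechanism; it is not the page's code, not SBI Secure OTP's code, and makes no claim about how SBI's app actually generates codes. The in-memory registry and the register_device and verify_for_customer helpers are hypothetical bank-side pieces added for illustration, and the demo secret is the well-known RFC 6238 test vector, constructed so the output can be checked against the RFC.

```python
"""Device-based OTP generation and verification: an added illustration.

Hypothetical bank-side enrolment plus standard RFC 4226 (HOTP) / RFC 6238
(TOTP) generation. Not the code of SBI Secure OTP or any bank; the registry,
function names and parameters are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30     # seconds per OTP window (RFC 6238 default)
DIGITS = 6
WINDOW = 1    # accept one step of clock skew either side (offline devices drift)

# Hypothetical bank-side registry: customer id -> secret of the one enrolled device.
DEVICE_REGISTRY: Dict[str, bytes] = {}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = unix_time // STEP.

    This is the app side. It needs only the secret and a clock, so it works
    with no network and no carrier; nothing travels over SMS."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


def verify(secret: bytes, code: str, at: Optional[int] = None, window: int = WINDOW) -> bool:
    """Bank side: constant-time comparison against the current step and +/- window."""
    t = int(time.time()) if at is None else at
    counter = t // STEP
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def register_device(customer_id: str, secret: Optional[bytes] = None) -> str:
    """Enrol (or re-enrol) a device: mint a fresh secret, replacing any earlier one.

    Re-registering a new phone revokes the old device's secret, so an attacker
    who obtains a replacement SIM for the victim's number gains nothing: the
    secret is bound to the enrolled device, not to the phone number.
    Returns the base32 form the app would receive once (e.g. in a QR code)."""
    if secret is None:
        secret = secrets.token_bytes(20)   # 160-bit secret, the RFC 4226 minimum
    DEVICE_REGISTRY[customer_id] = secret
    return base64.b32encode(secret).decode()


def verify_for_customer(customer_id: str, code: str, at: Optional[int] = None) -> bool:
    """Look up the customer's enrolled device secret and verify the submitted code."""
    secret = DEVICE_REGISTRY.get(customer_id)
    if secret is None:
        return False   # no enrolled device: fail closed
    return verify(secret, code, at=at)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret so the values are checkable.
    demo_secret = b"12345678901234567890"
    register_device("C001", demo_secret)
    now = int(time.time())
    code = totp(demo_secret, now)
    print("app-generated OTP:", code, "accepted:", verify_for_customer("C001", code, at=now))
```

Two practical points the snippet makes visible: the offline mode works only as well as the device clock, which is why the verifier tolerates one step of skew and why real deployments resynchronise drifting devices; and the secret has to live in the phone's hardware-backed keystore and be wiped on re-registration, otherwise "device-based" degrades to "copyable secret". The app-level password Vibhandik mentions sits in front of totp() and is outside this example.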
But some security experts are questioning whether one-time passwords delivered via SMS can ever be made secure (see: Here's Why Account Authentication Shouldn't Use SMS).
Although some banks in the U.S. use biometric technologies as a single factor of authentication, security experts suggest the use of two-factor authentication to reduce fraud.
"Banks are fast exploring the concept of behavioral biometrics. ... This is built based on the way you type, mouse movements, the way you interact with phone and so on. This allows the AI to create unique signature for each individual, which can be applied across the life of banking transaction," Basu of NeoEYED says.
Many Indian banks are exploring behavioral biometrics. "Some of the fraud which happened in the recent past - like the SWIFT credentials getting compromised by internal users, internal employees sharing passwords and fudging with data or any kind of impersonation be it on internal or customer sides - can be monitored and prevented using behavioral biometrics," Basu notes.
The main challenge in moving away from user-based OTPs is the need to change the infrastructure, Ranjan says.
"Since OTP is the easiest and a user-friendly channel for customers, bringing another channel is difficult in current scenario," Ranjan says. "For example, HSBC uses token-based authentication for netbanking, but can we expect all our users to be adopting the same? We also have to think of the cost that will be incurred on using other authentication channels.
"Also, whether the return on security investment for moving to other modes from SMS-based authentication is more than the loss incurred by compromise of SMS-based authentication needs to be [examined]."
Shashidhar points out another challenge: "The practical challenge of implementing the new technology for authentication, like mobile behavioral analytics, is the lack of security awareness of board members and senior management of banks. They do not understand security and are unable to understand the benefits of using these cutting edge technologies."