Is SMS OTP secure? The answer is no longer a guaranteed yes. As SMS OTP fraud continues to rise, businesses may be better off switching to the more secure alternatives that are now available.
SMS OTP was once the go-to authentication method that almost everybody used. Its mechanism is simple and easy to learn: open the SMS that contains the OTP and type the code in manually.
However, as fraud tactics keep evolving, older authentication methods like SMS OTP become increasingly exposed to them. Let’s look at why SMS OTP is no longer safe and which alternatives can protect businesses.
Latest SMS OTP Fraud Case
SMS OTP fraud can happen to anyone, from individuals and businesses to large organizations. Recently there was a case involving SMS OTP at BCA, one of the private banks in Indonesia. Here’s a breakdown of the whole case:
Fake BTS Scam Targeting m-Banking Users
Unlike the usual SMS OTP fraud case, the fraudster used a far more threatening method known as a fake BTS (a rogue base transceiver station posing as a legitimate cell tower). The strategy used in the private bank case was as follows:
- The fraudster used an illegal BTS to intercept the SMS OTP before the m-banking users received it.
- Once obtained, the fraudster edited its content to include a smishing (SMS phishing) link and re-sent it to the m-banking users, as if it came from BCA itself.
- The smishing message told m-banking users that their points balance was about to expire and had to be exchanged for rewards immediately.
- If m-banking users clicked the link in the smishing message and entered their banking credentials, the fraudster took over their m-banking account.
Expert Insights on the Fake BTS SMS OTP Fraud
Responding to the BCA SMS OTP fraud case, cybersecurity expert Alfons Tanujaya confirmed that fake BTS were used in the fraud. He advises m-banking users not to click any links, even those that appear to come from official phone numbers.
If m-banking users have already visited the phishing site, Alfons suggests they change their m-banking account immediately, because the moment they enter their banking credentials into the site, their account will be compromised.
Common SMS OTP Fraud Techniques
The fraud case that hit BCA is just one of many fraud techniques that abuse SMS OTP. Here are the techniques that appear most often in such cases:
Fake BTS Attacks
As in the case above, a fake BTS attack uses a special device to intercept SMS OTP messages, modify their content, and send them on to victims. The technique is dangerous because the message appears to come from a trusted source.
Fake BTS attacks are usually combined with phishing links inside the OTP message. Without examining the message carefully or confirming with the official service first, any user can easily mistake it for a legitimate message.
SIM Swap Fraud
This technique revolves around a fraudster claiming the victim’s phone number as their own, so that they, rather than the victim, receive the OTP messages. Here’s how it’s done:
- The fraudster gathers enough information about the victim, either through phishing or by purchasing it on the dark web.
- The fraudster then impersonates the victim and tells the mobile carrier that their SIM card has been damaged or lost.
- The unsuspecting mobile carrier transfers the victim’s phone number to a new SIM card held by the fraudster.
- With this, the fraudster can take control of all of the victim’s accounts that use that phone number for OTP verification.
Man-in-the-Middle (MitM) Attacks
A fraudster can also use a man-in-the-middle attack, via malware or a rogue network, to intercept SMS OTP. This lets them read messages, track the victim’s location, and steal the SMS OTP codes.
Malware Attacks
This is the classic technique on the list. The fraudster uses malware that can steal all sensitive information from the infected device, including SMS OTP codes.
The victim may unintentionally install the malware from pirated software or modified mobile applications. The malware then collects all the information it needs and sends it to the fraudster.
Why SMS OTP is No Longer Secure
There are several reasons why SMS OTP is not safe. Although it is still widely used, here’s why it is no longer as secure as it used to be:
- The SS7 signalling protocol that carries SMS has a technical flaw that can be easily exploited to intercept calls and SMS messages.
- SMS messages are not end-to-end encrypted, which leaves them vulnerable to interception and unauthorized access.
Safer Alternatives to SMS OTP
It’s clear that SMS OTP is not safe enough to serve as a secure authentication method going forward. So which alternatives are better than SMS OTP?
App-based Authentication
Mobile authenticator apps are a good alternative to SMS OTP. Businesses can use applications such as Google Authenticator, Authy, and Microsoft Authenticator to authenticate users.
The main reasons app-based authentication is attractive are that it is easy for businesses to integrate and cheaper than SMS OTP.
Push Notifications
Push notifications are another good SMS OTP alternative, offering a more secure authentication process. The user approves the login from a notification pop-up, so no code has to be typed in manually.
Biometric Authentication
Rather than relying on numeric codes, businesses can also use users’ biometric identity to authenticate them. This gives the business stronger security, since fingerprints, irises, and facial features are very hard for fraudsters to mimic.
AI-powered Seamless Authentication
Another solid SMS OTP alternative is seamless authentication powered by artificial intelligence (AI). With AI and machine learning capabilities, businesses can secure their users and proactively defend themselves against evolving fraud.
How Keypaz Can Help Prevent SMS OTP Fraud
As an AI-powered seamless authentication solution, Keypaz leverages robust tools such as device intelligence, app insights, and behavioral analytics. These tools prevent SMS OTP fraud by:
- Stopping many fraud techniques as early as possible through rule orchestration, keeping users and businesses safe.
- Detecting and blocking suspicious behavior in real time, so that no fraud technique can bypass security.
- Identifying malware-infected or rooted devices, making sure they cannot compromise the business’s services.
The bottom line is that businesses should learn from the many SMS OTP fraud cases that SMS OTP is not as secure as it seems. It is therefore advisable to switch to an SMS OTP alternative, such as Keypaz, to strengthen protection against fraudsters.