By Robert McGarvey
The iPhone may be just 10 years old, but with it has come an avalanche of unexpected uses, particularly in authenticating members in credit union and bank transactions. Now, though, worries are being heard that mobile phones may not be secure enough.
In fact, many credit union security experts admit that the use of mobile phones, whether for voice calls or SMS, in authentication may be coming to a close.
Don’t panic. Most experts are counseling a deliberate shift away from mobile phones. No rush.
But know that the industry leaders are already pondering the alternatives.
A story last month in the New York Times puts a spotlight on the concerns. The lead should scare you: “Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.”
This writer recently – and harmlessly – switched a mobile number from T-Mobile to Google’s Project Fi and, along the way, threw out an old iPhone and substituted a Google Pixel. The surprise was how little friction there was in the transaction.
No wonder crooks are enticed by the procedure.
But that shouldn’t be a surprise. Think about all of the TV ads that you’ve seen that exhort you to switch carriers and keep the same number. If a lot of consumers complained about how big a hassle that is, it would slow the churn, and the carriers don’t want that.
Thus the hijacks.
According to Federal Trade Commission data, the number of reported phone hijackings has doubled since 2013: in 2013 it was 1,038, and in 2016 the number had reached 2,658. And nobody thinks the FTC log is complete; many hijacks were never reported to the FTC at all.
Worse: gain control of a mobile number and it is often simple to take over Gmail, Facebook, and other online services that use that number to authenticate identity.
Consider that strike one: it is presently too easy to steal a mobile number, and that throws its use for authentication into question.
Couldn’t carriers step up security? Sources told us the big ones indeed are racing to do exactly that.
But tighter carrier security alone does not settle the question of whether mobile phones are a cure-all in authentication.
The use of SMS – text messages – to authenticate is also under scrutiny. Many financial institutions and various other online services have made authentication via SMS routine. The problem is that it may not be secure.
The National Institute of Standards and Technology, within the US Dept. of Commerce, has raised various questions. It points, for instance, to the possibility that a malicious app on the phone may redirect an SMS to a criminal.
The FFIEC has also noted concerns. It has advised: “Financial institution management should employ compensating controls (e.g., redacting customer account numbers when sent via SMS) to mitigate the inability to encrypt SMS messages. Additionally, management should limit the access or functionality available to the customer through SMS banking. When the transaction risk is more significant, management should consider other risk mitigation methods, including pre-registration and the use of security tokens. PINs also could be employed, but are often easier to break and harder to remember. To strengthen the security of PIN usage, management can implement specific requirements (e.g., requiring them to be regularly changed). An institution should update its customer awareness materials to include information on avoiding phishing messages by SMS.”
Many security experts fret about criminals plucking SMS messages from the air; since the messages are unencrypted, they are easy to read.
How common is that? It may well be rare. But the fact is that it is possible, and that worries security professionals.
At Digital Defense, a security company, executive vice president Tom DeSot said: “When our clients implement new systems, we always recommend they use two-factor authentication that doesn’t rely on SMS texts, but rather an app that provides the secondary means of authentication.”
At Congressional Federal Credit Union, CTO David Hufnagel said that the institution still uses SMS, but “we are looking at other options.”
Many other credit union CTOs, who asked for anonymity, echoed Hufnagel.
Bottom line: start exploring alternatives. Many experts point to authenticating apps (Google Authenticator is one such). Others favor services that authenticate a SIM card, that is, the brains of a cellphone. Still others are looking for something else entirely: something other than the cellphone. Smart credit union executives are already getting ready for the move into the next phase.
Big banks will get there. Know that. Don’t be left behind.