Text messages are a weak backbone of UAE banking security

Conal Campbell of Touchtech Payments has some key insights on banking security in the UAE.  He is a contributor to NextMoneyDXB.

Banking authentication in Dubai relies heavily on text messages. With cyber security in the international news headlines more than ever, people may believe that using their phone and SMS to verify transactions effectively defends against fraud. This belief is largely mistaken. One of the leading vectors of attack for fraudsters in international banking today is "SIM swap". This involves fraudsters taking control of your mobile number, not your handset, by gathering your personal information and persuading your mobile operator to issue a replacement SIM card, so that all of your incoming SMS text messages are delivered to them instead of you.

SIM swapping defeats the extra layer of security some banks add to protect transactions: with the number under their control, criminals receive the one-time codes the bank sends by SMS and use them to transfer cash out of the victim's account.

Criminal organizations obtain a customer’s bank details by disguising themselves as a trustworthy entity (known as “phishing”) in electronic communication or by purchasing this information on online criminal marketplaces.

With those details, criminals can open a parallel account (for example a business account) with the victim's bank, which involves fewer security checks because the victim is already a customer.

The criminals then use answers to security questions gathered from the victim's social media accounts (think how easy Facebook makes it to guess a person's mother's maiden name if she is connected to her brother on the social network) and contact the victim's mobile network provider to request a replacement SIM for the number.

From there, criminals can use the codes from fraudulently redirected SMS messages sent by the customer's bank to authorize payments, and even to change security settings and lock the victim out of their own account.

The core of much online fraud is so-called “social engineering”. This broad term refers to the scams used by criminals to trick victims into giving out confidential information and funds. Criminals exploit a person’s trust in order to uncover their banking details, passwords or other personal data. Scams are carried out online, by telephone, or even in person. Considering that huge databases of personal information are for sale on sites used by cyber criminal gangs, it can be relatively easy to collect enough information to fool people into thinking they are receiving a legitimate contact request from their bank.

The European Union is leading the way on what it calls "Strong Customer Authentication" (the United States is far behind). From next year, online transactions will need two of three factors: something you are, something you have and something you know. Something you "are" can be the biometric sensor available on common smartphones (e.g. a fingerprint reader). Something you "have" can be your phone or something less convenient such as a token generator. Something you "know" can be a password or code, but this is the weakest of the three: anything you know can be disclosed, so it can be phished.

Strong Customer Authentication also has to be "dynamically linked", meaning the authentication code must be specific to the amount and the payee, so it is valid for that one transaction only (a token generator that simply emits a new code every 30 seconds, unrelated to what is being paid, does not qualify), and customers must be able to see the details of the proposed purchase when authenticating the transaction on the second channel. The United Arab Emirates can learn a lot from this approach, both for reducing fraud and for eliminating customer experience pain points such as wait times to add an international beneficiary.

The solution to SIM swapping and other vectors of attack is to protect each transaction fully, without relying on factors that could have been compromised, such as a password or an SMS sent to the registered number.

Bank clients should not have to remember passwords for two important reasons. Firstly, social engineering is surprisingly effective at getting people to give over their private information (and victims often feel so foolish for having been scammed that they don’t fully reveal what occurred). Secondly, hardly anyone can remember the dozens of logins required for all of the websites and banking services we use today.

Moving beyond password-based authentication means relying on the banking app on the customer's smartphone, which can be unlocked with a fingerprint on an iOS or Android device. A fraudster running a SIM swap might be able to see your incoming texts but cannot access the apps stored on your smartphone, provided the app is bound to the device itself rather than to the phone number (an app that lets you re-enrol on a new phone with nothing more than an SMS code inherits the same weakness). Authenticating transactions shouldn't depend on vulnerable mobile networks; it should use a second channel where the purchase details are displayed and confirmed on a secure second factor held in the app. While this sounds complicated, the reality is that the security features already on your smartphone mean safe online banking can be as easy as a tap of your finger.
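To make the difference between a time-window code and a dynamically linked, device-bound code concrete, here is a small simulation. It is an added example written for this page, not code from the article's author or from any bank or vendor; the device key, transaction fields and IBANs are constructed for illustration, and the key stands in for a secret that a real banking app would keep in the phone's keystore. It covers both the "dynamic linking" point above (a code is tied to the exact amount and payee, so a 30-second token cannot qualify) and the point that an attacker who intercepts SMS still cannot reuse what they see.

```python
"""Dynamic linking vs. time-window codes (added example, not from the article).

Simulates three things the article discusses:
  * a 30-second, TOTP-style code that is NOT bound to a transaction;
  * a "dynamically linked" code computed over the exact amount and payee;
  * a bank-side verifier that accepts each linked code only once.
The device key stands in for a secret held in the banking app's keystore
(hypothetical); it is never sent over SMS, only the short code is.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

CODE_DIGITS = 8
TIME_STEP_SECONDS = 30


@dataclass(frozen=True)
class Transaction:
    tx_id: str            # bank-side unique reference, acts as the nonce
    payee_iban: str
    amount_fils: int      # minor units, avoids floating-point ambiguity
    currency: str = "AED"


def canonical_bytes(tx: Transaction) -> bytes:
    """Unambiguous encoding of exactly what the customer is shown and approves."""
    fields = [tx.tx_id, tx.payee_iban, str(tx.amount_fils), tx.currency]
    for field in fields:
        if "\n" in field:
            raise ValueError("newline in transaction field")
    return "\n".join(fields).encode("utf-8")


def _truncate(mac: bytes, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 style dynamic truncation to a fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def time_window_code(key: bytes, unix_time: int) -> str:
    """TOTP-style code: depends only on the key and the 30 s window.
    Whoever holds it can authorise *any* transaction in that window."""
    counter = struct.pack(">Q", unix_time // TIME_STEP_SECONDS)
    return _truncate(hmac.new(key, counter, hashlib.sha256).digest())


def linked_code(key: bytes, tx: Transaction) -> str:
    """Dynamically linked code: a MAC over amount, payee and the nonce."""
    return _truncate(hmac.new(key, canonical_bytes(tx), hashlib.sha256).digest())


class LinkedCodeVerifier:
    """Bank-side check: the right code for *this* transaction, and never twice."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._used_tx_ids = set()

    def verify(self, tx: Transaction, presented: str) -> bool:
        if tx.tx_id in self._used_tx_ids:
            return False                       # replay of an already-used code
        expected = linked_code(self._key, tx)
        if not hmac.compare_digest(expected, presented):
            return False                       # code was minted for other details
        self._used_tx_ids.add(tx.tx_id)
        return True


def demo() -> dict:
    """Constructed scenario: a SIM-swap attacker reads every code the bank
    sends by SMS, then tries to spend it on a different payment."""
    device_key = hashlib.sha256(b"constructed demo device key").digest()
    now = 1_700_000_010                       # a multiple of 30, start of a window
    legit = Transaction("tx-0001", "AE070331234567890123456", 10_000)
    fraud = Transaction("tx-0002", "AE070339876543210987654", 5_000_000)

    # 1. Time-window code: intercepted once, it authorises anything this window.
    intercepted = time_window_code(device_key, now)
    window_accepts_fraud = hmac.compare_digest(
        intercepted, time_window_code(device_key, now + 10))

    # 2. Linked code: the intercepted code is useless for the fraudulent payment,
    #    works once for the payment it was minted for, and cannot be replayed.
    verifier = LinkedCodeVerifier(device_key)
    intercepted_linked = linked_code(device_key, legit)
    linked_accepts_fraud = verifier.verify(fraud, intercepted_linked)
    linked_accepts_legit = verifier.verify(legit, intercepted_linked)
    linked_accepts_replay = verifier.verify(legit, intercepted_linked)
    # Changing the amount by a single fil changes the code as well.
    tampered = Transaction(legit.tx_id, legit.payee_iban, legit.amount_fils + 1)
    linked_accepts_tamper = LinkedCodeVerifier(device_key).verify(
        tampered, intercepted_linked)

    return {
        "window_code_reused_for_fraud": window_accepts_fraud,   # True: the weakness
        "linked_code_reused_for_fraud": linked_accepts_fraud,   # False
        "linked_code_accepted_once": linked_accepts_legit,      # True
        "linked_code_replayed": linked_accepts_replay,          # False
        "linked_code_tampered_amount": linked_accepts_tamper,   # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is in `canonical_bytes`: the code is a MAC over the same fields the customer sees on screen, so approving it means approving that amount to that payee and nothing else. Delivering such a code by SMS is still poor practice, because the attacker reads it and the customer never sees the details alongside it; in an app the key never leaves the device and the confirmation screen and the signed fields are one and the same.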