SMS OTP – PSD2 SCA Compliant or Not?

This is probably a simple topic, but banks have put a lot of effort into discussing whether SMS OTP is RTS-SCA compliant or not. The argument still carries on from two perspectives: the authentication element (possession) and the secure channel.

For now the EBA (5th Oct) has clarified that SMS does constitute an SCA (possession) element (EBA Single Rulebook Q&A). It has also quoted RTS Article 22, which refers to confidentiality, integrity and security. Generating the OTP with dynamic linking is SCA compliant, but the transmission and delivery medium is still debated.
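To make the dynamic-linking point concrete, here is an added example (not Banfico's code, and not from the EBA material) of an authentication code that is cryptographically bound to the amount and payee, so that a code issued for one transaction cannot be replayed against a different amount or a different payee. It assumes a per-user secret held by the bank, a five-minute validity window, and amounts expressed in minor units (pence); the secret and IBAN are constructed sample values.

```python
import hashlib
import hmac
import time

# Added example (not Banfico's code): an authentication code that is
# "dynamically linked" to the amount and payee of the transaction.
# Assumptions: the bank holds a per-user secret, the code is valid for one
# short window, and any change to amount or payee must invalidate the code.

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # assumed validity window


def _canonical_payee(payee_iban: str) -> str:
    """Normalise the payee so display formatting cannot change the binding."""
    return payee_iban.replace(" ", "").upper()


def derive_code(user_secret: bytes, amount_minor: int, payee_iban: str, issued_at: int) -> str:
    """Derive a 6-digit code bound to (amount in minor units, payee, issue time)."""
    message = f"{amount_minor}|{_canonical_payee(payee_iban)}|{issued_at}".encode()
    digest = hmac.new(user_secret, message, hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP), applied here to a SHA-256 digest.
    offset = digest[-1] & 0x0F
    code_int = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code_int % (10 ** OTP_DIGITS)).zfill(OTP_DIGITS)


def issue_code(user_secret: bytes, amount_minor: int, payee_iban: str, now=None):
    """Server side: create the code shown to the customer alongside amount and payee."""
    issued_at = int(time.time()) if now is None else now
    return derive_code(user_secret, amount_minor, payee_iban, issued_at), issued_at


def verify_code(user_secret: bytes, amount_minor: int, payee_iban: str,
                issued_at: int, submitted: str, now=None) -> bool:
    """Server side: recompute the code from the transaction actually being executed."""
    now = int(time.time()) if now is None else now
    if now < issued_at or now - issued_at > OTP_TTL_SECONDS:
        return False  # expired, or issued in the future (clock skew)
    expected = derive_code(user_secret, amount_minor, payee_iban, issued_at)
    # Constant-time comparison so response timing does not leak code digits.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    secret = b"constructed-per-user-secret"  # constructed sample, not a real key
    iban = "GB82 WEST 1234 5698 7654 32"      # constructed sample IBAN
    code, t = issue_code(secret, 500_000, iban, now=1_700_000_000)  # £5,000.00
    print("code:", code)
    print("same transaction:", verify_code(secret, 500_000, iban, t, code, now=t + 30))
    print("amount tampered: ", verify_code(secret, 500_001, iban, t, code, now=t + 30))
```

The point of binding amount and payee into the HMAC input is that the verifier recomputes the code from the transaction it is about to execute, not from what the customer was shown; if a man-in-the-middle or a malicious app alters either field after the code was issued, verification fails regardless of which channel delivered the digits.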

Article 22.1 Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication

Article 22.4 Payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards

The EBA has gone with practicality rather than enforcing the RTS stringently. SMS has long been a stable form of second-factor authentication in legacy-plagued banking infrastructure. Also, educating customers on new SCA devices and methods will lead to issues in terms of customer experience.

So SMS is it?

Probably not. We would advise banks to use SMS with caution. They don’t want their customers paying someone £5,000 or more using this technology. SMS is clearly not secure: fraud is committed on the social engineering front, and first-party fraud is also on the rise. There is no case for the bank to argue when a customer reports first-party fraud (where the customer himself colludes to defraud the bank).

Why is SMS not secure?

It goes back to SS7 (the telephony signalling protocol) and SIM cloning (on older models), through to the latest malware and jailbroken phones. The latter two are the main causes of concern. Given these, banks don’t have control over the end delivery, which could lead to successful phishing attacks. If banks own their app, there is certainly scope for control over the end delivery of the OTP.

Then come the audit and traceability requirements: there is no proof of delivery or read receipt for SMS unless the carriers support it. It is merely fire and forget. These days WhatsApp messages are end-to-end secure with full audit capability. Banks are yet to come out of the stone age of ‘SMS’.

OTP doesn’t need to be via SMS

Most banks already have mobile apps. Delivering the OTP in the mobile app can be considered secure transmission, since the mobile app communicates with the bank server over TLS/HTTPS. They could also use push notifications.

Where could banks use SMS OTP?

SMS could be used for small-value transactions and as an auxiliary to the main 2FA. Banks should clearly have a strategy to move away from SMS and use SMS OTP only in the short term.

Basically, in the race against hacking, it has always been about investment trade-offs. Hackers invest time and material when they get a return on it. If banks allow large-value transactions through SMS, there is a high risk of fraud, and they will subsequently be impacted by the consequences of higher TRA fraud rates.

The same argument is valid with regard to email-based OTP.
