SMS OTP - PSD2 SCA Compliant or not?

SMS OTP

This is probably a simple topic, but banks have put a lot of effort into discussing whether SMS OTP is RTS-SCA compliant. The argument still carries on from two perspectives: the authentication element (possession) and the secure channel.

For now the EBA (5th Oct) has clarified that an SMS OTP can constitute an SCA possession element (EBA Single Rulebook Q&A). It also cites RTS Article 22, which concerns confidentiality, integrity and security. Creating the OTP with dynamic linking is SCA compliant; what remains debated is the transmission and delivery medium.

Article 22.1 Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication

Article 22.4 Payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards
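The distinction drawn above, between generating a compliant authentication code and delivering it, is easier to see in code. The following is an added example, not code from the EBA, the RTS or any bank: a dynamically linked OTP (RTS Article 5) in which the code is an HMAC over the payee, amount and currency shown to the customer plus a per-challenge nonce and issue time, and is verified against the transaction the bank is about to execute. The key, the 6-digit length, the 120-second lifetime, the in-memory ChallengeStore and the sample transaction are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed demo key: in production this would be an HSM-held or
# per-customer key in the bank's credential store, never a literal in code.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
CODE_DIGITS = 6         # hypothetical bank policy
CODE_TTL_SECONDS = 120  # hypothetical bank policy


@dataclass(frozen=True)
class Transaction:
    """The details the customer is shown and the code is linked to."""
    payee: str      # e.g. sort code and account number as displayed to the payer
    amount: str     # minor units as a decimal string: "500000" is GBP 5,000.00
    currency: str


def _message(txn: Transaction, nonce: bytes, issued_at: int) -> bytes:
    # Canonical encoding with an unambiguous separator so that, for example,
    # payee "12" + amount "3456" cannot be confused with payee "123" + "456".
    parts = [txn.payee, txn.amount, txn.currency, nonce.hex(), str(issued_at)]
    return "\x1f".join(parts).encode("utf-8")


def derive_code(key: bytes, txn: Transaction, nonce: bytes, issued_at: int) -> str:
    """Authentication code bound to payee, amount, currency, a per-challenge
    nonce and the issue time, truncated to CODE_DIGITS for human entry."""
    mac = hmac.new(key, _message(txn, nonce, issued_at), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


class ChallengeStore:
    """Hypothetical server-side record of outstanding challenges (in memory
    here; a real PSP would back this with a database)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending: Dict[bytes, int] = {}   # nonce -> issued_at

    def issue(self, txn: Transaction, now: Optional[int] = None) -> Tuple[str, bytes]:
        """Create a challenge. Returns (code, nonce). The code, together with
        the payee and amount it is linked to, is what gets shown to the payer
        over whatever channel the bank uses (SMS, push, in-app)."""
        issued_at = int(time.time()) if now is None else now
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = issued_at
        return derive_code(self._key, txn, nonce, issued_at), nonce

    def verify(self, nonce: bytes, presented_code: str,
               txn_to_execute: Transaction,
               now: Optional[int] = None) -> Tuple[bool, str]:
        """Check the code against the transaction the bank is about to execute.
        Returns (ok, reason). The challenge is consumed on any attempt, so a
        code can be neither replayed nor guessed by repeated submission."""
        now = int(time.time()) if now is None else now
        issued_at = self._pending.pop(nonce, None)
        if issued_at is None:
            return False, "unknown or already used challenge"
        if now - issued_at > CODE_TTL_SECONDS:
            return False, "expired"
        # Recompute over the transaction actually being executed: if the payee
        # or amount changed after the customer saw them, the MAC no longer
        # matches and the code is rejected.
        expected = derive_code(self._key, txn_to_execute, nonce, issued_at)
        if not hmac.compare_digest(expected, presented_code):
            return False, "code not valid for this payee/amount"
        return True, "ok"


if __name__ == "__main__":
    store = ChallengeStore(DEMO_KEY)
    shown = Transaction(payee="12-34-56 12345678", amount="500000", currency="GBP")
    code, nonce = store.issue(shown, now=1700000000)
    print(store.verify(nonce, code, shown, now=1700000030))      # (True, 'ok')
    # Same customer, same code, but the amount was altered in transit.
    tampered = Transaction(payee="12-34-56 12345678", amount="999999", currency="GBP")
    code, nonce = store.issue(shown, now=1700000000)
    print(store.verify(nonce, code, tampered, now=1700000030))   # rejected
```

Nothing in this block depends on how the code reaches the customer, which is exactly the gap Article 22 is about: the channel must show the payer the same payee and amount the code was derived from, because the code is valid for those values only, and an interceptor who also controls what the customer sees (malware on the handset, a phished screen) defeats the linking regardless of how well the code was generated.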

The EBA has gone with practicality rather than enforcing the RTS stringently. SMS has long been a stable form of second-factor authentication in legacy-plagued banking infrastructure, and educating customers on new SCA devices and methods would hurt customer experience.

So SMS is it?
Probably not. We would advise banks to use SMS with caution: they do not want customers paying someone £5,000 or more on the strength of it. SMS is clearly not secure. Fraud is committed through social engineering, and first-party fraud (the customer colluding to defraud the bank) is on the rise; when a customer disputes a transaction authorised by SMS OTP, the bank has little evidence with which to argue its case.

Why is SMS not secure?
The weaknesses range from SS7 (the telephony signalling protocol) and SIM cloning (older models) to current mobile malware and jailbroken phones; the latter two are the main concern. Because banks have no control over end delivery, an SMS OTP can be intercepted or phished successfully. If a bank owns its app, it has real scope to control end delivery of the OTP.

Then come the audit and traceability requirements: SMS offers no proof of delivery or read receipt unless the carrier supports it; it is merely fire and forget. WhatsApp messages, by contrast, are end-to-end encrypted and come with delivery and read receipts. Banks have yet to come out of the stone age of SMS.

OTP doesn't need to be via SMS
Most banks already have mobile apps. Delivering the OTP in the mobile app can be considered secure transmission, since the app communicates with the bank's server over TLS/HTTPS. Push notifications can be used to prompt the customer, with the caveat that the notification itself passes through the platform's push service (Apple's or Google's), so the OTP and the transaction details should be fetched by the app over TLS when the notification is opened rather than placed in the notification body.

Where could banks use SMS OTP?
SMS could be used for small-value transactions and as a fallback to the main second factor. Banks should have a clear strategy to move away from SMS and use SMS OTP only in the short term.

Ultimately, attacking a system is an investment trade-off: attackers invest time and resources where there is a return. If banks allow large-value transactions through SMS, there is a high risk of fraud, and the bank will then suffer the consequences of higher fraud rates, including jeopardising its transaction risk analysis (TRA) exemption.

The same argument applies to email-based OTP.