Today, the Which? consumer rights organisation released the results from its study of how people are excluded from financial services as a result of banks changing their rules to mandate that customers use new technology. The research particularly focuses on banks now requiring that customers register a mobile phone number and be able to receive security codes in SMS messages while doing online banking or shopping. Not only does this change result in digital exclusion – customers without mobile phones or good network coverage will struggle to make payments – but as I discuss in this post, it’s also bad for security.
SMS-based security codes are being introduced to help banks meet their September 2019 deadline to comply with the Strong Customer Authentication requirements of the EU Payment Services Directive 2. These rules state that before making a payment from a customer’s account, the bank must independently verify that the customer really intended to make this payment. UK banks almost universally have decided to meet their obligation by sending a security code in an SMS message to the customer’s mobile phone and asking the customer to type this code into their web browser.
The problem that Which? identified is that some customers don’t have mobile phones, some that do have mobile phones don’t trust their bank with the number, and even those who are willing to share their mobile phone number with the bank might not have network coverage when they need to make a payment. A survey of Which? members found that nearly 1 in 5 said they would struggle to receive the security code they need to perform online banking transactions or online card payments. Remote locations have poorer network coverage than average and it is these areas that are likely to be disproportionately affected by the ongoing bank branch closure programmes.
The aspect of this scenario that I’m particularly interested in is why banks chose SMS messages as a security technology in the first place, rather than say sending out dedicated authentication devices to their customers or making a smartphone app. SMS has the advantage that customers don’t need to install an app or have the inconvenience of having to carry around an extra authentication device. The bank also saves the cost of setting up new infrastructure, other than hooking up their payment systems to the phone network. However, SMS has disadvantages – not only does it exclude customers in areas of poor network coverage, but it also effectively outsources security from the bank to the phone networks.
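To make concrete which part of the scheme the delivery channel does and does not affect, here is an added example (my own illustration, not code from the post or from any bank) of the bank-side logic for a one-time payment code. The bank generates a short code, binds it to the amount and payee of the specific payment, gives it a validity window, allows a small number of attempts and accepts it once only. Exactly the same verifier works whether the code is delivered by SMS, shown in a smartphone app or displayed on a dedicated device, which is the point: swapping SMS for another channel changes only the delivery leg, not this logic. The class and constant names, the six-digit code length and the five-minute window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6           # assumption: six-digit codes, as most UK banks use
CODE_TTL_SECONDS = 300    # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3          # assumption: three guesses, then the code is void


class PaymentCodeVerifier:
    """Issues and checks one-time codes bound to a specific payment.

    The verifier never stores the code itself, only an HMAC over the code
    together with the amount and payee, so a code issued for one payment
    cannot be replayed to approve a different one. How the code reaches the
    customer (SMS, app, hardware token) is outside this class entirely.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # transaction id -> pending record

    @staticmethod
    def _digest(key, code, amount_pence, payee):
        # Bind the code to the payment details it is meant to authorise.
        msg = f"{code}|{amount_pence}|{payee}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def issue(self, txn_id, amount_pence, payee):
        """Create a code for this payment and return it for out-of-band delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        key = secrets.token_bytes(32)  # fresh per-transaction HMAC key
        self._pending[txn_id] = {
            "key": key,
            "digest": self._digest(key, code, amount_pence, payee),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, txn_id, code, amount_pence, payee):
        """Return True only for the right code, the right payment, in time, once."""
        rec = self._pending.get(txn_id)
        if rec is None:
            return False                       # unknown, already used or voided
        if self._clock() > rec["expires"]:
            del self._pending[txn_id]          # expired: discard permanently
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]          # too many guesses: void the code
            return False
        expected = self._digest(rec["key"], code, amount_pence, payee)
        ok = hmac.compare_digest(rec["digest"], expected)  # constant-time compare
        if ok:
            del self._pending[txn_id]          # single use
        return ok


if __name__ == "__main__":
    # Constructed walk-through: issue a code for a £250.00 payment to "ACME Ltd".
    v = PaymentCodeVerifier()
    code = v.issue("txn-001", 25000, "ACME Ltd")
    print("accepted for the intended payment:", v.verify("txn-001", code, 25000, "ACME Ltd"))
    code = v.issue("txn-002", 25000, "ACME Ltd")
    print("same code, different payee:", v.verify("txn-002", code, 25000, "Someone Else"))
```

Note what this does and does not buy. Binding the code to amount and payee (the dynamic linking that the PSD2 rules require) stops a code captured for one payment being used for another, and the expiry and attempt limits stop guessing. None of it helps when the criminal holds the victim's SIM, because they then receive whatever code the bank sends for a payment they initiated themselves; that weakness belongs to the delivery channel, which is the post's argument for replacing it.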
I can understand why banks are happy to get rid of this task – if a customer loses a bank-issued authentication device it’s the bank’s responsibility to replace it and make sure the replacement gets to the right customer. In contrast, if a customer loses their phone, it is the phone company who must re-issue a SIM card for that phone number, saving the bank the costs involved. The risk is that while phone companies design the security checks around re-issuing SIM cards to be secure enough for their own purposes, when banks piggy-back onto this system for authorising payments of thousands of pounds, this level of security won’t be enough.
The result is the “SIM-swap” fraud, where a criminal obtains a SIM card linked to a customer’s phone number and can then receive security codes for accounts linked to this number. Sometimes criminals pull off this scam by contacting the phone company and impersonating the victim, claiming to have lost their phone. Phone company staff are busy, and a laborious identity verification process could easily lead genuine customers who have lost their phone to ditch the company and move to a competitor. As a result, criminals find ways to bypass security checks. They’ve even infiltrated the phone companies themselves to get direct access to the systems that re-issue SIM cards.
Banks regularly outsource services to external providers, and security is no exception, but when banks do so, a basic expectation is that the provider is contractually obligated to meet some minimum level of service. With SMS authentication, this contractual obligation is missing. The phone company gets little, if anything, from the banks in exchange for operating as their authentication service provider. It’s not surprising therefore that the phone companies are reluctant to invest their own money in meeting the bank’s security requirements, and so SIM-swap fraud remains.
If banks picked up the bill for such fraud without question, and compensated victims for the stress and inconvenience caused, that would be one thing. However, it looks like banks don’t always do so. The Financial Ombudsman Service reports on a case where a SIM-swap victim was blamed for the fraud and not reimbursed. The Ombudsman decided in the victim’s favour and reversed the bank’s decision, but we don’t know how many such cases there are that might have been decided differently or never reached the Ombudsman in the first place.
If banks are the ones who make the decision to save money by outsourcing security to phone companies, but the customers pick up the bill for the resulting fraud, there’s no incentive for the bank to improve security. Problems like this can be fixed through a combination of regulation and re-aligning incentives to shift the cost of fraud onto the party who is in the best position to improve security. Perhaps phone companies will be forced to do better at preventing SIM-swap fraud, but this only fixes one of the many problems that SMS authentication suffers from, and it will surely make the process of replacing a lost or stolen phone slower and more painful for the customer. For now, I would expect banks to reimburse and compensate for SIM-swap fraud, but in the longer term, I think SMS should be replaced with better authentication technologies. Not only would this improve security, but it might also fix some of the problems of digital exclusion.
Images from Petr Kratochvil and Ervins Strauhmanis.