SMS One Time Password (OTP) - Is it SCA compliant or not?

OTP Blog feature picture@4x

Strong customer authentication is a PSD2 requirement that aims to make online transactions more secure. Before any payments that require SCA can be made, consumers will need to provide two kinds of information to verify their identity. While not a perfect solution, SCA is an important step towards reducing fraud in online shopping.

SCA requires consumers to provide at least two of the following kinds of information:

  • Something they know.This can be something like a password, PIN, or answer to a security question.
  • Something they have.This can be a debit card, phone number, or email address.
  • Something a person is.This refers to biometrics, like fingerprint scanners and facial recognition.

For obvious reasons, the last one is the hardest to hack, but it is also the hardest to implement, so the majority of SCA is going to focus on the first two: something a consumer knows and has.

Are One-Time Passwords (OTPs) SCA compliant?

One of the most popular forms of SCA are one-time passwords, or OTPs. These are short codes that can be sent to a person's phone number or email address (sometimes known as a verification code) and then entered before a transaction is approved. OTPs fall under the "something a person has," category, as the person would only receive the code if they have a specific phone number or email.

According to the EBA, OTPs are SCA compliant. This is because there is enough certainty that the person receiving the OTP has to be the same in possession of the device, or more specifically, the SIM card on the device.

It's important to note, though, that the OTP sender is responsible for making sure that the OTP is sent in a secure, authenticated manner. The EBA also specifies that the SMS message containing the OTP is not "something a person has," component, it's the SIM that qualifies this as SCA. The message is just to confirm that the individual has the SIM in their possession.

The risks of One-Time Passwords

Not only are one-time passwords SCA compliant, but they're actually one of the most popular forms of SCA, especially when sent over SMS. This is also known as two-factor authentication, or 2FA. These codes are sent to a person's phone number, generally after they enter a password online, and are a quick way to verify someone's identity.

The issue with these codes, however, is that, while they are convenient, they are not the most secure means of verifying a person's identity. In fact, there is a fairly simple and increasingly popular way to exploit 2FA codes, and that's through SIM swap fraud.

What Is SIM Swapping?

SIM swapping is when a person's phone number is ported from one SIM card to another. This process allows you to move a phone number from one phone to another without ever having the first phone in your possession. The theft is one of identity.

While it may sound surprising, it's a necessary and common feature offered by mobile carriers. When old SIM cards need to be replaced or a phone is lost, SIM card and all, SIM swapping allows someone to get a new SIM card without losing their phone number.

SIM swap fraud is when someone takes advantage of this feature to effectively steal a person's phone number. They do this by contacting a person's mobile carrier, impersonating the victim, and having the victim's phone number moved to a phone in the fraudster's possession. This gives them access to OTPs and password-reset capabilities, which can wreak havoc on the victim's finances in a matter of hours.

Alternatives to SMS OTP

Even though SMS one-time passwords are one of the most popular forms of SCA, there are alternatives. A common example that many apps are beginning to implement is sending a code as a push notification in an app installed on someone's phone. If banks were to build their own apps with this feature, they would be able to control the OTP from the moment it's sent to when it's delivered.

How JT Can Secure Your OTP Messages

Fortunately, there is a way to implement SCA compliant one-time passwords over SMS without putting your customers at risk, and that's by partnering with a security provider like JT: one of the world’s leading telecom providers, with over 120 years of experience in keeping people connected and safe.

JT can prevent these kinds of attacks from occurring by checking for a SIM swap before a one-time password is delivered to the device, so your verification codes will only ever reach their intended recipients. JT can also provide a secure path for delivering these messages using our 300+ operator agreements and SMPP Messaging Hub, so you don't have to worry about messages being lost or intercepted along their journey. As with all of JT's security features, this happens instantly during every 2FA interaction, so your customers will never notice a delay. Unless, of course, JT discovers that the SIM has been swapped, in which case we will notify you as the OTP sender for further action.

Is SMS OTP SCA Compliant Cover

To learn more on this topic, please download our new white paper: Is SMS OTP authentication method SCA compliant or not. 

Get A Copy