ITEM: Earlier this month, an Australian telco lobby group denounced SMS as a poor security measure for verifying IDs for online banking transactions. But security experts say the security issues lie with the telcos, not SMS itself.
At the center of the row is a reported phone fraud scam in Australia in which criminals get around bank security measures that use SMS as a second-factor authentication measure for online financial transactions by getting the minimal amount of information necessary to port the victim’s phone number to another device on another service provider network – and using that device to authenticate transactions.
According to an investigation by Secure Computing magazine in December 2011, A$45,000 (almost $47,000) was stolen from a victim’s account in one case. Since that article was published, similar fraud cases have been reported as recently as this month.
Both SC Magazine and iTnews say they have urged telcos to make the phone-number porting process more secure by adding security questions to their account.
However, John Stanton, chief executive of the Communications Alliance (Australia’s telco lobby that represents Telstra, Optus and Vodafone), told iTnews earlier this month that telcos would not add extra security to the porting process because making it more difficult “may be seen as a tool to lock in customers, hinder number portability and thus be deemed to be anti-competitive.”
Stanton declared further that SMS “is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication.”
However, security experts disagree with that assessment.
SecurEnvoy CTO Andy Kemshall, for example, told ARNnet the problem isn’t SMS but telcos making it too easy for scammers to port phone numbers.
Meanwhile, Goode Intelligence managing director Alan Goode argued that SMS can actually make online banking more secure if used properly, ARNnet reports:
“When used in two-factor authentication, SMS allows all users, and not just a limited few, to benefit from agile strong authentication and protect them against financial fraud and identity theft,” he said.