Forcing Phone Companies to Secure SMS Authentication Would Cause More Harm than Good
Food-writer and campaigner, Jack Monroe, has become the latest high-profile victim of a SIM-swap scam, losing over £5,000 from both her PayPal and bank accounts to a criminal who intercepted SMS authentication codes. The Payment Services Directive requires that fraud victims get their money back, but this process is not always quick or straightforward. When (as I hope it will) the money does eventually get reimbursed, she's still unlikely to get compensation for any consequential losses, nor for the upset caused. It's no surprise that this experience has been stressful for Jack, as it would be for most people in her situation.
I am, of course, very sympathetic to victims of SIM-swap fraud and recognise the substantial financial costs, as well as the sense of violation that results. Naturally, fingers are being pointed at the phone companies and followed up with calls for them to do better identity checks before transferring a phone number to a new SIM card. I think this isn’t entirely fair. The real problem is that financial institutions rely on the phone company to perform authentication but do not ensure that the level of security provided is appropriate for the sums of money at risk. This leaves their customers to pick up the pieces when things go wrong.
More Secure SMS Authentication
But what if phone companies did do a better job at handing out replacement SIM cards? Maybe the government could push them into doing so, or the phone companies might just get fed up with the bad press. Phone companies could, in principle, set up a process for re-issuing SIM cards which would match the level of security banks expect for SMS-based authentication. Let's put aside the issue that SMS was never designed to be secure, and that these processes would put up the cost of phone bills – would it fix the problem? I would argue that it would not. Processes good enough for banking authentication could lock people out of receiving phone calls, and disproportionately harm the most vulnerable members of society.
Making phone calls is a different task from payment system authentication, and they should be separate systems. I think one of the most important reasons is that the two activities have different requirements for the speed of replacing a lost device. This characteristic is critical for ensuring that re-issuing processes are secure enough.
Replacing banking authentication devices is quite slow compared to replacing a SIM card. Sometimes you need to wait for a letter from the bank, and sometimes you need to go into a branch to collect your authentication device. But the few days it takes to activate the new device gives an impending fraud victim more opportunity to spot a scam in progress before money has been taken. Because customers can still access the online banking channel or visit the bank branch, the short wait is not a problem. There are usually other ways customers can do transactions in the meantime. The trade-off is that you create a far more secure re-issuing process.
In contrast, any delay in recovering access to a phone number can be costly. A study by SimplySecure found that the gig economy means customers who miss a phone call risk losing out on a shift, and possibly being tarred as unreliable and so passed over for future work. Losing a phone would already put a strain on many people's finances. Waiting days for a replacement SIM to be active, missing phone calls, all while phone credit is locked up, could easily be the trigger for a cycle of financial difficulties. There's a clear need for a quick and easy process to re-issue a SIM card. There would still be a risk of SIM-swap attacks, but if we move payment authentication away from SMS, the value to criminals of a phone number is no longer as high, other than call credit which the phone company should reimburse.
Separating authentication and phone calls allows their different security requirements to guide the design of appropriate processes for recovering from lost devices. SMS-based authentication codes force two distinct activities to share infrastructure, leading to trade-offs which are inadequate for either. That's not to say that cooperation between banks and phone companies cannot play a part in a better solution, as long as the authentication application is separate from the phone number. Customers could receive phone calls on a re-issued SIM before the authentication application had keys loaded following enhanced security checks. Banks could alternatively issue dedicated authentication devices or deploy an application that sends authentication codes through push messages. Regardless of what solution banks select, the process for handling a lost device must not be allowed to introduce a weak point in security. Banks and financial institutions can make the choice of authentication technology they think is appropriate, but they must accept the responsibility for their decision and not pass costs onto the victims of fraud.
This article, originally published on 14 October 2019, first appeared on Bentham’s Gaze.