At this point in 2019, we’ve all dealt with some flavor of two-factor authentication that uses SMS one-time passcodes. We attempt a sign-in and see a prompt telling us that a six- (or four-, or nine-) digit PIN is being texted to us, and that we have to enter it to proceed with our login or password change. It’s a mild piece of friction, but it’s not terribly onerous and it is doing something useful: keeping consumers safe.
Unless, of course, it isn’t. SMS one-time passcodes are more of a risk than most consumers realize, Boku CEO Jon Prideaux told Karen Webster in a recent conversation. The consumer thinks their bank is sending them a unique code that only they can directly access — but the reality is a little different.
A fraudster doesn’t always have to hack a phone to access a user’s identity and information — they can hack the person. There are any number of social engineering techniques — impersonating an employee based in a call center, for example — that can get someone to cough up a PIN texted to them by their bank. Moreover, Prideaux said, there are all kinds of technological solutions to gain illicit access to a consumer’s mobile device.
“The weakness is also in malware — little bits of code slipped into a rogue app. It is possible to slide those onto Android phones especially, and that malware can read your SMS messages without you ever being aware of it,” Prideaux told Webster.
In fact, he noted, a good enough piece of malware can mess with a phone’s settings so that the owner never knows they got a text message, and won’t know their bank account has been covertly seized until some damage has been done.
“What the world needs is a better mobile-based solution that isn’t vulnerable to being spoofed or hacked,” Prideaux said.
The good news is that solutions already exist; the challenge is that there is a bit of work to be done to make proper use of them.
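The interception risks above (social engineering and SMS-reading malware) are outside the issuing server’s control, but the server can at least limit what a captured code is worth. The following is an added example, not code from the original article or from Boku, showing the controls a defender would expect around an SMS one-time passcode: single use, a short expiry, a cap on guesses, binding of the code to the login session that requested it, and constant-time comparison. The `send_sms` hook, the phone number and the session identifiers are constructed for the example; no real SMS provider is called.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # five-minute window
MAX_ATTEMPTS = 3           # guesses allowed per issued code


@dataclass
class PendingOtp:
    code: str
    session_id: str        # login session the code was issued for
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issue and verify SMS one-time passcodes. Delivery is delegated to a
    caller-supplied send_sms(phone, text) hook (an assumption for this
    example, not a real provider API); the clock is injectable for testing."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending: dict[str, PendingOtp] = {}   # one live code per phone number

    def issue(self, phone: str, session_id: str) -> None:
        # CSPRNG-generated digits; reissuing simply replaces any pending code
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[phone] = PendingOtp(code, session_id, self._clock())
        self._send_sms(phone, f"Your code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, phone: str, session_id: str, submitted: str) -> tuple[bool, str]:
        entry = self._pending.get(phone)
        if entry is None:
            return False, "no pending code"
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]
            return False, "code expired"
        # Constant-time comparisons; compare_digest returns False on length mismatch
        session_ok = hmac.compare_digest(entry.session_id.encode(), session_id.encode())
        code_ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if session_ok and code_ok:
            del self._pending[phone]      # single use: a replayed code finds nothing to match
            return True, "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]      # force a fresh code after repeated failures
            return False, "too many attempts; request a new code"
        return False, "session mismatch" if not session_ok else "incorrect code"


def run_scenario() -> list[tuple[bool, str]]:
    """Drive the service with a fake clock and a captured outbox
    (constructed test harness; nothing is actually sent)."""
    outbox: list[tuple[str, str]] = []
    clock = [1_000.0]
    svc = OtpService(send_sms=lambda to, text: outbox.append((to, text)),
                     clock=lambda: clock[0])
    phone = "+15555550100"                       # constructed sample number
    results: list[tuple[bool, str]] = []

    svc.issue(phone, "sess-A")
    code = outbox[-1][1].split()[3].rstrip(".")  # read the code back out of the constructed SMS
    results.append(svc.verify(phone, "sess-B", code))   # code relayed into a different session
    results.append(svc.verify(phone, "sess-A", code))   # legitimate use
    results.append(svc.verify(phone, "sess-A", code))   # replay after use

    svc.issue(phone, "sess-C")
    code = outbox[-1][1].split()[3].rstrip(".")
    for _ in range(MAX_ATTEMPTS):
        results.append(svc.verify(phone, "sess-C", "not-a-code"))  # guessing
    results.append(svc.verify(phone, "sess-C", code))   # correct code, but already locked out

    svc.issue(phone, "sess-D")
    code = outbox[-1][1].split()[3].rstrip(".")
    clock[0] += OTP_TTL_SECONDS + 1
    results.append(svc.verify(phone, "sess-D", code))   # past the expiry window
    return results


if __name__ == "__main__":
    for ok, reason in run_scenario():
        print(ok, reason)
```

None of these controls stops a code from being read off the handset; they shrink the window and the number of tries a fraudster gets with it. The session binding only helps when the victim initiated the login and the code is relayed elsewhere; if the fraudster started the login and talked the victim into reading the code back, the session matches, which is exactly the gap the article is pointing at.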
The Better Mobile Mousetrap
It is easy to beat up on SMS-based authentication for how relatively easy it is to overcome — but it is perhaps a bit unreasonable to expect it to act as an authentication method at all. SMS was designed as a method for exchanging short messages easily, Prideaux noted, and has been grafted ad hoc onto the authentication process.
The digital world has been transitioning from desktop-based to mobile-based for a decade now, he said, and it has become increasingly clear that mobile authentication methods are needed. The tools of the past — IP addresses and email accounts — just don’t cut it anymore as they are so cheaply and easily obtained. And while we could all theoretically use our debit and credit card numbers as our unique digital identifiers, that would essentially mean trying to fight fraud by surrendering to the fraudsters.
But a phone number, Prideaux noted, is exactly the right idea. SMS one-time passcodes provide a security solution in the right neighborhood, but at the wrong house.
“The phone number is something everyone has — they know it, they are used to giving it out,” he said. “There is an expression: ‘Your bank account will outlive your marriage.’ Well, my mobile account information is older and better established.”
Moreover, Prideaux continued, we already know the location of the right house in the mobile authentication neighborhood: the phone carriers, who have gotten incredibly good at validating phone numbers. They have to, he said — otherwise, they couldn’t bill people for services.
Through the magic of a SIM card, he noted, the phone company can nearly instantly verify that the person trying to transact inside an app on their phone is associated with the phone itself.
“The customer is not sent off-app or asked to retrieve anything — this all happens on the backend, without interrupting their experience,” Prideaux said. “It feels like magic.”
Moreover, it is magic that lives quite literally in the palm of a majority of customers’ hands. Instead of using the mobile device as a payment token, this is a way of turning its data caches into an identity token — and in a way that builds a better and more secure consumer experience.
So if it works so much better, Webster wondered, what’s holding it back from becoming a new authentication standard?
In a word, Prideaux noted, the problem is fragmentation.
Building Ubiquitous Access
SMS may not work terrifically well as an authentication tool, but it does have one massive advantage and selling point: It is ubiquitous. Everyone has it, everyone knows how it works and it is standardized, so it works more or less the same everywhere.
Phone carrier networks, on the other hand, are a diverse bunch. As of today, the global market has over 150 different networks, each of which has more than 10 million customers.
“If you are trying to interact with all mobile phones, the prospect of integrating into 150 telephone networks is massive — and none of it is standardized across networks,” Prideaux said. “We are laboring night and day to build a global network that can make this kind of service based on carrier data consumables.” The goal is to create a world where everyone can leave SMS authentication behind, because “a better mousetrap is available.”
How will they know when they’ve gotten to that point? As Prideaux noted, this isn’t a cut-and-dried question, because authentication and verification are a complex world. At the absolute top tier, there are government-mandated AML/KYC processes to answer the question “who are you,” and credit checks to determine one’s worthiness for underwriting.
There are all kinds of verification use cases, he said, that don’t require full AML/KYC compliance, as well as classification purposes such as determining whether a consumer is in good standing. Preventing mobile account takeovers of existing accounts, and recognizing and proactively thwarting identity theft, are two of the most common. When the world at large will be able to start adopting what Prideaux described as a “really exciting” new market for identity depends on what size and scale of service a firm needs.
For some things, he said — mainly things that need to operate at a global scale — if the services aren’t offered at near-ubiquity, they won’t work. In other cases, a firm might only need one carrier in the market to start moving forward on a thin shell of services.
Those thin shells, Prideaux said, will thicken into fuller offerings based on the ability to use mobile data as an identity tool in a more direct, less SMS/passcode-driven way.
It will take time, but the technology already exists to make it happen. The challenge lies in building all the connectors to make it work together.
“The real inhibitor isn’t the tech — it is the availability of the technology through a single, simple API,” Prideaux said.