Should You Use SMS as a Security Factor for Customers?
With the staggering amount amount of customer data breaches that occur, customers are becoming more protective of their personal data. They expect you as an organization to protect the data that they share with you. A recent example of this is the Equifax data breach, in which nearly half of Americans (143 million people) had their personal data compromised. These types of breaches are making customers aware of a need for security.
Preventing breaches requires many elements of security: data encryption, data access governance, password policies, etc. The scope of this blog is limited to multi-factor authentication (MFA). One of the most common ways hackers can get into your system and steal customer data is by using a customer's actual login credentials. It's inevitable that some of your customers will have their credentials compromised and there is virtually nothing you can do to stop it. Customers may fall victim to phishing scams or reuse passwords across sites and have them compromised elsewhere.
Joseph Bonneau, a researcher from Cornell University, compared leaked data from two separate breaches. By cross referencing 456 legitimate email addresses contained in both breaches, he found that 43% of email addresses reused passwords. An even higher percentage, up to 49%, used very similar passwords.
In these situations, presenting customers with a second factor to approve transactions or verify their identity during authentications is the best defense. That second factor often takes the form of an SMS message. It works like this: Your customers try to authenticate or perform a transaction that is determined to be risky-either manually or through a risk engine, but that's a topic for another blog-and then they receive an SMS text message to the phone number they provided when they registered or enabled SMS as a second factor. The message contains a short code that they have to copy into a web app to approve the authentication or transaction.
This is a very common approach, and your organization may be using SMS as a second factor today. However, there are several problems when SMS is the only option available:
SMS is insecure. In a recent report, The National Institute for Standards and Technology (NIST) listed SMS as an authenticator threat. They deemed SMS messages vulnerable to being intercepted by malicious third parties. There are many, many other reports and articles that list SMS as the weakest link in a two-factor authentication (2FA) or MFA workflow.
Hackers can intercept SMS data via several methods that range in cost and complexity. The simplest and lowest-cost method for intercepting SMS messages is to use social engineering techniques to impersonate the authorized user. This may involve a telephone call, email exchange or online chat with a Customer Service representative, and indirectly changing the mobile phone number to an unauthorized phone. All MFA attempts using SMS will be sent to the new phone number. There may be no evidence that the phone number is not valid, and potentially insufficient notification to the authorized user, if any at all.
SMS forwarding is another technique imposters use to receive SMS notifications. This method is typically free, although more technically sophisticated, as it requires access to the mobile device through malware infection or other vulnerabilities, including physical access to an unlocked device. As the name would suggest, SMS messages sent to the authorized phone are forwarded to the unauthorized number. User detection is more likely than with the previous technique; however, the user would not be notified until after the breach had occurred. This hacker then may have time to compromise user data before the user can react.
SIM cloning is the most expensive and technically challenging method. It is also the most likely to cause long-term and persistent exploitation. SIM cloning is a popular method utilized primarily on Android devices, to allow a user to access unauthorized networks that are not permitted by that device. If a device is able to connect to the provider network (there are many preventative measures taken by providers, and detection is highly likely), then the device with the cloned SIM will receive all SMS messages intended for the authorized user. The authorized user will also receive these messages, but like the SMS forwarding technique, once the SMS is received it's too late.
SMS flows also detract from your customer experience. They force customers to disengage from your brand, open a separate SMS app on their phone, read unformatted text and copy a code from the message they received. This multi-step process is a far cry from the bar set by CX leaders today. When consumers are abandoning sites in droves because a pages take five seconds to load, SMS definitely has the potential to create friction in the customer experience.
If you're using a third-party service, such as Twilio, for your SMS messages, there is a cost associated with each message. If you rely heavily on SMS as a second factor, those costs can add up.
There are secure, convenient and more cost-effective alternatives to SMS, one of which is to leverage the customer-facing mobile app you already have and turn it into a second factor. This option has several advantages that counteract the drawbacks SMS presents.
When using your own mobile app, you can completely incorporate your own branding into the experience. And since your mobile app can utilize push notifications, customers can get data about what they're approving in a clean, user-friendly format. They usually can also use a fingerprint for a simple, one-touch approval without even opening an app. This is much more streamlined than the multi-step process SMS requires.
Push notifications are much more secure than SMS. SMS simply sends a code to a phone number, which can be spoofed. Your mobile app can verify device secrets that are much more secure. It can then send the push notifications directly to a customer's device, not just the phone number or SIM card their carrier associates with that device.
Push notifications don't come with a per-use cost like SMS does. So if you begin to utilize your second factor more, costs won't drastically increase as a result.
Though many of your customers may already use your mobile app, you probably don't want to (and couldn't if you tried) force them to download it. Turning your mobile app into a security factor may be an additional benefit to your app and cause an uptick in usage, but there will likely be a group of your customers who will never download your mobile app. These customers may still benefit from a second factor. You'll still want to give an option to them, even if it's a less secure one. SMS and email are popular options for these cases.
There is no way to suddenly implement any type of MFA technology for consumers to 100% defend against every attack in every situation. The choices your security and business teams make should be around ensuring that the largest number of your customers have access to the most secure, convenient second factors.
From there, you'll want to consider what you'll do for customers in edge cases or emergency scenarios. These scenarios may include customers who don't have your mobile app, customers without mobile internet access, or customers who forget their passwords and lose all of their devices. There is no right answer, and your security team will have to consider these variables carefully to strike a balance between security and convenience.
SMS has an important role to play in that process. However, SMS is not an ideal primary second factor considering its cost, security vulnerabilities, and the friction it introduces to the customer experience. Using your own mobile device as a secure, convenient second factor where possible is ideal. This should act as the primary second factor for authentications and transaction approvals for most of your userbase. Then, SMS, email or other less secure and convenient second factors can be used to fill in the gaps and provide security when your mobile app cannot.
To learn more, download our MFA for Customers white paper to discover the unique requirements of multi-factor authentication for customers and the five things that a customer MFA solution must do to strike this balance.