German banks refuse to support authorization by one-time SMS-code

Several German banks have announced plans to abandon the use of one-time SMS passwords as a method of authorization and transaction confirmation.

Handelsblatt reports that Postbank will refuse to support one-time SMS passwords in August, Raiffeisen Bank and Volksbank in autums, and Consorsbank will do it by the end of the year. Deutsche Bank and Commerzbank also plan to abandon support, but have not yet announced a deadline. Other banks, such as DKB and N26, have never used this technology, and ING has not yet made public statements about its plans.

In 2015, the EU revised the first 2007 directive on payment services (a set of rules governing online payments in the EU) and released an updated version of PSD 2, requiring the implementation of robust client authentication mechanisms. According to estimates of the European Banking Supervision Service (The European Banking Authority, EBA), which last June introduced the standards of technical standards within PSD2, current implementations of authorization mechanisms for one-time SMS codes do not meet the new requirements.

Read also: Implant FinSpy was able to read even the protected chat rooms in Telegram and WhatsApp

Over the past few years, the number of attacks using the “SIM swapping” method has increased, due to which a fraudster can fraud a telecom operator and transfer the user’s phone number to another SIM card by gaining access to the user’s online accounts at banks and cryptocurrency exchanges.

Cybersecurity experts have warned against using one-time SMS passwords for several years.

“All in all, SMS was never that secure to begin with and should have never been used so extensively. While two-step verification and two-factor authentication is recommended, security experts have been warning against relying on SMS as “the second factor”, — writes ZDNet media.

The problem lies in the inherent and uncorrectable deficiencies of the SS7 protocol (SS7), which is used to tune most telephone exchanges around the world. Vulnerabilities in this protocol allow intruders to quietly steal a user’s phone number, even without the knowledge of the provider, allowing him to track the owner, as well as authorize online payments or login requests.

These vulnerabilities have not gone unnoticed in Germany. In May 2017, BSI, the Germany cyber-security agency, warned that cyber-criminals could use SS7 to intercept SMS messages used in online banking”, — reports ZDNet.

Cybersecurity experts recommend using authenticator applications or hardware tokens instead of SMS-based authentication.