Westpac: SMS authentication doesn't help security

SMS-based two factor authentication has been touted as a way of improving online banking security but Westpac's head of information security disagrees.

The National Australia Bank, Commonwealth Bank and HSBC currently offer their customers SMS-based two-factor authentication -- customers receive a one-time password on their mobile phones, which is then used to verify a transaction. It seems Westpac is unlikely to go down the same path.

Rather than being about security, SMS-based authentication in its current form is more about consumers' perceived level of safety, said Westpac's head of information security, Matthew Woodrow, at a Financial Times event called Securing the Bank, held in Sydney last week.

"It's not to do with security at all ... consumers have expectations of security levels while using their mobile phones to do their banking. So you're not thinking about security at all, but you're thinking about the product and what consumers want," said Woodrow.

Besides Westpac, St George, SunCorp and ANZ have also held back from adopting SMS-based verification systems for their customers.

One reason why some banks have resisted the adoption of token- or SMS-based authentication could be the emerging Europay, Visa and Mastercard (EMV) standard, which is tied to the release of contactless smartcards, according to Intelligent Business Research Services security analyst James Turner.

"Once EMV standards are accepted, Internet banking is going to move into that," said Turner.

While a token-based system is considered too expensive and complicated to be worth implementing for consumers, technology and standards flux should not prevent the adoption of SMS-based authentication as a temporary security measure, said Turner.

"No system the banks roll out will be foolproof, but we can't sit on our hands and do nothing. [SMS authentication] is much more straightforward to deploy than physical tokens -- and mobile phone penetration is massive. Also, the majority of people understand how to use SMS. From my perspective it's an elegant solution," said Turner.

A distinction should be made between SMS-based transaction authentication and SMS-based authentication for logging in, said Turner. Transaction-based authentication only occurs when a transaction is made, so even if someone has hacked into a person's account, that transaction will only proceed if the account holder responds to the SMS issued by the bank.

"If I'm out at a cafe and receive an SMS from my bank, and I know that I have not made that transaction, it doesn't go ahead. So even if the password has been compromised, they can't make the transaction."
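The transaction-verification model Turner describes, written up as an added example (not code from the article, Westpac or any vendor it names): a hypothetical bank-side service issues a code bound to one specific transaction, with a short shelf life, single use and a cap on guesses, so a stolen password alone, a replayed code, or a code re-used against an altered payment is refused. All names and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

APPROVED = "approved"
REJECTED_UNKNOWN = "rejected: unknown challenge or code already used"
REJECTED_EXPIRED = "rejected: code expired"
REJECTED_MISMATCH = "rejected: code or transaction details do not match"


class TransactionOtpService:
    """Bank-side issuer and verifier for transaction-bound one-time codes (hypothetical)."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self._pending = {}      # challenge_id -> state of one outstanding transaction

    @staticmethod
    def _fingerprint(account, amount_cents, destination):
        # The code is bound to exactly these details; altering any of them invalidates it.
        return hashlib.sha256(f"{account}|{amount_cents}|{destination}".encode()).hexdigest()

    def issue(self, account, amount_cents, destination):
        """Start a challenge for one transaction; the code is sent to the customer by SMS."""
        challenge_id, code = secrets.token_hex(8), f"{secrets.randbelow(10**6):06d}"
        self._pending[challenge_id] = {"code": code, "attempts": 0,
                                       "tx": self._fingerprint(account, amount_cents, destination),
                                       "expires_at": self.clock() + self.ttl}
        return challenge_id, code

    def verify(self, challenge_id, code, account, amount_cents, destination):
        """Approve only a fresh, unused code presented with the same transaction details."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return REJECTED_UNKNOWN
        if self.clock() > entry["expires_at"]:
            del self._pending[challenge_id]          # shelf life: stale codes are dropped
            return REJECTED_EXPIRED
        entry["attempts"] += 1
        code_ok = hmac.compare_digest(entry["code"], code)
        tx_ok = hmac.compare_digest(entry["tx"], self._fingerprint(account, amount_cents, destination))
        if not (code_ok and tx_ok):
            if entry["attempts"] >= self.max_attempts:
                del self._pending[challenge_id]      # cap online guessing of a 6-digit code
            return REJECTED_MISMATCH
        del self._pending[challenge_id]              # single use: a replay now hits REJECTED_UNKNOWN
        return APPROVED
```

The check in `verify` is the bank's side only; it says nothing about how the SMS itself travels, which is the weakness the commenters below argue about.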

Ray Stanton, BT's global head of business continuity, security and governance, said while two-factor authentication is "not for everyone", the issue is wrapped up in consumer confidence.

"If a bank wants to maintain credibility, then it has to do everything to maintain my confidence," Stanton told ZDNet Australia.


Talkback 11 comments

    Are Westpac really that crazy? Anonymous -- 29/10/07

    These days it's far too easy to hijack someone's user name and password. Simply because they use the same passwords for their free email service as they do for their banking.

    I would not use e-banking now without two-factor authentication. What's this Westpac guy on? Saying it's not about security. Huh?

    The author is confused Dean Spaccavento -- 31/10/07

    I work in the security field and this article did its best to confuse me. It begins with a headline discussing SMS authentication, and then discusses SMS transaction verification. They are different things, to be used in different circumstances.

    It seems that the author is confused. Mr. Turner, interviewed in the article, even clarified this point - "A distinction should be made between SMS-based transaction authentication and that for logging in" - and the author still managed to get it mixed up.

    But I can forgive that, authentication/transaction verification is a specialist area and probably best commented on by people with some understanding of the issues.

    However, the telling point for me is that the quote from Mr. Woodrow actually says nothing about SMS authentication / transaction verification not helping security. He says that SMS authentication / transaction verification is able to increase a user's perceived level of safety. Which makes sense, as it makes users safer. One of the beautiful things about SMS authentication / transaction verification is that it is transparent enough for a user to see why it secures them.

    So take the assertions in this article with a grain of salt. I suspect the entire article was written to support a sensationalist headline.

    Agreed! Roger Saner -- 31/10/07 (in reply to #320088871)

    I agree with Dean - the content of the article does nothing to support the title of the article. Disappointing at best; bad journalism at worst.

    Not Quite Dean :) Christian Heinrich -- 01/11/07 (in reply to #320088871)

    @Dean Spaccavento

    I suspect what Matthew Woodrow is (badly) alluding to is that while the customer may perceive SMS authentication as more secure than a password, it can be intercepted then replayed as it is communicated in band (i.e. via the Internet) just like a password.

    What Matthew Woodrow doesn't know is that the security is due to the shelf life of the SMS token, which causes it to be rejected if it has expired.

    But it is more secure than JUST a password. Anonymous -- 05/11/07 (in reply to #320088952)

    Just using a password puts all your eggs into one basket. Introducing SMS transaction verification means that it's not any harder to steal someone's username and password, but it is a lot harder to get the money out of their bank accounts.

    Replaying the one-time number would do no good, because it is just that, a one-time number, useful once, on a specific transaction.

    Underground Economy Christian Heinrich -- 08/11/07 (in reply to #320089152)

    In addition, trade in OTP on the Underground Economy is non existent (for the moment) due to the shelf life of OTP weighted against the "time to market" and "Sales Cycle" of the Underground Economy.

    Hence, the Underground Economy thrives on the sale of static passwords capable of being replayed numerous times.

    SMS Password is the worst Anonymous -- 02/11/07

    SMS Password has never been recognized as a secure authentication. RSA was the first to withdraw its SMS based authentication from marketing. The reasons were the insecurity, hidden costs and communication problems. A Bank can not make its business customers rely on a password that may never come when they urgently need it. Westpac has been looking at alternative solutions such as the CAT - Cellular Authentication Token. This one is a New Zealand developed TFA OTP solution. It is affordable, secure and easy to deploy. There are no hidden costs and the users just love it. Do you still remember a few months back, when Telecom announced that there was a problem with SMS and people could receive other people's SMS messages? Or the fact that SMS is open text, and the SMSC operators can simply read it. Nothing like this with a CAT.

    TFA OTP Christian Heinrich -- 04/11/07 (in reply to #320088973)

    @Anonymous,

    Are you referring to Cellular Authentication Token (CAT) from Mega AS Consulting Ltd in New Zealand?

    SMS Two-Factor Auth is a start Anonymous -- 07/11/07 (in reply to #320088973)

    Logging in with a static pwd is far too dangerous these days. With an out of band SMS pwd, you limit breaches to someone who has either stolen your phone or intercepted the SMS (besides being an SMSC operator - who can?). So not foolproof but a start at least.

    Maybe Westpac should check out Vasco Data Security, who has a 2FA OTP mobile solution, but uses the same server platform to change the token device to for instance an EMV compliant Secured Card Reader.

    SMS Two-Factor Auth is a start Simon -- 08/11/07 (in reply to #320089317)

    Just for the record, ICT Security - a Sydney based solution developer - has been delivering custom CAT solutions for several years. Not only are the CAT solutions more secure, but they are also more reliable and much faster. I speak as a happy customer...

    TFA OTP Christian Heinrich -- 11/11/07 (in reply to #320088973)

    Can someone from Vasco, ICT Security or NZ (i.e. the vendors doing the shameless plugs) explain why TFA OTP is "more secure" in light of not providing *any evidence* to back this claim up?
