SMS codes are insecure. What’s next?
Posted on 15.10.2016 at 12:00
The high popularity of mobile banking brings additional risks for customers and their operations. Denis KALEMBERG, CEO of SafeTech, explained what the risks are and how to address them in an interview with NBJ.
NBJ: Denis, please explain what new, previously unknown risks we are talking about.
D. KALEMBERG: The risks generally remain the same: this is the possibility of stealing money from user accounts. This risk existed in Online Banking, but since the channels for issuing and authorizing documents were combined on a mobile device, fraudsters got many more opportunities for an attack.
NBJ: SMS authorizations are now seriously criticized. Why?
D. KALEMBERG: The SMS channel was not originally designed to transmit confidential information. The message can be intercepted in many ways both in the channel of the telecom operator and in the smartphone itself. And fraudsters have learned how to do it well! Thus, sending confirmation codes to authorize payments via this channel is not a good idea. On the other hand, SMS has been the cheapest “channel” to reach customers for a very long time, and banks actively used it.
NBJ: What are the alternatives to SMS?
D. KALEMBERG: To drastically reduce the risk of theft, two conditions must be met:
Do not transmit transaction authorization codes via insecure communication channels, but generate them on the client side;
authorization codes should be generated based on the details of each transaction: that is, if the fraudsters somehow intercept the password, they would not be able to use it to authorize another document.
One can use hardware tools for this (e.g., MAC tokens), but this option is quite costly and requires complex logistics. The second way is to use transaction signing software that can be installed on a smartphone or even be integrated into a mobile banking application.
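The two conditions listed above (codes generated on the client, bound to the details of each transaction) can be demonstrated with a small HMAC-based transaction-signing scheme. This is an added illustration, not PayControl's or any vendor's code, and it assumes a key shared between the client app and the bank, a 30-second time step, and constructed sample transactions.

```python
import hashlib
import hmac
import json

STEP_SECONDS = 30  # validity-window granularity (assumption for this example)


def canonical(tx: dict) -> bytes:
    """Serialize the transaction details deterministically so that the
    client app and the bank hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(key: bytes, tx: dict, timestep: int, digits: int = 8) -> str:
    """Client side: derive a short code from the shared key, the full
    transaction details and the current time step. Nothing is received
    over SMS; the code is computed on the device and works offline."""
    msg = canonical(tx) + timestep.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, tx: dict, code: str, now: int, window: int = 1) -> bool:
    """Bank side: recompute the code for the transaction details actually
    received, over a small time window, and compare in constant time.
    A code captured for one document cannot authorize another, because the
    details (and therefore the MAC input) differ."""
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        expected = transaction_code(key, tx, current + delta)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample data: placeholder key and accounts, not real values
CLIENT_KEY = bytes.fromhex("0f" * 32)
TX_INTENDED = {"from": "ACC-PLACEHOLDER-1", "to": "ACC-PLACEHOLDER-2",
               "amount": "1500.00", "currency": "RUB", "doc_id": "DOC-1001"}
TX_TAMPERED = dict(TX_INTENDED, to="ACC-ATTACKER-PLACEHOLDER", amount="150000.00")

if __name__ == "__main__":
    now = 1_476_525_600  # fixed timestamp so the run is reproducible
    code = transaction_code(CLIENT_KEY, TX_INTENDED, now // STEP_SECONDS)
    print("valid for the intended document:", verify(CLIENT_KEY, TX_INTENDED, code, now))
    print("valid for a tampered document:  ", verify(CLIENT_KEY, TX_TAMPERED, code, now))
    print("valid ten minutes later:        ", verify(CLIENT_KEY, TX_INTENDED, code, now + 600))
```

The run shows that the same code is accepted only for the document it was computed over and only within its time window, which is exactly what an intercepted SMS password does not guarantee.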
NBJ: Please tell us more about the PayControl solution by SafeTech.
D. KALEMBERG: PayControl is an application for a smartphone or tablet that allows the user to sign electronic documents and authenticate customers. The user reviews the details of an operation and authorizes it in one touch. The solution is much more secure and user-friendly than SMS passwords, as it does not require waiting for and manually entering a confirmation code. Moreover, the user can sign the transaction even if the smartphone is offline.
NBJ: Does the company have plans to expand the solution functionality?
D. KALEMBERG: Yes, we do. We are releasing a new version that is integrated with the CryptoPro DSS cloud-based signature service developed by our partner, CryptoPro. The joint solution will allow users to authorize payment documents with a qualified digital signature (QDS) directly on their smartphones. We believe the solution is ideally suited for corporate mobile banking systems and have already submitted it for certification to the FSB of Russia. Now banks are able to implement cost-efficient authorization of payment documents on mobile devices with a qualified signature. The new integrated solution of PayControl and CryptoPro DSS makes this real.