Out of Band is Out Of Bound!
NIST, the US government agency whose guidance on deploying security systems is followed across the federal government and also referenced by private companies, recently deprecated Out of Band (OOB) authentication that relies on SMS.
So NIST is finally saying what security experts pointed out long ago: OOB authentication using SMS is not safe. This does not apply to other OOB authentication solutions, such as a one-time key generated using time-synced cryptography, which is a key that you use only once and that does not pass through any intermediaries before you make use of it.
SMS-based OOB was developed because it was a very convenient way of providing one-time access using a person's mobile device. But the fact that the SMSed OTP first passes through the SMS service provider's servers makes it a valid security issue as far as NIST is concerned.
Most banks are still using this highly vulnerable authentication system, with some banks also messaging the code to their customers' registered email address. So if someone has hacked into your email account and knows your internet banking username and password, it is an easy way to steal money from your account.
Key-based, time-synced one-time passwords are a good alternative. But they have a disadvantage: one needs to carry a dongle for each service, and there is no single dongle or service available for all of them.
There are other secure OOB alternatives, such as voice passwords that verify the customer's voice and are getting more accurate by the day, and which cannot be spoofed by recording someone's voice. Yet banks and other online services have still not adopted this more humane and secure authentication system.