The US Government’s National Security group, NIST that offers guidance on deployment of different types of security systems across the government and also referred to by private companies, recently deprecated Out of Band Authentication (OOB) that makes use of SMS.

So what NIST is finally saying which has been pointed out by security experts long back that OOB authentication using SMS is not safe. This however does not apply to other OOB authentication solutions such as the one time key generated using  time-synced cryptography. Which is a key that you use only once and does not go through any hoops before you make use of it.

SMS based OOB was developed as it was a very convenient way of providing one time access using a persons mobile device. But the fact that the OTP that is SMSed first goes through the SMS service provider’s server make it a valid security issue as far as the NIST is concerned.

Most of the banks are still using this highly vulnerable authentication system with some of the banks also messaging the code to their customers registered email address. So if someone has hacked into your email address, and knows your internet banking username and password, it is a easy way to steal money from your account.

Key based, time synced onetime passwords are a good alternative. But they have a disadvantage that one will need to carry a dongle for each of the service and there is no single dongle or service available for all.

There are other secure OOB alternatives such as voice passwords that verifies the customer’s voice and which are getting increasingly accurate by the day. And something that cannot be spoofed by recording someone’s voice. And yet the banking system or other online services are yet to adopt this more humane and secure authentication system.
Source: Google Image Search

About The Author

"Founded in July, 2016, is a cyber security blog that covers important security issues affecting common users, industry and governments. It aims to create awareness among its readers about malware, hacking, encryption, identity theft, privacy, etc and also offer solutions to protect themselves from such attacks"

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

9 + 3 =