PSD2 and strong customer authentication: Are all elements equal?

The European Payment Services Directive 2 (PSD2), introduced in January 2018, contains the requirement for additional security features for certain online transactions. These security requirements, known as Strong Customer Authentication (SCA), come into force on September 14, 2019 and define strong authentication as the combination of two or more of the following three elements:

  • Knowledge – Something only the user knows
  • Possession – Something only the user possesses
  • Inherence – Something the user is.

The end result of the authentication process is the generation of a single-use authentication code, commonly referred to as a One-time-Passcode (OTP). Whilst there are other features and requirements under SCA, in effect PSD2 has mandated 2-factor (2FA) or multi-factor authentication (MFA), a security technique that is well established and used by many financial institutions today.

Yet for many existing users of 2FA and for those institutions that choose the same strategy as these existing banks, their SCA implementations are already vulnerable to the theft of the all-important OTP or compromising the SCA processing entirely through sophisticated cyber-attacks, such as exploitation of the SS7 telephony signaling network.

2FA models have historically been dominated by the first two factors, Knowledge and Possession. It is because Knowledge, by itself, is such a weak form of authentication, e.g. PINs and Passwords, that the second factors were required. For organizations that have adopted 2FA, the hitherto favored Possession factor has taken numerous forms, with some of the simplest being TAN lists, particularly favored in Germany, to simple hardware-based One-time-Passcode (OTP) generators.

A TAN (Transaction Authentication Number) List is simply a sheet of paper with perhaps 50 OTPs printed on it. As each OTP is used, e.g. for authorizing an Internet banking transaction, it then becomes invalid for further use. The problem is the unused codes have no meaningful expiry period and therefore became the target of Phishing attacks. OTP generators, on the other hand, had expiry periods on the generated 4- or 6-digit code, meaning it was more difficult for fraudsters to obtain and use the codes.

Both techniques, however, were rendered obsolete by the introduction of Man-in-the-Middle and Man-in-the-Browser attacks. Because transaction details are dynamic, TAN lists, containing only static OTPs, were immediately obsolete. The simple OTP generators were too, but the manufacturers addressed this new threat with the introduction of signing token generators which allowed for the manual entry of limited transaction information. Manual data entry using these devices is however, prone to error, frustrating, simply not user-friendly and also hold the potential to be compromised by Man-in-the-Browser attacks.

Out-of-Band (OOB) authentication, including transaction detail verification, was seen as the cost-effective and user-friendly alternative to hardware-based token generators. The OOB approach proved not only popular and cost-effective, but effective against all attack vectors. The fraudsters, however, devised a new strategy against this form of 2FA. One such attack is known as SIM Swap fraud, which entailed convincing the MNO that the fraudster was in fact the legitimate subscriber and having the phone number ported to a SIM under the control of the fraudster.

SIM Swap detection services immediately evolved, however these are designed for detection and not prevention. The banks still need to make decisions on whether a detected SIM Swap is fraudulent or a legitimate number port by the genuine subscriber.

In February, UK-based Metro Bank disclosed that it had been a victim of a hack to the supposedly secure telecommunications-based SS7 network protocol. SS7 is the backbone network for global mobile telephone connectivity, both calls and texts, and Metro Bank confirmed the hack involved the stealing of SMS-delivered security codes for Internet banking transaction authorization, i.e. OTPs. Whilst this attack was targeted against SMS messages, it would be equally effective against a code delivered by phone call.

The fundamental premise of preventing these sophisticated cyber-attacks has always been about “possession” which only asserts the identity of the customer to a limited degree. Knowledge (something only you know) is all about possession. If a fraudster knows what you know, they can use that knowledge just as you can. A personal device is about possession, and this can be exploited through attacks such as SS7 vulnerabilities, SIM Swap and Call-Forward Unconditional. Possession is no longer enough to assert the identity of an individual.

The third element as defined within SCA, Inherence, is the only element that proves identity rather than possession. Why this is crucial is because we have to assume any channel can be corrupted and secret information stolen. Therefore, we need to prove identity and not possession before handing over OTPs and secondly, we need to authenticate the user with something that can’t be used by a fraudster if stolen.

Inherence is the key to multi-factor authentication, especially in Out-of-Band solutions, in complying with SCA. SMS obviously doesn’t support inherence but OOB phone calls do. If we look at SIM Swap and SS7 hacking, both will have the fraudster generating a call to either their own phone or having the ability to intercept the call to obtain the OTP.

By applying inherence on that call, i.e. voice biometric authentication, prior to the issuing of the OTP, it doesn’t matter who is on the end of that call, possessing the call is not enough. Only the legitimate account holder will be able to successfully authenticate, and only then will the OTP be issued. This is genuine proof of identity, and only proof of identity negates the vulnerability of the routing and secure environments required within the SCA definition. It negates the need to rely on security models leveraging infrastructure that was never designed to support strong user authentication.

Voice is becoming the User Interface of the future, being used to issue commands and instructions to everything from smart personal assistants, home appliances and even automobiles. Voice is not only used for commands, but also identity, and the two combined will provide the seamless User Interface and strong authentication required in our interactions with machines and AI.

Voice is also the inherence element within multi-factor authentication and SCA that overcomes network and infrastructure vulnerabilities and allows financial institutions to deploy OOB solutions that will not only satisfy SCA requirements but protect their account holders from fraud and financial loss.