German banks to stop using SMS to deliver second authentication/verification factor

German banks are moving away from SMS-based customer authentication and transaction verification (called mTAN or SMS-TAN), as the method is deemed to be too insecure.

According to German business news outfit Handelsblatt, a number banks – whether private, co-operative or public – have either stopped offering the option or are planning to remove it by the end of the year. Among these are Postbank, Berliner Sparkasse, Consorsbank, and others.

The reasons are mostly due to security and regulation compliance

Since a lot of people do their online banking via their mobile/smart phones, hackers need to compromise only this device to get all the information needed to perform a fraudulent transaction. Users can have also their online banking credentials compromised and be targeted with fake text messages purportedly coming from the bank.

It’s also becoming common for attackers to perform SIM swapping to impersonate the target’s phone and validate the fraudulent transaction. And, finally, there have been instances of criminals exploiting long-known security vulnerabilities in the SS7 protocols to bypass German banks’ two-factor authentication and drain their customers’ bank accounts.

The German Federal Office for Information Security (BSI) has been warning of security risks of using SMS-TAN for years, Handelsblatt noted, and instances of abuse of the mTan process have become more frequent.

Also, banks and other payment services providers must get in line with the EU Payment Services Directive 2 (PSD2), which mandates that remote electronic transactions performed by EU consumers must be authorized using “strong customer authentication” (SCA).

“‘Strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data,” the Directive states.

Also: “Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently.”

SMS-TAN falls into the “knowledge” element, and the European Banking Authority (EBA) does not consider it to be SCA-compliant.

With the mTan option gone, users will have to start using:

• ChipTANs (TAN generator devices provided by banks)
• Photo-TANs (a special mobile app or reader device that photographs a “barcode” on the computer screen and generates the TAN number)
• Push-TANs (via a specialized Tan app) or
• Digital signatures (via smart cards).