Among the different authentication methods merchants adopt to secure buyers' purchases is SMS authentication. As seen in our insight on SCA and 3DS 2.0, where we explained what Strong Customer Authentication is and what the required verification steps are, companies can use SMS to send one-time passwords (OTPs) as part of the two-factor authentication process. In the current fraud and cybercrime landscape, choosing the best authentication methods and complying with security regulations is of utmost importance for Ecommerce merchants and for buyers. In this insight we'll focus on SMS authentication in relation to secure online payments, discuss the pros and cons of adopting this security measure for your Ecommerce and look at possible alternatives.
Right now, cybercrime and online fraud account for high losses in the UK, Europe and the world, with increasingly deceptive techniques adopted by fraudsters, who adapt to new technologies and to the evolution of online products and services in order to probe and exploit systems' flaws. In the meantime, companies are adopting cybercrime prevention solutions and complying with policies, as we can see from the growth of the cybersecurity market, which in the UK alone is projected to reach 7.12 billion GBP in revenue by the end of 2022.¹
In this scenario, fraud prevention solutions differ and have evolved throughout the years, also shaped by the new policies put forth by the European Union and, after Brexit, by the UK itself. As part of SCA, SMS authentication is one of the most used methods to this day. Since smartphones are the most commonly used device for online purchases, it is clear why this type of authentication has been chosen: it is convenient and immediate for users.² However, among existing authentication methods it does not guarantee a high level of security and is vulnerable to attack. Let's dive into how it works and what the pros and cons are.
SMS authentication (abbreviated in technical terms as SMS auth) serves as proof of identity in the two-factor authentication (2FA) process: the buyer receives a code on their mobile and then enters it on the website to verify their identity. Many websites use this method of verification, including well-known ones such as Google, Facebook and Instagram, as well as a number of Ecommerce sites.
However, an important aspect to keep in mind is that text messages are not a secure channel for passwords: they are not end-to-end encrypted and can be intercepted by fraudsters. Moreover, with the growth of the Internet of Things, the number of access points available to attackers has increased, and so has the risk of fraud. Malware can be installed to intercept OTP SMS messages, which is part of what is now known as SMS phishing or smishing.
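To make the 2FA step described above concrete from the merchant's side, here is an added example (not code from the original insight or from any vendor it mentions) of a server-side OTP service. It assumes a hypothetical SmsOtpService class and an injected send_sms function standing in for a real SMS gateway; the phone number and clock are constructed for the demo. Because the SMS channel itself cannot be trusted, the service limits what an intercepted or guessed code is worth: the code is random, short-lived, single-use, stored only as a salted hash, compared in constant time and locked after a few wrong attempts.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # short lifetime narrows the window in which an intercepted code is usable
MAX_ATTEMPTS = 3        # bounds online guessing of a 6-digit code (assumed policy value)


@dataclass
class PendingOtp:
    code_hash: bytes     # salted SHA-256 of the code; the plaintext code is never stored
    salt: bytes
    issued_at: float
    attempts: int = 0


class SmsOtpService:
    """Hypothetical server-side issuance/verification of an SMS OTP for a checkout 2FA step."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # transport is injected: an SMS gateway in production, a stub here
        self._clock = clock         # injectable clock so expiry can be tested deterministically
        self._pending = {}          # user_id -> PendingOtp (one live code per user)

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id: str, phone: str) -> None:
        """Generate a fresh random code, store its salted hash and send the plaintext by SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier code, so only the latest one is ever valid.
        self._pending[user_id] = PendingOtp(self._hash(code, salt), salt, self._clock())
        self._send_sms(phone, f"Your verification code is {code}. It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def verify(self, user_id: str, submitted: str) -> tuple[bool, str]:
        """Return (accepted, reason). A code is accepted at most once and only within its lifetime."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no pending code"
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return False, "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]           # lock out: the user must request a new code
            return False, "too many attempts"
        # Constant-time comparison of hashes avoids leaking how many digits matched.
        if hmac.compare_digest(self._hash(submitted, entry.salt), entry.code_hash):
            del self._pending[user_id]           # single use: a replayed code is rejected
            return True, "ok"
        return False, "wrong code"


if __name__ == "__main__":
    # Constructed demo: the "gateway" just prints the message it would send.
    svc = SmsOtpService(lambda phone, text: print(f"[SMS to {phone}] {text}"))
    svc.issue("buyer-42", "+44 7700 900000")     # constructed, non-allocated UK number
    print(svc.verify("buyer-42", "000000"))     # almost certainly (False, 'wrong code')
```

The checks in verify are the ones a practitioner should look for in any SMS OTP implementation: expiry and single use cap the damage from interception, the attempt limit and random generation cap guessing, and hashed storage means a database leak does not expose live codes.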
Phishing and smishing fall under the same category: both are attempts to deceive the user by disguising the scam as an official communication from a government agency or a known company, via email (phishing) or SMS (smishing).
The objective is always the same: to deceive the user and obtain sensitive data such as bank account and credit card numbers, usually during the payment phase of an online purchase.
Phishing targets individuals as well as large companies, and a single successful attack can cause a large loss to a business. We can see this in the smishing cases in the Singapore banking sector in recent years, with losses totalling $7.8 million in 2022, according to the Singapore Police Force. The Monetary Authority of Singapore (MAS) has now announced measures to increase the security of digital banking.
It then comes as no surprise that large enterprises are now educating their subscribers about the dangers of cybercrime and how to tell genuine communications from those of attackers, while looking at the most secure ways to authenticate transactions. One example is Netflix, which recently advised its subscribers to be careful of messages received from "Netflix" and to ignore any message unless it is expected, such as during a transaction.
However, SMS can also be used as a means of protection against account hijacking. If we look at Google account verification and the numbers shared from their internal research, "adding a recovery phone number to a user's Google account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that happened during their investigation."³
Therefore, we can summarise the main pros and cons of SMS authentication as:
PROS
CONS
So what are the more secure alternatives?
For the reasons explained above, and because of the advances in cybercrime and technology, companies should look going forward at more secure forms of authentication, such as app notifications and biometric authentication, in order to increase the level of fraud detection. Most smartphones now support these new instruments and people are becoming more familiar with them. Some companies are also switching to sending OTP messages via tools like WhatsApp, which use encryption.
However, it is important to keep in mind that some authentication methods may be more familiar to certain age groups than others. For example, SMS authentication is better suited to individuals of the "baby boomer" generation than to millennials, who are more used to app notifications and tokens. When choosing an authentication system, a business should consider its client base and what works best for their generation, while searching for the most secure and adaptable solution available.
To learn more about SCA and more methods of authentication available have a look at our insight on the topic.
¹ Cybersecurity | Statista, 2022.
² Ecommerce in the United Kingdom 2021 | EcommerceDB.
³ How effective is basic account hygiene at preventing hijacking | Google.