Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT Technology

German Banks Are Moving Away From SMS One-Time Passcodes (zdnet.com) 76

Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method. From a report: Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports. Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year. Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans. The reason why German banks are dropping support for SMS OTP is because of legislation that the EU passed in 2015, set to enter into effect on September 14, this year. In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.
This discussion has been archived. No new comments can be posted.

German Banks Are Moving Away From SMS One-Time Passcodes

Comments Filter:
  • Good (Score:4, Interesting)

    by gachunt ( 4485797 ) on Thursday July 11, 2019 @05:14PM (#58910476)
    Hoping my bank does the same. Or, at least makes it optional.
    • Not good. If my phone dies, I'll have a problem.
      SMS passcode doesn't have this problem.

      • Comment removed based on user account deletion
        • I put the SIM card into another phone and let the bank send the SMS again. Can even do it while being abroad.
          Registering a different phone for the app is, on the other had, quite a hassle. That's why I intend to keep the SMS passcode even though my bank charges me a fee for that now.

    • Meanwhile in Europe, verified-by-visa has just started making one-time-passcode SMS verification compulsory [thisismoney.co.uk]

      I rant at my bank about the prevalance of sim-jacking, but it falls on deaf ears.
    • Comment removed based on user account deletion
  • app based solution (Score:5, Interesting)

    by fermion ( 181285 ) on Thursday July 11, 2019 @05:17PM (#58910498) Homepage Journal
    Other banks have already moved away from simple phone verification to app verification. The app is still attached to a known phone, and the app has to be verified on that phone, but it can be used anywhere to get codes.

    This is actually useful for customers who do work internationally, but still appreciate the high level of security provided by requiring these codes.

    • by Anonymous Coward

      Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find work arounds to work on my rooted / unlocked phone. I'm not giving up control of my phone, so leaving it stock is not an option.

      SMS works just fine. Apps can be vunerable to attacks as well.

      • by MCRocker ( 461060 ) * on Thursday July 11, 2019 @06:27PM (#58910748) Homepage

        I have agree that proprietary authenticator apps and OAuth based services are dubious at best. It's no surprise that banks don't trust them either.

        It's too bad that OpenID started out half-baked, the implementations so inconsistent that sites stopped offering the opportunity to provide your own URL, and then the standards committee hijacked by industry representatives with vested interests that loaded it up with verify instead of fixing its security problems.

        But, you might want to check out SQRL [wikipedia.org], which I mentioned in a reply to the parent post. It's an open standard with open source implementations and a two party security model that keeps those pesky snoops at bay.

        • The Wikipedia article says SQRL was coined and invented by Steve Gibson of GRC. Maybe it's good, I don't know, but given Gibson's background of "NanoProbes" and other questionable security products, I'd like to see an independent assessment.
      • Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find work arounds to work on my rooted / unlocked phone.

        A proper OTP app shouldn't be able to spy on you; it should have almost zero permissions, because it doesn't need them. All it needs is a cryptographic key it can use with the current time to generate a one-time password that changes every minute, which it displays on the screen. It should have no network connectivity so even if it did somehow spy on you it couldn't report home.

        SMS works just fine.

        It absolutely does not "work just fine". SMS is very vulnerable to several sorts of attacks, the simplest of which is simply soci

        • Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find work arounds to work on my rooted / unlocked phone.

          A proper OTP app shouldn't be able to spy on you; it should have almost zero permissions, because it doesn't need them. All it needs is a cryptographic key it can use with the current time to generate a one-time password that changes every minute, which it displays on the screen. It should have no network connectivity so even if it did somehow spy on you it couldn't report home.

          In the context of banking, we're not talking about "normal" OTP like we use for logins, we're talking about a transaction authentication code, a TAN. You can't just show a simple OTP, the authenticator also needs to show transaction details so you can be sure the TAN you get is for the transaction you have initiated, and not another transaction initiated at the same time. That's why it needs network access.

    • by MCRocker ( 461060 ) * on Thursday July 11, 2019 @06:09PM (#58910684) Homepage

      Just in time for the release of Secure, Quick, Reliable Login [wikipedia.org]. SQRL has the potential to be more secure and easier to use, which is a rare combination in the security realm.

    • by rew ( 6140 )

      When I switch to "app verification" I have to install the app on my phone. That app can also be used to wire funds anywhere. So now there is a single point of failure: the app on my phone.

      There are two "failure modes" that I worry about. The first is that someone in my environment might watch me do something with the app and shoulder-surf my pass-code to the app. With the classical method I also have to login to my account on my computer. That password is entered through a real keyboard at rate of over 300

  • All phones are insecure. I think it's insane to do any sort of banking on a cell phone.
    • All phones are insecure. I think it's insane to do any sort of banking on a cell phone.

      It's safer to bank over cellular data than over public WiFi.

      • by DogDude ( 805747 )
        It's safer to bank over cellular data than over public WiFi.

        True. That doesn't make using a cell phone any safer, though.
        • If the connection to the bank is over HTTPS (which it very likely is), then it doesn't matter what the communication mechanism is or whether it's encrypted.
          • by DogDude ( 805747 )
            That's some serious faith you have. I don't share it.

            https won't protect the actual keystrokes from being captured by the device.
            • https won't protect the actual keystrokes from being captured by the device.

              True, but this is no different that using a desktop or laptop computer. So using a cellphone for banking is no worse than using any other computer.

              • by DogDude ( 805747 )
                I can control what software I install on my computer, I can control my computer's security, and I can be reasonable sure that I know what my OS is doing.

                Unless you wipe your phone and install Lineage or something else open source, you have no control over your Google or Apple phone.
  • Banks do not generally have any 2 factor auth for logins, they only have single factor login, and then apply TAN as the second factor for individual transactions. That said, some banks (N26) replace TAN by a paired device and a pin.
  • The article includes a table from this EU document about various authentication methods [europa.eu]. I was confused to see this entry of disallowed methods:

    OTP generated by, or received on, a device (hardware or software token generator, SMS OTP)

    Which would seem to rule out security keys or code-generating apps in the same breath as SMS OTP.

    To clarify, however, this table is a listing of "knowledge elements", i.e., the "something you know" portion of multi-factor authentication [wikipedia.org]. Elsewhere in the document, Table

    • The problem only arises in the banks that require only "something you have" and not "something you know".

      It would be interesting in my case. ABN AMRO uses exclusively a OTP generated by hardware. However that hardware is generic, the "something I have" is my debit card that I need to enter in to that hardware, and the "something I know" is the PIN I get asked when I click the button to generate the OTP.

      I actually like this system since it means there's a good likelihood that I can do 2FA even if I forget my

  • So banks will develop their own authenticator apps and I guest it will requires to have an Android/IPhone. SMS is available on ALL cell phones, not just Androir/IPhone.

  • Although I agree that SMS is a stupid way to do 2FA, the article got it completely wrong and the PSD2 directive doesn't state anything like that.

    According to the linked document https://eba.europa.eu/document... [europa.eu], it says that SMS is not suitable as a possible knowledge element (table 3), however it is suitable as a possible possession element (table 2). So, strong customer authentication can be implemented using a password (knowledge) and SMS (possession).

/earth: file system full.

Working...