German Banks Are Moving Away From SMS One-Time Passcodes (zdnet.com)
Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method. From a report: Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports. Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year. Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans. The reason why German banks are dropping support for SMS OTP is because of legislation that the EU passed in 2015, set to enter into effect on September 14, this year. In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.
Good (Score:4, Interesting)
Re: (Score:2)
Not good. If my phone dies, I'll have a problem.
SMS passcode doesn't have this problem.
Re: (Score:2)
Re: (Score:2)
I put the SIM card into another phone and let the bank send the SMS again. Can even do it while being abroad.
Registering a different phone for the app is, on the other hand, quite a hassle. That's why I intend to keep the SMS passcode even though my bank charges me a fee for that now.
Re: (Score:2)
I rant at my bank about the prevalence of SIM-jacking, but it falls on deaf ears.
Re: (Score:2)
Re: (Score:1)
Yes, one of my banks (Netbank) sent a letter a few days ago where they mention Apple's Touch ID as one of several possibilities for the upcoming 2FA.
But they also appear to continue to support SMS OTPs (they call it mTAN).
app based solution (Score:5, Interesting)
This is actually useful for customers who do work internationally, but still appreciate the high level of security provided by requiring these codes.
Re: (Score:3)
The point of not using SMS is to force you to install their friendly app that is fun to be with. Share and enjoy.
Re: (Score:2)
The apps do offer some additional security. They use the phone's secure storage, and on Android there is a security framework that verifies the integrity of the OS (so rooted devices typically can't run them).
Allowing the use of open source apps would be best.
Re: (Score:1)
Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find workarounds for to work on my rooted / unlocked phone. I'm not giving up control of my phone, so leaving it stock is not an option.
SMS works just fine. Apps can be vulnerable to attacks as well.
Re: (Score:2)
I control my own phones, but I would never trust banking information to them. I do my banking on my desktop.
This is backwards. Your phone is almost certainly much more secure than your desktop, at least from a software perspective. Mobile OSes are much more thoroughly segmented and compartmentalized, and have security baked much more deeply into them than desktop OSes. Well, assuming your mobile OS is up to date on its patches.
Of course, your desktop (not laptop) is more secure in one way: It stays in a presumably-secure environment, behind locked doors, while phones and laptops tend to roam the world with
Re:app based solution (Score:4, Insightful)
In that case, I'm completely backwards. On a desktop machine I can see the filesystem, I can see the process list, I can verify the origin of each file, I can tune and access logs for each component, I can monitor network traffic, look at the SSL certificate details ... On a phone this is completely hidden from the user. Unless you take a lot of effort rooting the phone and installing firmware that has a much smaller community and less vetting. The vendors do not maintain the system after one or two years, etc.
I personally do not trust a phone one bit.
Re: (Score:2)
In that case, I'm completely backwards. On a desktop machine I can see the filesystem, I can see the process list, I can verify the origin of each file, I can tune and access logs for each component, I can monitor network traffic, look at the SSL certificate details ...
You can see what you think is the actual contents of the filesystem, process list, etc. Doesn't mean what you're looking at is reality.
On a phone this is completely hidden from the user.
It's hidden, but much more thoroughly firewalled and protected internally. Take Android, for example, which isolates every app from every other app, so no app can read or write the files of any other or otherwise muck with it. This greatly reduces the potential impact of malware. The permission model also gives you a lot of control over what apps can do, if you pay attent
Re: (Score:2)
Only if you're paying attention to what you permit - which is an illusion. It may work for security-conscious people, but a Joe Average will install the new weather app that requests access to taking screenshots and process list for whatever reason, clicks "OK" without reading the permission list, and the author of the app has full access to the banking.
Re: app based solution - proprietary auth sucks (Score:5, Interesting)
I have to agree that proprietary authenticator apps and OAuth based services are dubious at best. It's no surprise that banks don't trust them either.
It's too bad that OpenID started out half-baked, the implementations so inconsistent that sites stopped offering the opportunity to provide your own URL, and then the standards committee hijacked by industry representatives with vested interests that loaded it up with verify instead of fixing its security problems.
But, you might want to check out SQRL [wikipedia.org], which I mentioned in a reply to the parent post. It's an open standard with open source implementations and a two party security model that keeps those pesky snoops at bay.
Re: (Score:2)
Re: (Score:2)
Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find workarounds for to work on my rooted / unlocked phone.
A proper OTP app shouldn't be able to spy on you; it should have almost zero permissions, because it doesn't need them. All it needs is a cryptographic key it can use with the current time to generate a one-time password that changes every minute, which it displays on the screen. It should have no network connectivity so even if it did somehow spy on you it couldn't report home.
SMS works just fine.
It absolutely does not "work just fine". SMS is very vulnerable to several sorts of attacks, the simplest of which is simply soci
Re: (Score:2)
Am I the only one who hates these apps? It's another thing to spy on me. It's another thing I have to find workarounds for to work on my rooted / unlocked phone.
A proper OTP app shouldn't be able to spy on you; it should have almost zero permissions, because it doesn't need them. All it needs is a cryptographic key it can use with the current time to generate a one-time password that changes every minute, which it displays on the screen. It should have no network connectivity so even if it did somehow spy on you it couldn't report home.
In the context of banking, we're not talking about "normal" OTP like we use for logins, we're talking about a transaction authentication code, a TAN. You can't just show a simple OTP, the authenticator also needs to show transaction details so you can be sure the TAN you get is for the transaction you have initiated, and not another transaction initiated at the same time. That's why it needs network access.
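As an added example (not code from the thread or from any bank's app), this shows in Python the two things the comments above describe: a plain time-based OTP as in RFC 4226/6238, and a hypothetical transaction-bound TAN that mixes the payee IBAN and amount into the key, so a code generated for one transfer cannot be replayed for another. The 60-second step follows the comment's "changes every minute"; the key is the RFC test-vector key and the IBAN and amount are constructed sample values.

```python
import hmac
import hashlib
import struct

RFC_KEY = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key (not a real secret)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time (step in seconds)."""
    return hotp(key, at // step, digits)


def transaction_tan(key: bytes, at: int, iban: str, amount_cents: int,
                    step: int = 60, digits: int = 6) -> str:
    """Hypothetical transaction-bound TAN: derive a per-transaction key from the
    payee and amount, so the code only verifies for exactly this transfer.
    The authenticator must therefore know (and display) the transaction details."""
    bound_key = hmac.new(key, f"{iban}|{amount_cents}".encode(), hashlib.sha256).digest()
    return totp(bound_key, at, step, digits)


def verify_tan(key: bytes, code: str, at: int, iban: str, amount_cents: int,
               step: int = 60, window: int = 1) -> bool:
    """Server-side check: accept +/- `window` steps of clock drift, constant-time compare."""
    for drift in range(-window, window + 1):
        expected = transaction_tan(key, at + drift * step, iban, amount_cents, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = 1000  # constructed timestamp so the demo is deterministic
    iban, cents = "DE00123456780000000000", 12345  # constructed sample transaction
    tan = transaction_tan(RFC_KEY, now, iban, cents)
    print("TAN for this transfer:", tan)
    print("verifies for same transfer:", verify_tan(RFC_KEY, tan, now, iban, cents))
    print("verifies for altered amount:", verify_tan(RFC_KEY, tan, now, iban, cents + 1))
```

The altered-amount check is the point of a TAN: a bare TOTP would verify regardless of what transfer it was shown next to.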
Re: app based solution - SQRL (Score:4, Interesting)
Just in time for the release of Secure, Quick, Reliable Login [wikipedia.org]. SQRL has the potential to be more secure and easier to use, which is a rare combination in the security realm.
Re: (Score:2)
When I switch to "app verification" I have to install the app on my phone. That app can also be used to wire funds anywhere. So now there is a single point of failure: the app on my phone.
There are two "failure modes" that I worry about. The first is that someone in my environment might watch me do something with the app and shoulder-surf my pass-code to the app. With the classical method I also have to login to my account on my computer. That password is entered through a real keyboard at rate of over 300
Re: It was stupid anyway (Score:2, Informative)
If they have your actual phone, then an APP isn't going to be any different than SMS.
What an app gives is protection from SIM hijacking.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
All phones are insecure (Score:2)
Re: (Score:2)
All phones are insecure. I think it's insane to do any sort of banking on a cell phone.
It's safer to bank over cellular data than over public WiFi.
Re: (Score:1)
True. That doesn't make using a cell phone any safer, though.
Re: (Score:3)
Re: (Score:1)
https won't protect the actual keystrokes from being captured by the device.
Re: (Score:2)
True, but this is no different than using a desktop or laptop computer. So using a cellphone for banking is no worse than using any other computer.
Re: (Score:1)
Unless you wipe your phone and install Lineage or something else open source, you have no control over your Google or Apple phone.
Not login (Score:2)
Other 2FA methods not allowed? (Score:2)
Which would seem to rule out security keys or code-generating apps in the same breath as SMS OTP.
To clarify, however, this table is a listing of "knowledge elements", i.e., the "something you know" portion of multi-factor authentication [wikipedia.org]. Elsewhere in the document, Table
Re: (Score:2)
The problem only arises in the banks that require only "something you have" and not "something you know".
It would be interesting in my case. ABN AMRO uses exclusively an OTP generated by hardware. However that hardware is generic, the "something I have" is my debit card that I need to insert into that hardware, and the "something I know" is the PIN I get asked for when I click the button to generate the OTP.
I actually like this system since it means there's a good likelihood that I can do 2FA even if I forget my
Android/IPhone will be required?! (Score:2)
So banks will develop their own authenticator apps and I guess it will require you to have an Android/iPhone. SMS is available on ALL cell phones, not just Android/iPhone.
Trash article (Score:2)
Although I agree that SMS is a stupid way to do 2FA, the article got it completely wrong and the PSD2 directive doesn't state anything like that.
According to the linked document https://eba.europa.eu/document... [europa.eu], it says that SMS is not suitable as a possible knowledge element (table 3), however it is suitable as a possible possession element (table 2). So, strong customer authentication can be implemented using a password (knowledge) and SMS (possession).