Can SMS Truly Qualify as a Possession Factor for Strong Customer Authentication (SCA) Under PSD2 and the RTS?

The question of the validity of SMS as an authentication method is central to the payments industry. The Payment Services Directive 2 (PSD2) (Directive 2015/2366/EU) and its Delegated Regulation (EU) 2018/389 (commonly referred to as Regulatory Technical Standards or RTS SCA&CSC) impose Strong Customer Authentication (SCA) for most electronic transactions, requiring the use of at least two independent elements from the categories of “knowledge”, “possession” or “inherence”.

Does the SMS, generally used to transmit a one-time password (OTP – One Time Password), qualify as an element of possession? The answer is nuanced and depends entirely on the security architecture implemented by the Payment Service Provider (PSP).

I. The Fundamental Requirements of the Possession Factor

For a method, including the receipt of a code by SMS, to be considered a possession factor (something that only the user possesses), the PSP must comply with strict security requirements set out in Article 7 of the RTS.

The PSP must:

1. Take measures to mitigate the risk that the elements of the “possession” category may be used by unauthorized third parties.

2. Implement measures to prevent their duplication.

An authentication code may be generated on the basis of solutions such as one-time password (OTP) generation. If the code received by SMS is generated by the device that the user possesses, it initially meets the basic definition of the possession factor.

II. The Core of the Issue: The Independence Requirement (Article 9 of the RTS)

The validity of SMS is primarily challenged by the second pillar of SCA: the independence of the elements.

Payment Service Providers (PSPs) must ensure that, from a technological and algorithmic standpoint, the compromise of one element does not call into question the reliability of the others.

However, in common practice, the SMS is received on the same mobile phone (multi-purpose device) as the one used to initiate the payment (or, in the case of a banking application, to enter the “knowledge” element, such as a password). If the phone is compromised (by malware, for example), the attacker could potentially access both factors (the knowledge and the OTP code received by SMS), thereby breaking the required independence.

III. The Critical Case of the Multi-Purpose Device

In order to manage this heightened risk, the RTS imposes very specific security measures when one of the Strong Customer Authentication (SCA) elements or the authentication code itself is used through a multi-purpose device.

PSPs must take security measures to reduce the risk arising from the alteration of this multi-purpose device.

These mitigation measures must include each of the following elements:

1. The use of separate secure execution environments through the software installed on the multi-purpose device.

2. Mechanisms to ensure that the software or the device has not been altered by the payer or by a third party.

3. In the event of alterations, mechanisms to mitigate the consequences.

Thus, for SMS to be compliant as a possession factor on a phone also used for initiation, the PSP must implement sophisticated software mechanisms that create a logical separation and ensure that the receipt of the code via SMS cannot be intercepted or read by the same process or malware that compromises the payment session.

Summary: Compliance Depends on Implementation

Although authentication codes (such as OTPs) may be used for SCA, the use of SMS as a possession factor is only compliant if PSPs scrupulously adhere to the independence requirements, in particular by implementing the separate secure execution environments required by Article 9(3) of the RTS for multi-purpose devices. Without these technical guarantees of independence, SMS alone is insufficient to validate regulatory SCA.

This is a Frequently Asked Questions (FAQ) section aimed at clarifying the situation of victims of fraudulent transfers where authentication was performed using a one-time code transmitted by SMS (SMS-TAN or OTP by SMS).

The information below is based on the Payment Services Directive 2 (PSD2) (Directive 2015/2366/EU) and its Delegated Regulation (EU) 2018/389 (Regulatory Technical Standards or RTS on SCA).


FAQ: Fraudulent Transfers Authenticated by SMS

1. What is Strong Customer Authentication (SCA) and how is SMS related to it?

Strong Customer Authentication (SCA) is a security requirement imposed by PSD2 for most electronic transactions. It is defined as authentication based on the use of at least two elements belonging to the following categories:

  • Knowledge (something only the user knows).
  • Possession (something only the user possesses).
  • Inherence (something the user is).

These elements must be independent, so that the breach of one does not compromise the reliability of the others.

A one-time password (OTP) sent by SMS is considered an element of possession. The element of possession is not the SMS itself, but rather the SIM card associated with the relevant mobile phone number. For this element to be valid, its use must be subject to measures aimed at preventing its reproduction.

2. Is SMS-TAN still considered a compliant Strong Customer Authentication (SCA) method?

The compliance of SMS is nuanced and subject to criticism on security grounds.

SMS-TAN (or mTAN, for mobile Transaction Authentication Number) is an acronym designating a one-time password (OTP – One Time Password) transmitted by text message (SMS) to a user’s mobile phone. SMS-TAN (or mTAN) has been considered increasingly insecure, particularly by authorities such as the German Federal Office for Information Security (BSI). The European Banking Authority (EBA) has clarified that SMS-TAN would not be considered SCA-compliant in certain architectures.

In practice, many banks, particularly in Germany, have ceased offering or plan to discontinue this option due to increased security risks and to comply with PSD2.

3. How can fraudsters intercept the SMS authentication code?

The sources describe several common attack vectors that exploit the vulnerability of SMS within the SCA framework:

  1. Compromise of the multi-purpose device: If the payment is initiated via a mobile phone or smartphone, a hacker only needs to compromise that device to obtain all the information necessary for the fraudulent transaction. The malware can potentially access both the knowledge element (banking application password) and the OTP code received by SMS, thereby breaking the SCA independence requirement.
  2. SIM swap attacks: Attackers can perform SIM swaps to impersonate the victim’s phone and thereby receive and validate the fraudulent transaction.
  3. Exploitation of SS7 vulnerabilities: Criminals have exploited long-known security flaws in the SS7 protocol (Signaling System 7, used by mobile operators) to bypass authentication. This vulnerability notably allows call forwarding (Rufnummerumleitung) to be set up and SMS messages to be rerouted to a number chosen by the fraudster. German customers have been affected by attacks using these flaws to drain bank accounts.

4. What are the specific security requirements if SMS is used on a smartphone?

If the authentication code (such as OTP by SMS) is used through a multi-purpose device (a mobile phone or tablet that is used both to initiate the payment and to receive the code), the Payment Service Provider (PSP) is subject to very strict security measures to reduce the risk arising from the alteration of that device.

To ensure the independence of the elements as required by Article 9 of the RTS, the PSP must provide for each of the following:

  • The use of separate secure execution environments through the software installed on the multi-purpose device.
  • Mechanisms to ensure that the software or device has not been altered.
  • Mechanisms to mitigate the consequences in the event of alterations.

Without the implementation of these sophisticated technical guarantees ensuring logical separation of the factors, the SCA independence requirement is not fulfilled.

5. What remedies may I have if my bank used a non-compliant SMS method?

Although the sources do not describe in detail the compensation procedure for victims, they indicate a key principle related to SCA compliance:

  • If the payer’s payment service provider does not require strong customer authentication (SCA), the payer shall not bear any financial loss, unless he or she has acted fraudulently.

If a PSP used an SMS-based authentication process that did not comply with the strict independence and security requirements set out in Article 9 of the Delegated Regulation for multi-purpose devices, this could indicate a failure to effectively apply regulatory SCA, potentially opening the way for a claim against the PSP.

PSPs are further required to put in place transaction monitoring mechanisms to detect unauthorized or fraudulent payment operations, taking into account risk factors such as known fraud scenarios or signs of malware infection.
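As an added illustration of what such a monitoring pass can look like in practice, the example below (written for this page; it is not code from any PSP, regulator or the article's sources) scores an authentication event against the points the article raises: whether the SMS code was handled on the same device that initiated the payment without a separate secure execution environment, whether the device-alteration check passed, whether the SIM behind the number changed shortly before the code was sent, and whether the event matches a known fraud scenario. The event fields, the weights, the seven-day SIM window and the step-up threshold are all assumptions made for the example; the sample events are constructed.

```python
"""
Added example (not part of the original article): a risk-scoring pass a PSP could
run over authentication events before accepting an SMS OTP as the possession element.
The rules follow the article's points (independence of elements, separate secure
execution environment and alteration checks on multi-purpose devices, SIM-swap
exposure, known fraud scenarios). Field names, weights and thresholds are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values for this example, not regulatory figures.
SIM_CHANGE_WINDOW = timedelta(days=7)   # a SIM change this recent is treated as a SIM-swap indicator
STEP_UP_THRESHOLD = 50                  # at or above this score the SMS OTP alone is not accepted


@dataclass
class AuthEvent:
    """One SCA attempt as seen by the PSP. All fields are assumptions for this example."""
    tx_id: str
    amount_eur: float
    initiating_device_id: str            # device on which the payment was initiated
    otp_device_id: Optional[str]         # device on which the SMS OTP was entered, if known
    separate_secure_env: bool            # OTP handled in a separate secure execution environment
    device_attested: bool                # app/device integrity check passed (no detected alteration)
    otp_sent_at: datetime
    last_sim_change: Optional[datetime] = None   # from operator data, if the PSP receives it
    known_fraud_scenario: bool = False           # matched a pattern already flagged by the fraud team


@dataclass
class RiskAssessment:
    tx_id: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def step_up_required(self) -> bool:
        return self.score >= STEP_UP_THRESHOLD


def assess(event: AuthEvent) -> RiskAssessment:
    """Score one event against the independence and device-integrity conditions."""
    r = RiskAssessment(tx_id=event.tx_id)

    # Multi-purpose device: the OTP was read on the same device that started the payment.
    same_device = event.otp_device_id is not None and event.otp_device_id == event.initiating_device_id
    if same_device:
        if not event.separate_secure_env:
            r.score += 40
            r.reasons.append("OTP and payment session share a device without a separate "
                             "secure execution environment (RTS Art. 9(3)(a))")
        if not event.device_attested:
            r.score += 30
            r.reasons.append("alteration check failed on the multi-purpose device (RTS Art. 9(3)(b))")

    # SIM-swap indicator: the number's SIM changed shortly before the OTP was sent.
    if event.last_sim_change is not None:
        age = event.otp_sent_at - event.last_sim_change
        if timedelta(0) <= age <= SIM_CHANGE_WINDOW:
            r.score += 50
            r.reasons.append("SIM changed within %d days of the OTP (possible SIM swap)"
                             % SIM_CHANGE_WINDOW.days)

    if event.known_fraud_scenario:
        r.score += 30
        r.reasons.append("matches a known fraud scenario")

    return r


def triage(events: List[AuthEvent]) -> List[str]:
    """Return the tx_ids for which the SMS OTP must not be accepted as the sole possession element."""
    return [a.tx_id for a in map(assess, events) if a.step_up_required]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    AuthEvent("tx-001", 120.0, "dev-A", "dev-B", True, True,
              datetime(2025, 6, 1, 10, 0), datetime(2024, 1, 15)),    # separate device, old SIM
    AuthEvent("tx-002", 950.0, "dev-C", "dev-C", False, False,
              datetime(2025, 6, 1, 10, 5), datetime(2024, 3, 2)),     # same device, no separation
    AuthEvent("tx-003", 2400.0, "dev-D", "dev-E", True, True,
              datetime(2025, 6, 1, 10, 9), datetime(2025, 5, 30)),    # SIM changed two days earlier
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        a = assess(ev)
        print(ev.tx_id, a.score, "step-up" if a.step_up_required else "ok", a.reasons)
```

The scoring is deliberately additive so that each reason stays visible in the record: a PSP that has to demonstrate after the fact that it applied SCA benefits from knowing which condition (device separation, attestation, SIM history, known scenario) drove the decision, rather than a single opaque score.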


In summary: Using SMS as a possession factor on a smartphone for a transaction is comparable to storing two security keys (password and SMS code) in the same unlocked drawer of a house (the phone). The regulation (PSD2) requires the bank to ensure that these keys are kept in separate reinforced rooms (secure execution environments). If this separation does not exist, security is compromised, and the authentication is not considered strong and independent.
