“We have just sent a code to your mobile phone” Oh damn!

Synopsis

It’s critical for Falkland Islanders to be able to fully participate in the world of on-line services, which are now driven by concerns of security as never before. None of us can avoid this. Two-Step Authentication based on SMS texts lies at its heart. This may be one of my shorter posts but it is right up there in importance. There is little benefit in increasing satellite capacity or spending millions of Pounds on a new 4G mobile service if hidden issues like this are not properly addressed.

Background

SMS texting is not simply about sending messages to friends these days as that has pretty much been replaced by apps such as WhatsApp, Telegram, Messenger, Hangouts and Snapchat. This says a lot about the telecommunications industry’s ability to develop Internet ‘Over-the-Top’ applications.

SMS texting is now something that is much, much more important to Falkland Islands’ consumers and businesses alike.

Read the question raised in today’s Sunday Times on the right to understand why this is so. Have you experienced this recently?

Source: Sunday Times May 6th, 2019

It all starts with ‘One-Time Codes’.

One-Time Codes, also known as One-Time Passwords (OTPs), are typically sent via an SMS text to a consumer’s mobile phone or smartphone. The code is used as an additional authentication step: a random string of digits – usually 6 numbers – that must be entered to gain access to an on-line service or application.

This is getting more and more common as the Internet has led to a dramatic increase in financial fraud. Sometimes it is an optional choice for the user, but increasingly it is mandatory. If it does not work, you are in trouble whenever you need to undertake an on-line transaction such as transferring money from your bank account. It’s not possible to avoid these days.

The example below shows the additional authentication step recently introduced on the LinkedIn business social-media site.

The One-Time-Code as used on LinkedIn

Facebook relies on it too: if it detects access from a device it doesn’t recognise, it will ask you to enter a code sent via an SMS text.

Facebook’s Two-Factor Authentication

This is Vodafone’s security code page needed to access my mobile account.

Vodafone’s security code

How HSBC uses One-Time Passwords:

Log on with SMS OTP option is available for 2 cases.

  • You can log on to internet banking with SMS OTP if you do not have an active Secure Key or Digital Secure Key
  • You can log on to Internet Banking with SMS OTP, if you don’t have access to your Secure Key or Digital Secure Key.

For both cases, you will have limited access to Internet Banking Transactions.

This level of additional security is becoming very common now, and the process of sending a code in this way is called Two-Step Authentication (2SA) or Two-Factor Authentication (2FA). I won’t go into the technical difference here.

What is Two-Factor Authentication (2FA)?

The first level of authentication is usually a password or possibly something only the user possesses – an ATM card, smart card or keypad. The second is the one-time code. Without both of these authentication factors working, the user cannot access the service or withdraw cash from a bank account. The goal of 2FA, especially within the online and mobile space, is to reduce instances of online fraud involving monetary or identity theft.

In the last two or three years, many social networks, online shopping websites and financial institutions have begun to use 2FA as the standard method for resetting passwords, authorizing users, and validating transactions. Delivery of these 2FA codes over SMS is generally seen as being reliable and quick and it uses a medium that virtually every mobile device can support.

Of course, according to consumer reports, reliable and quick delivery is not what users in the Falkland Islands actually experience.

Requirements for reliable delivery of 2FA codes

Delivery of a 2FA code through SMS texting demands a reliable and quick delivery network. This means that the path from, say, a bank to Sure Falkland Islands should be as direct as possible via approved, reliable and predictable latency routes.

In most of the world, ‘best practice’ requires operators to use application-to-person (A2P) networks rather than person-to-person (P2P) consumer networks. A2P requires all parties to sign an AA.19 Agreement, as discussed in the post ‘Do you have difficulty receiving or sending overseas SMS texts?’

There are quite a few issues about ‘short code’ countries and ‘long code’ countries, but I won’t go into any detail about that here as it’s quite complicated: short codes do not cross country boundaries. That would require a long 101 post!

In the last few years, as the use of 2FA has grown, organizations have been attempting to deliver 2FA codes via long codes utilizing the national person-to-person (P2P) network. These are not approved routes and are often blocked as spam by inter-operator gateway hub providers, as well as by mobile network operators (MNOs) using various anti-spam filters. I certainly believe that this is what has been happening in the Falkland Islands unless proved otherwise.

The use of approved A2P routes is paramount for the quick and reliable delivery of 2FA codes to users. Understandably, most of these codes expire after a short period of time (the majority in 5 minutes or less). Consequently, it’s essential for the message to be delivered quickly from the website owners’ servers to their users.
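As an added example (not code from the original post or from any of the services it mentions), this is the server side of an SMS one-time code flow built around the parameters the post describes: a six-digit code from a cryptographic random source and a five-minute validity window. The clock is passed in as a parameter so that a late-arriving SMS can be shown to fail; the hashing key and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6            # "usually 6 numbers"
OTP_TTL_SECONDS = 300     # most codes expire in 5 minutes or less
MAX_ATTEMPTS = 3          # assumed cap on wrong guesses per issued code
_SERVER_KEY = b"assumed-server-side-secret"   # placeholder; a real deployment uses a managed secret

# user_id -> (keyed hash of the code, issue time in seconds, guesses remaining)
_pending: dict = {}


def _hash_code(user_id: str, code: str) -> str:
    # Only a keyed hash is stored, so a leaked table does not reveal live codes.
    msg = f"{user_id}:{code}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(user_id: str, now: float) -> str:
    """Create a fresh code for user_id and return the text to hand to the SMS gateway."""
    # CSPRNG, zero-padded so a code such as 004217 keeps its leading zeros.
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[user_id] = (_hash_code(user_id, code), now, MAX_ATTEMPTS)
    return code


def verify_code(user_id: str, submitted: str, now: float) -> str:
    """Check a code the user typed in. Returns 'ok', 'expired', 'wrong', 'locked' or 'none'."""
    entry = _pending.get(user_id)
    if entry is None:
        return "none"                       # nothing issued, or already used up
    code_hash, issued_at, attempts_left = entry
    if now - issued_at > OTP_TTL_SECONDS:
        _pending.pop(user_id)               # an SMS that arrives after the window is worthless
        return "expired"
    # Constant-time comparison of the hashes, not of the raw digits.
    if hmac.compare_digest(code_hash, _hash_code(user_id, submitted)):
        _pending.pop(user_id)               # single use: the same code cannot be replayed
        return "ok"
    attempts_left -= 1
    if attempts_left == 0:
        _pending.pop(user_id)               # too many wrong guesses; a new code must be requested
        return "locked"
    _pending[user_id] = (code_hash, issued_at, attempts_left)
    return "wrong"
```

A code issued at time 0 and typed in at time 301 is rejected as expired, which is exactly the failure a slow or filtered SMS route produces for the end user.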

Conclusions about 2FA and the Falkland Islands

SMS texts have explosively evolved from a simple messaging system as invented by Vodafone in the early 80s to being the key data transport mechanism in the 21st century for authentication across a range of on-line services.

It is of paramount importance that Sure Falkland Islands recognizes this fact and puts considerable effort into creating a reliable, low-latency infrastructure that is connected back via reliable A2P SMS links to all four major Mobile Network Operators in the UK, or to a single SMS aggregator such as SAP.

According to comments made in the Communications Week public meeting, over £3m has been spent in deploying a 4G network in Stanley, but without these ‘back office’ capabilities it will be as frustrating as driving a three-wheeled Maserati, as it will not be possible to use many, if not most, overseas financially based on-line services.

Welcome to the grown-up data world of 4G. It’s not just about putting up towers and base stations, there is a whole world of other stuff that needs to be implemented to make it usable. It’s not about strategy, it’s about building telecommunications services that are ‘fit-for-purpose’. It’s also not about the affordability or otherwise of signing A2P SMS delivery Agreements with UK mobile network operators or an SMS gateway hub such as SAP as it’s too important for that.

A quote by SAP in regard to SMS and 2FA says it all:

At the most basic level, a 2FA implementation should ensure a high degree of likelihood that the message containing the token will arrive to the mobile devices. Unfortunately, some implementations do not meet this fundamental requirement.
To be effective, 2FA over SMS has stringent service requirements, putting greater demands on messaging providers to ensure timely delivery while also maintaining service integrity.

I hope Sure Falkland Islands takes the opportunity to explain to its customers how and when 2FA will be properly supported on its 4G service infrastructure.

Chris Gare, May 2019 Copyright: OpenFalklands.com

3 Replies to “We have just sent a code to your mobile phone” Oh damn!

  1. Did I say that I make use of YubiKey 2FA?

    In short, it’s fantastic and does not rely on a mobile phone signal – which is something that we don’t have at South Harbour.

    The keys are USB, Lightning and touch types, and I’ve been using them for some years now.
    More and more services are allowing these keys to supply the second factor of authentication.

    One other intriguing thing is that the YubiKey process allows ‘one’ to set up ‘one’s’ own server to authenticate against. Now that’s a thought for a Falklands local service not reliant on satellites OR mobile coverage.

  2. If there are issues in receiving SMS messages you may want to consider alternatives (especially as the SMS message authentication solution is considered the weakest of the alternatives).

    Alternatives to receiving OTP codes via SMS messages are (1) OTP codes generated by an authenticator app installed on your mobile device (2) OTP codes generated by a hardware token.

    Other alternative authentication methods involve using OOTP pushing (sending the codes via the Google and Apple push services), using FIDO keys and biometric authentication solutions (such as fingerprint reading, face recognition etc).
