German banks are moving away from SMS one-time passcodes

New EU legislation might help kill SMS 2FA / 2SV / OTP.

German banks say "nein" to SMS one-time passcodes New EU legislation might help kill SMS 2FA / 2SV / OTP.

Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method.

Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports.

Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year.

Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans.

New legislation entering into effect

The reason why German banks are dropping support for SMS OTP is because of legislation that the EU passed in 2015, set to enter into effect on September 14, this year.

In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.

Per the new PSD2, any financial or commercial operation carried out by EU consumers must be authorized using an SCA-compliant mechanism.

The European Banking Authority (EBA) was tasked with enforcing the revised PSD2 and issue a regulatory technical standard, which it did last month, in June.

According to this document, SMS-based OTP is not PSD2 SCA compliant, in most of its current deployments.

SCA compliance per PSD2

The German banks were the first ones to respond to this new development and the looming PSD2 implementation deadline.

Per Handelsblatt, most of the queried banks were migrating to using an offline token generator, which many banks have used before, authenticator apps, or visual-challenge apps that use colored squares or QR codes.

A long time coming

The move away from SMS-based OTP is a long time coming. Over the past few years, attacks known as SIM swapping have been increasing.

Cybercriminals have realized that they could trick telco operators into transferring a user's phone number to a new SIM card, during which time they could take over a user's online accounts -- including those at banks and cryptocurrency exchanges.

The cyber-security industry has been warning against the insecurity of SMS OTP for years now, as well, but not because of SIM swapping attacks -- which are virtually social engineering attacks.

The cyber-security industry has been warning against securing systems with SMS-based authentication because of inherent and unpatchable weaknesses in the SS7 protocol used in the backbone of all mobile telephony networks for years.

Vulnerabilities in this protocol allow attackers to silently hijack a user phone number, even without a telco's knowledge, allowing threat actors to track users or authorize online payments or login requests.

These vulnerabilities have not gone unnoticed in Germany. In May 2017, BSI, the Germany cyber-security agency, warned that cyber-criminals could use SS7 to intercept SMS messages used in online banking.

All in all, SMS was never that secure to begin with and should have never been used so extensively. While two-step verification and two-factor authentication is recommended, security experts have been warning against relying on SMS as "the second factor."

Instead, experts recommend using authenticator apps or hardware security tokens, two of the methods that German banks are now rolling out to secure their systems and replace SMS-based authentication.

Related cybersecurity coverage: