Multiple German banks have announced plans to drop support for SMS-based one-time passcodes (OTP) as a login authentication and transaction verification method.
Postbank plans to drop support in August, while Raiffeisen Bank and Volksbank plan to do so in the fall, Handelsblatt reports.
Deutsche Bank and Commerzbank also plan to drop support for SMS OTP but have not announced a deadline, while Consorsbank plans to discontinue it by the end of the year.
Other banks like DKB and N26 have never deployed the technology, while ING has not made any public statements on its plans.
New legislation entering into effect
German banks are dropping support for SMS OTP because of legislation that the EU passed in 2015, which is set to enter into effect on September 14 this year.
In 2015, the EU revised the Payment Services Directive (PSD), a set of rules that govern online payments in the EU, and issued an updated version called the PSD2. This legislation also included a clause for strong customer authentication (SCA) mechanisms.
Per the new PSD2, any financial or commercial operation carried out by EU consumers must be authorized using an SCA-compliant mechanism.
The German banks were the first ones to respond to this new development and the looming PSD2 implementation deadline.
Per Handelsblatt, most of the queried banks were migrating to offline token generators (which many banks have used before), authenticator apps, or visual-challenge apps that use colored squares or QR codes.
A long time coming
The move away from SMS-based OTP is a long time coming. Over the past few years, attacks known as SIM swapping have been increasing.
The cyber-security industry has also been warning about the insecurity of SMS OTP for years, but not because of SIM swapping attacks, which are essentially social engineering attacks.
The industry has for years been warning against securing systems with SMS-based authentication because of inherent and unpatchable weaknesses in the SS7 protocol, which is used in the backbone of all mobile telephony networks.
Vulnerabilities in this protocol allow attackers to silently hijack a user's phone number, even without a telco's knowledge, allowing threat actors to track users or authorize online payments or login requests.
All in all, SMS was never that secure to begin with and should never have been used so extensively. While two-step verification and two-factor authentication are recommended, security experts have been warning against relying on SMS as "the second factor."
Instead, experts recommend using authenticator apps or hardware security tokens, two of the methods that German banks are now rolling out to secure their systems and replace SMS-based authentication.