German Banks to End SMS Code Authorization Due to EU Regulations

German Banks to Discontinue SMS Code Authorization

Several German banks have announced plans to stop using one-time SMS passwords as a method for user authentication and transaction confirmation. This decision is driven by new European Union regulations that will take full effect on September 14, 2019.

According to Handelsblatt, Postbank will discontinue support for one-time SMS passwords in August, Raiffeisen Bank and Volksbank will follow in the fall, and Consorsbank will do so by the end of the year. Deutsche Bank and Commerzbank also plan to phase out SMS code support, but have not yet announced specific dates. Other banks, such as DKB and N26, have never used this technology, while ING has not made any public statements about its plans.

Background: EU Payment Services Directive (PSD2)

In 2015, the EU revised its original 2007 Payment Services Directive, which regulates online payments within the EU, and released an updated version known as PSD2. This directive requires the implementation of strong customer authentication mechanisms. According to the European Banking Authority (EBA), which introduced technical standards for PSD2 in June, current SMS-based authorization methods do not meet the new requirements.

Security Concerns with SMS Codes

In recent years, there has been a rise in attacks using the “SIM swapping” method, where a fraudster tricks a mobile operator into transferring a user’s phone number to another SIM card. This allows the attacker to access the user’s online bank accounts and cryptocurrency exchanges.

Cybersecurity experts have been warning against the use of one-time SMS passwords for several years, not just because of SIM swapping attacks, but also due to inherent and unfixable vulnerabilities in the SS7 protocol, which is used to configure most telephone exchanges worldwide. These vulnerabilities allow attackers to secretly hijack a user’s phone number, track the owner, and authorize online payments or login requests, often without the provider’s knowledge.

Recommended Alternatives

Cybersecurity specialists recommend using authenticator apps or hardware tokens instead of SMS-based authentication for improved security.

About the European Banking Authority (EBA)

The European Banking Authority (EBA) is an independent EU authority responsible for prudential regulation and supervision of the European banking sector. Its goal is to maintain financial stability in the EU and ensure the integrity, efficiency, and orderly functioning of the banking sector.
