Today, security concerns are on everyone’s minds, both consumers and companies that handle their personal information. While we’re all aware of security risks via telephone or email (how many Nigerian princes are there, exactly?), fewer consumers are aware of the risks with other channels, including those becoming more popular for customer support.
Text messaging is one of our favorite communications channels today. It’s brief and to the point, as well as effortless. It’s instantaneous and synchronous (meaning you can have a live conversation, unlike email), and eliminates most of the need for polite small-talk (unlike telephone). Aspect’s Consumer Experience Index compiled earlier this year found that 38 percent of consumers would rather use messaging apps like Facebook Messenger or WhatsApp to engage with customer service versus phone calls. Text is also becoming one of the primary factors in double- and triple-factor security authentication, as anyone who has ever reset a password using a code sent by text knows.
But the question is, how secure is SMS, or text?
In a recent blog post, Aspect’s Keiron Dalton noted that despite the popularity of companies delivering one-time passwords to customers via SMS to authenticate their credentials, the National Institute of Standards and Technology (NIST) recently came a step closer to banning SMS-based two-factor authentication. Why? It’s simply not secure enough.
“The draft NIST Special Publication 800-63-3: Digital Authentication Guideline, has called for the deprecation of SMS-based two factor authentication, identifying its inherent security flaws,” wrote Dalton. “The guideline asserts that U.S. government service providers should start to phase out using SMS as the second factor when confirming user identities because of the possibility that one-time codes could be intercepted or redirected.”
One of the practices that is compromising the security of SMS password authentication is the practice of SIM swap fraud in which fraudsters unlawfully obtain an identical SIM card to a mobile user and re-direct communications, including their text messages, away from the intended recipient and towards the fraudsters, which allows hackers to reset victims’ passwords and drain their bank accounts.
This isn’t necessarily the end of SMS for security purposes, however. Dalton noted that SMS can and should continue to play a central role in the authentication process, as long as companies such as banks are willing to spend a little extra time checking and supporting interactions in a way that doesn’t compromise contact center solutions or customer convenience and ease of transaction. There are technologies today that promote undetectable verification, but don’t create friction at any point during the customer experience.
“Aspect Verify is one such tool that supports verification with additional checks to identify the right information, context and user behaviors,” wrote Dalton. “These checks must be largely imperceptible to the customer, lest they interrupt their user experience. Examples include deploying sophisticated fraud detection techniques such as SIM Swap and divert detection, as well as location checks using readily available mobile data, to ascertain user identity.”
As with any communications channels, SMS can be misused by those who seek to gain from them (as can the telephone, email and even postal mail). For companies wishing to retain this very easy and convenient way of communications for customer support as well as security, a few technology precautions in their contact center solutions can go a long way toward keeping SMS secure.