Is SMS Verification Still a Useful Security Standard? Maybe Not.
The verification process at checkout can be a pain for consumers and merchants alike.
As a merchant, you don’t want to lose revenue and merchandise to fraudsters, but you also want to avoid rejecting legitimate buyers due to false positives. At the same time, consumers want a fast, simple checkout process that introduces as little friction as possible. Not to worry, though: SMS verification may offer a solution.
While imperfect as a standalone security service, SMS verification does provide its share of benefits for both parties. So, let’s take a moment to examine SMS verification codes as tools to reduce fraud risk and identify genuine customers.
What is SMS Verification?
SMS Verification is a fraud prevention practice that allows merchants to send SMS (short message service) messages to a buyer’s device during the checkout process. The buyer will typically be asked to enter a 4- to 8-digit code sent via text as a way to verify the purchase.
As the name implies, SMS verification involves sending a text message to the buyer as part of the customer verification process. You’ve probably encountered this before; maybe you tried to submit an online form or log in to an account, only to be prompted to type a code into your browser that was sent to you via text message. This is basically how SMS verification works.
The tool isn’t something you’d necessarily use to verify every purchase. However, it can be implemented as part of a first-line verification process for new buyers. Sending an SMS code may also eliminate the need to perform a manual review when buyers can’t be verified immediately.
How SMS Verification Works
SMS verification is pretty simple, actually. You start by using conventional fraud detection tools, as well as fraud scoring, to gauge each transaction’s relative risk.
If the transaction has certain fraud indicators that pose a heightened risk level, you could then trigger an SMS verification code to send. This would be a one-time-use numeric code confirming the phone number connected to the user’s account.
Once a user signs in, they will receive a text message with an SMS authorization code. The user will then be prompted to enter that code directly into the app or website. The act of verifying the SMS code lets you authenticate the user. So, you may now process transactions from that user as normal.
This fraud prevention method is considered an “ownership-based” authentication factor because the user would need physical possession of the device in question to make purchases. Ownership-based authentication is generally the easiest to defeat. However, SMS verification is predicated on there being a second layer of authentication, in that the user also had to unlock the device in question. This is usually done by passcode or biometric scan, which are much stronger verification methods.
Using SMS verification lets you authenticate many orders that would otherwise require human oversight to verify. It can even let you recover orders which might otherwise be rejected by fraud scoring technology.
Benefits of SMS Authentication
SMS verification can deter some common fraud tactics like account takeover and basic bot attacks. In theory, if the fraudster doesn’t have access to the device connected to a buyer’s account, they have no way to enter the authentication code and complete a fraudulent purchase.
Initially, merchants were concerned that requiring SMS verification for some purchases would introduce unnecessary friction and lead customers to abandon orders. However, contemporary customers are very familiar with SMS verification codes at this point. Many will see them in a positive light and appreciate that you’re taking extra steps to keep their accounts safe.
SMS verification codes work on all mobile devices. Plus, they’re relatively easy to incorporate into an existing checkout process. For consumers, the use of SMS as an authentication method only requires a few taps and is already well-recognized by the general public at large.
Does SMS Authentication Really Work?
Well… yes and no.
It’s true that SMS verification provides a good layer of security for transactions. However, SMS codes may not stop attacks in all circumstances. Plus, as an authentication method, it has more than its share of vulnerabilities and weak points.
To prevent tactics like account takeover, for example, the valid user must have connected their phone number to their account before making a purchase. Otherwise, asking the buyer to verify a code during checkout wouldn’t prevent fraud; a fraudster could simply substitute their own phone number for that of the user.
That’s just one potential issue. In truth, there are several problems with SMS authentication. In fact, the National Institute of Standards and Technology (NIST) issued a statement back in 2016 discouraging merchants from using SMS authentication.
The NIST later softened their stance on the practice, suggesting it can be useful if combined with other verification factors. Still, it should be clearly stated that SMS authentication presents significant vulnerabilities as a standalone mechanism against fraud.
Downsides of SMS Authentication
Now that we understand that SMS isn’t really as secure as it’s cracked up to be, let’s discuss a few notable drawbacks to reliance on the system as an authentication method.
SMS verification can be hampered by:
Other SMS Threats Posed by SIM Hacking
SMS text messaging interception attacks are also a serious concern. SMS verification is powerless to prevent fraudulent transactions resulting from these attacks.
SIM hacking can be either a high- or low-tech venture. It may involve spoofing cell phone tower signals or abusing the SS7 signaling systems that enable data roaming and route text messages between carriers. Or, it could be as simple as stealing a device and swapping in a compromised SIM card.
Some common tactics include:
Although it is true that SMS verification can help protect individuals and merchants from fraud, it can’t do it solo… not effectively. Merchants who rely on SMS 2FA verification as their only method of customer authentication are leaving themselves wide open for several forms of attack.
Why is SMS Verification Still Popular?
As we’ve pointed out, the security risks associated with SMS 2FA technology are now widely known. Yet, many merchants and consumers continue to see the practice as a safe and relatively low-friction method for validating customers.
Why is this the case?
Well, one of the most common reasons is that SMS is a familiar, widespread technology. Consumers are so used to the little code prompt popping up on their phones that the practice is readily recognizable and nearly ubiquitous. Merchants are well aware that they can annoy fewer customers — and lose fewer sales — if they stick to methods which customers know and understand.
Additionally, SMS authentication is extremely simple to deploy and use. It requires very little human oversight or interaction to function as it should. For instance, everyone from managers and employees to consumers and merchants has become accustomed to 2FA sign-ins.
Users want a quick, seamless authentication experience across all platforms. Many see SMS verification as a perfect solution without necessarily considering the security risks.
Alternatives to SMS Verification
So, SMS verification may still have some utility, but it’s not a reliable, long-term solution. So then, what else can you deploy to verify buyers?
Of these non-SMS verification factors, apps like Google Authenticator, LastPass, and Authy are among the most recognizable and popular. These apps generate randomized, encrypted codes directly on a user’s device, or generate a code on the device that must be further verified by the user’s cellphone or another device. In this way, the user’s information must pass through two failsafes to gain access to any one account.
U2F token hardware is also a big step up from SMS verification, which could come in handy for in-store merchants. These are relatively more secure than smartphones alone, and work by inserting the physical tokenization hardware (like a flash drive) into the user’s device. While it is still possible to hack a U2F token, it is considerably harder to do so than an SMS system. Two U2F token products of note are FIDO and YubiKeys.
SMS verification is not strong enough to be considered a valid fraud prevention method on its own. It certainly shouldn’t be your “go-to” authentication solution. That said, if used in combination with other fraud tools and buyer validation methods, SMS verification can add an extra layer of security to everyday transactions.
SMS Can Still Be a Useful Addition… if Used Right.
You simply have to understand the shortcomings and find the best way to incorporate this technology.
One option some merchants have already embraced involves using in-app push authentications through the merchant’s branded app, rather than SMS messages. These can be more secure and more cost-effective, as you don’t have to pay for each SMS message. Even if you don’t have your own app, though, SMS can still be a useful method of blocking fraud and validating buyers if used effectively.
Conventional SMS messages must be part of a layered approach alongside other methods of identifying fraudsters and genuine customers. Validation codes can then be deployed dynamically based on risk, as determined by these other fraud tools.
You should also order the verification flow to optimize conversions and keep costs manageable. For instance, identifying SMS providers that have better per-message rates is one option. You must also be aware of message limitations to avoid unanticipated costs. And again, you can also keep costs low by minimizing the number of customers you message, which you can accomplish by simply deploying a multilayer fraud detection strategy.
A Multi-Layered Strategy is Best
A good, well-rounded fraud management strategy should incorporate numerous tools to provide a detailed impression of each transaction. Deploying tools that work together and complement each other makes it easier to spot common fraud red flags without generating false positives. This should include (but is not limited to):
- Address Verification Service (AVS)
- CVV verification
- Proxy piercing
- 3-D Secure 2.0
- Device fingerprinting
- Fraud blacklists
- Velocity limits
You should aim to verify fewer than 1% of total transactions through SMS verification. This is very achievable with a well-rounded arsenal of fraud detection tools in your corner.
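The risk-based flow described above (score the order with the other fraud tools first, send a code only when the score is high and only to a phone number the customer registered before the purchase, then verify it as a single-use, expiring, hashed secret) as an added example; this is constructed illustration code, not the article’s or any vendor’s implementation, and the signal weights, threshold, and TTL are assumed placeholders. Delivery through an SMS gateway is left out.

```python
import hashlib
import hmac
import secrets
import time
# Constructed example (not the article's code): risk-based SMS step-up.
# Weights per fraud signal are illustrative placeholders, not industry values.
SIGNAL_WEIGHTS = {
    "avs_mismatch": 30,      # Address Verification Service failed
    "cvv_fail": 40,
    "proxy_detected": 25,    # proxy piercing flagged an anonymizer
    "unknown_device": 20,    # device fingerprint never seen on this account
    "velocity_exceeded": 35, # too many orders in the window
    "blacklist_hit": 100,
}
STEP_UP_THRESHOLD = 50     # score at or above this triggers an SMS code
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

def fraud_score(signals):
    """Sum the weights of the signals that fired for this transaction."""
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)

def decide(signals, account_phone_on_file):
    """Return 'approve', 'sms_challenge' or 'manual_review'.
    The code is only worth sending to a number the customer registered
    before this purchase; a number typed at checkout proves nothing."""
    score = fraud_score(signals)
    if score < STEP_UP_THRESHOLD:
        return "approve"
    if account_phone_on_file:
        return "sms_challenge"
    return "manual_review"

def issue_code(now=None):
    """Generate a one-time 6-digit code; store only its hash and expiry."""
    code = f"{secrets.randbelow(10**6):06d}"
    record = {"digest": hashlib.sha256(code.encode()).hexdigest(),
              "expires": (now or time.time()) + CODE_TTL_SECONDS,
              "attempts": 0}
    return code, record  # code goes to the SMS gateway, record to storage

def verify_code(record, submitted, now=None):
    """Constant-time check with expiry and attempt limit; single use."""
    if record["attempts"] >= MAX_ATTEMPTS or (now or time.time()) > record["expires"]:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["digest"], hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        record["attempts"] = MAX_ATTEMPTS  # burn the code after success
    return ok
```

Keeping the threshold high relative to the weights is what keeps the challenge rate near the 1% target; the attempt limit and expiry are what stop a guessed 6-digit code from being brute-forced.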
What is SMS verification?
SMS verification is a fraud prevention practice that allows merchants to send SMS (short message service) messages to a buyer’s device during the checkout process. The buyer will typically be asked to enter a 4- to 8-digit code sent via text as a way to verify the purchase.
Is SMS verification secure?
Partially. However, there are several security concerns that could undermine SMS verification. It’s possible for fraudsters to use malware to intercept SMS messages and then spoof the consumer’s identity with a different SIM card.
Can a virtual number receive SMS?
Yes, although any SMS messages or authentication prompts should be viewed only in-app, and never forwarded to your phone or personal device.
Can SMS verification be hacked?
Unfortunately, yes. SMS verification codes can be hacked or spoofed through social engineering attacks, and various forms of SIM hacking (jacking, cloning, or swapping SIM cards).
Are there alternatives to SMS verification?
Yes. Merchants and consumers have access to several more contemporary authentication and password entry solutions. Examples include non-SMS 2FA apps, as well as U2F tokenization hardware.
What is SIM Swapping?
SIM swapping happens when a fraudster poses as a legitimate mobile phone customer and requests a replacement SIM card, typically for a device upgrade or replacement. If the phone network buys the story, the fraudster could change the legitimate user’s account address and other details, then have the new SIM sent directly to the fraudster. All of this, and they didn’t even need to steal the phone.