A few banks have recently introduced SMS authentication for their credit cards. Basically they’ll send an SMS (text message) to your mobile phone (cell phone, or handphone) to confirm a transaction. You reply to the SMS to approve the transaction.
It’s a security model called “Two Factor Authentication”. This means you need to be in possession of two “things” for a transaction to be approved. If someone stole your credit card details and made a transaction, e.g. online, you would receive an SMS on your phone and you’d know it was fraudulent. In this case you wouldn’t reply to the SMS and the transaction would be halted. And if you’re making the purchase yourself, you can approve your own transaction.
The idea sounds good at first, but of course it has its own set of problems. More interesting are the reasons why these banks have introduced this technology.
- Only some transactions are protected using this method. It’s up to the banks but generally it seems that a large number of transactions will continue to function as before.
- For legitimate purchases it can be a nuisance.
- It’s not a foolproof system.
- As more people use the SMS option, the costs to the bank will increase greatly, and they would either end the service or pass on costs to their customers.
Here’s an interesting comment published in this ZDNet article. Matthew Woodrow, Head of Information Security at Westpac, was quoted as saying “It’s not to do with security at all… consumers have expectations of security levels while using their mobile phones to do their banking. So you’re not thinking about security at all, but you’re thinking about the product and what consumers want”. In other words, a large bank’s security expert is admitting that SMS authentication is more about how customers “feel” about safety.
It seems to be a temporary fix to credit card fraud. Smart card technologies (chips embedded in the credit card) seem to be a better solution.
In summary, security is often more about how it makes people “feel” than about truly preventing crimes. It helps to see things for what they really are and not believe what you hear in ads.