Malaysian Banks Stop Using SMS for Two Factor Authentication

Banks in Malaysia are ending the practice of authenticating users by one-time passwords (OTPs) sent via SMS, following an order from Bank Negara Malaysia (BNM), the country’s central bank. Malaysian banks must instead demand a stronger form of authentication, such as requiring customers to install and use authentication apps on their mobile phones. Customers will also be limited to using only one nominated phone or secure device for authentication.

The authentication changes occurring in Malaysia were signalled well in advance. The central bank’s governor, Nor Shamsiah Mohd Yunus, explained why the country would improve the security around authentication of banking transactions in a speech she gave to a financial crime exhibition in September 2022.

Scams and cybercrimes have been on the rise of late, not just in Malaysia but all around the world. This is a concerning development which Bank Negara Malaysia takes seriously. This is especially so where these cases concern financial scams. We have been and will continue to step up efforts to combat financial scams, and in doing so collaborate with other stakeholders. These include rolling out preventive measures, pursuing more effective and coordinated enforcement actions, and raising public awareness.

BNM requires banks in Malaysia to adopt high standards of security, especially for internet and mobile banking services. From time to time, BNM also issues security advisories to the financial industry highlighting the latest modus operandi of scammers and additional security measures that banks need to implement to protect their customers’ savings.

The reality, however, is that methods used by criminals will continue to evolve. BNM therefore continuously intensifies efforts and takes steps to combat scams by introducing additional controls and safeguards from time to time.

Standard Chartered Bank warned customers in April that they would no longer receive SMS OTPs to authenticate transactions and would instead need to switch to token-based authentication via its SC Mobile app. The announcement directed customers to an FAQ which stated a strict deadline for the transition.

By 30 April 2023, all transactions can only be authorised through the SC Mobile Key.

The exploitation of vulnerable forms of authentication like SMS OTPs is known to be an issue but some want to delay a transition away from SMS authentication for short-sighted reasons. It is telling that many countries have officials who like to talk about the global rise in network-enabled crime but then offer nothing but limp-wristed ‘solutions’ that do little but distract attention from their failure. Any clod can promise to spend more on consumer awareness schemes or expensive technological boondoggles like STIR/SHAKEN but to really prioritize crime prevention we must accept some customers will be temporarily inconvenienced by the need to download and familiarize themselves with apps. This short-term pain will leave them significantly more protected in the long run.

Malaysia’s policy is indicative of a growing international rift in attitudes towards information security and fraud prevention. Countries that benefited most from the great leapfrog to mobile networks are pressing ahead with reforms that are vital to securing transactions. Meanwhile, so-called security experts in Western countries still seek to persuade more people and institutions to adopt SMS for two-factor authentication as if they are ahead of the curve. There is no excuse for not being more ambitious; the FBI started warning of the need to switch from SMS to more secure forms of authentication back in 2019. To effect an immediate drop in crime we need to stop anticipating the delivery of wonder technologies and instead concentrate on sensible improvements that can be implemented now at little cost. Malaysia is showing the way forward, though some other countries will be reluctant to follow.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.