
Text messaging isn't secure and shouldn't be used by banks, or anyone, for verification: TCF boss Paul Brislen says


Text messages shouldn’t be used as a form of verification as they are training consumers “to do the wrong thing” and potentially softening them up to be scammed, the head of the New Zealand Telecommunications Forum says.

Text scams appear to be rampant in 2023, with Waka Kotahi NZ Transport Agency, Inland Revenue and BNZ some of the organisations being imitated by criminal groups.

BNZ has warned its customers this week to be wary of text messages purportedly from the bank after a customer had more than $40,000 taken through a text scam.

The BNZ customer was sent a text which claimed a new device had been added to their account, which also contained a link. Once the customer hit the link, and entered their account details on the page opened from the faked bank text, money in their bank account was moved out by the scammer.

Chief executive of the NZ Telecommunications Forum (TCF) which represents the industry, Paul Brislen, said any organisation that needed customers to verify information, including banks, should not be using text messaging. 

He said it was more secure to use authentication apps and to keep communication through a company’s website or app, rather than pushing out text messages which are also being used by scammers to rip off New Zealanders.

Brislen said organisations’ use of text messaging was driving consumer behaviour.

“[Text] is very useful, but it's not terribly secure …  When a company sends out a text message and they use a different number each time, or they send out text message alerts saying ‘here's a link to our competition’, or they say ‘ring this number’. All of this is driving that behaviour that we don't want from the customers, which is 'I've received a message, I follow the process.' It's training people to do the wrong thing.”

The Department of Internal Affairs (DIA) annual report for 2021/22 showed it received more than 944,000 reports of email and text scam messages, largely put down to the arrival in 2021 of malware called Flubot which infected mobile devices through text messages.

Much like the BNZ scam, the Flubot text messages contain a link, and when that link is opened, an application is downloaded that infects the device with the Flubot malware.

In the prior year of 2020/21, DIA said more than 50,000 email and text scam messages had been reported to it.

Complaints about text and email scams also rose year-on-year, with DIA receiving more than 1000 complaints in its 2021/22 annual report, compared with 394 for 2020/21.

DIA offers a text-scam reporting service, where people can forward a scam text to 7726. Mobile network operators get updates on scams reported through the 7726 text number as part of their scam-mitigation, and can then investigate and block mobile text numbers.

Too many cooks in the kitchen?

DIA is one of a number of regulators involved in combating scams, including the NZ Police, Computer Emergency Response Team NZ (Cert NZ), the Financial Markets Authority (FMA), the Commerce Commission and the Ministry of Business, Innovation and Employment's Consumer Protection unit.

There has been concern that New Zealand is falling behind in combating scammers, and that NZ regulators and banks have left systemic gaps which criminals can exploit, such as not introducing name and number account checking.

The amount New Zealanders are losing to scams each year isn't clear, with the Banking Ombudsman Nicola Sladden saying bank data estimated losses at $200 million annually.

Chair of the Banking Ombudsman scheme, Miriam Dean KC, recently called on everyone involved in the fraud fight to do their bit, including telcos, Waka Kotahi and Inland Revenue. She said all involved must work together to combat the sophisticated frauds being perpetrated against New Zealanders, with devastating consequences.

The Ministry of Justice's Crime and Victim Survey showed fraud and deception crimes rose 77% to 510,000 for the year ended November 2022. Fraud and deception was now the most common type of offence in New Zealand, followed by burglaries (288,000 offences) and physical offences (253,000). But most people did not report fraud and deception crimes to the police.

Cert NZ reported financial losses as a result of cyber crimes rose 66% in the first quarter of 2023.

Telcos on top of it

Brislen said the telecommunications industry was doing its part to fight against scammers. TCF introduced in 2022 its own two-factor authentication for number porting, when people want to shift a cell phone number from one provider to another, after that process had been exploited to defraud people.

Brislen said number porting had been used by criminals to take control of people’s phones, and their banking. Now, anyone wanting to switch their phone number had to go through a two-step process.

“Mobile operators and banks have reported that the incidence of using porting as a mechanism to commit fraud has dramatically decreased,” the TCF said in its latest annual report.

Brislen said the TCF held regular briefings with DIA, banks, insurance companies and telcos to work through what is being seen in terms of scams, and what can be done.

The TCF had a Scam Prevention Code which meant providers had to take proactive steps to avoid and reduce scams, as well as reactive steps to identify, verify and take action on scam calls and texts to both mobile phones and landlines. 

It monitored scam calling and text notifications to collaborate with the banking and government sector to identify and block scam activity across the telecommunications networks. 

“Over the past 12 months, 2,208 scam fixed line call notifications have been sent via the TCF notification email for review and action,” its annual report said.

The sector was also identifying and blocking 0800 spoofing bank scams. This type of scam lets fraudsters seem legitimate by using a bank’s 0800 number as Caller ID, pretending to alert the consumer of an issue and convincing them to share personal and financial details. 

“The TCF has initiated a call block on these numbers from upstream carriers, who usually carry international traffic into New Zealand. This enables the banks to continue to use the 0800 numbers for their New Zealand customer base safely, whilst eliminating incoming international fraudulent activity.”

Telco Spark said it worked to limit the number of scam calls customers receive by monitoring unusual calling activity and blocking offending numbers.

Spark blocked access to URLs featured in scam texts to prevent customers inadvertently clicking on the links, and where possible, its security and fraud teams worked with law enforcement to identify and shut down scamming operations, "but this is challenging when they are located offshore".

"Because we cannot stop scamming from occurring, we are focused on empowering our customers to be vigilant when it comes to scams to help prevent them falling victim."

And what of the impersonated?

Government agencies, and their activity cycles, are being targeted by scammers. Waka Kotahi scam texts often involve an alleged bill that needs to be paid for a car registration, or a toll that needs to be paid, for example.

Waka Kotahi said in an emailed statement that it was working with NZ Police, Cert NZ and Netsafe to combat scammers, “but they are relentless and persistent, no sooner is one phony website taken down or blocked than another one appears”.

The agency encouraged anyone who had received texts, emails or other communications which they think may be suspicious, to let Waka Kotahi know straight away.

It had a dedicated online form where people can report suspected phishing scams and “we can confirm if it’s legitimate or a scam”.

“The sooner we know about it, the faster we can act to protect you and everyone else.”

Inland Revenue was also frequently impersonated by scammers. It said it did not use text for authentication, but used text messages to let people know there was an item or issue for them to address in their myIR online account.

“IR uses targeted text messaging to remind customers of their obligations, entitlements, due dates and when there is important correspondence in their myIR account for them to view … IR does not include links in their text messages and always encourages customers to log in to their secure online account, myIR, to provide personal information, check accounts and to communicate with us. We never ask for bank account details or credit card information in a text.”

What do banks say about two-factor authentication and text messages?

Interest.co.nz asked NZ’s big four banks whether using two-factor authentication and text messages weakened fraud protections for consumers.

ASB said it offered multiple forms of second factor authentication including in-app push notifications, a hard token and SMS/text. 

“Previously we were seeing SMS codes intercepted through Sim Swap/porting fraud, but the New Zealand telco industry made some positive changes and instances of this have greatly reduced.”

It said fraudsters were using increasingly complex phishing and social-engineering tactics to get customers to share second factor authentication with them, which was more difficult to combat. 

“No form of second factor authentication is foolproof but it is one important way we are reducing the instances of fraud and scams.”

BNZ, subject of the latest outbreak of scam texts, said it had been working with telcos to stop scammers impersonating its 0800 number, and had reduced the cases of BNZ’s number being spoofed by 50%. 

“Ultimately, the best defence against scams is in the hands of New Zealanders. If they know what to look for, and can recognise the signs of a scam, they’re less likely to fall victim. Scammers rely on people not picking up on the red flags.”

It said people should never open links or attachments in emails or text messages from unknown senders, and should always check the sender’s email address for accuracy, especially if the email seems suspicious.

“BNZ will never ask for your bank account or PIN number by email or text message. Never provide this information in response to an email or text.”

ANZ, New Zealand’s largest bank, said its customers should be wary of unexpected phone calls, text messages and social media interactions.

“It’s also important to remember that under no circumstances will a bank ask for a password, PIN, two-factor authentication codes or remote access to devices.”

One scam centre to rule them all - maybe

At the launch of the Banking Ombudsman's new TV show with Nigel Latta, Dean said New Zealand should look to introduce and set up a dedicated anti-scam unit such as has been done in Singapore.

The Anti-Scam Command was launched in Singapore in March 2022, a “nerve centre for investigating scam related cases”, bringing together different parts of the police service and partnering with local and foreign banks, card companies and fintech firms to “swiftly freeze accounts, recover funds and reduce losses suffered by victims”.

Dean said to date the anti-scam centre had frozen more than 40,000 bank accounts and recovered more than 300 million Singapore dollars on behalf of victims.

NZ Police Minister Ginny Andersen said the Government hadn't specifically considered the model used in Singapore, but she was open to new ideas, and "am keen to keep across best practice from other jurisdictions to see what lessons we can learn that might apply in the New Zealand context".

Andersen said in an emailed statement that the Government "remained alert and committed to addressing the risks that an increase in scams and phishing attacks has presented in recent years".

The Government had invested in improving its systems including work on a single reporting platform to consolidate the reporting of cyber incidents, and a victim remediation service to provide better support to victims of cyber incidents.

"MBIE’s Consumer Protection team also provides information on scams and runs an annual Fraud Awareness Week campaign."

NZ banks seemed supportive, with ANZ already stating it would support such a new setup.

Westpac's Head of Fraud and Financial Crime Operations, Peter Barnes, said it was "always happy to explore collaboration to tackle fraud and scams".

"We are a member of industry forums that combat financial crime including the NZ Fraud Strategy Group and the Financial Crime Prevention Network (FCPN). FCPN’s members include NZ Police, Customs and other major banks. We continue to work internally to combat the rise in frauds and scams and also monitor developments internationally as we look to enhance our systems and capabilities in this area."

ASB said the Singaporean model was a great example of the varied regulatory response to fighting fraud and scams it was following around the world.

"ASB is very supportive of a government led programme of initiatives to reduce the impact of scams on New Zealanders and complement the work already underway by banks and telcos in this space. We would be pleased to engage with any plans in this area."

BNZ, too, said it would support the appointment of a lead agency to help coordinate the fight against scams, but said privacy laws, market competition rules, and other regulatory considerations would need to be worked through, and any changes would need to be implemented carefully to avoid creating an extra layer of complexity that could slow bank investigations.

"It’s crucial that banks are always the first port of call for scam victims as the faster customers get in touch, the sooner we can get the fund recovery process underway, which helps increase the chances of recovering their funds."

Brislen, however, doesn't see much value in a new Singapore-type anti-scam unit. He said the players involved already worked very closely together, pointing to how regulators and telcos had pulled together quickly to combat Flubot, and its six-weekly fraud catchups, for example.

"I'm not convinced we don't do the stuff they do in Singapore here. I guess it might be a matter of scale."


18 Comments

“No form of second factor authentication is foolproof..."

Rabobank's Digipass is a stand-alone second-factor device that has to be in the hand of the account holder to access anything. What is the un-foolproof bit with that? (Just for my info)

Up
1

No different to a phone with access to 2FA. Perhaps its only advantage is that it is not as susceptible as a phone.   

Up
0

Which I guess was my thinking. It's 'dumb', like any bank's NetGuard card is - not connected to anything else, as a phone, tablet or PC is.

Up
2

My (limited) knowledge on the topic is that it is much more secure than traditional user/pass as there's another factor to account for, and therefore computers can't simply spam a login endpoint with user/pass requests until one works. But still not perfect. It's still open to a number of different threats depending on the method of 2fa.

For example, the digipass is likely more secure than a text message code, as the latter can easily be intercepted or the sim could be taken from your device and used on another device to obtain the 2fa code.

Some 2fa apps notify you to authenticate a login, but may not give details as to which auth requested 2fa. For example, you may be asked to open an authenticated app such as YouTube and approve the login attempt by tapping "OK", without knowing which login attempt you're authenticating.

More secure (and I assume this is digipass) is an auth code presented on the screen of the authentication app which you manually enter into an input on the site or app you're logging in to. I believe this can still be intercepted, however some next level hackery is required and not necessarily going to happen to your private bank account. Never say never.

Best protection is MFA, and a long long long password. But that all depends on how difficult you want your login experience to be.

Edit: to actually answer your question. Somebody can gain access to your device, then they have your digipass. It's not fool-proof it just adds a level of complexity to gaining authentication. So if you leave your phone unlocked, basically you're a fool and nobody can protect that vulnerability.

Up
1

The Digipass isn't on or connected to any other device. It's a stand-alone piece of 'dumb' hardware that has random codes generated at each occasion one is needed to coincide with the issuing banker's records.

Besides, whenever I need to transfer funds to a party that isn't one of my set counterparties, I have to use a similar stand-alone device/card to authorise the new payee. I fail to see how funds could be transferred without that 2FA on a completely separate authentication medium. But I guess there's a way around that, or we wouldn't be having this discussion.

Up
1

Ahh I see - I just went and watched the intro video.

So first vulnerability would be the obvious, somebody has the digipass and the pin to generate a 2fa code.

Second would be that the code generated by the digipass is likely the output of an algorithm which encodes your activation key along with a number of other randomised variables such as the timestamp etc. That method can then be identically produced on the Rabobank server to verify that not only are you authenticating using your activated device, but your authentication code is valid and not expired. If the method of encryption is discovered and deciphered, then that method of 2fa is vulnerable as it can be replicated on an entirely different device.

The Enigma is a great example of this, though that is two-way encryption, where two machines can create and decipher a code independently. In your example, both machines are trying to create the same code via some cipher (activation code, date etc) and if it matches, it authenticates.

For your sanity, there are methods of encryption which are one way and at this stage impossible to decipher.

Up
0

You need to type in a PIN to access the digipass code. It locks you out after too many attempts so it can't be brute forced. So just having it doesn't help, you need the code. Unlike a netpass card which isn't protected at all. It is very similar to Google's Authenticator or apps like Authy.

Up
0
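The two comments above describe the scheme in general terms: token and server each derive a short code from a shared activation secret plus the current time, the server accepts only a match, and the device locks out after too many wrong guesses. The added example below is not the commenters' code and not Rabobank's; nothing on this page says which algorithm Digipass actually uses. It assumes the standard published form of this design, HMAC-based one-time passwords (RFC 4226 HOTP and RFC 6238 TOTP with SHA-1, 30-second steps, 6 digits), and uses the RFC's own test secret as a constructed stand-in for an activation key. The server side adds the two checks a verifier wants: a consumed time step is never accepted twice (so a code the attacker manages to capture is worthless once the legitimate user has used it), and the counter of failed attempts locks the account, mirroring the PIN lockout on the device.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a short decimal code. HMAC is one-way: the code reveals
    nothing usable about the key, which is the 'one way' property the
    comment mentions."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. Both sides
    compute this independently from the same secret and the same clock."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server side of the exchange. Holds the same secret as the token,
    tolerates a little clock drift, refuses to accept any time step twice
    (replay), and locks the account after max_failures wrong codes."""

    def __init__(self, key: bytes, window: int = 1, max_failures: int = 5):
        self.key = key
        self.window = window            # steps of drift accepted either side
        self.max_failures = max_failures
        self.failures = 0
        self.last_counter = -1          # highest time step already consumed

    def check(self, candidate: str, unix_time: int) -> str:
        """Return 'ok', 'rejected' or 'locked'."""
        if self.failures >= self.max_failures:
            return "locked"
        # Reject malformed input before touching the MAC, and count it.
        if not (candidate.isdigit() and len(candidate) == DIGITS):
            self.failures += 1
            return "rejected"
        counter = unix_time // STEP
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue  # this step was already used once: replay
            if hmac.compare_digest(hotp(self.key, c), candidate):
                self.last_counter = c
                self.failures = 0
                return "ok"
        self.failures += 1
        return "rejected"


# Constructed example secret: the 20-byte seed from the RFC 4226/6238 test
# vectors, standing in for a token's activation key.
DEMO_KEY = b"12345678901234567890"


def demo() -> list:
    """Walk through one legitimate login, one replay of the captured code,
    and a burst of wrong guesses that trips the lockout."""
    server = TotpVerifier(DEMO_KEY)
    now = 59                                   # T=59 falls in step 1
    code = totp(DEMO_KEY, now)                 # what the token displays
    results = [
        server.check(code, now),               # 'ok'
        server.check(code, now),               # 'rejected': step already used
    ]
    for _ in range(5):
        results.append(server.check("000000", now + STEP))
    results.append(server.check(totp(DEMO_KEY, now + 2 * STEP), now + 2 * STEP))
    return results                             # last one is 'locked'


if __name__ == "__main__":
    print("code at T=59:", totp(DEMO_KEY, 59))
    print(demo())
```

The drift window is what makes the replay check necessary: without remembering `last_counter`, a code captured by a phishing page stays valid for up to three steps, which is exactly the "share the second factor with us" social-engineering the ASB quote in the article describes. Note also that only the shared secret and a clock are needed, so the same verifier works whether the secret lives in a stand-alone hardware token or a phone app.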

Yep:

So first vulnerability would be the obvious, somebody has the digipass and the pin to generate a 2fa code

Up
0

The Digipass isn't on or connected to any other device. It's a stand-alone piece of 'dumb' hardware that has random codes generated at each occasion one is needed to coincide with the issuing banker's records.

Yes. Sometimes the dumb stuff is actually a better solution than the smart stuff. 

Up
0

Yes 100% - that's why I always make sure my brain is some part of the authentication process!

Up
1

Edit: to actually answer your question. Somebody can gain access to your device, then they have your digipass. It's not fool-proof it just adds a level of complexity to gaining authentication. So if you leave your phone unlocked, basically you're a fool and nobody can protect that vulnerability.

Agree with this. 

Up
0

BNZ has warned its customers this week to be wary of text messages purportedly from the bank after a customer had more than $40,000 taken through a text scam.

The victim Savannah is a property manager and landlord in Queenie. Previously CEO of a company in Sydney called 'Trading Pursuits' - described as a market trading education company whose mission is to teach ordinary people how to trade the financial markets with knowledge, confidence and enthusiasm. 

Up
1

In other words an idiot with no clue telling other people how to manage their affairs. Sounds normal.

Up
2

Undeniably mobile phones, attachments and all in sundry have been of massive benefit full stop. Unfortunately though right from the start human nature has not always provided the discipline to manage the convenience either safely or securely. The instant contact and demand for attention can see normal prudence abandoned. Without going into the peril of being financial duped, a very early example of that failing, a resultant tragedy, of a young mother so eager and occupied with an incoming call, turned her back on her infant who then drowned when the pram rolled into the lake in the park where she was walking. 

Up
0

Trading Pursuits is showing on Google as permanently closed, that's another way of saying the business ran out of clients and the staff moved on. I presume there was more than one staff member, perhaps only a CEO.

Up
0

I found it interesting that as I am reading this article about scams, the bottom of the screen keeps popping up one of those a scam-ish looking advertisement that encourages me to click on some handy links for: 

How do I report a scam email

Scam call lookup

List of scam callers

and

Forex Rate for the Iraqi Dinar


Up
0

NZ's largest payroll provider, (which I believe is NZ's largest IT company), processing many, many $$million per week, has just introduced compulsory txt authentication of users. Whoops

Up
0

I am still waiting for my NZ bank to introduce Time-based One-Time Password (TOTP).

(It changes after a set period, such as 60 seconds. And stop using the stupid text messages.)

Up
0