Why SMS banking is still a bad idea

Bank with Capital One and you can have account information sent to you by text. In March 2017, the bank started piloting Eno, an SMS-based chatbot customers use to check balances, view transactions, and process similar requests. Users love it, spokesperson Shelley Solheim says, sharing that 95 percent recommend the bot and that since launch, “Eno [has] exchanged hundreds of thousands of texts.”

Sounds great from a marketing perspective, but what about security? “Obviously as a highly regulated bank, security and data privacy is a top concern for Capital One,” says vice president of conversational AI products Ken Dodelin. But experts say texting any financial info — no matter how basic — isn’t advisable. In addition to security issues all chatbots face, textbots come with SMS-specific concerns. For starters, text messages get stored on your phone, and depending on device settings, they’re also uploaded to an iCloud or Google Cloud-like service. 

Is texting financial data ever safe?

“The short answer is no,” says Jim Lewis, solutions director for financial technology company SEI, “It’s one of the least secure ways of delivering information.” For a while, it was popular for banks to text, especially to verify whether a charge was yours. He says most are moving away from the technology now — especially after the National Institute of Standards and Technology (NIST) deprecated two-factor text authentication in 2016.

Dodelin says, “We had folks from across the company — as is the case with any of our new innovations — poke and prod this from every possible angle.” Solheim adds that security professionals are embedded in all phases of Capital One’s product development efforts.

The idea of poking and prodding is actually one of the risks concerning Lewis: Someone could just poke your SIM card straight out of your phone. “You lose your phone and somebody grabs the SIM card out of it, throws it in another phone, and now you’re basically that phone, you’re that person,” he explains.

Steal someone’s phone and credit card, and fraud alert texts become moot, but they were how Eno started. “The thing I like to say is we actually launched a chatbot many, many years ago and we just didn’t know it,” Dodelin says, referencing Capital One’s fraud alert texts. People were supposed to answer “confirm” or “deny,” but he says around 20 percent didn’t: “A large number of them were people trying to say, ‘yes,’ ‘yeah, that was me’ — ‘confirmed’ spelled wrong…or even, ‘yeah, that’s the purse I bought in Philadelphia last week when I was visiting my sister.’ What we noticed was, hey, there’s an opportunity here.” So, Capital One took it. Today a team of engineers, designers, and product managers works exclusively on Eno.

Note this does not include security professionals. When asked for more info, Dodelin responded, “Like I said, we had folks from across the company poking and prodding at this. In addition to that, we even did some presentations for some of our regulators in advance of releasing it so they could see what was coming down the pipe.”

Who regulates consumer data sent by SMS?

These regulators, Capital One spokesperson Jackie Welch clarifies, were from the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (the Fed). Those agencies don’t vet data security. The Fed, which did not respond to a request for interview, oversees safety of the nation’s banking system. The OCC — a branch of the U.S. Department of Treasury — ensures safe banking operations with an emphasis on making sure customers receive fair treatment.

Beyond NIST guidance, Lewis doesn’t know of any federal agency overseeing financial text security; neither does the government. While reporting, the Federal Trade Commission (FTC) referred CSO to the Consumer Financial Protection Bureau (CFPB) where a representative said, “My guess would have been FTC.” The OCC has no comment.

“From a regulation perspective, the big piece you have is data,” Lewis explains, noting law focuses on “what data needs to be provided to certain users” or on “where data resides, not where it’s delivered.” The EU’s General Data Protection Regulation (GDPR), he continues, is a great example: “Their regulation is not about how do you access the data. It’s where does it reside and when I need to remove it, I need to be able to remove it.”

Limiting customer actions limits risk

Capital One does require customers to log in the first-time they text Eno, using site credentials. “There are certain times when you may be prompted for it again,” Dodelin explains. “Sometimes when you’re logging into a site, they’ll ask you to check your phone or whatever, just to step up the authentication. We have measures like that in place.”

Beyond this, Eno’s strongest line of defense is limiting what customers can do with the bot, like view transactions and pay bills, but not transfer funds. “We were very intentional about the use cases that we chose,” Dodelin notes. “This is a contained informational tool.”

Information is exactly what hackers want. “Bad actors can intercept SMS-based OTPs [one time passcodes] via message forwarding or malicious software running on a device,” says Brian Ross, vice president of product for PrivaKey, an authentication and authorization provider. “Fraud alert text messages that are just messages can be intercepted, but they don’t necessarily provide a direct threat to account takeover [or] theft of information, services, or value.”

It’s the interaction, Ross continues, that creates vulnerability. This goes beyond the person who stole your card and phone responding, yes, that’s my charge. In single row attacks targeting specific individuals, he says, “With a couple of compromised vulnerabilities, a system could monitor SMS traffic for OTPs and then try to leverage phone numbers or other information to gain a user id, resulting in an account takeover.”

Note these concerns — as well as Lewis’ — are specific to text. Non-text chatbots and phone apps don’t share these problems. “With your apps, we have full control over the end-to-end encryption, which SMS is supposed to have,” Lewis explains. “Whereas with our apps, even though it’s on the browser side on the client’s phone or laptop or whatever, we can still encrypt all the data movement between the two.” Engineers can build in data tiers and architecture layers, he adds, as well as see denial of service attacks. With texting, this isn’t possible.

That’s not to say Eno doesn’t provide value. Feedback is positive, according to Dodelin, and customers “just really like the ability to send a quick text, get the information they need, and move on.”

“You can see the value in it and utility in it. [Texting is] so valuable and so accessible that you want it to work,” says Lewis. But his company won’t use it: “It just doesn’t make sense, because there are so many holes there today.”