TL;DR
Yes, receiving a one-time password (OTP) by e-mail in addition to SMS is generally less secure than relying solely on SMS. While not catastrophic if done correctly alongside other security measures, it introduces significant risks due to the vulnerabilities of e-mail and potential for account takeover.
Why E-mail OTPs Are Riskier
- E-mail is Less Secure: SMS has its own flaws, but e-mail was never designed as a high-security channel, and it is exposed to several attacks:
  - Phishing: Attackers can mimic bank e-mails, tricking you into entering your OTP on a fake website.
  - Account Takeover: Anyone who gains access to your e-mail account (through a weak password or phishing) automatically has access to your OTPs.
  - Man-in-the-Middle Attacks: Interception of e-mail in transit is possible, though less common where mail transport is encrypted (TLS).
  - Delayed Delivery: E-mail delivery isn't instant. The delay slows down legitimate transactions, and an OTP that must stay valid long enough to arrive gives an attacker more time to intercept or use it.
  - Forwarding & Rules: Users often forward e-mails or set up inbox rules that could inadvertently expose OTPs.
Why Banks Might Use Both (and What They Should Do)
Banks use both SMS and e-mail for redundancy – if one channel fails, the other is available. However, this shouldn’t be at the expense of security.
- Multi-Factor Authentication (MFA): The best approach is to use multiple MFA methods, not just SMS and e-mail. Examples include:
  - Authenticator apps (Google Authenticator, Authy)
  - Hardware security keys (YubiKey)
  - Biometrics (fingerprint, facial recognition)
- Transaction Monitoring: Banks should monitor transactions for suspicious activity and flag potentially fraudulent ones.
- Rate Limiting: Limit how many OTPs are issued per time period and how many verification attempts each OTP accepts, so codes cannot be brute-forced.
- Short OTP Validity: Keep OTPs valid for a very short duration (e.g., 30 seconds).
- Device Binding: Link trusted devices to user accounts, reducing the risk of unauthorized access from new devices.
- E-mail Security Best Practices: Encourage users to:
  - Use strong, unique passwords for their e-mail accounts.
  - Enable two-factor authentication on their e-mail accounts.
  - Be cautious of phishing e-mails.
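The rate-limiting, short-validity and single-use points above can be combined in one small OTP service. The following is an added example written for this page, not code from the original answer or from any bank: it issues a 6-digit code with a 30-second lifetime, stores only a keyed hash of the code, rejects a replayed code, invalidates the code after a fixed number of wrong guesses, and refuses to issue more than a fixed number of codes per user per window. The attempt and issue limits, the constructed server key, and the explicit `now` clock parameter (passed in so the behaviour can be tested deterministically) are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Policy constants. The 30-second validity follows the text above; the
# attempt and issue limits are assumed values chosen for this example.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 30
MAX_VERIFY_ATTEMPTS = 3
MAX_ISSUES_PER_WINDOW = 3
ISSUE_WINDOW_SECONDS = 600


class RateLimited(Exception):
    """Raised when a user requests more codes than the policy allows."""


@dataclass
class PendingOtp:
    digest: bytes            # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_VERIFY_ATTEMPTS


@dataclass
class OtpService:
    server_key: bytes        # secret held by the server; constructed value in the usage below
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    issue_times: Dict[str, List[float]] = field(default_factory=dict)

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account cannot be replayed on another.
        return hmac.new(self.server_key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for `user` at time `now` (seconds); the caller delivers it."""
        recent = [t for t in self.issue_times.get(user, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            raise RateLimited(f"{user}: too many OTP requests")
        self.issue_times[user] = recent + [now]
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # A new code replaces any outstanding one, so at most one code is valid per user.
        self.pending[user] = PendingOtp(self._digest(user, code), now + OTP_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        """Return True once for the correct, unexpired code; otherwise False."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.pending[user]            # expired: discard, never accept a late code
            return False
        if hmac.compare_digest(entry.digest, self._digest(user, code)):
            del self.pending[user]            # single use: a replayed code is rejected
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self.pending[user]            # too many wrong guesses: force a re-issue
        return False


if __name__ == "__main__":
    svc = OtpService(server_key=b"constructed-test-key")   # constructed key for the demo
    code = svc.issue("alice", now=1000.0)                  # would be sent by SMS/e-mail
    print("accepted:", svc.verify("alice", code, now=1010.0))
    print("replay accepted:", svc.verify("alice", code, now=1011.0))
```

The service returns the code to the caller for delivery but never logs it and never keeps it in clear; the constant-time comparison and the per-code attempt counter together mean that neither a stolen database nor online guessing yields a valid code within its window.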
What You Can Do
- Prioritize Authenticator Apps: If your bank offers it, use an authenticator app instead of SMS or e-mail OTPs.
- Strong Passwords & MFA on Email: Protect your email account with a strong password and enable two-factor authentication.
- Be Vigilant: Carefully examine any emails from your bank for signs of phishing (poor grammar, suspicious links). Never click links in unsolicited emails.
- Report Suspicious Activity: Immediately report any unauthorized transactions or suspicious emails to your bank.
Technical Considerations (for IT Professionals)
If you’re responsible for implementing OTP systems:
- Avoid Plain Text E-mail: Always use encrypted connections (TLS/SSL) when sending OTPs via e-mail; note that this protects the hop to the mail server, not the message once it sits in the recipient's mailbox.
- Implement DMARC, SPF, and DKIM: These e-mail authentication protocols help prevent spoofing and phishing attacks.
- Regular Security Audits: Conduct regular security audits of your OTP system to identify and address vulnerabilities.
- Consider FIDO2/WebAuthn: Explore more secure authentication methods like FIDO2/WebAuthn, which use hardware security keys or platform authenticators.
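To make the SPF, DKIM and DMARC point concrete, here is an added example (not from the original answer) that shows a weak set of DNS TXT records beside a hardened set for a placeholder domain and a small checker that flags the weak settings. The domain `example.com`, the selector `otp`, the `_spf.mailprovider.example` include and the DKIM public-key placeholder are all constructed values; the checker reads record strings rather than querying DNS so it runs offline.

```python
from typing import Dict, List

# Constructed DNS TXT records for a placeholder domain (not from the page).
# SPF lives at the domain apex, DMARC at _dmarc.<domain>, DKIM at <selector>._domainkey.<domain>.
WEAK_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.mailprovider.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "otp._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}
HARDENED_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.mailprovider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "otp._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDERPUBLICKEY",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' record (DMARC/DKIM syntax) into a lowercase-keyed dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record: str) -> List[str]:
    """Check the terminal 'all' mechanism, which decides what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["SPF: '+all' lets any host send as this domain"]
    if last == "~all":
        return ["SPF: '~all' only soft-fails spoofed mail; use '-all'"]
    if last == "?all":
        return ["SPF: '?all' is neutral; spoofed mail is neither passed nor failed"]
    if last != "-all":
        return ["SPF: no terminal 'all' mechanism; unlisted senders are not rejected"]
    return []


def dmarc_findings(record: str) -> List[str]:
    """Check that the policy actually blocks mail that fails SPF/DKIM alignment."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports on spoofing attempts")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def dkim_findings(record: str) -> List[str]:
    """An empty p= tag means the selector's key is revoked and signatures will not verify."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: unexpected v= tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the selector's key is revoked; signatures will not verify"]
    return []


def audit(records: Dict[str, str], domain: str) -> List[str]:
    """Run all three checks over a name->TXT mapping and return the findings."""
    findings: List[str] = []
    spf = records.get(domain)
    findings += spf_findings(spf) if spf else ["SPF: no record at domain apex"]
    dmarc = records.get(f"_dmarc.{domain}")
    findings += dmarc_findings(dmarc) if dmarc else ["DMARC: no _dmarc record"]
    dkim_names = [n for n in records if n.endswith(f"._domainkey.{domain}")]
    if not dkim_names:
        findings.append("DKIM: no selector record published")
    for name in dkim_names:
        findings += dkim_findings(records[name])
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, audit(records, "example.com") or "no findings")
```

Run against the weak set the checker reports the SPF soft-fail, the monitor-only DMARC policy and the revoked DKIM key; the hardened set produces no findings. In production the same functions can be fed the TXT records returned by a resolver for the sending domain.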