Define Confidentiality in the context of SCA. How can it be maintained if SMS OTP is used?
In computer security, confidentiality means that access to information is restricted. As an example, personal security credentials and transaction details are covered by confidentiality. Confidentiality is often mentioned in the same context as integrity. While integrity requires that the information has not been tampered with, confidentiality requires that the unencrypted data cannot be accessed by an unauthorized third party. Cryptography can be used to ensure authenticity, integrity and confidentiality during the transmission of messages over a network, and is required for payment transactions.
For confidentiality there are some extra technical requirements, as the confidential information has to be entered or read by a human. Humans are quite bad at entering or reading encrypted information, which means that the information has to be entered and read in clear text. The PSP must also ensure confidentiality during the authentication and transaction verification process, where the information is presented to the customer. This can be a challenge on a device controlled by the customer, such as a PC or a smartphone. A common attack is to record the credentials (such as a PIN or password) during entry, letting a third party impersonate the customer from another device, which is why binding the device to the customer is very important.
The confidentiality requirement becomes a problem if one-time PIN codes sent by SMS are used, as SMS messages are sent in clear text over the mobile network and can easily be intercepted by malware on a smartphone. SMS messages have traditionally been used to confirm possession of the device, on the assumption that only the correct phone can receive the message. Because the message is sent in clear text rather than encrypted, the confidentiality of the message cannot be guaranteed. As an alternative to sending an SMS, it is recommended to use an SDK so that the integrity and confidentiality of the OTP can be ensured. It is even better to use biometrics rather than a PIN.
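To make the contrast concrete, here is an added Python example (not from the original article or any particular SDK): the same OTP delivered as a clear-text SMS versus over a device-bound, encrypted and integrity-protected channel of the kind an authentication SDK provides. `DEVICE_KEY` stands in for a key the SDK would establish at enrollment and keep in the device's secure storage, and the function names and transaction string are assumptions constructed for this example.

```python
# Added example: OTP delivery over a device-bound, authenticated, encrypted channel
# versus clear-text SMS. Standard library only; encrypt-then-MAC with HMAC-SHA256 is
# used so it runs offline. A production SDK would use a vetted AEAD such as AES-GCM.
import hmac
import hashlib
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # constructed: known only to PSP server and enrolled device

def _derive(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys: never encrypt and MAC with the same key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def send_sms(otp: str) -> bytes:
    """The traditional channel: the OTP travels as clear text on the mobile network."""
    return f"Your code is {otp}".encode()

def server_protect_otp(device_key: bytes, otp: str, txn: bytes) -> bytes:
    """Server side of the SDK channel: encrypt the OTP for the enrolled device
    and bind the tag to the transaction details so the OTP cannot be replayed elsewhere."""
    enc_key, mac_key = _derive(device_key, b"enc"), _derive(device_key, b"mac")
    nonce = secrets.token_bytes(16)
    pt = otp.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + txn + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def device_open_otp(device_key: bytes, payload: bytes, txn: bytes):
    """Device side: verify integrity first, then decrypt. Returns None if the payload
    was altered, was sent to a different device, or belongs to a different transaction."""
    enc_key, mac_key = _derive(device_key, b"enc"), _derive(device_key, b"mac")
    nonce, ct, tag = payload[:16], payload[16:-32], payload[-32:]
    expected = hmac.new(mac_key, nonce + txn + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def otp_visible_on_channel(payload: bytes, otp: str) -> bool:
    """What an eavesdropper on the channel (e.g. SMS-reading malware) learns from the raw bytes."""
    return otp.encode() in payload
```

Only the device holding `DEVICE_KEY` can recover the OTP, and any change to the payload or to the transaction it is bound to makes `device_open_otp` return `None`.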