FNB recently announced a number of major changes to its consumer banking process – including the phasing out of email and SMS notifications.
The latest changes are related to online shopping and the issuing of one-time PINs (OTPs).
Previously, FNB sent an OTP via SMS or email to customers to confirm transactions made on online stores, but it has now replaced this with an Online Secure feature.
Online Secure requires all FNB customers to authenticate their purchases via a push notification delivered through the FNB mobile app.
If no app is available to receive this notification, the system falls back to SMS.
Importantly, FNB said it was changing its OTP system for security reasons – citing the security risks of email verification.
“Receiving OTP via email is being discontinued in line with the bank’s strategy to discontinue communication via this format for safety measures,” FNB said.
To understand why FNB views email and SMS notifications as a security risk, we spoke to FNB Head of Digital Channels Giuseppe Virgillito.
Data breaches and compromised credentials
Virgillito told MyBroadband that the bank aims to move all communication onto its banking app due to the threat to channels such as email posed by cybercriminals.
“Our strategy is to help our customers with contextual solutions through a trusted platform; as such, we are working to get all communication onto this trusted platform,” he said.
“Data breaches with respect to email accounts pose a significant threat as cybercriminals can take control of your email account to intercept financial information like statements and OTPs.”
“In addition, there may be enough information to leave customers vulnerable to vishing, phishing or change of banking detail scams,” Virgillito said.
Criminals can also exploit these channels to trick customers into divulging their details.
For example, a common and effective phishing attack is to impersonate a legitimate bank by spoofing its email address and mimicking an official security email.
A link contained in this email could then direct customers to a fake version of their online banking portal, which would steal their credentials upon entry.
There is also the danger of SIM-swap fraud, which criminals use to take over your phone number and gain access to the channel through which you verify banking transactions.
“SIM swaps are another reason to migrate to secure communication on the platform. Because of SIM swaps, cybercriminals can intercept your OTP,” Virgillito said.
By using the FNB banking app instead, these risks are for the most part either mitigated or assumed by the bank itself, reducing its reliance on the security of third-party platforms.
“The FNB App offers the advantage of not being susceptible to SIM swaps or vulnerability from data breaches perpetrated on third-party email providers,” FNB said.
“Our multi-layered security approach on the FNB App makes it a safer and more secure option than both email and SMS communication.