Remove SMS authentication and implement a more secure login flow

Based on the discussion here:

and here:

https://community.curve.com/t/we-re-changing-how-you-log-into-curve/30651/94

I would like to suggest the removal of SMS for any and all forms of authentication as it is an incredibly insecure way to log in to a financial product.
SIMjacking is a serious and very frequent issue, very easy for a scammer to accomplish and can take over financial products and email accounts fairly easily, if the user has not secured them in other ways.

Cyber security experts all the way up to the GCHQ keep warning against using SMS for any form of financial transaction verification, for example here is a tweet linking one such warning:

A lot more advice against SMS can be found from many cyber security experts.

It is admittedly not easy to design a secure login flow that is also user-friendly enough to not put off customers. The obvious choice of hardware tokens would be beyond most average customers (plus it necessitates extra expenditure on the customer’s end which is never a good thing to ask).
Nevertheless, banks have made it a habit of sending hardware devices (either TOTP generators or HOTP card readers) for web banking login, showing that they are taking security seriously, to the level of mildly inconveniencing customers in order to keep them safe.

Starling Bank has gone even further - you cannot log in to the app on a new device unless you submit a video of yourself quoting a passcode that appears on screen. This takes a while the first time you do it (if you buy a new phone, factory-reset etc), but the app remains always logged in afterwards so it’s a very small inconvenience.

For the Curve app login, the first factor could be a password or email link. The 2nd factor could be a hardware token like a Yubikey (perhaps offered for free in paid tiers?), or a TOTP code (customers should be well used to these by now as a lot of online services use them and strongly recommend them).
This is obviously only for the first login to a new device; fingerprint or local PIN can be used from there onwards.

With regards to transaction confirmation, if 2FA were to be applied to them, an in-app push notification would be the best way to do this.

100% agree, any service I use that only has phone number for 2fa gives me anxiety. I would much rather have Google authenticator. You don’t even have to use Google’s own authenticator app to use it.

Things I would rather use for recovery:

1 - Google authenticator
2 - Email - this over SMS every day of the week. My email is secured by 2fa/3fa without a phone number.
3 - Hardware key

I still don’t understand under which insanity anyone thought SMS 2fa was a good idea for a financial product or anything involving vast amounts of personal data.


Edit: even better, let us use 2 or 3 depending on our preference. I.e. for recovery I need my email and Google Auth OR my hardware key and email. Or various combinations.


Social Recovery is a good one if you have family or friends that have curve. Nominate N number of people who also have curve and need permission from at least 2 (or more if preference) via in app notification to recover your account. I.e. I nominated my mum, sister and 3 friends that have curve who live all over the place. For some reason I’ve locked myself out of my account, I coordinate with my mum and sister to approve a notification in their apps that gets me back in to mine and prove it’s me trying to access the account. I don’t think this has been done in banking/ott banking. I still prefer all of the other ideas I suggested but I thought this idea would be a bit different and get people thinking. Still my least preferred option as it has the requirement of having friends or family also use curve whereas email/hardware keys/Google Auth doesn’t.

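The social recovery idea above is a k-of-N approval scheme: the owner nominates N guardians and at least k of them (2 in the post) must approve an in-app prompt. As an added example that is not from this thread or from Curve, here is the server-side state machine for such a request, written in Python. The guardian names, the 24-hour expiry and the rule that a guardian's first answer is final are assumptions made for this example; the injectable clock exists so the expiry path can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field


class RecoveryError(Exception):
    """Raised when a recovery action is not permitted."""


@dataclass
class RecoveryRequest:
    account: str
    guardians: frozenset          # accounts nominated as approvers
    threshold: int                # approvals needed (k)
    created_at: float
    ttl_seconds: int
    approvals: set = field(default_factory=set)
    denials: set = field(default_factory=set)


class SocialRecovery:
    """Threshold (k-of-N) account recovery approved by nominated guardians."""

    def __init__(self, clock=time.time, ttl_seconds: int = 24 * 3600):
        self._clock = clock            # injectable for tests
        self._ttl = ttl_seconds        # assumed expiry for an open request
        self._policies = {}            # account -> (guardians, threshold)
        self._requests = {}            # request_id -> RecoveryRequest

    def nominate(self, account: str, guardians, threshold: int = 2) -> None:
        guardians = frozenset(guardians)
        if account in guardians:
            raise RecoveryError("an account cannot be its own guardian")
        if threshold < 2 or threshold > len(guardians):
            raise RecoveryError("threshold must be between 2 and the number of guardians")
        self._policies[account] = (guardians, threshold)

    def open_request(self, account: str) -> str:
        if account not in self._policies:
            raise RecoveryError("no guardians nominated for this account")
        guardians, threshold = self._policies[account]
        request_id = secrets.token_urlsafe(16)   # unguessable id for the push notification
        self._requests[request_id] = RecoveryRequest(
            account, guardians, threshold, self._clock(), self._ttl)
        return request_id

    def status(self, request_id: str) -> str:
        req = self._requests[request_id]
        if self._clock() > req.created_at + req.ttl_seconds:
            return "expired"
        if len(req.approvals) >= req.threshold:
            return "approved"
        # Once too many guardians have denied, the threshold can no longer be reached.
        if len(req.guardians) - len(req.denials) < req.threshold:
            return "denied"
        return "pending"

    def respond(self, request_id: str, guardian: str, approve: bool) -> str:
        """Record one guardian's answer to the in-app prompt and return the new status."""
        req = self._requests[request_id]
        if self.status(request_id) != "pending":
            raise RecoveryError("request is no longer open")
        if guardian not in req.guardians:
            raise RecoveryError("responder is not a nominated guardian")
        if guardian in req.approvals or guardian in req.denials:
            raise RecoveryError("guardian has already answered")   # first answer is final
        (req.approvals if approve else req.denials).add(guardian)
        return self.status(request_id)
```

Two properties matter for a scheme like this: the threshold is checked on the server from the recorded guardian identities, never from a count the client sends, and a denial is treated as evidence (a guardian who says "that's not my sister" should stop the request, not just fail to help it).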

I’d love to see more secure primary and secondary authentication methods in the Curve app (password + Google Authenticator being preferred, should be possible to completely turn off SMS, even as a backup option).

It’s a bit ironic that this very community forum supports more secure authentication methods (you can even enable 2FA with Google Authenticator, in case you didn’t know) than the Curve app where we store all our cards…


Spoiler alert, Curve don’t care. Security features have never been a priority for Curve. Only reason they have 3DS is regulatory compliance, they implemented it the last possible second and with major deficiencies, such as this

6 months later, SMS is still used to verify transactions. As predicted, Curve doesn’t care about security.

Yes, I’ve noticed in-app notification is back as an option, but the scammer can still select SMS in the 3DS prompt, rendering it useless.
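The last reply describes a downgrade: the account owner has a stronger channel available, but the party completing the 3DS prompt can still pick SMS. The fix is that the server, not the prompt, decides which channels are on offer, limited to what the owner enabled. As an added example that is not part of this thread and is not Curve code, the function below applies that rule, fails closed when nothing is enabled, and logs a request for a disabled channel as a signal worth alerting on. The channel names and their strength ranking are assumptions made for this example.

```python
import logging

logger = logging.getLogger("stepup")

# Assumed ranking of challenge channels from weakest to strongest (example only).
STRENGTH = {"sms": 1, "totp": 2, "push": 3}


def choose_challenge(enabled, requested=None):
    """Pick the channel for a step-up challenge (e.g. a 3DS prompt) on the server.

    `enabled` holds the channels the account owner has turned on; `requested` is what the
    client asked for. A channel the owner disabled is never honoured, not even as a
    fallback, and if nothing usable is enabled the function returns None so the caller
    refuses the transaction rather than falling back to SMS.
    """
    enabled = {m for m in enabled if m in STRENGTH}
    if not enabled:
        logger.warning("no challenge channel enabled; refusing to step up")
        return None
    if requested is not None and requested not in enabled:
        # Asking for a channel the owner switched off is the downgrade the reply describes.
        logger.warning("client requested disabled channel %r; ignoring", requested)
        requested = None
    if requested is not None:
        return requested
    return max(enabled, key=STRENGTH.__getitem__)   # strongest enabled channel by default


def challenge_options(enabled):
    """Channels the prompt may present; anything not enabled is simply not rendered."""
    return sorted((m for m in enabled if m in STRENGTH), key=STRENGTH.__getitem__, reverse=True)
```

The useful check for a practitioner is the second branch: a client that names a disabled channel is either stale or being steered, and the warning line is the detection hook for that.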