Emirates NBD makes Smart Pass mandatory
The security measure replacing OTP texts for online transactions prevents SIM swap fraud, but requires a smartphone or tablet
Emirates NBD now requires its customers to use Smart Pass, a device-specific security measure that generates a new token every time they want to complete an online or mobile transaction – a sign that one-time password texts are no longer enough protection due to an increase in SIM swap fraud.
Those calling the bank’s customer service number will be greeted with the message: “Smart Pass is becoming mandatory. Activate Smart Pass from your mobile banking app and create your four-digit pin. Use Smart Pass pin, fingerprint or face recognition to authorise all your digital banking transactions.”
Smart Pass, which takes the place of OTP codes sent by text, does not require an internet connection, but it does require a smartphone or tablet, which some customers have complained about.
The system was introduced earlier this year as an optional added security measure. It has become a requirement as of July and the bank has been informing and updating customers in “staggered phases,” an Emirates NBD spokesperson said.
“As part of its commitment towards safe banking, Emirates NBD has taken the lead in informing and educating customers on security risks, and continues to strengthen its banking platforms and processes,” the bank said in a statement e-mailed to The National.
The Smart Pass provides two-factor authentication to authorise transfers and payments, with the user’s login and password being the first security measure. While many UAE banks use the OTP as a second measure, fraudsters can duplicate the SIM of a mobile number by requesting a replacement and receive those texts without the owner’s knowledge or authorisation.
“The problem we have with SMS authentication is what we call a SIM swap,” said Damon Madden, a principal fraud consultant with ACI Worldwide in Dubai. “Rather than the OTP going directly to the consumer, it’s going to the criminal who’s facilitating or trying to commit the crime against the bank.”
“We’ve seen a lot of this globally, so it’s not unique to the UAE,” he added, saying that it has “definitely been increasing in the last several years”.
Some banks, such as HSBC, provide a physical device known as a secure key that resembles a small calculator for customers to self-generate tokens. However, these are "cumbersome, you have to carry it with you and it's not that convenient," Mr Madden said. HSBC in Europe and the US provides customers with the option of a digital secure key if they opt not to use the physical device.
Smart Pass can be activated on only one mobile device or tablet through the Emirates NBD mobile banking app. The system generates a six-digit token that is valid for 60 seconds before it disappears and generates a new one. It is accompanied by the message “do not share this with anyone” in capital letters.
MT, an Emirates NBD customer who preferred to remain anonymous, said he does not own a smartphone or tablet, as he is “very happy with a basic phone”. The new Smart Pass requirement is now causing him problems.
“Simply, if you do not have a smartphone, you cannot do online banking,” said Mr T, a senior wealth manager with a financial services company. “I have no option but to call each time I wish to do an online transfer.”
Mr T said this is especially inconvenient because he travels regularly and needs to make transfers while abroad. He also complained that the bank did not inform him of the change. “There has been no communication of any sort with me as a customer,” he said.
When contacted by The National, an Emirates NBD call centre representative said clients who do not have a smart device will not be able to activate Smart Pass and would need to submit a request to give them temporary access until they get one.
In an e-mailed statement, an Emirates NBD spokesperson said: “Online banking customers who do not wish to use a smartphone will soon be able to apply at a bank branch for a hardware token that offers strong two-factor authentication by generating a new, secure and individual OTP for each transaction.”
Updated: January 6, 2020 11:34 AM