
Device Binding Security Attack through SMS in iOS App

We have created an app for banks. In that app we do device binding with the phone number and device details through a text SMS.

Now an attacker has somehow used an SMS forwarding technique to bind his own device with the victim's phone number.

We are not sure about the attacker's modus operandi for using the victim's phone number to bind his own device.

We believe that the attacker might be using iMessage to sync the SMS from the app after the SMS is sent, and forwarding the same SMS to the victim.

Note: In our app, we use the MFMessageComposeViewController class to send the message for device binding to the bank.

We are looking for a solution so that the attacker cannot use/copy the text message created within the app for device binding and forward it to the victim.

As has been pointed out in the comments, you simply can't use SMS, either for registration or for providing OTPs for transactions/logons, as there are too many attack vectors. The following would be more secure for registration:

• Use a time-limited QR code or one-time code displayed to the user somewhere in their internet banking profile or, if they do not have internet banking, in the branch. This approach is recommended.
• Complete registration in-app through a combination of security questions and a PIN emailed to them. If no email, once again in-branch only.

Once registration is complete, you should use push notifications rather than SMS for OTPs, etc. It is also recommended not to include the OTP in the push notification itself but simply have the push notification prompt the app to request an OTP over HTTPS.
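The server-side half of the registration and OTP flow the answer recommends, as an added example that is not code from the question's banking app or from the answerer: a one-time registration code is issued inside an authenticated channel (internet-banking session or branch), expires after a short time and is accepted exactly once, so a forwarded or replayed copy binds nothing; the push notification carries no secret, and the OTP is handed out only to a device already bound to that user over an authenticated request. The code lengths, the 5-minute and 2-minute lifetimes, the `BindingServer` class and the idea that `device_id` identifies an authenticated device session (e.g. established by client certificates or app attestation) are assumptions of this example, not details from the thread.

```python
import hashlib
import hmac
import secrets
import time

# Lifetimes and code lengths are assumptions chosen for this example.
REG_CODE_TTL = 300   # registration code valid for 5 minutes
OTP_TTL = 120        # OTP valid for 2 minutes


def _digest(value: str) -> bytes:
    """Store only a hash of the registration code so a database read does not expose live codes."""
    return hashlib.sha256(value.encode()).digest()


class BindingServer:
    """Hypothetical bank back end: device registration plus push-prompted OTP delivery."""

    def __init__(self, clock=time.time):
        self.clock = clock           # injectable clock so expiry can be tested deterministically
        self._reg_codes = {}         # code_id -> {"user", "hash", "expires", "used"}
        self._devices = {}           # user_id -> set of bound device_ids
        self._otps = {}              # (user_id, device_id) -> {"otp", "expires"}

    # --- Registration: the code is shown in the authenticated banking session or in branch. ---
    def issue_registration_code(self, user_id: str):
        code = f"{secrets.randbelow(10**8):08d}"        # 8-digit one-time code
        code_id = secrets.token_hex(8)                    # opaque handle the app sends back
        self._reg_codes[code_id] = {"user": user_id, "hash": _digest(code),
                                    "expires": self.clock() + REG_CODE_TTL, "used": False}
        return code_id, code

    def bind_device(self, code_id: str, code: str, device_id: str) -> bool:
        entry = self._reg_codes.get(code_id)
        if entry is None or entry["used"] or self.clock() > entry["expires"]:
            return False                                  # unknown, replayed or expired code
        if not hmac.compare_digest(entry["hash"], _digest(code)):
            return False                                  # wrong code (constant-time compare)
        entry["used"] = True                              # single use: a forwarded copy is now useless
        self._devices.setdefault(entry["user"], set()).add(device_id)
        return True

    def is_bound(self, user_id: str, device_id: str) -> bool:
        return device_id in self._devices.get(user_id, set())

    # --- OTP: push carries no secret; the bound app fetches the OTP over authenticated HTTPS. ---
    def start_otp(self, user_id: str, device_id: str):
        """Create an OTP for a bound device and return the push payload to send (no OTP inside)."""
        if not self.is_bound(user_id, device_id):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[(user_id, device_id)] = {"otp": otp, "expires": self.clock() + OTP_TTL}
        return {"type": "otp_ready"}                      # the notification only prompts the app

    def fetch_otp(self, user_id: str, device_id: str):
        """Answer the app's authenticated HTTPS request; only the bound device gets the OTP."""
        entry = self._otps.get((user_id, device_id))
        if not self.is_bound(user_id, device_id) or entry is None:
            return None
        if self.clock() > entry["expires"]:
            del self._otps[(user_id, device_id)]
            return None
        return entry["otp"]

    def verify_otp(self, user_id: str, device_id: str, otp: str) -> bool:
        entry = self._otps.get((user_id, device_id))
        if entry is None or self.clock() > entry["expires"]:
            return False
        ok = hmac.compare_digest(entry["otp"], otp)
        if ok:
            del self._otps[(user_id, device_id)]          # an OTP is consumed on first success
        return ok


if __name__ == "__main__":
    srv = BindingServer()
    code_id, code = srv.issue_registration_code("alice")  # shown inside internet banking
    print("bind with live code:", srv.bind_device(code_id, code, "dev-A"))
    print("bind with forwarded copy:", srv.bind_device(code_id, code, "dev-B"))
    print("push payload:", srv.start_otp("alice", "dev-A"))
    print("OTP for unbound device:", srv.fetch_otp("alice", "dev-B"))
```

The two properties that close the forwarding hole are visible in `bind_device`: the code is tied to the user it was issued to and is marked used on the first successful binding, so the second call with the same code fails even though the code itself is correct. The OTP path never puts the secret into the push notification, so a compromised or mirrored notification channel yields nothing without the bound device's authenticated session.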
