This was published 1 year ago
Two-factor authentication overseas: SMS security issue catches out Australian travellers overseas
By Katherine Scott
Jacob Murray-White used a local SIM when travelling in Europe, but soon found he couldn't book anything online because he couldn't receive security codes via SMS.Credit: Jason South
After researching the costs of international roaming for a five-week family trip to Europe, Jacob Murray-White settled on a European SIM card – its £10 ($17.50) a month plan being significantly cheaper than the $10 a day charged by his telco.
Despite the financial benefit, the decision proved problematic from the get-go.
"On day-one, we climbed up Edinburgh Castle and got to the entry and noticed a sign saying you have to buy your tickets online," said Murray-White.
The Melbourne-based IT director tried to do so on his phone, but after adding his credit card details he was prompted to enter a confirmation code – which was sent to his Australian phone number.
"Credit cards are fine when you're travelling around and you want to pay for a pint or for lunch, but if you're forced to do an online purchase – all the museums, musicals, tourists sites – you can't do it," said Murray-White of the fraught two-factor security SMS authentication process.
The traveller described the SMS ordeal as "a nightmare", recalling how he was forced to ring a family member in England to make purchases for him at various times.
Melbourne retiree Kairen Harris, 63, found herself in the same predicament last year when visiting family in the United Kingdom over three-and-a-half months.
"Mostly I was borrowing cash from family to avoid the saga of my card being rejected," said Harris.
Her bank, ING, explained there was no workaround for this – customers needed an Australian mobile number to receive SMS security codes, or to phone the bank each time they put through a transaction.
"To resolve this, my sister lent me her UK credit card for all real-time payments required. When I went to transfer funds to her from Australia [via online banking], I couldn't do that either as SMS verification was required for new payee," said Harris. "She had to wait more than three months for reimbursement."
Both Murray-White and Harris had advised their banks of their travel plans. This can help to avoid some, but not all, transactions being stopped. The fraud detection controls set by financial institutions that trigger SMS codes are kept under wraps for security reasons.
Two-factor authentication is considered best practice from a cyber security standpoint. Its use has become ubiquitous in the wake of a number of large scale data breaches in recent times.
Dr Cassandra Cross, associate professor at the School of Justice with Queensland University of Technology, said given the prevalence of data breaches and cyber security conversations happening, there's more awareness of two-factor authentication.
"More people are taking up the option, and many companies are now mandating its use, when previously it was a choice," said Cross.
This added security screen is particularly pertinent while abroad.
"People are more open to using unsecured WiFi spots when overseas compared to when we're at home and have control over that," said Cross.
Few banks allow customers to update verification channels to a foreign SIM. (ANZ customers can do so via their internet banking profile).
So what is the solution if you have an upcoming trip overseas?
One alternative is to request a bank authentication token – a small device that generates a one-time password (OTP) in place of SMS code. They tend to be hard to come by, mostly offered in exceptional circumstances.
Authenticator apps and banking apps can receive verification codes with a foreign SIM (check with your bank), though banks tend to favour SMS code verification over this. Email verification is rarely an option.
Some currency cards do allow email verification, however an analysis of a host of popular travel money cards by comparison website Canstar Blue found that none of those examined offer this.
Some local providers offer global roaming packs that let you keep your Australian phone number while travelling overseas. Australia Post's International Roaming Plan starts from $5 valid for 30 days but only includes 500MB data. Felix Mobile's roaming pack includes 4GB data valid for 365 days from $20. Vodafone lets customers on an ongoing plan access roaming for $5 daily for a maximum of 90 days per calendar year.
Canstar finance expert Steve Mickenbecker said despite this option being more costly than a foreign SIM, it does pose the safest solution.
"It resolves the dual problem of allowing financial transactions whilst overseas and at the same time controlling telco costs," said Mickenbecker.
Sign up for the Traveller newsletter
The latest travel news, tips and inspiration delivered to your inbox. Sign up now.