Improving user account security

We've recently shipped a number of security improvements for how users sign in to Teller: TOTP as a 2nd factor, an account recovery flow, an SMS OTP roaming check, and other authentication and sign-up changes.

TOTP 2nd factor

You can now use a TOTP app, e.g. Google Authenticator to generate time-based one-time passwords as your 2nd factor. To enable TOTP on your account, install a TOTP app on your phone, go to the user settings page, select the TOTP option, scan the QR code into your TOTP app, and enter your password to confirm the change.

Back in the earliest days of our private beta Teller initially mandated TOTP as the 2nd factor but it didn't test well with users. You won't be surprised by this if you've ever been the owner of a GitHub Org and had to enforce a 2FA policy. Teller moved to OTP via SMS so that we didn't lose a bunch of users while also providing some kind of 2nd factor.

Despite its shortcomings SMS OTP provided good UX and an acceptable level of risk considering the sophistication of our earliest users (software developers), and that it wasn't yet possible to reset passwords or to initiate payments. As Teller continues to develop these assumptions no longer hold and given that NIST has since deprecated authentication via SMS we have brought back TOTP.

We strongly encourage you to switch your 2nd factor to TOTP and away from SMS OTP.

SMS OTP roaming check

One of the drawbacks of using SMS as a 2nd factor is that it means you're effectively delegating your security policy to a 3rd party that you don't control and can't ensure performs competently. A major problem with SMS is that attackers have gained access to the signalling network that network operators use to route calls and messages to you no matter where you are, even if you're on the other side of the world. This network, known as SS7 was designed a very long time ago in a time where the threat model was very different, consequently anyone with access to the network is de facto trusted. Once an attacker has access to SS7 they are able to fool your home network into thinking you're roaming on their phoney network. Your home network will now helpfully forward all of your calls and SMS to the attacker.

We now check if your mobile number is roaming before sending one-time passwords via SMS. We will no longer send one-time passwords via SMS while your number is roaming on a foreign network.

This does not completely eliminate the problems with SMS OTP, they're still vulnerable to an attacker who successfully manages to impersonate you to your network, convince them you've lost your SIM card and have them transfer your number to an attacker controlled SIM card. They're also still vulnerable to any malware on the device that could intercept your SMS (although if your device is compromised, all bets are off anyway).

Again we strongly encourage you to switch your 2nd factor to TOTP and away from SMS OTP.

Account recovery

You can now reset the password on your Teller account by telling us the telephone number registered with the account, whether or not you have any bank accounts connected to it, and if so the account number, sort code and ledger balance of one of the connected accounts. You can find out the ledger balance of a connected bank account by logging on to your bank's online banking, using their mobile banking app, or by doing it the old fashioned way and calling them or visiting a branch. By being able to tell us your bank account details and a current ledger balance you demonstrate sufficient control of a connected bank account for us to let you reset your password.

Resetting your password does not log you in or reset the 2nd factor. If you've forgotten your password and lost control of your 2nd factor contact support and we will try to help as best we can.

Changes to login and signup

When we originally built the user authentication flow, we wanted it to be as frictionless as possible. The user would enter their telephone number, Teller then sent the user a OTP via SMS, the user would enter the OTP, and if there was an existing account for that number Teller would ask you for your password. If there wasn't an account we would ask you to choose a password and automatically create an account and log you in.

The problems with this approach is that we would send an SMS before the user had authenticated meaning we had essentially published an endpoint that allowed an attacker in theory to spam anyone with messages from Teller, and less importantly cause Teller to incur unlimited expense from this unauthorised usage. This never happened but we wanted to change it before it did. The easiest way to solve the issue would be to require valid password before sending the OTP SMS, unfortunately we'd just be replacing one problem with another, i.e. an easy way for attackers to quickly enumerate whether a given phone number was associated with a Teller account. We decided to solve this issue by splitting up account creation and user login into separate features.

As always we welcome your comments and questions. Please write to us at help@teller.io.