Security Basics mailing list archives

Re: SMS Banking
From: Brad Reaves <bgreaves421 () yahoo com>
Date: Fri, 5 Feb 2010 06:13:00 -0800 (PST)

One of the biggest problems will be a static PIN.
SMSs are stored on users' phones in plain text. Users can't be trusted to delete every message that they send.
Users are also in the habit of leaving their phones about, where a villain could easily sift through the SMS log 
(conveniently sorted automatically by phone number) for messages to the bank, see the PIN, and transfer funds.
The attacker wouldn't necessarily have to be the one to receive funds. He could send hundreds of dollars to a random 
utility and cause a great deal of hassle for the victim.
A more sophisticated version would have an attacker register a false "Utility" (from your example) and have money 
diverted to that account.

The unprotected nature of SMS and mobiles in general makes this a very difficult problem, indeed. One solution would be 
to set up a series of "Security Questions," so that when the user sends a payment, the payment system responds with a 
question in another SMS. This question should be one that (theoretically) only the user knows. This wouldn't be 
foolproof, but it'd be much less vulnerable to crimes of opportunity like I mentioned above.

Brad Reaves
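
The security-question flow suggested in the message above, sketched server-side as an added example that is not part of the original post or any real banking system. The class name, timeout, retry limit and reply codes are assumptions; the question is picked at random from several enrolled ones so that one answer left in the phone's SMS log does not match every challenge.

```python
import hashlib
import hmac
import secrets
import time

def _digest(answer, salt):
    # Normalise case/whitespace, then keep only a salted slow hash of the answer.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

class SmsPaymentGateway:  # hypothetical name, for illustration only
    TTL = 300        # assumed: a challenge is valid for 5 minutes
    MAX_TRIES = 3    # assumed: payment is cancelled after 3 wrong answers

    def __init__(self):
        self.questions = {}  # phone -> [(question, salt, digest)]
        self.pending = {}    # phone -> payment held until the challenge is answered
        self.executed = []   # payments actually released

    def enroll(self, phone, question, answer):
        salt = secrets.token_bytes(16)
        entry = (question, salt, _digest(answer, salt))
        self.questions.setdefault(phone, []).append(entry)

    def request_payment(self, phone, payee, amount, now=None):
        """Hold the payment and return the question to send back by SMS."""
        now = time.time() if now is None else now
        question, salt, digest = secrets.choice(self.questions[phone])
        self.pending[phone] = {"payee": payee, "amount": amount, "salt": salt,
                               "digest": digest, "tries": 0, "expires": now + self.TTL}
        return question

    def answer(self, phone, text, now=None):
        """Release, retry, or cancel the held payment based on the reply SMS."""
        now = time.time() if now is None else now
        p = self.pending.get(phone)
        if p is None or now > p["expires"]:
            self.pending.pop(phone, None)   # expired challenges are discarded
            return "NO_PENDING"
        if hmac.compare_digest(_digest(text, p["salt"]), p["digest"]):
            del self.pending[phone]
            self.executed.append((phone, p["payee"], p["amount"]))
            return "PAID"
        p["tries"] += 1
        if p["tries"] >= self.MAX_TRIES:
            del self.pending[phone]         # stop guessing from a found phone
            return "CANCELLED"
        return "RETRY"
```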



