Home page logo

basics logo Security Basics mailing list archives

Re: SMS Banking
From: "Tim Clewlow" <tim () clewlow org>
Date: Sat, 6 Feb 2010 18:04:13 +1100

One of the biggest problems will be a static pin.
SMS's are stored on user's phones in plain text. Users can't be
trusted to delete every message that they send.
Users are also in the habit of leaving their phones about, where a
villain could easily sift through the SMS log (conveniently sorted
automatically by phone number) for messages to the bank, see the
pin, and transfer funds.
The attacker wouldn't necessarily have to be the one to receive
funds. He could send hundreds of dollars to a random utility and
cause a great deal of hassle for the victim.
A more sophisticated version would have an attacker register a false
"Utility" (from your example) and have money diverted to that

The unprotected nature of SMS and mobiles in general makes this a
very difficult problem, indeed. One solution would be to set up a
series of "Security Questions," so that when the user sends a
payment, the payment system responds with a question in another SMS.
This question should be one that (theoretically) only the user
knows. This wouldn't be foolproof, but it'd be much less vulnerable
to crimes of opportunity like I mentioned above.

Brad Reaves

You mentioned the "unprotected nature of SMS and mobiles in general"
and others have brought up the fact that GSM itself can be trivially
cracked ($1500 for a USRP, d/l some software, and anyone can do it).
There is also the problem of phones getting cracked and client apps
being compromised. It is not difficult to imagine a viral attack
gathering authentication data from a known (banking) app on mobile
devices and sending it all to a remote database.

This makes me think that mobile communications in general, ie the
infrastructure, the devices, and the software, are all in dire need
of cryptographic hardening before critical systems (bank access, or
otherwise) on mobile devices can be truly securely implemented.

My 2c, Tim.

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]