Security Basics mailing list archives

RE: Security Issues in Mobile Banking


From: Aigar Käis <Aigar.Kais () emt ee>
Date: Wed, 12 Mar 2003 10:19:01 +0200

Hi

 
User sends his user name and password to the service provider as an SMS, the ISP processes the request by running a script which initiates an "https" session with the Bank's Internet Banking Server, and does a balance inquiry using the username and password.

If the credentials supplied are valid, then the balance info is sent back to the user as an sms.

UserName & password is not encrypted on the ISP server which sends the script, however they are replaced by **** in the log files.

We have some doubts as listed below:
1. Is mobile banking a proven safe technology?

Mobile banking hasn't been around long enough to prove it's safe.

2. Is this a common type of service or is it completely new? 

I'm not sure how common this kind of approach is, but we also have several banks and telcos here offering this kind of service to customers, but with slightly different logic.

The client is not required to add a username and password to the SMS. Instead, someone with an internet banking account must activate its mobile banking (M-commerce) features, and select the numbers that are allowed to make SMS-based queries and which services are allowed.

Now, if one wants, for example, a balance sheet or the last transactions made, one simply sends an SMS containing a predetermined word. The SMSC forwards it over the encrypted tunnel to the bank, where it gets processed and sent back again over the encrypted tunnel to the SMSC and to the client.



r.

Aigar
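
The enrollment-based flow described in the reply above, sketched as an added example that is not part of the original message or any bank's code: a default-deny check that accepts only a bare predetermined word from an enrolled number with that service allowed. The numbers, account ids, keywords `BAL`/`LAST` and all function names are constructed for illustration.

```python
import re

# Constructed enrollment data: numbers a customer activated through
# internet banking, each with the services that customer allowed.
ENROLLED = {
    "+3725550001": {"account": "ACC-1", "services": {"balance", "transactions"}},
    "+3725550002": {"account": "ACC-2", "services": {"balance"}},
}
# Hypothetical predetermined words mapped to service names.
KEYWORDS = {"BAL": "balance", "LAST": "transactions"}


def normalize_msisdn(raw, default_cc="372"):
    """Reduce the sender number to one canonical +<cc><number> form."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    elif not digits.startswith("+"):
        digits = "+" + default_cc + digits.lstrip("0")
    return digits


def handle_sms(sender, body):
    """Return (decision, account, service); the default is to deny."""
    entry = ENROLLED.get(normalize_msisdn(sender))
    if entry is None:
        return ("deny:not-enrolled", None, None)
    # Accept only a bare keyword: anything else (for example a user name
    # and password typed out of habit) is rejected and never processed.
    service = KEYWORDS.get(body.strip().upper())
    if service is None:
        return ("deny:unknown-keyword", None, None)
    if service not in entry["services"]:
        return ("deny:service-not-allowed", None, None)
    return ("allow", entry["account"], service)


def audit_line(sender, decision):
    """Audit record carries the sender and decision, never the message body."""
    return f"sms-query from={normalize_msisdn(sender)} decision={decision}"
```
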

