Security Basics mailing list archives
Re: Security Issues in Mobile Banking
From: Valter Santos <vsantola () devfusion net>
Date: 12 Mar 2003 15:53:34 +0000
On Tue, 2003-03-11 at 06:21, MOHESOWA BYAS wrote:
We have some doubts as listed below:
1. Is mobile banking a proven safe technology?
2. Is this a common type of service or is it completely new?
3. Are there any known security incidents using this service?
4. What features should we consider to make a risk assessment of the service being proposed?
5. Any other items that must be considered?
Hi there,

I'm talking from Portugal, and we have a bank here offering such a service, but I really doubt the security of such an application. Let me explain this a little better.

Suppose we have the following circuit flow for this application:

SMS client -> [telecom bearer] -> SMSC -> [SMSC bearer] -> SMS gw -> [HTTP] -> Bank Server

This is the normal schema used for such an application, where
- the telecom bearer is the protocol used by the operator for its communication (eg, UCP/EMI2, SMPP, etc)
- the SMSC bearer is the protocol used by the SMS Center to talk with application gateways (eg, TCP or UDP)

Supposing that the application is well designed from a security standpoint, and the security between the SMSC and the Bank server is guaranteed [and in most cases this is *NOT* true 8-(], this circuit has an important security flaw, which is the communication between the SMS client (phone device) and the SMS Center. The technology used nowadays for SMS does not have any encryption feature, so all the communications are passed in the clear from the phone to the SMS Center. Normally, what the developers of such applications think about this is that this type of communication is hard to sniff and no one will go to the trouble of sniffing it... this is a bad practice, and I doubt that SMS traffic is hard to sniff for someone working as a telecom engineer.

Another issue is that all SMS messages are logged by default at the SMS Center, so all login information from users of such an application is available to SMSC operators... this flaw is even more annoying when the application is used in conjunction with the login platform of the main web banking system, which is the case here. This allows compromising not only the SMS banking platform but also the web banking one and all the accounts that the user has registered in the application.

However, the future should be better.
Now that new phones are Java enabled, or use more polished operating systems such as Symbian or even Linux, I guess that new versions of this type of application will be able to use encryption even if the operator bearer doesn't offer it. There are some projects trying to implement such a thing, and I hope that they will succeed. I remember seeing one of such projects at SourceForge; google for SMS encryption to find it.

Hope this helps,
/valter

--
Valter Santos
vsantola () devfusion net
http://devfusion.net/~vsantola/keys/
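Added example, not code from this thread or from any of the projects Valter mentions: a Go sketch of the bearer-independent, application-layer encryption he anticipates, showing that a command sealed with AES-GCM on the handset leaves the SMSC's default log with no readable login data, still fits one 160-character SMS, and is rejected by the bank side if altered in transit. The shared key and the sample command are constructed, and provisioning the key into the handset application at enrolment is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed 128-bit key, assumed provisioned into the handset app out of band; never sent over SMS.
var demoKey = []byte("0123456789abcdef")
// One SMS part carries at most 160 GSM 7-bit characters; base64 output stays inside that alphabet.
const gsm7MaxChars = 160
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// EncryptCommand seals a command on the handset with AES-GCM and returns base64(nonce||ct||tag),
// which travels through the operator's SMSC as ordinary message text.
func EncryptCommand(key []byte, plaintext string) (string, error) {
	aead, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}
// DecryptCommand is the bank-side inverse; the GCM tag check rejects any message altered or forged in transit.
func DecryptCommand(key []byte, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil { return "", err }
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() { return "", fmt.Errorf("undecodable sms: %v", err) }
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	return string(pt), err
}

// SMSCLogLeaks models the SMS Center's default message log: true when the secret is readable in the
// stored body. FitsSingleSMS checks that the encoded body still fits one message part.
func SMSCLogLeaks(loggedBody, secret string) bool { return strings.Contains(loggedBody, secret) }
func FitsSingleSMS(body string) bool           { return len(body) <= gsm7MaxChars }

func main() {
	plain := "LOGIN user=jdoe pin=1234 CMD=BALANCE" // constructed sample command
	enc, _ := EncryptCommand(demoKey, plain)
	dec, err := DecryptCommand(demoKey, enc)
	fmt.Println("pin visible plain/encrypted:", SMSCLogLeaks(plain, "pin=1234"), SMSCLogLeaks(enc, "pin=1234"), "| bank:", dec, err, FitsSingleSMS(enc))
}
```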