Security Basics mailing list archives
RE: Security Issues in Mobile Banking
From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Thu, 13 Mar 2003 06:21:19 +0000
This leaves open the issue of a criminal targetting someone; stealing their phone and hijacking their bank account/s - kinda like credit cards but without the understanding bank manager at the end huh?
Regards, Hamish Stanaway -= KoRe WoRkS =- Internet Security Owner/Operator Auckland New Zealand http://www.koreworks.com/ Is your box REALLY secure?
From: Aigar Käis <Aigar.Kais () emt ee> To: "MOHESOWA BYAS" <byasmohesowa () sbm intnet mu> CC: <security-basics () securityfocus com> Subject: RE: Security Issues in Mobile Banking Date: Wed, 12 Mar 2003 10:19:01 +0200 MIME-Version: 1.0Received: from outgoing.securityfocus.com ([205.206.231.26]) by mc8-f10.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 12 Mar 2003 16:45:40 -0800 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])by outgoing.securityfocus.com (Postfix) with QMQPid 036D48F2C8; Wed, 12 Mar 2003 17:31:42 -0700 (MST)Received: (qmail 13977 invoked from network); 12 Mar 2003 08:09:27 -0000 X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <security-basics.list-id.securityfocus.com> List-Post: <mailto:security-basics () securityfocus com> List-Help: <mailto:security-basics-help () securityfocus com> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com> Delivered-To: mailing list security-basics () securityfocus com Delivered-To: moderator for security-basics () securityfocus com X-MimeOLE: Produced By Microsoft Exchange V6.0.6334.0 content-class: urn:content-classes:message Message-ID: <8EE3AA195E0FCE4EAA87626C20B68CED0F45EB () venus emt ee>X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security Issues in Mobile BankingThread-Index: AcLoAiNrrfARGXs0TNepzP9rk9tOrQAbWBHAReturn-Path: security-basics-return-18424-koremeltdown=hotmail.com () securityfocus com X-OriginalArrivalTime: 13 Mar 2003 00:45:42.0198 (UTC) FILETIME=[DFF9B560:01C2E8F9]Hi > User sends his user name and password to the service provider > as an SMS, the > ISP processes the request by running a script which initiates > an "https" > session with the Bank's Internet Banking Server, and does a > balance inquiry > using the username and password. > > If the credentials supplied are valid, then the balance info > is sent back to > the user as an sms. > > UserName & password is not encrypted on the ISP server which sends the > script, however they are replaced by **** in the log files > > We have some doubts as listed below: > 1. Is mobile banking a proven safe technology ? Mobile banking hasn't been around long enough to prove it's safe. > 2. Is this a common type of service or is it completely new?I'm not sure how common is this kind of approach but we have here also several banks and telcos offering this kind of service to customers but with slightly different logic. Client is not to required to add username and password with SMS. Instead one with internet banking account must activate it's mobile banking (M-commerce) features, select numbers who are allowed to make SMS based query and what services are allowed. Now if one wants for example balance sheet or last transactions made, simply sends SMS containing predetermined word. SMSC forwards it over the encrypted tunnel to bank where it gets processed and sent back again over encrypted tunnel to SMSC and to client.r. Aigar
_________________________________________________________________Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
Current thread:
- Security Issues in Mobile Banking MOHESOWA BYAS (Mar 11)
- Re: Security Issues in Mobile Banking Valter Santos (Mar 13)
- <Possible follow-ups>
- RE: Security Issues in Mobile Banking Aigar Käis (Mar 12)
- RE: Security Issues in Mobile Banking KoRe MeLtDoWn (Mar 13)