Security Basics mailing list archives
Re: SMS Banking
From: "Tim Clewlow" <tim () clewlow org>
Date: Sat, 6 Feb 2010 18:04:13 +1100
One of the biggest problems will be a static PIN. SMSs are stored on users' phones in plain text. Users can't be trusted to delete every message that they send. Users are also in the habit of leaving their phones about, where a villain could easily sift through the SMS log (conveniently sorted automatically by phone number) for messages to the bank, see the PIN, and transfer funds. The attacker wouldn't necessarily have to be the one to receive funds. He could send hundreds of dollars to a random utility and cause a great deal of hassle for the victim. A more sophisticated version would have an attacker register a false "Utility" (from your example) and have money diverted to that account.

The unprotected nature of SMS and mobiles in general makes this a very difficult problem, indeed. One solution would be to set up a series of "Security Questions," so that when the user sends a payment, the payment system responds with a question in another SMS. This question should be one that (theoretically) only the user knows. This wouldn't be foolproof, but it'd be much less vulnerable to crimes of opportunity like I mentioned above.

Brad Reaves
You mentioned the "unprotected nature of SMS and mobiles in general" and others have brought up the fact that GSM itself can be trivially cracked ($1500 for a USRP, download some software, and anyone can do it). There is also the problem of phones getting cracked and client apps being compromised. It is not difficult to imagine a viral attack gathering authentication data from a known (banking) app on mobile devices and sending it all to a remote database. This makes me think that mobile communications in general, i.e. the infrastructure, the devices, and the software, are all in dire need of cryptographic hardening before critical systems (bank access, or otherwise) on mobile devices can be truly securely implemented.

My 2c, Tim.
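As an added illustration, not code from either poster, the following Python toy models the two schemes the thread contrasts: a static PIN that survives in the phone's SMS log, and a per-payment challenge answered from a secret held only in the banking app, which is one concrete form of the cryptographic hardening Tim calls for. The shared secret, the message layout and the nonce length are assumptions made for the example. As Tim's reply itself points out, this protects against someone reading the SMS log, not against a compromised app or device that leaks the stored secret.

```python
import hashlib
import hmac
import secrets

# Constructed demo value; a real deployment would provision this out of band.
USER_SECRET = b"constructed-demo-secret-do-not-reuse"


def static_pin_authorizes(sms_log, pin):
    """Static-PIN scheme: the PIN that authorizes any future payment can be
    read straight out of a stored message."""
    return any(f"PIN {pin}" in msg for msg in sms_log)


def response_for(secret, nonce, payee, amount):
    # The reply is bound to the nonce and the exact transaction, so a logged
    # reply is useless for any other payee, amount or challenge.
    data = f"{nonce}|{payee}|{amount}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # nonce -> (payee, amount)

    def request_payment(self, payee, amount):
        nonce = secrets.token_hex(4)
        self.pending[nonce] = (payee, amount)
        return f"CONFIRM PAY {payee} {amount} CHALLENGE {nonce}"

    def confirm(self, nonce, response):
        tx = self.pending.pop(nonce, None)  # each challenge is single-use
        if tx is None:
            return False
        return hmac.compare_digest(response_for(self.secret, nonce, *tx), response)


def phone_answer(secret, challenge_sms):
    """The banking app derives the reply from the locally held secret;
    the secret itself never appears in an SMS."""
    parts = challenge_sms.split()
    payee, amount, nonce = parts[2], parts[3], parts[5]
    return f"REPLY {nonce} {response_for(secret, nonce, payee, amount)}"


def run_payment(bank, payee, amount, sms_log):
    challenge = bank.request_payment(payee, amount)
    reply = phone_answer(USER_SECRET, challenge)
    sms_log += [challenge, reply]  # both messages stay in the phone's log
    _, nonce, resp = reply.split()
    return bank.confirm(nonce, resp)


def logged_replies_authorize_new_payment(bank, sms_log, payee, amount):
    """Defender's check: can any stored reply confirm a fresh challenge?"""
    new_nonce = bank.request_payment(payee, amount).split()[5]
    return any(bank.confirm(new_nonce, m.split()[2]) for m in sms_log if m.startswith("REPLY"))
```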