WebApp Sec mailing list archives

RE: SMS protection


From: Jesse Mundis <jesse () voltage com>
Date: Tue, 25 Oct 2011 10:26:02 -0700

Hi Marcel.

For any practical purpose, I'd have to suggest your assumptions are invalid.  In any sort of real world use, you will 
have to assume the user can be, or has already been, tricked into installing some sort of app that requested the ability 
to read SMS messages.  Once that happens, your scheme is blown.  I'd never use such a system for anything but trivial, 
low-value game sign-ups and such.  Certainly not banking, or anything banking-like.

However, taking your assumptions as valid, it's still a bad idea.  SMS has a number of weaknesses from a security 
standpoint.  See http://en.wikipedia.org/wiki/SMS#Vulnerabilities.  Anyone with the right equipment should be able to 
pluck the contents of all the SMS texts flying past them out of the air easily.

So, while it might be difficult (with your assumptions) for any specific attacker to intercept any specific target, it 
should be easy for an arbitrary attacker to listen in on an arbitrary target.

If your task is to secure anything like banking, I wouldn't depend on SMS for my security if I were you.

Jesse Mundis
I do not speak for my employer.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Marcel Tudorache
Sent: Friday, October 21, 2011 10:58 AM
To: webappsec () securityfocus com
Subject: SMS protection

Hi,


I was wondering how secure an SMS is when used as an authentication/transaction signing means for an application similar 
to online banking.

To make the analysis more targeted, the following assumptions are made:
- I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume 
that the user does his due diligence and either does not navigate on the internet or navigates on a limited number of 
trusted websites, so the assumption is that the user does not have a trojan/malware/virus on the smartphone.
- Bluetooth is off
- Wifi off...
- the attacker does not have physical access to the mobile phone

I think that the SIM card is pretty difficult to hack. From my (limited) smart card experience, I would assume that 
before allowing a cloned SIM card access to the network the operator might validate some signature of the 
SIM card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar 
process).

The question is merely about the intrinsic security of receiving an SMS, and how easy it would be for an attacker to read 
the SMS of somebody else, taking into account the above assumptions.

I think it should be pretty secure; what do you think?

Thank you very much,
Marcel



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




