WebApp Sec mailing list archives

Re: SMS protection

From: Fyodor <fygrave () gmail com>
Date: Tue, 25 Oct 2011 08:11:19 +0800

Well, keep in mind that as SMS traverses through Telco, it is being
stored/transmitted as plain text, so the only part of communication
path that goes over encrypted link is handset <--> base station. (and
this part of the crypto is known to be flawed as well).

anyway, to make things short - SMS might be good enough to act as 2nd
factor auth (i.e. one time passwords) but I wouldn't solely relay on
its security much.

if that helps,
-Fyodor

On Sat, Oct 22, 2011 at 1:57 AM, Marcel Tudorache
<marceltudorache () yahoo com> wrote:

Hi,

I was wondering how secure is an SMS to be used as authentication/transaction signing means for an application
similar with online banking.

To make the analysis more targeted the following assumptions are made:
- I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume
that the user does his due dilligence and either does not navigate on the internet or navigates on limited number of
trusted websites, so the assumption is that the user does not have an trojan/malware/virus on the smartphone.
-bluetooth is off
- Wifi off...
- the attacker does not have phisycal access to the mobile phone

I think that the SIM card is pretty difficult to be hacked, from my smart card experience(limited), I would assume
that before allowing the access to the network of a cloned SIM card the operator might validate some signature of the
sim-card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar
process).

The question is merely about the intrinsic security of receiving an SMS, and how easy would be for an attacker to
read the SMS of somebody else taking into account the above assumptions.

I think it should be pretty secure, what do you think?

Thank you very much,
Marcel

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




-- 
http://www.o0o.nu



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Current thread:

SMS protection Marcel Tudorache (Oct 24)
- RE: SMS protection Jesse Mundis (Oct 26)
- Re: SMS protection Fyodor (Oct 26)
  - Re: SMS protection Marcel Tudorache (Oct 29)
- Re: SMS protection Francois Yang (Oct 26)
- Re: SMS protection Robin Wood (Oct 26)
- Message not available
  - Re: SMS protection Marcel Tudorache (Oct 29)