Yearly Archives: 2014

SMS Tokens – A False Sense of Security

John is on his way to work when his wife reminds him to pay the month’s rent, so he decides to make the payment before he leaves. To make a funds transfer, John first has to log into his internet banking and select his estate agent’s payee details. Just as he is about to click Pay, John receives an SMS with a security code, which he must key into the transaction to complete the payment. Some banks instead make a phone call to the customer as the second factor of authentication. Either way, the transaction is confirmed with the customer over a second channel, separate from the banking application, adding a second layer of security.

This added protection, in which John’s bank confirms his identity over a channel or device that John carries with him and that is “independent” of his computer, in addition to his username and password, is popularly known as Two-Factor Authentication.
Ever carried a small device on your keychain that generates a 6- to 8-digit code? Such an access token contains the security credentials for a login session and identifies the user as a second factor.

So how can someone get access to the SMS messages on your phone?
To deliver a single-use SMS password, the message has to travel through several networks: from the firm’s headquarters to a wholesale SMS gateway, across the international SMS network and finally down the line of the local phone company. The following are some of the ways cybercriminals can take advantage of this situation to compromise a mobile phone.

Network exploit
An attacker exploits a vulnerability or flaw in the web browser of the user’s mobile device over its WiFi connection. Once the user visits a malicious page, the attacker’s site delivers malicious code or data to the victim’s browser, and that code takes control of the device and harvests the sensitive data on it.
Social engineering
Attackers use hyped content to attract, manipulate or persuade people into revealing confidential information through deception such as phishing, for the purposes of information gathering, fraud or gaining access rights.
Virus
A virus hosted inside otherwise legitimate code is software designed specifically to damage or disrupt a system.
In Australia the Comms Alliance, the lobby group for Australian telcos, has declared SMS banking unsafe and called upon Australian banks to seek out alternative authentication technologies.[10] Along with the security concerns, SMS brings certain inconveniences. Travel is at the top of the list: SMS does not work universally when abroad.

After struggling with hotel or airport wifi registration, the bank’s systems add a further inconvenience. On some networks an SMS can be delayed by hours or days, and sometimes it never arrives at all. Many people swap their SIM cards when travelling to avoid excessive roaming charges, and swapping the SIM back just to log into a bank account is an extra nuisance. Worst of all, if you are tethering with a SIM card from the country you are visiting, it is impossible to receive the bank’s SMS on your regular SIM card while simultaneously maintaining the SSL connection to the bank’s website over the new SIM card.

A more likely reason for its popularity among banks is that many lenders want to be sure they hold a mobile phone number on which to contact customers when loan or credit card payments are missed. Making the mobile phone number mandatory for login ensures they have the correct phone number for almost 100% of customers. It is not clear, though, that this benefit justifies the failure to provide proper security and the inconvenience when travelling.

The only potential benefit of SMS authentication is that it weeds out some of the most amateur attempts to compromise your bank account, but this is a false sense of security.

In recent years, those tasked with managing IT and security have had to contend with changes that have been fundamental and fast in coming. Today’s technology environments bear little resemblance to those of even a few years ago, and the pace of innovation continues to accelerate. Historical forms of authentication were never meant for the networked landscape we live in today. At this point in the data security environment, most people are aware that a single installed antivirus product is not enough to protect a given endpoint.