[VoiceOps] SMS receive security

nick hatch nicholas.hatch at gmail.com
Thu Dec 10 00:24:14 EST 2009


Hi all,

Reading the last thread on why SMS isn't/should be dead, I almost piped up
with a thought before I realized I should probably check my head-sphincter
interface, first.

Many banks use SMS messages as an out-of-band authentication factor for
online banking. (ie, they send a challenge code to the customers phone in
response to an online banking request) If one assumes that cell phone SMS
messages can't be intercepted out of the air by a forged device or through
other means, they operate as a quasi-physical authentication factor, which
is very valuable.

This would be a strong use case for SMS over email or other general-purpose
communication mediums where the password or other knowledge can be
bootstrapped into access to the medium.

However, I'm not so sure this assumption is correct. Does anyone have good
references for the security of SMS? The most I've been able to find is this
Slashdot article [1].

-Nick

[1] http://it.slashdot.org/article.pl?sid=09/05/21/1858233
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20091209/dca7beff/attachment.html>


More information about the VoiceOps mailing list