[VoiceOps] SMS receive security

Peter Beckman beckman at angryox.com
Thu Dec 10 11:53:41 EST 2009

On Wed, 9 Dec 2009, nick hatch wrote:

> Hi all,
> Reading the last thread on why SMS isn't/should be dead, I almost piped up
> with a thought before I realized I should probably check my head-sphincter
> interface, first.
> Many banks use SMS messages as an out-of-band authentication factor for
> online banking. (ie, they send a challenge code to the customers phone in
> response to an online banking request) If one assumes that cell phone SMS
> messages can't be intercepted out of the air by a forged device or through
> other means, they operate as a quasi-physical authentication factor, which
> is very valuable.
> This would be a strong use case for SMS over email or other general-purpose
> communication mediums where the password or other knowledge can be
> bootstrapped into access to the medium.
> However, I'm not so sure this assumption is correct. Does anyone have good
> references for the security of SMS? The most I've been able to find is this
> Slashdot article [1].
> -Nick
> [1] http://it.slashdot.org/article.pl?sid=09/05/21/1858233

  Is SMS secure?  No.  But SMS is useful for an OTP (One Time Password) such
  as the banking industry is using.

  SMS is not secure, in any way.  Unless the banks have spent the tens, if
  not hundreds, of thousands of dollars to directly connect with private
  non-Internet lines directly to the carriers, or have an encrypted tunnel
  between their operations and their aggregator, the SMS messages still go
  over the Internet to an aggregator (mQube, Mobile 365 (now Sybase 365)).
  During that process it is possible to sniff that information.

  It is also possible that any company involved in the delivery of that SMS
  is somehow compromised or able to be, at which point the SMS can be read.
  Unless the SMS message is wrapped into a cryptographic tunnel between
  endpoints, SMS must be assumed to be insecure.

  The SMS is also delivered over the air, which means it can be intercepted.
  I know that there is some sort of authentication between the phone and the
  tower, but since SMS is part of informational messages sent between the
  tower and the phone, it may not be encrypted, and may be easily sniffed.
  If you know where the user and their phone is, and they left bluetooth on,
  you could, in theory, silence the phone, go to the bank, log in, send the
  OTP to the phone, sniff it, enter it, then delete (via bluetooth) the SMS
  from the phone, removing any trace indicating to the user that their bank
  account has just been hacked.

  But with OTP, insecure is OK for banks it seems.

  Annoying thing about OTP -- if you use a 3rd party service like Mint.com
  or PayTrust.com to fetch your eBills, turning on OTP kills those very
  useful services.

Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
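The reply above argues that an insecure delivery channel is tolerable for an OTP. The example below, added here and not part of the thread or of any bank's system, shows the server-side properties that make that argument hold: each code is random, expires after a short window, is accepted at most once, and wrong guesses are limited. The class name, code length, validity window and attempt limit are assumptions chosen for illustration.

```python
"""Added example (not from the VoiceOps thread): a server-side one-time
password verifier with the properties that bound the damage of a code
sniffed in transit (short expiry, single use, guess limit).
All names and numbers here are assumptions for illustration."""
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
TTL_SECONDS = 120        # assumed validity window in seconds
MAX_ATTEMPTS = 3         # assumed wrong guesses allowed per issued code


class OtpStore:
    """Keeps the last code issued per user, its issue time and attempt count."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # user_id -> {"code", "issued", "attempts"}

    def issue(self, user_id):
        """Generate a fresh random code; this is what the bank would send by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = {"code": code, "issued": self._clock(), "attempts": 0}
        return code

    def verify(self, user_id, submitted):
        """Return True at most once, for the right code inside the window.

        Expiry, a correct match, and exhausting the attempt budget all discard
        the pending code, so a code captured in transit cannot be replayed
        later and cannot be brute-forced once issued.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing issued, or already used
        if self._clock() - entry["issued"] > TTL_SECONDS:
            del self._pending[user_id]         # expired: a new challenge is needed
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing does not leak matching digits.
        ok = hmac.compare_digest(entry["code"], str(submitted))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]         # single use, or lockout after bad guesses
        return ok


def demo():
    """Walk through the code lifecycle with a controllable clock.

    Returns (accepted, replayed, expired, wrong_guesses, locked_out).
    """
    now = [1_000_000.0]
    store = OtpStore(clock=lambda: now[0])

    code1 = store.issue("alice")
    accepted = store.verify("alice", code1)     # correct and fresh: True
    replayed = store.verify("alice", code1)     # same code again: False

    code2 = store.issue("alice")
    now[0] += TTL_SECONDS + 1                   # move past the validity window
    expired = store.verify("alice", code2)      # too late: False

    code3 = store.issue("alice")
    wrong = "000000" if code3 != "000000" else "111111"
    wrong_guesses = [store.verify("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    locked_out = store.verify("alice", code3)   # budget spent, even the right code fails

    return accepted, replayed, expired, wrong_guesses, locked_out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that every terminal outcome deletes the pending entry: an attacker who sniffs the code off the aggregator link or over the air has only the short window and a single use, and the legitimate user's own successful login consumes it first in the normal case.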