[VoiceOps] SMS receive security
Lee Riemer
lriemer at bestline.net
Thu Dec 10 11:58:20 EST 2009
Or your phone ends up in the wrong hands.
On 12/10/2009 10:53 AM, Peter Beckman wrote:
> On Wed, 9 Dec 2009, nick hatch wrote:
>
>> Hi all,
>>
>> Reading the last thread on why SMS isn't/should be dead, I almost piped up
>> with a thought before I realized I should probably check my head-sphincter
>> interface, first.
>>
>> Many banks use SMS messages as an out-of-band authentication factor for
>> online banking. (i.e., they send a challenge code to the customer's phone in
>> response to an online banking request) If one assumes that cell phone SMS
>> messages can't be intercepted out of the air by a forged device or through
>> other means, they operate as a quasi-physical authentication factor, which
>> is very valuable.
>>
>> This would be a strong use case for SMS over email or other general-purpose
>> communication mediums where the password or other knowledge can be
>> bootstrapped into access to the medium.
>>
>> However, I'm not so sure this assumption is correct. Does anyone have good
>> references for the security of SMS? The most I've been able to find is this
>> Slashdot article [1].
>>
>> -Nick
>>
>> [1] http://it.slashdot.org/article.pl?sid=09/05/21/1858233
>
> Is SMS secure? No. But SMS is useful for an OTP (One Time Password) such
> as the banking industry is using.
>
> SMS is not secure, in any way. Unless the banks have spent the tens, if
> not hundreds, of thousands of dollars to directly connect with private
> non-Internet lines directly to the carriers, or have an encrypted tunnel
> between their operations and their aggregator, the SMS messages still go
> over the Internet to an aggregator (mQube, Mobile 365 (now Sybase 365)).
> During that process it is possible to sniff that information.
>
> It is also possible that any company involved in the delivery of that SMS
> is somehow compromised or able to be, at which point the SMS can be read.
> Unless the SMS message is wrapped into a cryptographic tunnel between
> endpoints, SMS must be assumed to be insecure.
>
> The SMS is also delivered over the air, which means it can be intercepted.
> I know that there is some sort of authentication between the phone and the
> tower, but since SMS is part of informational messages sent between the
> tower and the phone, it may not be encrypted, and may be easily sniffed.
> If you know where the user and their phone is, and they left bluetooth on,
> you could, in theory, silence the phone, go to the bank, log in, send the
> OTP to the phone, sniff it, enter it, then delete (via bluetooth) the SMS
> from the phone, removing any trace indicating to the user that their bank
> account has just been hacked.
>
> But with OTP, insecure is OK for banks it seems.
>
> Annoying thing about OTP -- if you use a 3rd party service like Mint.com
> or PayTrust.com to fetch your eBills, turning on OTP kills those very
> useful services.
>
> Beckman
> ---------------------------------------------------------------------------
>
> Peter Beckman
> Internet Guy
> beckman at angryox.com
> http://www.angryox.com/
> ---------------------------------------------------------------------------
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
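The flow Beckman describes (bank issues a one-time code, the code crosses an aggregator path and an air interface that must be assumed readable, the customer types it back) is easy to reason about in code. Below is an added example, not code from this thread or from any bank or aggregator, of a minimal server-side OTP issuer and verifier together with small simulations of the cases discussed: a sniffed code replayed after the customer has used it, the live interception attack where the attacker triggers the code and enters it within the window, expiry, and a guess budget. It goes one step beyond the thread by binding each code to the transaction text it authorises, so a code sniffed for one request cannot be used for a different one; that binding, the six-digit length, the two-minute window and the three-attempt limit are all assumptions of the example, as are the session and transaction names.

```python
# Added example, not from the VoiceOps thread. Models: issue one-time code,
# code crosses an untrusted SMS path, server verifies it. Digit count, TTL,
# attempt limit and transaction binding are assumptions for illustration.
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess budget per issued code


class OtpStore:
    """Outstanding codes, stored only as a salted HMAC so a read of the
    store (the 'compromised delivery company' case) yields no usable code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> record

    @staticmethod
    def _digest(salt, code, transaction):
        return hmac.new(salt, f"{transaction}|{code}".encode(), hashlib.sha256).digest()

    def issue(self, session_id, transaction):
        """Create a code for one session and one transaction description.
        The returned string is what would be handed to the SMS aggregator."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[session_id] = {
            "salt": salt,
            "digest": self._digest(salt, code, transaction),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, session_id, code, transaction):
        """Return (accepted, reason). A code is accepted at most once, only
        before expiry, only for its own transaction, within MAX_ATTEMPTS."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False, "no_pending_code"
        if self._clock() > rec["expires"]:
            del self._pending[session_id]
            return False, "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[session_id]
            return False, "too_many_attempts"
        got = self._digest(rec["salt"], code, transaction)
        if hmac.compare_digest(rec["digest"], got):
            del self._pending[session_id]  # single use
            return True, "ok"
        return False, "mismatch"


class FakeClock:
    """Deterministic clock so the expiry path runs offline."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def replay_after_use():
    """Attacker sniffs the code in transit, but the customer enters it first:
    single use makes the sniffed copy worthless."""
    store = OtpStore(FakeClock())
    sniffed = store.issue("sess-1", "login")           # code leaves over SMS
    customer = store.verify("sess-1", sniffed, "login")
    attacker = store.verify("sess-1", sniffed, "login")
    return customer[0], attacker[1]                    # (True, 'no_pending_code')


def live_interception():
    """The thread's scenario: attacker triggers the OTP, sniffs it off the
    untrusted path and enters it inside the window. One-time-ness does not
    stop this; only secrecy of the channel would."""
    store = OtpStore(FakeClock())
    sniffed = store.issue("sess-2", "login")
    return store.verify("sess-2", sniffed, "login")[0]  # True


def expired_code():
    clock = FakeClock()
    store = OtpStore(clock)
    code = store.issue("sess-3", "login")
    clock.now += OTP_TTL_SECONDS + 1
    return store.verify("sess-3", code, "login")[1]     # 'expired'


def wrong_transaction():
    """Code sniffed for one transfer cannot authorise a different one."""
    store = OtpStore(FakeClock())
    code = store.issue("sess-4", "transfer 10.00 to ACME")
    return store.verify("sess-4", code, "transfer 9000.00 to MULE")[1]  # 'mismatch'


def brute_force_budget():
    store = OtpStore(FakeClock())
    code = store.issue("sess-5", "login")
    wrong = "000000" if code != "000000" else "000001"   # guaranteed wrong guess
    reasons = [store.verify("sess-5", wrong, "login")[1] for _ in range(MAX_ATTEMPTS + 1)]
    return reasons[-1]                                  # 'too_many_attempts'
```

The two simulations worth comparing are replay_after_use and live_interception: the same sniffed code is harmless in the first and fully effective in the second, which is exactly the gap Beckman's bluetooth-and-sniff scenario exploits. Expiry, the attempt budget and transaction binding shrink the window and the blast radius, but none of them restores secrecy to the SMS leg; that only comes from an end-to-end cryptographic tunnel or a different second factor.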