<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Or your phone ends up in the wrong hands.<br>
<br>
On 12/10/2009 10:53 AM, Peter Beckman wrote:
<blockquote
cite="mid:alpine.BSF.2.00.0912101142430.72778@nog.angryox.com"
type="cite">On Wed, 9 Dec 2009, nick hatch wrote:
<br>
<br>
<blockquote type="cite">Hi all,
<br>
<br>
Reading the last thread on why SMS isn't/should be dead, I almost piped up
<br>
with a thought before I realized I should probably check my head-sphincter
<br>
interface, first.
<br>
<br>
Many banks use SMS messages as an out-of-band authentication factor for
<br>
online banking. (i.e., they send a challenge code to the customer's phone in
<br>
response to an online banking request) If one assumes that cell phone SMS
<br>
messages can't be intercepted out of the air by a forged device or through
<br>
other means, they operate as a quasi-physical authentication factor, which
<br>
is very valuable.
<br>
<br>
This would be a strong use case for SMS over email or other general-purpose
<br>
communication mediums where the password or other knowledge can be
<br>
bootstrapped into access to the medium.
<br>
<br>
However, I'm not so sure this assumption is correct. Does anyone have good
<br>
references for the security of SMS? The most I've been able to find is this
<br>
Slashdot article [1].
<br>
<br>
-Nick
<br>
<br>
[1] <a class="moz-txt-link-freetext" href="http://it.slashdot.org/article.pl?sid=09/05/21/1858233">http://it.slashdot.org/article.pl?sid=09/05/21/1858233</a>
<br>
</blockquote>
<br>
Is SMS secure? No. But SMS is useful for an OTP (One Time Password) such
<br>
as the banking industry is using.
<br>
<br>
SMS is not secure, in any way. Unless the banks have spent the tens, if
<br>
not hundreds, of thousands of dollars to directly connect with private
<br>
non-Internet lines directly to the carriers, or have an encrypted tunnel
<br>
between their operations and their aggregator, the SMS messages still go
<br>
over the Internet to an aggregator (mQube, Mobile 365 (now Sybase 365)).
<br>
During that process it is possible to sniff that information.
<br>
<br>
It is also possible that any company involved in the delivery of that SMS
<br>
is somehow compromised or able to be, at which point the SMS can be read.
<br>
Unless the SMS message is wrapped into a cryptographic tunnel between
<br>
endpoints, SMS must be assumed to be insecure.
<br>
<br>
The SMS is also delivered over the air, which means it can be intercepted.
<br>
I know that there is some sort of authentication between the phone and the
<br>
tower, but since SMS is part of informational messages sent between the
<br>
tower and the phone, it may not be encrypted, and may be easily sniffed.
<br>
If you know where the user and their phone is, and they left bluetooth on,
<br>
you could, in theory, silence the phone, go to the bank, log in, send the
<br>
OTP to the phone, sniff it, enter it, then delete (via bluetooth) the SMS
<br>
from the phone, removing any trace indicating to the user that their bank
<br>
account has just been hacked.
<br>
<br>
But with OTP, insecure is OK for banks it seems.
<br>
<br>
Annoying thing about OTP -- if you use a 3rd party service like Mint.com
<br>
or PayTrust.com to fetch your eBills, turning on OTP kills those very
<br>
useful services.
<br>
<br>
Beckman
<br>
---------------------------------------------------------------------------
<br>
Peter Beckman Internet Guy
<br>
<a class="moz-txt-link-abbreviated" href="mailto:beckman@angryox.com">beckman@angryox.com</a>
<a class="moz-txt-link-freetext" href="http://www.angryox.com/">http://www.angryox.com/</a>
<br>
---------------------------------------------------------------------------<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
VoiceOps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a>
</pre>
</blockquote>
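<br>
As an added illustration of the point Beckman makes about OTP over an untrusted channel, here is a server-side one-time-password checker in Python. It is not code from this thread, nor from any bank or aggregator; the gateway callback, the six-digit code, the 120-second lifetime and the three-attempt limit are assumptions chosen for the example. It shows which properties limit the value of a code sniffed in transit: the code is bound to the session that requested it, accepted exactly once, expires quickly, guesses are capped, and every verification is written to an audit list so a replay, an expired code or a lockout is visible to the defender.<br>

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed parameters for this illustration (assumptions, not from the thread).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code: str
    session_id: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Issues and verifies SMS one-time passwords.

    The SMS path is assumed to be readable by third parties, so every
    property that limits the damage lives on the server side: short TTL,
    single use, binding to the requesting session, a guess limit and an
    audit record of each verification outcome.
    """

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # hypothetical gateway callback (phone, text)
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # session_id -> PendingOtp
        self.audit = []             # list of (session_id, outcome) for detection

    def issue(self, session_id, phone_number):
        """Generate a fresh code for this session and hand it to the gateway.
        The code is never returned to the caller; only the phone sees it."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[session_id] = PendingOtp(
            code, session_id, self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone_number, f"Your code is {code}")

    def verify(self, session_id, candidate):
        """Return True only for the first correct, in-time guess for this session."""
        entry = self._pending.get(session_id)
        if entry is None:
            return self._record(session_id, "no_pending")   # wrong or unknown session
        if entry.used:
            return self._record(session_id, "replay")       # code already consumed
        if self._now() > entry.expires_at:
            del self._pending[session_id]
            return self._record(session_id, "expired")
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]
            return self._record(session_id, "locked")       # too many guesses
        # Constant-time comparison; different lengths compare unequal.
        if not hmac.compare_digest(entry.code, candidate):
            return self._record(session_id, "mismatch")
        entry.used = True                                   # keep entry so a replay is logged as such
        return self._record(session_id, "ok")

    def _record(self, session_id, outcome):
        self.audit.append((session_id, outcome))
        return outcome == "ok"


def demo():
    """Walk through the sniffed-code case with a constructed gateway and clock."""
    outbox = []                     # constructed stand-in for the SMS gateway
    clock = [1_000_000.0]           # constructed clock, advanced by hand
    svc = OtpService(send_sms=lambda num, text: outbox.append(text),
                     now=lambda: clock[0])

    svc.issue("sess-A", "+15555550100")
    sniffed = outbox[-1].split()[-1]            # what a reader of the SMS path sees
    results = {
        "other_session": svc.verify("sess-B", sniffed),   # bound to sess-A only
        "first_use": svc.verify("sess-A", sniffed),       # legitimate single use
        "replay": svc.verify("sess-A", sniffed),          # same code again
    }
    svc.issue("sess-C", "+15555550100")
    clock[0] += OTP_TTL_SECONDS + 1                         # let the code age out
    results["expired"] = svc.verify("sess-C", outbox[-1].split()[-1])
    return results, svc.audit


if __name__ == "__main__":
    outcome, audit = demo()
    print(outcome)
    print(audit)
```

Running demo() exercises the sniffed-code scenario: the code is refused for a session other than the one that requested it, succeeds once, and is logged as a replay afterwards; a second code is refused once its lifetime has passed. The audit list is what a monitoring pipeline would consume to raise an alert on repeated replay, lockout or expired-code events for one account.<br>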
</body>
</html>