Slashdot Mirror


Investigators Replicate Nokia 1100 Banking Hack

Ian Lamont writes "Investigators have duplicated an online banking hack using a 2003-era Nokia mobile phone. Authorities had been aware for some time that European gangs were interested in buying the phone, and were finally able to confirm why: It can be used to access victims' bank accounts using "special software written by hackers." The hack apparently works by letting criminals reprogram the phones to use someone else's phone number and receive their SMS messages, including mTANs (mobile transaction authentication numbers) from European banks. However, the only phones that work are 1100 handsets (pictures) made in a certain factory. Nokia had claimed last month it had no idea why criminals were paying thousands of euros to buy the old handsets."

6 of 181 comments

  1. the real security defect by Gary W. Longsine · Score: 4, Insightful

    Correct. The real defect here isn't the phone, it's the system it's spoofing. This phone just makes it easier to construct the spoof.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  2. Re:Interesting by e4g4 · Score: 5, Insightful

    I'm guessing it won't take long for these phones to be outlawed in the EU though.

    Yeah, legal prohibition is an excellent way to prevent people from using something. It works so fantastically well for drugs, guns and pirated music/movies.

    --
    The secret to creativity is knowing how to hide your sources. - Albert Einstein
  3. Re:So who will be fired by jimicus · Score: 5, Insightful

    A number of people in IT seem to believe that the only acceptable form of security - particularly as it relates to anything remotely important - is one which is not susceptible to any sort of attack, real or theoretical, until some time after the heat death of the universe.

    Banks don't. They know full well that there will always be a certain amount of fraud no matter what you do.

    Every change you want to make to the bank's system costs - in man hours to develop, test and deploy the fix, and also in terms of the risk of something going wrong when you come to deploy. Most of these costs can be boiled down to cold hard cash. If making the necessary changes will cost more than the amount of fraud it's expected to prevent, don't be surprised to see nothing change.

    Rest assured that these people count cash all day long; they can certainly work out exactly how much such changes will cost.

  4. Re:It may be illegal.. by sexconker · Score: 4, Insightful

    It's not the phone.
    A phone is nothing but a transceiver.

    It's the system we have for identifying phones, and the practice of letting people bank over it (or sending authentication PINs for PC banking to phones).

    Using a phone number as a method of authentication is inherently flawed. The practice will continue, however, because the plebes want easy more than they want secure. After all, it'll never happen to them.

  5. Re:Interesting by codegen · Score: 3, Insightful

    If all the carriers discontinued service to these models they would render them useless.

    I wasn't aware that the model of the phone was part of the GSM protocol. Even if it were, if you can program the phone to lie about the IMEI or IMSI, then you can program the phone to lie about the phone model to the provider.

    --
    Atlas stands on the earth and carries the celestial sphere on his shoulders.
  6. Re:i doubt it by Achromatic1978 · Score: 3, Insightful

    When receiving stolen property, the law looks at what a "reasonable" person would believe. A reasonable person would believe that someone selling on CL/eBay a Samsung 55" 1080p 120Hz LED TV, complete with packaging and receipt for warranty purposes, for, say, $2,500 (from a selling price at Amazon of $3,199) was getting a good, but legitimate, deal.

    A reasonable person, in the eyes of the law, would not believe if I came up to them at an outdoor cafe and said "Want a 55" LED TV for $300? Meet me in the parking lot in 5 minutes" that they were buying anything other than illegally obtained or acquired property.

    A reasonable person selling his Nokia 1100 (currently settling in the market for around $70) would assume that if they got, say, an offer of $150, the buyer might be an aficionado of old-school cellular technology.

    A reasonable person selling his Nokia 1100 would not "ask no questions" about a bidding war on their phone which saw it run into five-digit territory. A reasonable person would also have doubts about such money, and about the motivations of the buyer. Whilst under no obligation to investigate either, a reasonable person, in the eyes of the law, would have "concerns" about whether the payment they were about to receive was the proceeds of a crime, or similar.