Australian Telcos Declare SMS Unsafe For Bank Transactions
littlekorea writes "Australia's telcos have declared that SMS technology should not be used by banks to verify identities for online banking transactions, in a bid to wash their hands of culpability for phone porting hacks. But three of Australia's largest four banks insist they will continue to use SMS messages to carry authentication codes for transactions."
something you know, something you have, and something you are
Sent from someone else's phone.
Have gnu, will travel.
From the department of No Shit Sherlock!
For those that were not previously aware, banking via email or smartphone is begging to have your account emptied.
I'm not at all surprised that the banks here don't follow that advice. :-(
Westpac seems to think that a six digit password (upper-case characters and digits only) is enough for online banking.
Geek by Nature - Linux by Choice.
Symantec VIP
https://www.symantec.com/verisign/vip-authentication-service
Google Authenticator
http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
coming from banks that only allow 6-8 alphanumeric characters and no specials for passwords
n/t
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It would be nice if one could add a standardized encryption/signing layer on top of MMS (or SMS if one stitched together multiple messages.) That way, an app from the bank could look at incoming messages, verify they were genuine (regardless of what the phone number states), decrypt them with the user's key, and pass the authentication info to the user.
Fake SMS attempts would be detected/ignored, and an attacker able to get access to text messages wouldn't have the ability to decode them unless they also had access to the phone and the app's private key (which would be unique and generated on each device.)
Where I live, more people have cellphones than homekeys.
As far as banking security is concerned, my bank does use SMS's to verify large transactions. You confirm the transaction normally on the computer, but the final commit is postponed until a simple handshake is completed using a cell phone.
The main point of this SMS scheme is to cover the case where your computer has been hijacked. You are entering the right codes but unknowingly are confirming a different transaction. The SMS contains the transaction seen by the bank. You can then check that the recipient and sum match what you had entered on the computer.
The problem is the customer misinterprets the SMS as a secondary authentication. No, the computer transaction already authenticated you. Because of the misinterpretation, the customer is prone to just blindly wave the transaction through without checking the recipient account number. Well, at least the customer had a chance to intervene...
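The two comments above (the signed/encrypted message layer an app could verify regardless of the sending number, and the SMS that carries the transaction as the bank sees it so the customer can compare recipient and sum) can be combined into one small scheme. The following is an added example, not code from the original thread or from any bank: it assumes a per-device secret provisioned when the app is enrolled, a pipe-separated message layout (`v1|counter|recipient|amount_cents|code|tag`) and HMAC-SHA256 as the tag, covering the authenticity half of the proposal only (no confidentiality). The sample key and transaction values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-device key (assumption: generated at enrolment and shared once
# with the bank over a trusted channel). A real app would keep it in a keystore.
DEVICE_KEY = bytes.fromhex("0f" * 32)

MSG_VERSION = "v1"
TAG_HEX_LEN = 32  # 128-bit truncated HMAC-SHA256, fits comfortably in one SMS


def generate_code() -> str:
    """Bank side: the six-digit code the customer types back into online banking."""
    return f"{secrets.randbelow(10**6):06d}"


def build_confirmation_sms(key: bytes, counter: int, recipient: str,
                           amount_cents: int, code: str) -> str:
    """Bank side: compose the SMS body the app will verify.

    The tag covers every field before it, so changing the recipient or amount,
    or re-sending an old message, is caught by the app rather than by the user's
    eyesight alone. The counter must increase per message to defeat replay."""
    body = f"{MSG_VERSION}|{counter}|{recipient}|{amount_cents}|{code}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return f"{body}|{tag}"


def verify_confirmation_sms(key: bytes, last_counter: int, sms: str):
    """App side: verify the tag first, ignoring whatever sender number the phone
    shows. Returns (ok, fields, reason); fields is None unless ok is True."""
    parts = sms.split("|")
    if len(parts) != 6 or parts[0] != MSG_VERSION:
        return False, None, "malformed"
    body, tag = "|".join(parts[:5]), parts[5]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, None, "bad tag"
    try:
        counter = int(parts[1])
        amount_cents = int(parts[3])
    except ValueError:
        return False, None, "malformed"
    if counter <= last_counter:
        return False, None, "replay"
    fields = {"counter": counter, "recipient": parts[2],
              "amount_cents": amount_cents, "code": parts[4]}
    return True, fields, "ok"


def matches_intended(fields: dict, intended_recipient: str,
                     intended_amount_cents: int) -> bool:
    """The check the second comment describes: does the transaction the bank saw
    match what the customer typed on the (possibly compromised) computer?
    A hijacked browser that substituted its own payee fails this comparison."""
    return (fields["recipient"] == intended_recipient
            and fields["amount_cents"] == intended_amount_cents)


if __name__ == "__main__":
    # Constructed scenario: the customer meant to pay account 12345678 $1,500.00,
    # but malware on the PC submitted a transfer to account 99999999 instead.
    sms = build_confirmation_sms(DEVICE_KEY, 8, "BSB 062-000 ACC 99999999",
                                 150000, generate_code())
    ok, fields, reason = verify_confirmation_sms(DEVICE_KEY, 7, sms)
    print("authentic:", ok, reason)
    print("matches what I typed:",
          matches_intended(fields, "BSB 062-000 ACC 12345678", 150000))
```

The tag check is what lets the app ignore the caller-ID of the message entirely; the counter check is what stops an old confirmation being pushed at the phone again; and the final comparison is the human step the comment above warns customers skip, now reduced to a yes/no the app can highlight.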
The best answer to this was IBM's ZTIC. The ZTIC is a simple device, and the KISS principle is important when it comes to security.
You plug it into a USB port, it authenticates and has a direct secure channel to the bank regardless of how compromised the computer it is plugged into might be.
Then, when you do a bank transaction, the ZTIC will pop up a display confirming the transaction, the parties involved, the direction, the time, and the amount. A transfer of a complete bank account to Nigeria is fairly obvious unless someone just blindly hits the "approve" button like the guy on the Drivetime commercial.
The worst malware can do is cut the path between the ZTIC and the bank's computers which means the transaction doesn't get confirmed and thus doesn't happen.
Someone transferred her number and she didn't notice? And she runs a business?
Not getting any calls wasn't clue enough?
Who logs in to gdm? Not I, said the duck.
Secure Computing and iTnews.com.au have led a campaign to convince Australia's telcos to include extra security questions during the mobile phone number porting process to ensure fraudsters can't take control of a victim's phone number to gain access to SMS verification codes.
Let me guess. Secure Computing and iTnews.com.au work closely with Telstra and Optus right?
Here in Australia, thanks to consumer protection legislation, changing mobile providers is a breeze. You ring up the provider you wish to change to and you ask to be ported. They send you an SMS and ask your personal details and old provider's account number and then switch you over. It's both secure and easy (they need your phone number, old provider details and personal details to switch you over). You're now with another provider. You don't need to cancel with your old provider, they do that for you. Your number stays the same. The two biggest Telcos (Telstra and Optus) hate it as there's no lock-in. They have to compete on price and service.
So Telstra and Optus lobby hard to ban number porting. They make up bullshit such as "OMG allowing people to switch phone providers is dangerous!!!!". They get their friends in the media to chant the same thing. "Ban number porting!!!"
The reality is that the banks don't use SMS confirmations for anything more than a 3rd layer of security. They don't ask you to transmit anything over the SMS service, it's simply used by them to send you a message that a transaction is taking place along with a key that you have to type into online banking (after logging in securely) to allow that transaction to proceed. Essentially it's traditional "login over https" style banking with an extra layer of SMS notifications when you do transactions. It doesn't need the SMS security itself to be bomb-proof as that's just the last step.
So all this talk of restricting number porting is ridiculous. Good on the Communications Alliance (who are mostly made up of smaller Telcos that like number porting) for not bowing to the pressure and bullshit spouted here by iTnews.com.au. It really isn't an issue, in fact I think other countries should adopt similar consumer protection laws where switching providers whilst retaining the old mobile number is a breeze.
My bank went for a similar device. Trouble was, it wasn't supported by linux. Even a windows computer would have required a proprietary driver and application. I will trust my money to the bank, but I sure as hell won't trust the bank enough to install their software on my computer. Had to switch banks.
Is ZTIC supported by Fedora out of the box?
This seems more a case of social engineering than exploiting the lack of SMS security.
The main issue as I see it is that Vodafone ported over the number to a new phone while talking to an unverified person. They may have verified him, but only with some weak details that were publicly available.
/. always reaches for the tech solution first.
Obligatory - http://xkcd.com/538/
Hell, not just that. SMS is one small step of internet banking. You still need the bank's userID and password to log into online banking before you even make use of the SMS transaction confirmations. There are also a lot of requirements for number porting as it is too - accountID and details with the old provider, and there are SMS notices sent when the porting is attempted too.
So this woman was socially engineered out of the following - her real name, address and DOB (fair enough, this is publicly available), her old mobile provider's details and accountID (someone went through her bin?), her bank's clientID and password (did she fall for a fake bank email?), she didn't notice the SMS announcements that she'd be ported to a new provider next month (wtf?) and finally she didn't notice a lack of calls coming in.
At some point you have to say fuck it, there's no way to protect people like this. Even if it was made more difficult to port numbers she's clearly stupid enough to give away any and all information asked of her.
I wish I knew... I assume that it would be Linux friendly.
What would be ideal is a ZTIC-like device as one offering, but if it requires a driver, perhaps an app for a smartphone that uses OpenPGP packets over MMS might be passable. Since the app would use the phone's IP stack to communicate, it would be fairly secure, barring a compromise of the device.
Plus, since the app is only communicating with the bank, it could have the fingerprints of any public keys built in, so a compromised CA would have zero effect on the communications channel.
I guess it takes longer for some obvious things to sink in down under. SMS insecure? Never heard that before. (ROFL)
I don't know where you live, but I can say definitively(*) that (most, and probably all of) the Australian Banks do consider it as secondary authentication.
Most of them see the out-of-band transaction confirmation as an added benefit rather than the primary goal.
(*) I helped design these systems for 2 banks, and the projects were always referred to as Two/Multi-Factor-Authentication projects.
No, you have the option of using a mobile telephone (no, like the rest of the world we don't call them "cell" phones) or can opt for the other method (either a one time pad or RSA token depending on the bank).
Calling someone a "hater" only means you can not rationally rebut their argument.
So if I can't keep up with who has my current phone number it's the vendor at fault? The fact they all have multiple databases that they can't keep continuity between is their fault - swapping phones and not updating my number is my fault. Let's criticise them for REAL failures in Information Security.
Westpac doesn't allow you to use the clipboard on their complaints page - yet claims on Twitter it is to enhance security... you can copy/paste into the loan application and login pages - I'm glad secure complaints are more important than secure logins. Additionally Westpac allows known-to-be-skimmed cards to continue to be used (albeit not via SOME online vendors) and will occasionally acknowledge that refunds/card replacements are their only real security plan.
NAB have scripted their site so PDF delivery will only work/be available if you are using Adobe products, otherwise it will default to plain text files. When challenged they concede that it is the case that it's "too complicated" to explain to a highly qualified IT professional why this is, or to pass on the workaround which they informed the customer they have in their knowledge base. Apparently security via obscurity is acceptable in the banking sector.
Commonwealth Bank - has only fairly recently realised criminal history / background checks for your contractors are actually a legal requirement (or was it the third party who was missing those checks), and oh my - look at all that "security".
Two InfoSec pros post as anons... there's a joke in that.
There's no joke in the fact that the two factor is using pre-broken algorithms and is only usually offered to business customers.