Comments on: Safe Banking by SMS? http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/ Linux, politics, and other interesting things Thu, 09 Feb 2012 01:09:24 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: etbe http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/comment-page-1/#comment-17938 etbe Sun, 08 Feb 2009 07:42:05 +0000 http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/#comment-17938 Mark: Do you have a URL with information about this? A quick google search doesn't find any pages which mention this. Mark: Do you have a URL with information about this? A quick google search doesn’t find any pages which mention this.

]]> By: Mark http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/comment-page-1/#comment-17835 Mark Wed, 04 Feb 2009 02:02:12 +0000 http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/#comment-17835 As a follow up, yesterday a customer with the Commonwealth Bank in Australia had $90,000 removed from their account - by a hacker that somehow intercepted the SMS call and transfered funds, without the knowledge of the customer. Clearly SMS messaging as a form of verification is a step above entering an AccountID and Password, but these days it is still an open door for smart hackers. Check out the various software available online that can hack into mobile phones. As a follow up, yesterday a customer with the Commonwealth Bank in Australia had $90,000 removed from their account – by a hacker that somehow intercepted the SMS call and transfered funds, without the knowledge of the customer.

Clearly SMS messaging as a form of verification is a step above entering an AccountID and Password, but these days it is still an open door for smart hackers. Check out the various software available online that can hack into mobile phones.

]]> By: krzysiek http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/comment-page-1/#comment-10650 krzysiek Fri, 16 Nov 2007 22:38:17 +0000 http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/#comment-10650 SMS includes a short description of transaction (accounts numbers and amount of money to transfer) Of course account is secured also by main password (not sent by SMS) And its free in mBank. Sample SMS and more info here: http://www.mbank.com.pl/eng/safety/sms_codes.html SMS includes a short description of transaction (accounts numbers and amount of money to transfer)
Of course account is secured also by main password (not sent by SMS)
And its free in mBank.

Sample SMS and more info here:
http://www.mbank.com.pl/eng/safety/sms_codes.html

]]> By: Jonathan Brugge http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/comment-page-1/#comment-10645 Jonathan Brugge Fri, 16 Nov 2007 21:29:03 +0000 http://etbe.coker.com.au/2007/11/17/safe-banking-by-sms/#comment-10645 At my bank in The Netherlands, SMS has been used for some years already. It avoids (most of) the problems you mention. The message contains an ID for the transaction, the amount to be transferred and the six digit code. A man-in-the-middle attack is difficult, because you'd need to be both in the middle of the internet connection and the GSM connection. Tampering with the amount is impossible because it is included in the message. Inserting a fraudulent transaction is impossible because transactions have an ID, which is both in the message and on the screen. The only possible problem is if someone has both your phone and your passwords - but that doesn't differ from the situation without SMS. My bank doesn't charge for the SMSs, so that's no problem. When you're on vacation (or some other place where you expect not to be able to use your phone), you can get a short list of pregenerated codes, so you can do transactions without your phone for a while. All in all, it works pretty well for me. It might be even safer if the generated code is a function of the receiving bank account and maybe some other parameters - they might even be doing that, but using some other mechanism for the pregenerated codes. At my bank in The Netherlands, SMS has been used for some years already. It avoids (most of) the problems you mention. The message contains an ID for the transaction, the amount to be transferred and the six digit code. A man-in-the-middle attack is difficult, because you’d need to be both in the middle of the internet connection and the GSM connection. Tampering with the amount is impossible because it is included in the message. Inserting a fraudulent transaction is impossible because transactions have an ID, which is both in the message and on the screen.

The only possible problem is if someone has both your phone and your passwords – but that doesn’t differ from the situation without SMS.

My bank doesn’t charge for the SMSs, so that’s no problem. When you’re on vacation (or some other place where you expect not to be able to use your phone), you can get a short list of pregenerated codes, so you can do transactions without your phone for a while. All in all, it works pretty well for me. It might be even safer if the generated code is a function of the receiving bank account and maybe some other parameters – they might even be doing that, but using some other mechanism for the pregenerated codes.

]]>