Is it possible to secure Internet banking with SMS?
As secure tokens are too expensive ($10 or more in bulk) and considered to be too difficult to use by many (most?) customers banks have sought out other options. One option that has been implemented by the National Australia Bank and will soon be available from the Commonwealth Bank is SMS authentication of transfers.
The idea is that when you issue an online banking request you receive an SMS with a password and then have to enter that password to authenticate it. If you receive an unexpected password then you know you have been attacked. I wonder how much information is in the SMS, does it include the amount and where the money is to be transferred (in the case of a funds transfer – the operation most likely to be used by attackers)? If the full details are not included then an attacker could hijack an active session, get the user to enter the password, and then act as if the user entered the password incorrectly. The user would then request a new SMS and complete their desired transfer without realising that they just authorised a transfer to Russia…
If the full details are recorded will the user look at them? Online banking fraud often involves transferring the funds to an idiot in the same country as the victim. Then the idiot sends the money to the attacker in some other manner which is more difficult to track. I wonder whether an attacker could divert the funds transfer to one of the idiots in question and have the victim not realise that the wrong account number was used.
Another issue is that of SMS interception. Anyone who can hack the network of a phone company could steal money from any bank account in the country! For wealthy people there is also the possibility of stealing their mobile phone and making funds transfers before they report the theft. Another possibility is to register for a new phone company. Last time I changed phone companies it took about an hour for the new company to have the phone number and I don’t recall the phone company doing anything to verify that I owned the number in question. If an attacker had a credit card with the same name as the victim (names are not unique so this is not impossible or even inherently illegal) they could open a new phone service and steal the number. Someone who’s mobile phone stops working probably wouldn’t assume that it was part of a bank fraud scheme and act accordingly, in fact if they don’t use their mobile phone later it might be several days before someone contacts them in some other manner and mentions that they weren’t answering their mobile phone.
A final possibility is the situation where a mobile phone is connected to a computer. Devices that combine mobile phone and PDA functionality are becoming common. A trojan horse program that offered to do something useful when a mobile phone was connected to the PC via a USB cable might fool some users. All that would be required is a few minutes of the phone being connected if the attacker already has the password for online banking. Maybe they could even make it appear that the bank was demanding that the phone be connected to the PC – that should fool users who don’t understand how SMS authentication works.
It seems to me that SMS authentication is an improvement (it adds an external device which usually can’t be directly manipulated by the attacker) but is far from perfect security.
I previously wrote about the bad idea that you can bank with an infected computer [1]. SMS authentication is a good step towards making things more difficult for attackers (which is always a good idea) but doesn’t really secure the system. Also it costs 5 cents for each SMS, I expect that the banks will want their customers to pay for this – I would rather pay for a $10 token up-front.
At my bank in The Netherlands, SMS has been used for some years already. It avoids (most of) the problems you mention. The message contains an ID for the transaction, the amount to be transferred and the six digit code. A man-in-the-middle attack is difficult, because you’d need to be both in the middle of the internet connection and the GSM connection. Tampering with the amount is impossible because it is included in the message. Inserting a fraudulent transaction is impossible because transactions have an ID, which is both in the message and on the screen.
The only possible problem is if someone has both your phone and your passwords – but that doesn’t differ from the situation without SMS.
My bank doesn’t charge for the SMSs, so that’s no problem. When you’re on vacation (or some other place where you expect not to be able to use your phone), you can get a short list of pregenerated codes, so you can do transactions without your phone for a while. All in all, it works pretty well for me. It might be even safer if the generated code is a function of the receiving bank account and maybe some other parameters – they might even be doing that, but using some other mechanism for the pregenerated codes.
SMS includes a short description of transaction (accounts numbers and amount of money to transfer)
Of course account is secured also by main password (not sent by SMS)
And its free in mBank.
Sample SMS and more info here:
http://www.mbank.com.pl/eng/safety/sms_codes.html
As a follow up, yesterday a customer with the Commonwealth Bank in Australia had $90,000 removed from their account – by a hacker that somehow intercepted the SMS call and transfered funds, without the knowledge of the customer.
Clearly SMS messaging as a form of verification is a step above entering an AccountID and Password, but these days it is still an open door for smart hackers. Check out the various software available online that can hack into mobile phones.
Mark: Do you have a URL with information about this? A quick google search doesn’t find any pages which mention this.