RE: SMS Banking

The solution needs to be based on risk.

Where a system uses an SMS response with a separate system (such as a web
page), the probability that the banking user is compromised and a fraud is
committed, P(Compromise), can be calculated as:
P(Compromise) = P(C.SMS) x P(C.PIN)

Where: P(C.SMS) is the probability of compromising the SMS function and
P(C.PIN) is the compromise of the user authentication method

The user can be compromised by Trojan apps, poor pins that are pasted to a
monitor etc.

P(C.SMS) and P(C.PIN) are statistically independent and hence we can simply
multiply these two probability functions to gain P(Compromise). The reason
for this is that (at present) the SMS and web functions are not the same
process and compromising one does not aid in compromising another. With the
uptake of 4G networks this may change and the function will not remain as

It may be possible to compromise GSM, but the truth is that this must be
done from a select number of locations and the attacker also requires far
more information than the PIN and account number. This makes the attack far
more difficult and far costlier to the attacker.

This also means that the attack has to be targeted in place of scripted (as
many bots already are).

On the other hand, the probability that an SMS only system can be cracked is
simply the P(C.SMS) function and this is far lower than a system that
deploys multiple methods.

This SMS only means would not be a good means of authentication a user. As a
secondary factor, SMS adds complexity. By itself, SMS is a poor means of
controlling risk.

Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Markus Matiaschek
Sent: Saturday, 6 February 2010 9:08 AM
To: M.D.Mufambisi
Cc: pen-test@xxxxxxxxxxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: SMS Banking


I'd just like to make some comments, i didn't think about a solution
for your problem.

First of all i think that my Budi wibowo got something wrong regarding
who is sending the PIN.

Second, GSM is cracked: and can be
intercepted and decrypted. You should take this into account.

Third i think the only farely safe way to make money transfers is with
transaction numbers, TANs. German banks send mobileTANs to
preregistered cell phone numbers to allow a transaction (through
online banking though).
A "three-way-handshake" with a mTAN should pretty much prevent
transactions through spoofed numbers.

Markus Matiaschek
Absolute IT Consulting S.A.
San José, Costa Rica

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

Relevant Pages

  • RE: SMS Banking
    ... Where a system uses an SMS response with a separate system (such as a web ... multiply these two probability functions to gain P. ... It may be possible to compromise GSM, but the truth is that this must be ... Securing Apache Web Server with thawte Digital Certificate ...
  • Re: More SMS 2003 rebuilding questions . . .
    ... >> server was added in SP1, and if my hunch that the Recovery Expert Web ... Here's the process for exporting the SMS Certificates: ... Encryption Certificate" and "SMS Signing Certificate". ...
  • RE: SMS Banking
    ... SMS based solutions are inherently insecure; not just from the application level, but from the carrier level. ... You're assuming the carrier media is secure, which is not the case as Karsten showed at the CCC when he cracked GSM. ... Securing Apache Web Server with thawte Digital Certificate ...
  • Re: Inventory Protection and PKI certificate
    ... (Appendix B: SMS Certificate Infrastructure) ... you can delete the row for the client in the ... >> will again be populated with the new public key. ...
  • Re: Advanced Client Install for RIS Imaging
    ... one question is should i set the registry key as dormant or auto? ... I am looking to install a advanced client on a machine that is to be used as ... security certificate for the computer that it is installed on. ... Also - does anyone know if RIPREP will remove the SMS GUID when images are ...