Security Issues in Mobile Banking

From: MOHESOWA BYAS (byasmohesowa@sbm.intnet.mu)
Date: 03/11/03

    From: MOHESOWA BYAS <byasmohesowa@sbm.intnet.mu>
    To: security-basics@securityfocus.com
    Date: Tue, 11 Mar 2003 10:21:41 +0400
    
    

    Hi,

    There is one ISP offering SMS-based banking, whereby customers who already
    have an Internet Banking account can send an SMS-based query and get their
    balance as an SMS reply.

    The user sends his username and password to the service provider as an SMS;
    the ISP processes the request by running a script which initiates an "https"
    session with the Bank's Internet Banking Server, and does a balance inquiry
    using the username and password.

    If the credentials supplied are valid, then the balance info is sent back to
    the user as an SMS.

    The username and password are not encrypted on the ISP server which sends the
    script; however, they are replaced by **** in the log files.

    We have some doubts as listed below:
    1. Is mobile banking a proven safe technology?
    2. Is this a common type of service or is it completely new?
    3. Are there any known security incidents using this service?
    4. What features should we consider to make a risk assessment of the service
    being proposed?
    5. Any other items that must be considered?

    Thanks for your feedback!
    Regards
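
Added example, not part of the original post: one check a risk assessment of the gateway described above could include is to send a canary credential through the service and confirm that the "replaced by ****" masking holds for every encoding in which the password might be logged. The log format, the `BAL` keyword and the canary account are assumptions constructed for illustration.

```python
import base64
from urllib.parse import quote


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def encoded_forms(user: str, password: str) -> dict[str, str]:
    """Representations in which the canary password could reach a log file."""
    return {
        "plain": password,
        "url-encoded": quote(password, safe=""),
        "http-basic": _b64(f"{user}:{password}"),  # Authorization header value
        "base64": _b64(password),
        "hex": password.encode().hex(),
    }


def find_leaks(log_lines, user, password):
    """Return (line_number, form) for each line containing the canary password."""
    forms = encoded_forms(user, password)
    findings = []
    for number, line in enumerate(log_lines, start=1):
        for form, needle in forms.items():
            # Percent-escapes and hex digits may be logged in either case.
            if form in ("url-encoded", "hex"):
                hit = needle.lower() in line.lower()
            else:
                hit = needle in line
            if hit:
                findings.append((number, form))
                break  # one finding per line is enough to fail the check
    return findings


# Constructed canary account and log excerpt (assumed format, not a real gateway).
CANARY_USER, CANARY_PASS = "canary_user", "C@nary+2003!"
SAMPLE_LOG = [
    "sms-in text='BAL **** ****'",
    "debug https body=user=canary_user&pass=C%40nary%2b2003%21",
    "debug header Authorization: Basic " + _b64("canary_user:C@nary+2003!"),
    "sms-out text='Balance sent'",
]

if __name__ == "__main__":
    for number, form in find_leaks(SAMPLE_LOG, CANARY_USER, CANARY_PASS):
        print(f"line {number}: canary password present ({form})")
```

A clean result only covers the log files scanned; it says nothing about the SMS path itself or the unencrypted copy the post says is held on the ISP server.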


