General Musing

blaze your trail

More SMS banking by M&T #sms #bank #risk

with 2 comments

Brian Szymanski send a reply to me concerning another bank implementing SMS banking: M&T. Their demo, which you can find here, shows that currently you can only do balance inquiries, but it is a slippery road to implementing more features.

As I have stated numerous times before, SMS is not a secure method, even discounting the ability to snoop SMS. The sender number embedded in a sms is a 7-bit/11-byte length field containing a trailing F, specifications say this should be decimal semi-octets. What it doesn’t say, but is reasonably well known is that this is to all intents an alpha-numeric field which is set by the sender. This mean using this field you can spoof the sender, and using blind spoofing you may be able to fool the bank into performing a transaction. And if you are like many people you will not type the phone number when you reply you will reply to the message, so there is a possibility to blind spoof the user into performing a transaction or sending you transaction data. Which leaves the possibility of data leakage. Add that to the fact I can get the messages out of the air, and can either decrypt them or make rainbow tables[1]. There are so many attack vectors in SMS banking that I believe it’s not secure.

From GSM service security:

GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one.

If they stick to balance inquiries then it can be an acceptable risk, I even do balance inquiries using MSN with my bank, and this only slightly better security wise.

  1. Research May Hasten Death of Mobile Privacy Standard

Written by Daniël W. Crompton (webhat)

April 22, 2010 at 12:33 pm

Posted in business, finance, risk

Tagged with , , ,

2 Responses

Subscribe to comments with RSS.

  1. Thanks for posting this. I was so shocked when I saw my bank saying it did SMS banking, I thought there must be some clever trick to ensure security. Not so – instead it’s just hiding the risk by not allowing you to do certain transactions. So, if I’m snooping SMS and I find out the phone number and account balance of people walking by, that’s a pretty serious opportunity to do real harm, not just a privacy leak.

    brian szymanski

    April 22, 2010 at 1:45 pm

    • As I said in my previous comment you can get account balance, with simple social engineering, from a bank when you have an account number. With most US banks you can call up the local branch to check whether a certain check will not bounce, this is a trick that is also used when creating fake checks or defrauding credit cards. It is not that hard to find out what somebody’s account balance is, this doesn’t make it any easier or harder.

      When you check the demo again, and with the MSN option my bank offers, they do NOT give out the full account number. And as long as they don’t allow transactions this falls under acceptable risk for you and for the bank, as it’s not any less risky than the current situation you subscribe to.

      Unless you can give me an example to the contrary.


      April 22, 2010 at 4:00 pm

Please Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: