Posts Tagged ‘gsm’
USSD is part of the GSM standard which tends more towards a real-time messaging service, unlike SMS no data is stored on the mobile or network. All the data still goes over the same channel over the GSM network, and thus is still inherently insecure, due to the fundamental flaws in the GSM encryption methodology.
One of the advantages over SMS is that nothing sits in between to store messages, so they must be answered immediately. The back end application is responsible for the message handling, as it is completely session oriented. There is both a push and pull method, which means communication is initiated from the mobile or network. IMHO this still leaves it susceptible to a man-in-the-middle attack.
Do banks consider this acceptable risk? Or do they just not know the whole truth?
I just finished watching Citizen Engineer, I’m in love. No honest, there is just something about a girl and her soldering iron. There are two things which are discussed in this first episode Phones
- SIM Card Hacking
- Payphone Hacking
The first subject is handled a little too fast for my liking and doesn’t cover all the interesting parts, although it is mostly left up the the viewer to try it themselves. Payphone Hacking is covered in depth, it’s divided into 3 sections:
- Hooking the Payphone up to VoIP
- Fixing the Payphone so it accepts quarters
- Creating a system which can be bypassed with a Redbox
It’s geeky, but it’s fun!
I mentioned the insecurity of mobile payment systems before in Rabobank has insecure SMS banking. Apparently the RBI has the same reservations I do. In the article RBI puts a temporary halt on Mobile Payment Services explains.
They haven’t stopped regular services such as requesting bank balance, but they have halted signing off on permitting projects to go life until the final guidelines have been issued, micropayments and larger transactions.
From the draft guidelines:
It is suggested that the banks issue a new mobile pin (mPIN). […] Banks and the various service providers involved in the m-banking should comply with the following security principles and practices with respect to mPIN : […]
Protect the mPIN using end to end encryption
They don’t seem to require One Time Passwords, which I would certainly have as a requirement, and I hope they don’t consider A5 to be end-to-end encryption. Nokia and Visa already started working on a secure payment system in 2007 using RFID.1
The Rabobank has a new service called Rabo SMS Betalen, the purse can be accessed by SMS.
- Alice sends a message to 6689 with the phone number and amount in the body, either +316-<number> or 06-<number>
0612345678 15 Thanks for the money, Bob.
- Alice receives a confirmation SMS from 6689 with an OTP (One Time Password)
- Alice sends the OTP back by SMS to 6689 confirm the transaction
- Bob, the recipient, receives a confirmation SMS from 6689 that money has been transferred from Alice’s phone number
There are a number of issues with this, primarily that it is possible to perform a man-in-the-middle attack on this system with less than $1000 worth of equipment.
From GSM Security:
GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one.