Posts Tagged ‘us’
Brian Szymanski sent me a reply concerning another bank implementing SMS banking: M&T. Their demo, which you can find here, shows that currently you can only do balance inquiries, but it is a slippery slope towards implementing more features.
As I have stated numerous times before, SMS is not a secure method, even discounting the ability to snoop SMS. The sender number embedded in an SMS is a 7-bit, 11-byte length field ending in a trailing F; the specifications say it should consist of decimal semi-octets. What they don't say, but is reasonably well known, is that this is to all intents an alphanumeric field set by the sender. This means that using this field you can spoof the sender, and with blind spoofing you may be able to fool the bank into performing a transaction. And if you are like many people, you will not type the phone number when you reply; you will simply reply to the message, so there is a possibility of blind spoofing the user into performing a transaction or sending you transaction data, which leaves the possibility of data leakage. Add to that the fact that I can get the messages out of the air and can either decrypt them or make rainbow tables. There are so many attack vectors in SMS banking that I believe it's not secure.
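To make the sender field concrete, here is an added example (my own code, not from the original post and not M&T's) that decodes the TP-Originating-Address of an SMS-DELIVER PDU as laid out in 3GPP TS 23.040: a length octet counting semi-octets, a type-of-address octet whose Type-of-Number bits say whether the value is a phone number or free text, and the value itself, either reversed-nibble BCD digits padded with F or GSM 7-bit packed characters. The two PDU fragments, the trust classification and the `may_execute` policy are constructed for the example; the point is that a receiving application can tell an alphanumeric sender ID from a number, but it can never authenticate either, so the sender field alone should only ever unlock read-only requests.

```python
"""Decode and classify the sender (TP-Originating-Address) field of an
SMS-DELIVER PDU.  Added example, not code from the original post; field
layout per 3GPP TS 23.040.  The PDU bytes below are constructed."""
from dataclasses import dataclass

# GSM 7-bit default alphabet, index == septet value (0x00..0x7F)
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128

TON_INTERNATIONAL = 0b001   # Type of Number: E.164 international number
TON_ALPHANUMERIC = 0b101    # Type of Number: free text, GSM 7-bit packed
NPI_ISDN = 0b0001           # Numbering plan: ISDN/telephone (E.164)


@dataclass
class SenderAddress:
    ton: int        # bits 6..4 of the type-of-address octet
    npi: int        # bits 3..0 of the type-of-address octet
    value: str      # decoded digits or alphanumeric text
    consumed: int   # bytes the TP-OA occupied in the PDU


def decode_bcd_digits(data: bytes, n_digits: int) -> str:
    """Unpack reversed-nibble BCD; the low nibble of each octet is the first digit."""
    nibbles = []
    for octet in data:
        nibbles.append(octet & 0x0F)
        nibbles.append(octet >> 4)
    nibbles = nibbles[:n_digits]          # drops a trailing F filler nibble
    if any(n > 9 for n in nibbles):
        # 0xA..0xE are the rarely used '*#abc' extensions, 0xF is filler;
        # neither belongs inside a phone number this parser will act on.
        raise ValueError("non-decimal semi-octet inside digit string")
    return "".join(str(n) for n in nibbles)


def decode_gsm7(data: bytes, n_septets: int) -> str:
    """Unpack 7-bit septets packed LSB-first into octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(n_septets))


def parse_originating_address(pdu: bytes, offset: int = 0) -> SenderAddress:
    """Parse TP-OA starting at pdu[offset]: length, type-of-address, value."""
    if len(pdu) < offset + 2:
        raise ValueError("truncated TP-OA header")
    addr_len = pdu[offset]            # number of useful semi-octets
    toa = pdu[offset + 1]
    if not toa & 0x80:
        raise ValueError("type-of-address octet must have bit 7 set")
    ton, npi = (toa >> 4) & 0x07, toa & 0x0F
    n_bytes = (addr_len + 1) // 2     # odd digit counts are padded with F
    body = pdu[offset + 2 : offset + 2 + n_bytes]
    if len(body) != n_bytes:
        raise ValueError("truncated TP-OA value")
    if ton == TON_ALPHANUMERIC:
        value = decode_gsm7(body, (addr_len * 4) // 7)
    else:
        if addr_len % 2 and body[-1] >> 4 != 0xF:
            raise ValueError("odd digit count without trailing F filler")
        value = decode_bcd_digits(body, addr_len)
    return SenderAddress(ton, npi, value, 2 + n_bytes)


def trust_level(addr: SenderAddress) -> str:
    """How far a receiving application may rely on the sender field alone."""
    if addr.ton == TON_ALPHANUMERIC:
        return "untrusted"   # free text, set by whoever submitted the message
    if addr.ton == TON_INTERNATIONAL and addr.npi == NPI_ISDN:
        return "weak"        # a real-looking number, but still sender-supplied
    return "untrusted"       # unknown/national plans: ambiguous to normalise


def may_execute(addr: SenderAddress, command: str) -> bool:
    """Constructed policy: the sender field alone only unlocks read-only requests."""
    return command == "balance" and trust_level(addr) == "weak"


# Constructed SMS-DELIVER fragments: first octet (0x04) followed by TP-OA,
# then PID and DCS; the remaining fields are omitted for brevity.
NUMERIC_PDU = bytes.fromhex("04 0B 91 51 55 21 43 65 F7 00 00")  # +15551234567
ALPHA_PDU = bytes.fromhex("04 07 D0 C2 A0 73 09 00 00")          # "BANK"

if __name__ == "__main__":
    for pdu in (NUMERIC_PDU, ALPHA_PDU):
        oa = parse_originating_address(pdu, 1)
        print(oa, trust_level(oa), may_execute(oa, "transfer"))
```

Running it decodes the first fragment to the international number 15551234567 (the odd digit count is what produces the trailing F in `F7`) and the second to the alphanumeric sender "BANK"; neither sender is allowed to trigger a transfer, and only the numeric one is allowed a balance inquiry.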
From GSM service security:
GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one.
If they stick to balance inquiries then it can be an acceptable risk; I even do balance inquiries using MSN with my bank, and that is only slightly better security-wise.
They are collecting one little green plastic army man figure for each of the fallen troops in the Iraqi War. It […] started after reading about a class doing something similar for holocaust survivors in Tennessee.
Although it is somewhat ironic that some of the comments left suggest the teacher has a political agenda, which is refuted in other comments. In my opinion war is always political and any memorial is political.
After the House approved the overhaul of wiretap laws, I was pointed to this article: Obama Camp Says It: He'll Support Filibuster Of Any Bill Containing Telecom Immunity. Apparently Obama (his campaign) had already said in October of 2007 that they would.
Sadly, as I read in the NYT article Senate Approves Bill to Broaden Wiretap Powers, in fact "…on Wednesday, he [Obama] ended up voting for what he called 'an improved but imperfect bill' after backing a failed attempt earlier in the day to strip the immunity provision from the bill through an amendment." Clinton voted against the bill.
And don't forget to tag your election posts too. (Tagging 2008)