Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SMS Banking

From: Markus Matiaschek <mmatiaschek () gmail com>
Date: Fri, 5 Feb 2010 16:08:09 -0600
Hi,

I'd just like to make some comments, i didn't think about a solution
for your problem.

First of all i think that my Budi wibowo got something wrong regarding
who is sending the PIN.

Second, GSM is cracked: http://reflextor.com/trac/a51 and can be
intercepted and decrypted. You should take this into account.

Third i think the only farely safe way to make money transfers is with
transaction numbers, TANs. German banks send mobileTANs to
preregistered cell phone numbers to allow a transaction (through
online banking though).
A "three-way-handshake" with a mTAN should pretty much prevent
transactions through spoofed numbers.

regards,
Markus Matiaschek
Absolute IT Consulting S.A.
San José, Costa Rica

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: