Security Basics mailing list archives

Re: Security Issues in Mobile Banking


From: Valter Santos <vsantola () devfusion net>
Date: 12 Mar 2003 15:53:34 +0000

On Tue, 2003-03-11 at 06:21, MOHESOWA BYAS wrote:

We have some doubts as listed below:
1. Is mobile banking a proven safe technology?
2. Is this a common type of service or is it completely new?
3. Are there any known security incidents using this service?
4. What features should we consider to make a risk assessment of the service
being proposed?
5. Any other items that must be considered?


Hi there,

I'm talking from Portugal, and we have a bank here offering such a
service, but I really have doubts about the security of such an
application. Let me explain this a little better.

Suppose we have the following circuit flow for this application:

     SMS client -> [telecom bearer] -> SMSC -> [SMSC bearer] -> SMS gw -> [HTTP] -> Bank Server


This is the normal schema used for such an application, where

  - the telecom bearer is the protocol used by the operator for its
    communication (eg, UCP/EMI2, SMPP, etc)

  - the SMSC bearer is the protocol used by the SMS Center to talk with
    application gateways (eg, TCP or UDP)


Supposing that the application is well designed from a security
standpoint, and the security between the SMSC and the Bank server is
guaranteed [and in most cases this is *NOT* true 8-(], this circuit has
an important security flaw, which is the communication between the SMS
client (phone device) and the SMS Center.

The technology used nowadays for SMS does not have any encryption
feature, so all the communications pass in plain text from the phone to
the SMS Center. Normally, what the developers of such applications think
about this is that this type of communication is hard to sniff and no
one will go to the trouble of sniffing it... this is a bad practice, and
I doubt that SMS traffic is hard to sniff for someone working as a
telecom engineer.

Another issue is that all SMS messages are logged by default at the SMS
Center, so all login information from users of such an application is
available to SMSC operators... this flaw is even more annoying when the
application is used in conjunction with the login platform of the main
web banking system, which is the case here. This allows compromising not
only the SMS banking platform but also the web banking one and all the
accounts that the user has registered in the application.

However, the future should be better. Now that new phones are Java
enabled, or use more polished operating systems such as Symbian or even
Linux, I guess that new versions of this type of application will be
able to use encryption even if the operator bearer doesn't offer it.

There are some projects trying to implement such a thing, and I hope
that they will succeed. I remember seeing one such project at
SourceForge; google for SMS encryption to find it.


Hope this helps
/valter


-- 


---..---..---..---..---..---..---..---..---..---..---..---..----
Valter Santos

vsantola () devfusion net                         |||
http://devfusion.net/~vsantola/keys/          (@ @)                 
------------------------------------------oOO--(_)--OOo---------

Attachment: signature.asc
Description: This is a digitally signed message part
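As an added illustration of the application-level encryption the post hopes newer handsets will allow (this is example code, not from the original message or from any project it mentions): the handset seals the login with AES-GCM before it enters the telecom bearer, so the SMSC carries and logs only ciphertext, and the bank server behind the SMS gateway opens it. It assumes a 16-byte key pre-shared at enrolment and a binary (8-bit) SMS with 140 bytes of user data; the function names and the constructed login string are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// A binary (8-bit) SMS carries at most 140 bytes of user data. AES-GCM adds a
// 12-byte nonce and a 16-byte tag, which leaves 112 bytes for the login itself.
// The key is a 16-byte secret assumed to be provisioned at enrolment (assumption).
const smsBinaryLimit, gcmNonceSize, gcmTagSize = 140, 12, 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealLogin runs on the handset (the Java/Symbian client the post hopes for):
// the login is encrypted and authenticated before the SMSC ever sees it.
func SealLogin(key, login []byte) ([]byte, error) {
	if len(login)+gcmNonceSize+gcmTagSize > smsBinaryLimit {
		return nil, errors.New("login does not fit in one binary SMS")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Wire format: nonce || ciphertext || tag, never more than 140 bytes.
	return gcm.Seal(nonce, nonce, login, nil), nil
}

// OpenLogin runs on the bank server behind the SMS gateway. Any byte altered in
// transit, or a message sealed under a different key, fails the GCM tag check.
func OpenLogin(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(msg) < gcmNonceSize+gcmTagSize {
		return nil, errors.New("bad key or message too short")
	}
	return gcm.Open(nil, msg[:gcmNonceSize], msg[gcmNonceSize:], nil)
}
```

Encrypting the payload keeps the credentials out of the SMSC log but does not hide the sender's number or the fact that a login happened, and a sealed login could still be replayed unless the plaintext carries a counter or a server challenge.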

