RE: Security Issues in Mobile Banking

["KoRe MeLtDoWn" <koremeltdown () hotmail com>]

This leaves open the issue of a criminal targetting someone; stealing their 
phone and hijacking their bank account/s - kinda like credit cards but 
without the understanding bank manager at the end huh?

Regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
Auckland
New Zealand

http://www.koreworks.com/

Is your box REALLY secure?





> From: Aigar Käis <Aigar.Kais () emt ee>
> To: "MOHESOWA BYAS" <byasmohesowa () sbm intnet mu>
> CC: <security-basics () securityfocus com>
> Subject: RE: Security Issues in Mobile Banking
> Date: Wed, 12 Mar 2003 10:19:01 +0200
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.26]) by 
> mc8-f10.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 12 Mar 
> 2003 16:45:40 -0800
> Received: from lists.securityfocus.com (lists.securityfocus.com 
> [205.206.231.19])by outgoing.securityfocus.com (Postfix) with QMQPid 
> 036D48F2C8; Wed, 12 Mar 2003 17:31:42 -0700 (MST)
> Received: (qmail 13977 invoked from network); 12 Mar 2003 08:09:27 -0000
> X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6334.0
> content-class: urn:content-classes:message
> Message-ID: <8EE3AA195E0FCE4EAA87626C20B68CED0F45EB () venus emt ee>
> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Security Issues in 
> Mobile Banking
> Thread-Index: AcLoAiNrrfARGXs0TNepzP9rk9tOrQAbWBHA
> Return-Path: 
> security-basics-return-18424-koremeltdown=hotmail.com () securityfocus com
> X-OriginalArrivalTime: 13 Mar 2003 00:45:42.0198 (UTC) 
> FILETIME=[DFF9B560:01C2E8F9]
>
> Hi
>
>
> > User sends his user name and password to the service provider
> > as an SMS, the
> > ISP processes the request by running a script which initiates
> > an "https"
> > session with the Bank's Internet Banking Server, and does a
> > balance inquiry
> > using the username and password.
> >
> > If the credentials supplied are valid, then the balance info
> > is sent back to
> > the user as an sms.
> >
> > UserName & password is not encrypted on the ISP server which sends the
> > script, however they are replaced by **** in the log files
> >
> > We have some doubts as listed below:
> > 1. Is mobile banking a proven safe technology ?
>
> Mobile banking hasn't been around long enough to prove it's safe.
>
> > 2. Is this a common type of service or is it completely new?
>
> I'm not sure how common is this kind of approach but we have here also 
> several banks and telcos offering this kind of service to customers but 
> with slightly different logic.
> Client is not to required to add username and password with SMS. Instead 
> one with internet banking account must activate it's mobile banking 
> (M-commerce) features, select numbers who are allowed to make SMS based 
> query and what services are allowed.
> Now if one wants for example balance sheet or last transactions made, 
> simply sends SMS containing predetermined word. SMSC forwards it over the 
> encrypted tunnel to bank where it gets processed and sent back again over 
> encrypted tunnel to SMSC and to client.
>
>
>
> r.
>
> Aigar


_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.  
http://join.msn.com/?page=features/featuredemail