WebApp Sec mailing list archives

Re: SMS protection


From: Francois Yang <francois.y () gmail com>
Date: Mon, 24 Oct 2011 21:07:37 -0500

I would not trust SMS by itself.
I would suggest you choose an SMS authentication solution that allows
you to add a PIN or passcode along with the SMS text message.
Something like what RSA offers. Sorry, I'm only familiar with RSA's
solution, but I know other vendors offer similar functions.
If you tie in a PIN or passcode, it doesn't matter if an attacker or
malicious person gets the SMS text, because they would still need to
know the PIN/passcode and the user ID.
Of course nothing's perfect, but it's better than just SMS by itself.

To answer your question, I think it's secure enough, but then again
think about how many banks don't use SMS, two-factor auth or one-time
passwords.

Frank


On Fri, Oct 21, 2011 at 12:57 PM, Marcel Tudorache
<marceltudorache () yahoo com> wrote:
Hi,

I was wondering how secure an SMS is when used as an authentication/transaction signing means for an application
similar to online banking.

To make the analysis more targeted, the following assumptions are made:
- I understand that the new smartphones can get viruses, but I would like to analyse the simple case where we assume
that the user does his due diligence and either does not navigate on the internet or navigates on a limited number of
trusted websites, so the assumption is that the user does not have a trojan/malware/virus on the smartphone.
- Bluetooth is off
- Wifi is off...
- the attacker does not have physical access to the mobile phone

I think that the SIM card is pretty difficult to hack; from my (limited) smart card experience, I would assume
that before allowing a cloned SIM card access to the network the operator might validate some signature of the
SIM card (I guess that when the operator issues SIM cards they sign them with their private key... or a similar
process).

The question is merely about the intrinsic security of receiving an SMS, and how easy it would be for an attacker to
read the SMS of somebody else, taking into account the above assumptions.

I think it should be pretty secure, what do you think?

Thank you very much,
Marcel
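Frank's suggestion above is that the SMS code should be paired with a PIN or passcode so that possessing the text message alone is not enough. The following is an added example of what that server-side check looks like; it is not code from this thread or from any vendor's product. The policy values (six digits, five-minute validity, three attempts), the function names and the in-memory dictionaries standing in for a database are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not from the thread).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code is valid for five minutes after issue
MAX_ATTEMPTS = 3           # the challenge is discarded after three failures
PBKDF2_ROUNDS = 100_000


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash of the PIN so a leaked user table does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll_pin(users: dict, user_id: str, pin: str) -> None:
    """Record the salt and PIN hash chosen at enrolment (users is a stand-in DB)."""
    salt = secrets.token_bytes(16)
    users[user_id] = {"salt": salt, "pin_hash": hash_pin(pin, salt)}


def issue_otp(challenges: dict, user_id: str, now: float) -> str:
    """Create a fresh one-time code for user_id and record it server-side.

    The caller delivers the returned code over SMS; the server keeps the code,
    its issue time and an attempt counter. Re-issuing replaces any older code.
    """
    code = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
    challenges[user_id] = {"code": code, "issued_at": now, "attempts": 0}
    return code


def verify(users: dict, challenges: dict, user_id: str,
           otp: str, pin: str, now: float) -> str:
    """Check the SMS code and the PIN together.

    Returns 'ok', 'no_challenge', 'expired', 'denied' or 'locked'. A valid SMS
    code with a wrong PIN is rejected, which is the property Frank describes.
    """
    user = users.get(user_id)
    chal = challenges.get(user_id)
    if user is None or chal is None:
        return "no_challenge"
    if now - chal["issued_at"] > OTP_TTL_SECONDS:
        del challenges[user_id]
        return "expired"

    # Evaluate both factors before deciding, so neither timing nor the
    # response reveals whether the SMS code or the PIN was the wrong one.
    otp_ok = hmac.compare_digest(chal["code"].encode(), otp.encode())
    pin_ok = hmac.compare_digest(user["pin_hash"], hash_pin(pin, user["salt"]))
    if otp_ok and pin_ok:
        del challenges[user_id]   # single use: a replayed code is refused
        return "ok"

    chal["attempts"] += 1
    if chal["attempts"] >= MAX_ATTEMPTS:
        del challenges[user_id]   # force a fresh SMS before further guesses
        return "locked"
    return "denied"


if __name__ == "__main__":
    users, challenges = {}, {}
    enroll_pin(users, "alice", "4821")          # constructed sample user
    code = issue_otp(challenges, "alice", time.time())
    # An attacker who intercepted the SMS but does not know the PIN:
    print(verify(users, challenges, "alice", code, "0000", time.time()))
    # The legitimate user with both factors:
    print(verify(users, challenges, "alice", code, "4821", time.time()))
```

The attempt counter and expiry matter as much as the PIN itself: a six-digit code with unlimited guesses is only a small search space, and without the single-use rule an intercepted code stays valid for its whole lifetime.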



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------