Hi all, Reading the last thread on why SMS isn't/should be dead, I almost piped up with a thought before I realized I should probably check my head-sphincter interface, first. Many banks use SMS messages as an out-of-band authentication factor for online banking. (ie, they send a challenge code to the customers phone in response to an online banking request) If one assumes that cell phone SMS messages can't be intercepted out of the air by a forged device or through other means, they operate as a quasi-physical authentication factor, which is very valuable. This would be a strong use case for SMS over email or other general-purpose communication mediums where the password or other knowledge can be bootstrapped into access to the medium. However, I'm not so sure this assumption is correct. Does anyone have good references for the security of SMS? The most I've been able to find is this Slashdot article [1]. -Nick [1] http://it.slashdot.org/article.pl?sid=09/05/21/1858233
On 12/9/09 10:24 PM, nick hatch wrote:
Reading the last thread on why SMS isn't/should be dead, I almost piped up with a thought before I realized I should probably check my head-sphincter interface, first.
It's always wise to check for Recto-cranial Inversion Syndrome.
However, I'm not so sure this assumption is correct. Does anyone have good references for the security of SMS? The most I've been able to find is this Slashdot article [1].
Since SMS is used as a third or sometimes fourth authentication step, I don't think that it lends itself to being usefully cracked. Someone would have to know the username, password, and cell number of the target account (sometimes the PIN also), and that's simply unlikely except in the case of specific high-value targets. Those accounts already employ additional levels of security (banks don't expose million-dollar accounts to basic online access). -- Carlos Alvarez TelEvolve 602-889-3003 Advanced phone services simplified
On Wed, 9 Dec 2009, nick hatch wrote:
Hi all,
Reading the last thread on why SMS isn't/should be dead, I almost piped up with a thought before I realized I should probably check my head-sphincter interface, first.
Many banks use SMS messages as an out-of-band authentication factor for online banking. (ie, they send a challenge code to the customers phone in response to an online banking request) If one assumes that cell phone SMS messages can't be intercepted out of the air by a forged device or through other means, they operate as a quasi-physical authentication factor, which is very valuable.
This would be a strong use case for SMS over email or other general-purpose communication mediums where the password or other knowledge can be bootstrapped into access to the medium.
However, I'm not so sure this assumption is correct. Does anyone have good references for the security of SMS? The most I've been able to find is this Slashdot article [1].
-Nick
Is SMS secure? No. But SMS is useful for an OTP (One Time Password) such as the banking industry is using. SMS is not secure, in any way. Unless the banks have spent the tens, if not hundreds, of thousands of dollars to directly connect with private non-Internet lines directly to the carriers, or has an encrypted tunnel between their operations and their aggregator, the SMS messages still go over the Internet to an aggregator (mQube, Mobile 365 (now Sybase 365)). During that process it is possible to sniff that information. It is also possible that any company involved in the delivery of that SMS is somehow comprimised or able to be, at which point the SMS can be read. Unless the SMS message is wrapped into a cryptographic tunnel between endpoints, SMS must be assumed to be insecure. The SMS is also delivered over the air, which means it can be intercepted. I know that there is some sort of authentication between the phone and the tower, but since SMS is part of informational messages sent between the tower and the phone, it may not be encrypted, and may be easily sniffed. If you know where the user and their phone is, and they left bluetooth on, you could, in theory, silence the phone, go to the bank, log in, send the OTP to the phone, sniff it, enter it, then delete (via bluetooth) the SMS from the phone, removing any trace indicating to the user that their bank account has just been hacked. But with OTP, insecure is OK for banks it seems. Annoying thing about OTP -- if you use a 3rd party service like Mint.com or PayTrust.com to fetch your eBills, turning on OTP kills those very useful services. Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman at angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Or your phone ends up in the wrong hands. On 12/10/2009 10:53 AM, Peter Beckman wrote:
On Wed, 9 Dec 2009, nick hatch wrote:
Hi all,
Reading the last thread on why SMS isn't/should be dead, I almost piped up with a thought before I realized I should probably check my head-sphincter interface, first.
Many banks use SMS messages as an out-of-band authentication factor for online banking. (ie, they send a challenge code to the customers phone in response to an online banking request) If one assumes that cell phone SMS messages can't be intercepted out of the air by a forged device or through other means, they operate as a quasi-physical authentication factor, which is very valuable.
This would be a strong use case for SMS over email or other general-purpose communication mediums where the password or other knowledge can be bootstrapped into access to the medium.
However, I'm not so sure this assumption is correct. Does anyone have good references for the security of SMS? The most I've been able to find is this Slashdot article [1].
-Nick
Is SMS secure? No. But SMS is useful for an OTP (One Time Password) such as the banking industry is using.
SMS is not secure, in any way. Unless the banks have spent the tens, if not hundreds, of thousands of dollars to directly connect with private non-Internet lines directly to the carriers, or has an encrypted tunnel between their operations and their aggregator, the SMS messages still go over the Internet to an aggregator (mQube, Mobile 365 (now Sybase 365)). During that process it is possible to sniff that information.
It is also possible that any company involved in the delivery of that SMS is somehow comprimised or able to be, at which point the SMS can be read. Unless the SMS message is wrapped into a cryptographic tunnel between endpoints, SMS must be assumed to be insecure.
The SMS is also delivered over the air, which means it can be intercepted. I know that there is some sort of authentication between the phone and the tower, but since SMS is part of informational messages sent between the tower and the phone, it may not be encrypted, and may be easily sniffed. If you know where the user and their phone is, and they left bluetooth on, you could, in theory, silence the phone, go to the bank, log in, send the OTP to the phone, sniff it, enter it, then delete (via bluetooth) the SMS from the phone, removing any trace indicating to the user that their bank account has just been hacked.
But with OTP, insecure is OK for banks it seems.
Annoying thing about OTP -- if you use a 3rd party service like Mint.com or PayTrust.com to fetch your eBills, turning on OTP kills those very useful services.
Beckman ---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman at angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
On 12/10/09 9:53 AM, Peter Beckman wrote:
The SMS is also delivered over the air, which means it can be intercepted. I know that there is some sort of authentication between the phone and the tower, but since SMS is part of informational messages sent between the tower and the phone, it may not be encrypted, and may be easily sniffed.
On GSM networks, the SMS is not encrypted. I don't know about CDMA networks. While intercepting GSM messages is non-trivial, it's not hugely difficult either if you're ready to spend some cash and time to do it. Still, this would have to be a very targeted attack in the context of one-time tertiary authentication data, and not useful in general. -- Carlos Alvarez TelEvolve 602-889-3003 Advanced phone services simplified
participants (4)
-
beckman@angryox.com -
carlos@televolve.com -
lriemer@bestline.net -
nicholas.hatch@gmail.com