Australian Telcos Declare SMS Unsafe For Bank Transactions
littlekorea writes "Australia's telcos have declared that SMS technology should not be used by banks to verify identities for online banking transactions, in a bid to wash their hands of culpability for phone porting hacks. But three of Australia's largest four banks insist they will continue to use SMS messages to carry authentication codes for transactions."
Re:repeat after me... (Score:2, Informative)
The problem is that superficially, a phone looks like a great second factor. You know your password, and you have your phone. Unfortunately, in practice, it is not a second factor at all because the phone is a party to the communication of the first factor (password/PIN), so compromising the phone compromises a second factor implicitly. Fundamentally, no phone can ever be a second factor for authentication purposes, period, so long as it is possible to enter your password or PIN through that phone.
The ability to clone phones is just the icing on the cake. It's the beach ball floating through the gaping hole that nobody noticed previously that calls attention to the flaw in the minds of people who were otherwise not sufficiently security-minded to see it.
Re:Not surprised... (Score:5, Informative)
They also seem to think that inputting your password with an on-screen html keyboard using your mouse will provide *ANY* extra security.
The one thing that I'm happy about is that unlike Commonwealth Bank, they are not integrating Facebook with their online banking system.
Just let that one sink in a little bit.... integrating Facebook with your online banking