Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Australia Cellphones Handhelds Security The Almighty Buck IT

Australian Telcos Declare SMS Unsafe For Bank Transactions 42

littlekorea writes "Australia's telcos have declared that SMS technology should not be used by banks to verify identities for online banking transactions, in a bid to wash their hands of culpability for phone porting hacks. But three of Australia's largest four banks insist they will continue to use SMS messages to carry authentication codes for transactions."
This discussion has been archived. No new comments can be posted.

Australian Telcos Declare SMS Unsafe For Bank Transactions

Comments Filter:
  • something you know, something you have, and something you are
    • Re: (Score:2, Funny)

      by Anonymous Coward

      technology, motivation, stupid

      Ugh, captcha: diploma.

    • Re: (Score:2, Informative)

      by dgatwood ( 11270 )

      something you know, something you have, and something you are

      The problem is that superficially, a phone looks like a great second factor. You know your password, and you have your phone. Unfortunately, in practice, it is not a second factor at all because the phone is a party to the communication of the first factor (password/PIN), so compromising the phone compromises a second factor implicitly. Fundamentally, no phone can ever be a second factor for authentication purposes, period, so long as it is pos

      • Fundamentally, no phone can ever be a second factor for authentication purposes, period, so long as it is possible to enter your password or PIN through that phone.

        Not at all. If you never enter your bank password or pin through the phone in the first place, there is no way a compromised phone will be able to obtain it. I do all of my online banking from a computer, so a second factor being the phone would work fine (unfortunately only the least important of my three banks uses two factor).

        • by dgatwood ( 11270 )

          Not at all. If you never enter your bank password or pin through the phone in the first place, there is no way a compromised phone will be able to obtain it. I do all of my online banking from a computer, so a second factor being the phone would work fine (unfortunately only the least important of my three banks uses two factor).

          Fair point. But that kind of negates the purpose of all the mobile banking apps at that point, which the banks are eager to promote because they think it makes them look more in to

      • by Anonymous Coward

        It's the beach ball floating through the gaping hole that nobody noticed previously that calls attention to the flaw in the minds of people who were otherwise not sufficiently security-minded to see it.

        It is no such thing.

        I've worked on a number of Multi Factor Authentication projects at 2 different Australian banks (1 major, 1 minor) and had numerous in-depth conversations with other banks, and we were well aware of these sorts of issues. If anything, I'm more surprised that this (number porting) hasn't h

        • It's still dificult to understand.

          The paper table of codes that is used by some banks is way safer, more reliable, and somewhat cheaper than the SMS code. Also, it is about as much easy to use as the SMS code. Yet, lots of banks prefer SMS.

          I blame MBAs for that.

  • Sent from someone else's phone.
  • I'm not at all surprised that the banks here don't follow that advice.
    Westpac seems to think that a six digit password (upper-case characters and digits only) is enough for online banking. :-(

    • by Krojack ( 575051 )

      My bank seems to think using your debit card number and pin are enough.

    • Re:Not surprised... (Score:5, Informative)

      by norpy ( 1277318 ) on Thursday November 08, 2012 @06:38PM (#41926133)

      They also seem to think that inputting your password with an on-screen html keyboard using your mouse will provide *ANY* extra security.

      The one thing that i'm happy about is that unlike commonwealth bank, they are not integrating facebook with their online banking system.
      Just let that one sink in a little bit.... integrating FaceBook with your online banking

      • by Anonymous Coward

        I once used a credit union where they used an on-screen keyboard that moved a little bit in a random direction each time you clicked on it. I imagine using the mouse would prevent keyloggers from getting your password, and the random movement would prevent logging of the position of the cursor when clicking from being useful.

    • by mjwx ( 966435 )
      No, You have the option of using a mobile telephone (no, like the rest of the world we dont call them "cell" phones) or can opt for the other method (either a one time pad or RSA token depending on the bank).
  • by mlts ( 1038732 ) * on Thursday November 08, 2012 @05:30PM (#41925251)

    It would be nice if one could add a standardized encryption/signing layer on top of MMS (or SMS if one stitched together multiple messages.) That way, an app from the bank could look at incoming messages, verify they were genuine (regardless of what the phone number states), decrypt them with the user's key, and pass the authentication info to the user.

    Fake SMS attempts would be detected/ignored, and an attacker able to get access to text messages wouldn't have the ability to decode them unless they also had access to the phone and the app's private key (which would be unique and generated on each device.)

  • Someone transferred her number and she didnt notice? And she runs a business?
    Not getting any calls wasnt a clue enough?

    • by SpazmodeusG ( 1334705 ) on Thursday November 08, 2012 @06:52PM (#41926281)

      Hell not just that. SMS is one small step of internet banking. You still need the banks userID and password to log into online banking before you even make use of the SMS transaction confirmations. There's also a lot of requirements for number porting as it is too - accountID and details with the old provider and there's SMS notices sent when the porting is attempted too.

      So this woman was socially engineered out of the following - Her real name, address and DOB (fair enough, this is publically available), her old mobile providers details and accountID (someone go through her bin?), her banks clientID and password (she fall for a fake bank email?), she didn't notice the SMS announcements that she'd be ported to a new provider next month (wtf?) and finally she didn't notice a lack of calls coming in.

      At some point you have to say fuck it, there's no way to protect people like this. Even if it was made more difficult to port numbers she's clearly stupid enough to give away any and all information asked of her.

  • by SpazmodeusG ( 1334705 ) on Thursday November 08, 2012 @06:08PM (#41925783)

    Secure Computing and iTnews.com.au have led a campaign to convince Australia's telcos to include extra security questions during the mobile phone number porting process to ensure fraudsters can't take control of a victim's phone number to gain access to SMS verification codes.

    Let me guess. Secure Computing and iTnews.com.au work closely with Telstra and Optus right?

    Here in Australia, thanks to consumer protection legislation changing mobile providers is a breeze. You ring up the provider you wish to change to and you ask to be ported. They send you an SMS and ask your personal details and old providers account number and then switch you over. It's both secure and easy (they need your phone number, old provider details and personal details to switch you over). You're now with another provider. You don't need to cancel with your old provider, they do that for you. Your number stays the same. The two biggest Telcos (Telstra and Optus) hate it as there's no lock in. They have to compete on price and service.

    So Telstra and Optus lobby hard to ban number porting. They make up bullshit such as "OMG allowing people to switch phone providers is dangerous!!!!". They get their friends in the media to chant the same thing. "Ban number porting!!!"

    The reality is that the banks don't use SMS confirmations for anything more than a 3rd layer of security. They don't ask you to transmit anything over the SMS service, it's simply used by them to send you message that a transaction is taking place along with a key that you have to type into online banking (after logging in securly) to allow that transaction to proceed. Essentially it's traditional "login over https" style banking with an extra layer of SMS notifications when you do transactions. It doesn't need the SMS security itself to be bomb-proof as that's just the last step.

    So all this talk of restricting number porting is ridiculous. Good on the Communications Alliance (who are mostly made up of smaller Telcos that like number porting) for not bowing to the pressure and bullshit spouted by here by iTnews.com.au. It really isn't an issue, in fact i think other countries should adopt similar consumer protection laws where switching providers whilst retaining the old mobile number is a breeze.

    • by PCM2 ( 4486 )

      So all this talk of restricting number porting is ridiculous. Good on the Communications Alliance (who are mostly made up of smaller Telcos that like number porting) for not bowing to the pressure and bullshit spouted by here by iTnews.com.au. It really isn't an issue, in fact i think other countries should adopt similar consumer protection laws where switching providers whilst retaining the old mobile number is a breeze.

      I don't know if switching mobile providers and keeping the same number is "a breeze" in the US, but I've done it a few times. You can even switch from a landline to a mobile phone and keep your same number, in many cases. There are no fees involved, unless you break a contract.

      That said, there definitely is something fishy about this story. Do a Google search for "mobile phone porting fraud" and most of the results you get back are from .au domains. I don't know if that points to a misguided media (or marke

  • This seems more a case of social engineering than exploiting the lack of SMS security.

    The main Issue as I see it is that Vodafone ported over the number to a new phone, while talking to an unverified person. They may have verified him, but only with some weak details that were publicly available.

    /. always reaches for the tech solution first.

    Obligatory - http://xkcd.com/538/ [xkcd.com]

  • I guess it takes longer for some obvious things to sink in down under. SMS insecure? Never heard that before. (ROFL)

You know you've landed gear-up when it takes full power to taxi.

Working...