[clug] Internet banking and browser compatibility

Robert Edwards bob at cs.anu.edu.au
Sun Feb 15 22:54:46 GMT 2009

Sam Couter wrote:
> Tim Murphy <tim at murphy.org> wrote:
>> The final step in the transaction is to enter a code which is sent to your 
>> mobile.  The code times out after a very short amount of time (~1 minute I 
>> believe).
> Very handy when SMSs can take weeks to arrive, or just not arrive at
> all.

It is also interesting to note with SMS authentication that the bank
is implicitly trusting the authentication mechanisms of each and every
telco for your bank account security. We seem to have this assumption
that SMSs are hard to capture...

What about: (ring telco) "Ahh, just lost my mobile, wonder if you could
transfer my number to this other SIM I happen to have, just for a while
as I need to take some important calls...". A bit of social engineering
later... bingo! you can get the SMS from the bank, authenticate the
transfer of huge money and then (woops) lose the incriminating SIM
and/or phone.

Now, of course, no Telco would change a phone number from one SIM to
another without strong authentication... right?


Bob Edwards.
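The thread describes the mechanism (a code sent by SMS that times out after roughly a minute) and the risk that the bank is really trusting the telco's SIM-transfer process. The following is an added illustration, not code from the list or from any bank: a server-side verifier that enforces the short expiry, single use and an attempt cap, and additionally treats a recent SIM or number change as a signal to require further verification rather than accepting the SMS code on its own. The `sim_changed_at` data and the seven-day window are constructed assumptions for the example; a real system would source that signal from the telco or from its own contact-detail change history.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60          # the "~1 minute" timeout mentioned in the thread
MAX_ATTEMPTS = 3               # attempts allowed before the code is discarded
# Assumption (constructed for this example): a SIM or number change inside this
# window is treated as a risk signal, since a freshly transferred SIM is exactly
# what the social-engineering scenario in the thread produces.
RECENT_SIM_CHANGE_SECONDS = 7 * 24 * 3600


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class SmsOtpVerifier:
    # Hypothetical per-number "last SIM change" timestamps (epoch seconds).
    # Constructed here; in practice this would come from a telco signal or the
    # bank's own record of contact-detail changes.
    sim_changed_at: dict
    pending: dict = field(default_factory=dict)

    def issue(self, account: str, now: float) -> str:
        """Generate a fresh 6-digit code and remember when it was issued."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = PendingCode(code=code, issued_at=now)
        # The code would be handed to the SMS gateway, never echoed to the browser.
        return code

    def verify(self, account: str, phone: str, submitted: str, now: float) -> str:
        """Return a decision string for the submitted code."""
        entry = self.pending.get(account)
        if entry is None or entry.used:
            return "no-code"              # nothing outstanding, or already consumed
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[account]
            return "expired"              # code outlived its one-minute window
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[account]
            return "locked"               # too many guesses; force a new code
        if not hmac.compare_digest(entry.code, submitted):
            return "mismatch"             # constant-time compare, no early exit
        entry.used = True                 # single use: the same code cannot be replayed
        changed = self.sim_changed_at.get(phone)
        if changed is not None and now - changed < RECENT_SIM_CHANGE_SECONDS:
            # Code is correct, but the SIM behind the number changed recently:
            # do not let the SMS alone authorise a high-value transfer.
            return "step-up-required"
        return "ok"
```

The design point is the last check: a correct SMS code proves only that whoever holds the SIM right now saw the message, so when the SIM itself has just moved, the bank should fall back to something it controls (a call-back on a number of record, a branch visit, a hardware token) instead of inheriting the telco's decision.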

