General Musing

blaze your trail

Rabobank has insecure SMS banking

with 4 comments

The Rabobank has a new service called Rabo SMS Betalen, the purse can be accessed by SMS.

  1. Alice sends a message to 6689 with the phone number and amount in the body, either +316-<number> or 06-<number>

    0612345678 15 Thanks for the money, Bob.

  2. Alice receives a confirmation SMS from 6689 with an OTP (One Time Password)
  3. Alice sends the OTP back by SMS to 6689 confirm the transaction
  4. Bob, the recipient, receives a confirmation SMS from 6689 that money has been transferred from Alice’s phone number

There are a number of issues with this, primarily that it is possible to perform a man-in-the-middle attack on this system with less than $1000 worth of equipment.

From GSM Security:

GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real-time with a ciphertext-only attack, and in February 2008, Pico Computing, Inc revealed its ability and plans to commercialize FPGAs that allow A5/1 to be broken with a rainbow table attack. The system supports multiple algorithms so operators may replace that cipher with a stronger one.

I wonder who sold them this idea?
Technorati technorati tags: , , , , ,

Written by Daniël W. Crompton (webhat)

July 9, 2008 at 12:20 pm

Posted in finance, risk

Tagged with , , , , ,

4 Responses

Subscribe to comments with RSS.

  1. It is true that sms banking can be risky not only in the above way, but also in a case where the cell phone gets stolen and thus the secure data can be recovered from the sent transactions and inbox. While searching for an answer to this, I found that one of the bank called Barclays offers its customers mobile banking through USSD mode which works like balance enquiry and doesnt store anything on the cell phone. Its definately more secure than sms and faster in response time. The following online demo might explain all the security measures taken by bank while implementing USSD

    Abhishek Rao

    July 30, 2008 at 12:54 pm

  2. using sms for banking is one of the stupidest ideas i can imagine. my bank, m and t bank of buffalo, ny, usa, is now doing it too. with no additional security or one time passwords whatsoever. the only thing they do is omit personally identifiable information, but with a cell phone number, how hard is that to track down? Not to mention the problems SMS spoofing introduces. See the video here:

    only a fool would sign up for this service. and i’ve accelerated my plans to leave this bank.

    brian szymanski

    April 21, 2010 at 7:46 am

    • Thanks for the video.

      I just watched it, and it’s not so bad really. You can’t do payments over this, not unlike some of the other mobile banking services I’ve profiled. My current bank has a way to access your current account details using MSN, although they do mask account numbers.

      With a little social engineering you can get all these details from your bank over the telephone. I will post it with attribution in the next few days.


      April 22, 2010 at 11:29 am

  3. […] SMS banking by M&T #sms #bank #risk By webhat Brian Szymanski send a reply to me concerning another bank implementing SMS banking: M&T. Their demo, which you can find […]

Please Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: