SMS bank tokens vulnerable: RSA

Summary: Mobile phone attacks will increase this year as criminals attempt to intercept SMS-based authentication tokens, according to security company RSA.

(iPhone 4 image by Jorge Quinteros, CC2.0)

The tokens are designed to complement username and password log-in checks by requiring users to validate payments with unique numerical codes, in this instance sent by SMS.

The approach is becoming more popular: the Commonwealth Bank of Australia claims that 80 per cent of its customer base uses tokens to validate third-party payments, either via SMS or through safer handheld token-number generators. The bank isn't forcing customers to use it, but those who don't will not be permitted to carry out high-risk transactions over NetBank.
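To make the mechanism concrete, here is an added example of the bank-side half of an SMS payment token: it issues a short numeric code for one specific payment and only accepts it back if the payment details match, the code is unused, it is inside a short validity window, and the caller has not burnt through a small guess budget. This is illustrative code written for this article, not the code of RSA, the Commonwealth Bank or any real banking system; the class and method names, the key, the 120-second window and the three-attempt limit are assumptions, and delivery to an SMS gateway is left out. Binding the code to the payee and amount and expiring it quickly does not stop interception, but it limits what an intercepted code is good for.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingCode:
    # Only an HMAC of the code is kept server-side, so a database leak does
    # not expose live codes; the payment details are kept to re-check them.
    code_hash: bytes
    issued_at: float
    attempts: int = 0


class SmsTokenService:
    """Issue and verify single-use SMS codes bound to one payment (hypothetical API)."""

    CODE_DIGITS = 6
    TTL_SECONDS = 120      # assumed validity window
    MAX_ATTEMPTS = 3       # assumed guess budget per code

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _payload(account: str, payee: str, amount_cents: int) -> bytes:
        # The payment details are part of what the code authenticates.
        return f"{account}|{payee}|{amount_cents}".encode()

    def _hash(self, code: str, payload: bytes) -> bytes:
        return hmac.new(self._key, payload + b"|" + code.encode(), hashlib.sha256).digest()

    def issue(self, txn_id: str, account: str, payee: str, amount_cents: int) -> str:
        """Create a fresh code for this transaction; the return value goes to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        payload = self._payload(account, payee, amount_cents)
        self._pending[txn_id] = PendingCode(self._hash(code, payload), self._clock())
        return code

    def verify(self, txn_id: str, account: str, payee: str, amount_cents: int, code: str) -> bool:
        """Accept the code once, only for the original payment details, only while fresh."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > self.TTL_SECONDS:
            del self._pending[txn_id]          # expired: discard, never accept late
            return False
        entry.attempts += 1
        if entry.attempts > self.MAX_ATTEMPTS:
            del self._pending[txn_id]          # guess budget exhausted
            return False
        expected = self._hash(code, self._payload(account, payee, amount_cents))
        ok = hmac.compare_digest(expected, entry.code_hash)   # constant-time compare
        if ok:
            del self._pending[txn_id]          # single use
        return ok


def format_sms(code: str, payee: str, amount_cents: int) -> str:
    """Put the payment details in the message so the user can see what the code approves."""
    return (f"Code {code} confirms a payment of ${amount_cents / 100:.2f} to {payee}. "
            f"It expires in {SmsTokenService.TTL_SECONDS // 60} minutes.")


if __name__ == "__main__":
    svc = SmsTokenService(b"constructed-demo-key-not-for-production")
    code = svc.issue("txn-1", "acct-1", "payee-A", 12500)
    print(format_sms(code, "payee-A", 12500))
    print("accepted:", svc.verify("txn-1", "acct-1", "payee-A", 12500, code))
    print("replay accepted:", svc.verify("txn-1", "acct-1", "payee-A", 12500, code))
```

The verification order matters: expiry and the attempt budget are checked before the comparison, so an attacker who obtains a code late, or who tries to brute-force the six digits, gets nothing, and the comparison itself uses `hmac.compare_digest` to avoid leaking timing.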

RSA said in a 2011 predictions report that sending tokens via SMS will make phones a target.

"The use of out-of-band authentication SMS ... as an additional layer of security adds to the vulnerabilities in the mobile channel," the company said in its report.

"A criminal can … conduct a telephony denial-of-service attack which essentially renders a consumer's mobile device unavailable.

"SMS forwarding services are also becoming mainstream in the fraud underground and enable the [token] sent by a bank via text to a user's mobile phone to be intercepted and forwarded directly to the cyber criminal's phone."

The company said that mobile phone smishing attacks, or phishing scams sent via SMS, will also rise this year.

"Success rates are higher with a smishing attack compared to a standard phishing attack, as consumers are not conditioned to receiving spam on their mobile phone so are more likely to believe the communication is legitimate," the report said.

It said there are no effective technologies to prevent smishing.

The report also claimed that the infamous Zeus malware, widely blamed for most of the online transaction fraud, will merge with rival SpyEye to create a hybrid trojan.

It alleges that the new hybrid will include a kernel mode rootkit, improved HTML infection abilities and remote desktop access.

"Should [its creator] act on his plans, this already spells evolution in the type of commercially available malware likely to be sold in the underground in 2011," the report read.

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.
