SMS bank tokens vulnerable: RSA


Summary: Mobile phone attacks will increase this year as criminals attempt to intercept SMS-based authentication tokens, according to security company RSA.

TOPICS: Mobility, Security



(iPhone 4 image by Jorge Quinteros, CC2.0)

The tokens are designed to complement username and password log-in checks by requiring users to validate payments with unique numerical codes, in this instance sent by SMS.

The approach is becoming more popular, and the Commonwealth Bank of Australia claims to have 80 per cent of its customer base using tokens to validate third-party payments via SMS or through safer handheld token-number generators. The bank isn't forcing customers to use it, but those who don't will not be permitted to carry out high-risk transactions over NetBank.

RSA said in a 2011 predictions report that sending tokens via SMS will make phones a target.

"The use of out-of-band authentication SMS ... as an additional layer of security adds to the vulnerabilities in the mobile channel," the company said in its report.

"A criminal can … conduct a telephony denial-of-service attack which essentially renders a consumer's mobile device unavailable.

"SMS forwarding services are also becoming mainstream in the fraud underground and enable the [token] sent by a bank via text to a user's mobile phone to be intercepted and forwarded directly to the cyber criminal's phone."
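As an added defensive illustration (not code from RSA's report or from any bank's system), the Python sketch below shows why a forwarded code need not be enough for the criminal: each SMS code is bound to the payee and amount it authorises, expires after a short window, is accepted once, and the SMS text itself states what is being approved. The in-memory store, the 120-second lifetime and the three-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumption: a short validity window limits the value of a forwarded code
MAX_ATTEMPTS = 3       # assumption: lockout threshold against guessing a six-digit code


class PaymentOtpStore:
    """Issue and verify SMS payment codes (added example, not RSA's or any bank's code)."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be tested deterministically
        self._pending = {}    # otp_id -> pending code record

    @staticmethod
    def _tx_digest(payee_account, amount_cents):
        # Bind the code to the specific third-party payment it authorises.
        return hashlib.sha256(f"{payee_account}|{amount_cents}".encode()).hexdigest()

    def issue(self, user_id, payee_account, amount_cents):
        otp_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[otp_id] = {
            "user": user_id,
            "tx": self._tx_digest(payee_account, amount_cents),
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The SMS states what is being authorised, so a customer can notice a payee or
        # amount that malware on the PC has silently altered before approving it.
        sms = (f"Code {code} authorises payment of ${amount_cents / 100:.2f} "
               f"to account {payee_account}. Do not share it.")
        return otp_id, sms

    def verify(self, otp_id, user_id, payee_account, amount_cents, submitted_code):
        rec = self._pending.get(otp_id)
        if rec is None or rec["user"] != user_id:
            return False
        if self._now() > rec["expires"]:
            self._pending.pop(otp_id, None)   # expired: discard, a late-forwarded code is useless
            return False
        rec["attempts"] += 1
        ok = (rec["tx"] == self._tx_digest(payee_account, amount_cents)
              and hmac.compare_digest(rec["code"], submitted_code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(otp_id, None)   # single use on success; discarded on lockout
        return ok
```

A forwarded code used against a different payee, used twice, or used after the window fails verification, and the pending record is removed.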

The company said that mobile phone smishing attacks, or phishing scams sent via SMS, will also rise this year.

"Success rates are higher with a smishing attack compared to a standard phishing attack, as consumers are not conditioned to receiving spam on their mobile phone so are more likely to believe the communication is legitimate," the report said.

It said there are no effective technologies to prevent smishing.

The report also claimed that the infamous Zeus malware, widely blamed for most of the online transaction fraud, will merge with rival SpyEye to create a hybrid trojan.

It alleges that the new hybrid will include a kernel mode rootkit, improved HTML infection abilities and remote desktop access.

"Should [its creator] act on his plans, this already spells evolution in the type of commercially available malware likely to be sold in the underground in 2011," the report read.


Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.



  • What a surprise that RSA is talking about a competing dynamic password solution being compromised....
  • @grif, you're not suggesting they might have been attempting some good old-fashioned product placement while dissing their opposition, are you?

    Surely not, that would be unethical or something...
  • The thing they forgot to mention is competing organizations who provide SMS OTP (one-time-password) services utilise a web-based backup or primary log-in capability. Phones drop out...get to a computer...You don't need a criminal to prevent you using a mobile device...any phone service provider can attest to that...based on their ability/inability to provide services lately...and prolly the funny thing is that their opposition (like Vasco) do provide SMS capabilities...I can visualize their sales/mktg can we scare the customer from buying this low-cost, almost as good as our you-beaut system?...I know...tell 'em that the phone's useless if some criminal blocks all the phone lines...yeah...that will who would publish something like that...I'll call one of my phone signal...see it works!