Tag: banking
The consoling quiet before the big Kenyan bank hack bang!
by Idd Salim on Feb.24, 2010, under Coding, Symbiotic
Tick… tock… Tick… tock… Goes my HackOmeter. “Have they been hit yet?”, I ask myself. I switch on the TV to see if a Kenyan bank has been hit yet. “Not yet”, I conclude. “I see voluptuous women flaunting themselves naked in the streets and on billboards. Soon the rapists are coming.”, I tell my friends. And ohh, what a sad day it will be.
The Topic for today is SMS Banking.
What it is MEANT to do:
SMS banking is a remote banking service delivered over mobile phones. Every time money leaves a card account (a purchase with the card, a cash withdrawal at an ATM), a client enrolled in the SMS Bank system receives an SMS with the details of the transaction: the amount charged, part of the card number, the date, the time and the place (shop or ATM location). Note the direction of traffic: the bank talks to you, and nothing you send back is ever acted upon. Full stop! That is what SMS Banking was meant to be, should be and must remain.
What it has been ABUSED to be:
But hang on there. What about these services all over the news that let a user check balances, transfer money, stop cheques etc., all over SMS (or USSD, as in the case of Equity and Barclays)? Isn’t that what SMS banking really is?
Well, this is a classic example of Security Through Obscurity: the only thing standing between an attacker and your balance is that nobody has yet bothered to read or forge the messages. Like walking along Tom Mboya Street at 2am waving a KSHS 1000 note and getting home safe. You won’t do that for long.
Shamelessly stolen from the RSA website:
We have all read about the iPhone and Blackberry SMS attacks and vulnerabilities. There is currently commercially available (let alone black market) software that allows eavesdropping and spoofing of SMS. The lack of SMS confidentiality has been established by congressional members, city mayors, and international government officials in dozens of cases where their text messages were intercepted and made public. Like landline communication, cell phone communications including SMS should be considered to have no confidentiality.
An SMS can be:
- Intercepted on its way from your phone to Zain/Safaricon/Safaricom.
- Changed and edited [the content, the destination number, the source number etc.].
- Delayed.
- Deflected and even deleted before it ever gets there.
This can be done with equipment that costs less than USD 10,000, and with techniques that anyone who knows the difference between Hellon and Arunga can master in a week.
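To make the “changed and edited” point concrete, here is an added example (mine, not code from the original post or from Symbiotic) that builds and decodes the GSM 03.40 SMS-DELIVER PDU a handset actually receives. The short code 2340, the number 0712000000, the timestamp and the two message texts are constructed for the demonstration. It shows the three fields a bank customer trusts (sender, time, text) and that none of them is covered by a signature or even a checksum: a forged PDU that reuses the bank’s sender address, and a genuine PDU with one septet rewritten in transit, both decode exactly like the real thing.

```python
"""Added example (not code from the original post or from Symbiotic): build
and decode a GSM 03.40 SMS-DELIVER PDU to show that sender, timestamp and
text are bare fields with no signature or checksum. All numbers, the short
code, the timestamp and both messages below are constructed."""
from dataclasses import dataclass

# GSM 7-bit default alphabet, index = septet value (extension table omitted).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå"       # 0x00-0x0F
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"      # 0x10-0x1F
    " !\"#¤%&'()*+,-./"         # 0x20-0x2F
    "0123456789:;<=>?"          # 0x30-0x3F
    "¡ABCDEFGHIJKLMNO"          # 0x40-0x4F
    "PQRSTUVWXYZÄÖÑÜ§"          # 0x50-0x5F
    "¿abcdefghijklmno"          # 0x60-0x6F
    "pqrstuvwxyzäöñüà"          # 0x70-0x7F
)


def pack_septets(text: str) -> bytes:
    """Pack text as GSM 7-bit septets, least significant bit first."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        code = GSM7_BASIC.find(ch)
        if code < 0:
            raise ValueError(f"{ch!r} is not in the GSM 7-bit basic alphabet")
        acc |= code << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> str:
    """Unpack `count` septets from packed user data."""
    acc = int.from_bytes(data, "little")
    return "".join(GSM7_BASIC[(acc >> (7 * i)) & 0x7F] for i in range(count))


def encode_semi_octets(digits: str) -> bytes:
    """Nibble-swapped BCD used for TP-OA and TP-SCTS; odd length is padded with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def decode_semi_octets(data: bytes) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


@dataclass
class SmsDeliver:
    sender: str     # TP-OA digits; nothing in the PDU proves who really sent it
    timestamp: str  # TP-SCTS as YYMMDDhhmmss + timezone quarter-hours, set by the SMSC
    text: str       # TP-UD, plain text


def build_sms_deliver(sender: str, timestamp: str, text: str) -> bytes:
    """Assemble an SMS-DELIVER PDU with a numeric sender and 7-bit text."""
    pdu = bytearray([0x00, 0x04])        # no SMSC address; TP-MTI=00 (DELIVER), TP-MMS=1
    pdu += bytes([len(sender), 0x81])    # TP-OA digit count; TON unknown, ISDN plan
    pdu += encode_semi_octets(sender)
    pdu += bytes([0x00, 0x00])           # TP-PID; TP-DCS = GSM 7-bit default alphabet
    pdu += encode_semi_octets(timestamp)  # TP-SCTS, 7 octets
    pdu.append(len(text))                # TP-UDL in septets
    pdu += pack_septets(text)
    return bytes(pdu)


def user_data_offset(pdu: bytes) -> int:
    """Offset of TP-UD: SMSC addr, first octet, TP-OA, PID, DCS, SCTS, UDL precede it."""
    oa_len = (pdu[2 + pdu[0]] + 1) // 2
    return pdu[0] + oa_len + 14


def parse_sms_deliver(pdu: bytes) -> SmsDeliver:
    """Decode what a handset shows the user. Note what is missing: no MAC, no signature."""
    pos = 1 + pdu[0]
    first = pdu[pos]
    if (first & 0x03) != 0x00 or (first & 0x40):
        raise ValueError("expected SMS-DELIVER without user data header")
    oa_digits, toa = pdu[pos + 1], pdu[pos + 2]
    pos += 3
    oa_len = (oa_digits + 1) // 2
    sender = decode_semi_octets(pdu[pos:pos + oa_len])
    if (toa & 0x70) == 0x10:             # international type-of-number
        sender = "+" + sender
    pos += oa_len
    if pdu[pos + 1] != 0x00:             # TP-DCS
        raise ValueError("only the GSM 7-bit default alphabet is handled here")
    pos += 2
    timestamp = decode_semi_octets(pdu[pos:pos + 7])
    udl = pdu[pos + 7]
    return SmsDeliver(sender, timestamp, unpack_septets(pdu[pos + 8:], udl))


def forge_with_same_sender(genuine: bytes, new_text: str) -> bytes:
    """Anyone who can hand a PDU to the network (fake base station, SS7 access, a
    bulk-SMS gateway that lets you set the sender) can reuse the bank's address."""
    g = parse_sms_deliver(genuine)
    return build_sms_deliver(g.sender, g.timestamp, new_text)


def patch_septet_in_flight(pdu: bytes, index: int, new_char: str) -> bytes:
    """Rewrite one character inside the packed payload; no field covers its integrity."""
    off = user_data_offset(pdu)
    ud = int.from_bytes(pdu[off:], "little")
    ud = (ud & ~(0x7F << (7 * index))) | (GSM7_BASIC.index(new_char) << (7 * index))
    return pdu[:off] + ud.to_bytes(len(pdu) - off, "little")


BANK_SHORT_CODE = "2340"  # constructed, not a real service
GENUINE_ALERT = "Withdrawal KES 5000 at ATM Moi Ave 24/02 09:12 card 4321"  # constructed
FORGED_ALERT = "Transfer of KES 45000 to 0712000000 confirmed"              # constructed


def demo() -> dict:
    """What the handset displays for the genuine, forged and tampered PDUs."""
    genuine_pdu = build_sms_deliver(BANK_SHORT_CODE, "10022409120012", GENUINE_ALERT)
    forged_pdu = forge_with_same_sender(genuine_pdu, FORGED_ALERT)
    # Turn 5000 into 9000 by rewriting the septet holding the '5' in transit.
    tampered_pdu = patch_septet_in_flight(genuine_pdu, GENUINE_ALERT.index("5000"), "9")
    return {"genuine": parse_sms_deliver(genuine_pdu),
            "forged": parse_sms_deliver(forged_pdu),
            "tampered": parse_sms_deliver(tampered_pdu)}


if __name__ == "__main__":
    for label, sms in demo().items():
        print(f"{label:8} from {sms.sender} at {sms.timestamp}: {sms.text}")
```

Run it and compare the three lines: the handset, like this decoder, has no field to consult that would tell them apart. In the other direction the network stamps the customer’s number onto an SMS-SUBMIT from whichever SIM authenticated, which is exactly why SIM cloning and insider access matter for a service that acts on “TRANSFER …” messages.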
How Can this be done?
There are 3 known ways to intercept SMS traffic between two parties:
- Phone cloning – The best. Totally bamboozles the MSP cell towers [Saf/Zain]: they see two phones with the same phone number, MIN and ESN. Very effective on CDMA networks but not on GSM, where the subscriber identity lives on the SIM rather than in the handset – More Info -
- SIM copying – VERY illegal because it is so effective. Clones the SIM (its IMSI and secret key) so the network cannot tell the two apart: the calls and SMSes addressed to your number go to whichever of the two SIMs registered last, and the clone can do so without you noticing anything but a dropped signal.
- Patched firmware – A very easy and common method is for a hacker to load a super-firmware onto their phone. This upgrade turns the phone into a radio receiver that captures SMSes addressed to THEM and to people AROUND them. The catch on GSM is that the radio leg is scrambled with A5/1, so this only works where the operator runs no encryption or where the attacker breaks A5/1 (practical since the rainbow tables published in late 2009). You can really have fun with this at a club, a mall or a bus stop.
Ever been robbed or attacked and then had the assailants return your phone / SIM? Chances are you got cloned, and your phone calls [as long as the clone is in the same cell area] and your SMSes can now be picked up by the clone instead of your real phone.
Where is the problem?
Ok. Enough phone hacking lessons. For those who still don’t see where the problem is, please allow me to reiterate:
- Your SMSes are neither CONFIDENTIAL nor PERSONAL. Get over it! A recent article about how guys from SafCon sell call-data and SMS records shows the first level of breach: your data can be bought.
- Your SMSes can be intercepted by hackers. SafCon can fire all those name-spoilers they hire, but that only protects your information from humans. It is NOT digitally secure. SMS and USSD traffic has no end-to-end encryption: the radio leg is protected, at best, by the weak A5/1 cipher, and inside the operator’s network and at the SMSC the content sits in the clear.
What is MY problem?
Just your money, my reader. You don’t want all your hard-earned cash to end up in Nigeria, do you?
Why doesn’t Safcon [not to be confused with Safaricom] etc. do something?
Honestly, not their problem. You send SMSes, they make money. It is not their mandate to SECURE these systems; they offer the ROAD. If you have an accident on it, hard luck! Whatever security a banking service needs has to come from the bank’s side of the message, not from the carrier.
Is All Lost in the Mobile Banking Sector?
Not by a long shot. But that is a topic for another day, or you can skype/gmail/yahoo me @iddsalim so I can tell you HOW Symbiotic is countering this menace. Power through serious code..
Adios!
Back to code!
