Security is always an issue

Think the option to have an SMS sent to you via cellphone when any transaction is done on your account is a good idea.

Better paranoid than poor, in this case. :)
 
Yes, apart from the SIM cloning which is going on at the moment.

Someone goes to the Vodashop pretending to be you, and claiming that their SIM had been stolen/lost. With sufficient persuasion (forged ID, or just a few hundred bucks, maybe), they issue the person a new SIM for your number, and your old one is disabled.

Now THEY get the notifications and the One Time Passwords, and have free rein over your account. Wonderful. NOT!

Yes, this assumes that they already know your userid and password.
 
Yea, make it our problem, not like we pay the banks enough already, now we also got to look after our money that we gave them to safekeep.

PFFFFT.

If I leave my cellphone at home am I guilty of negligence?
 
One-time password generators please. We pay banks enough for "internet banking" fees that they can afford to sponsor a one-time-password generator for each of their customers.

BAM. Problem solved.
 
Dig a hole in the back yard to stash your cash...

A fire-proof safe under your bed would be a better option though...

What really ticks me off is that banks take no responsibility for electronic theft, but I have to pay them to keep my money?? How does that work?

There should be insurance against these types of things (I don't think anyone will insure money, but they should!)
 
Banks should shoulder all the burden, especially the big 4. When you consider how much they charge, even for electronic transfers, it's daylight robbery, so screw them, they'd better cover any losses I have.

I quite liked that Standard Bank used to offer customers free McAfee antivirus & firewall. Anyone know why they stopped? I'm sure it's worthwhile for them if the client's PC is well protected. Even if they subsidise anti-virus through bulk buying, that would be okay. If you consider how dorf the average internet user is, it's plain scary. And 1 day without antivirus protection and you'll have 100's of infections. The average person thinks Windows firewall is sufficient to protect their PC. hahaha
 
The average person thinks Windows firewall is sufficient to protect their PC. hahaha

Very true and very scary!! Yet banks do nothing to inform the average Joe on the street..and why would they if there is no law stating that they should....?
 
Yeah - people think a firewall is a holy grail and will stop viruses/trojans etc etc.

Banks in Europe take full responsibility for any money disappearing out of your account due to cyber theft.

OTP is a good step though - FNB used to sell tokens for OTP which they don't do anymore! :(
 
Yeah - people think a firewall is a holy grail and will stop viruses/trojans etc etc.

Banks in Europe take full responsibility for any money disappearing out of your account due to cyber theft.

OTP is a good step though - FNB used to sell tokens for OTP which they don't do anymore! :(

I fully agree. The banks MUST take responsibility for any loss!! They are the ones who've made your account available to you via the internet therefore they must carry the risk!

There was a case last week, where Standard Bank blamed MTN for a "man in the middle" attack whereby the user's SIM card was swapped via a SIM swap at MTN and thus stating that it was MTN's fault that there was a break in their (Standard Bank's) "secure internet" session.

All it points out is that the bank hasn't done its homework regarding the security risk in assuming that SMS, as a transport medium, is "secure" and will only ever be received by the intended recipient.

We've developed a lightweight 2-factor authentication product which runs off any mobile device such as your cellphone and is specifically aimed at combating phishing, key logging software and specifically any "man in the middle" attack!

There's no need for devices such as Digitags or one time passwords being sms'd as your mobile device fulfills both those functions.
 
I fully agree. The banks MUST take responsibility for any loss!! They are the ones who've made your account available to you via the internet therefore they must carry the risk!
So let me get this straight - YOU give away your login credentials and YOUR cellphone number to a criminal (which the bank told you not to do) and now it is the bank's fault that money is missing. Please would you explain the logic of that to me.

There was a case last week, where Standard Bank blamed MTN for a "man in the middle" attack whereby the user's SIM card was swapped via a SIM swap at MTN and thus stating that it was MTN's fault that there was a break in their (Standard Bank's) "secure internet" session.
I suggest you spend some time on Google reading about what a "man in the middle" attack is. The SB-MTN incident was not one of those. Additionally - countermeasures have already been rolled out to curb sim-swap fraud.

We've developed a lightweight 2-factor authentication product which runs off any mobile device such as your cellphone and is specifically aimed at combating phishing, key logging software and specifically any "man in the middle" attack!

There's no need for devices such as Digitags or one time passwords being sms'd as your mobile device fulfills both those functions.
Have you presented your solution to the banks? I think you'll find a problem that not everyone has the latest WAP/J2ME capable phone and the banks are not going to adopt something that they can't apply across their entire customer base.
 
@ Ambo

It sounds like you either work for one of the financial institutions or MTN seeing as you seem to know so much about their countermeasures :rolleyes:

I suggest that you go read the details of the product again and you'll find that no connectivity, of any sort, is used to generate the "GateKey" (OTP). The product is also MIDP 1, 2 and Windows Mobile compliant therefore a vast majority of current cellphones are covered.

Also seeing as you seem to know so much about financial institutions, you probably also know :rolleyes: that when FNB implemented the DigiTags they gave clients an option to make use of it. Those that want to make use of it log in in a different manner. I.e. the "DigiCode", as they call it, gets entered together with the UId and password.
PLUS the client has to pay for the device!! :eek:

Thank you though, for your quick and methodical evaluation of our product and pointing out the non-obvious problem that we've missed over the last 3 years of researching, scoping and development. Much appreciated pal! ;)

An institution has a choice on how to implement any product, compulsory or optional, based on their evaluation of any potential impact on their client base. I'm sure they will make the right decision based on the requirement that best suits their needs!!


So let me get this straight - YOU give away your login credentials and YOUR cellphone number to a criminal (which the bank told you not to do) and now it is the bank's fault that money is missing. Please would you explain the logic of that to me.

The phishing attack happened yes. The user was at fault that I don't deny. BUT at what stage did the user sign his/her money away by stating to the bank that they will NEVER give their cell number out to another party??!?!?! GET REAL MAN!!!!

The bank has chosen an INSECURE mechanism as a cheap TFA implementation and now wants to blame MTN and the user???? At what stage did MTN sign a "security document" of sorts with SB saying they guarantee that

  1. Your cellphone with SIM card will never be stolen?!?! (Is SB going to blame the cellphone thief then?? :D )
  2. They won't mistakenly fall prey to Identity theft and issue a SIM swap to the wrong party?!?!

As stated previously the bank didn't do its homework and ASSUMED that OTP via SMS will always be "secure" and that the intended recipient would only receive it. Assumption is the mother of all ....

I hope you haven't given your cellphone number out to anybody or attached it to your signature in your work/private email.... SB might just blame YOU for YOUR financial loss! ;)

EDIT: Re: your comments about "man in the middle". It was not the best choice of words on my part but was used loosely, and in quotes, to indicate the "middle man" who stole the user's details, as part of the identity theft, to initiate a SIM swap.
 
It sounds like you either work for one of the financial institutions or MTN seeing as you seem to know so much about their countermeasures :rolleyes:
ROTFL :D MTN and the banks... let me add that to the list of companies I apparently work for along with Vodacom and Telkom. :confused:

MIDP 1, 2 and Windows Mobile compliant therefore a vast majority of current cellphones are covered.
Windows Mobile...??? Are you kidding me. It may come to you as a shock but there are still a significant number of phones in circulation that only support voice and sms. And you say no connectivity - how do you load your software then?

when FNB implemented the DigiTags they gave clients an option to make use of it.
DigiTags were far from a runaway success :rolleyes:

The phishing attack happened yes. The user was at fault that I don't deny. BUT at what stage did the user sign his/her money away by stating to the bank that they will NEVER give their cell number out to another party??!?!?!
There is a contradiction there: If the user had not given away their credentials in the first place then there could have been no sim-swap and no fraud. The OTP is an additional check but the primary security of internet banking is still the account number and password/pin and the user cannot blame anyone else if they divulged it.

I admit that the sim-swap issue was a loophole that was not properly considered but it does not negate the responsibility of the user to keep their credentials secure.
 
Windows Mobile...??? Are you kidding me. It may come to you as a shock but there are still a significant number of phones in circulation that only support voice and sms. And you say no connectivity - how do you load your software then?

Ever heard of data cables connected to PCs ??? ;) I'm quite keen to hear where you're getting your statistical data from relating to who has what and how much of it out there??

Obviously relatively newer phones can make use of GPRS / Bluetooth / Wi-Fi etc. to install client side applications. For those that can't, the use of good old data cables works just as well.

My comment around connectivity was more in line with the client application trying to connect to some server/web component. It had nothing to do with installation of software.

And for users who can't run a specific application on their phone for whatever reason...well they simply just choose not to make use of that security feature provided by the relevant institution or upgrade their phone. As simple as that. (see my comments below)

DigiTags were far from a runaway success :rolleyes:

You've totally missed the point in your rushed attempt to reply! I said FNB gives the client an OPTION to make use of whatever technology they (FNB) feel fit to use!! Digitags was an example of such an option.

There is a contradiction there: If the user had not given away their credentials in the first place then there could have been no sim-swap and no fraud.

What a load of rubbish!!! MTN, Telkom, Markhams, City of Cape Town etc etc etc etc have my personal details for various reasons. So you think identity theft only occurs via phishing?? ROTFL :D :D That's very naive.

How secure is your HR department's DB with all your personal details? You think they're the only ones able to access it? What makes you think your details are secure at any other commercial institute which you've provided info to? :eek:
 
It seems the identity theft was an inside job at both STB and MTN sides....just proves my previously stated point about identity theft not only occurring via phishing.
 