Can future SMS banking scams be avoided?
The security vulnerability of sending sensitive information via SMS was recently highlighted when a Vodacom employee used a dual SIM to intercept banking information which was then used for fraudulent online transactions.
Intercepting the One Time Password (OTP) SMS without the owner knowing about it is where the rogue Vodacom employee came in. The Vodacom employee created a temporary dual SIM, active online for a very short period of time, to intercept the OTP SMS. This OTP was forwarded to a crime syndicate to create a new beneficiary (their own fraudulent banking account) and transfer money to this new beneficiary.
An OTP SMS was previously considered a secure method to transfer information to an online banking client, but one of the security weaknesses of SMS communication came to light with this new scam.
Dr. Pieter Streicher, MD of BulkSMS.com and a WASPA board member, says that he would not recommend sending sensitive information via SMS.
“SMS messages and most emails are not encrypted. This means that malicious employees at network operator or ISP level can potentially read these. SMS is as safe or unsafe as email. I would not recommend ever sending a credit card number or important passwords via SMS or email,” said Streicher.
Streicher believes that the processes which allowed the Vodacom based SMS fraud via the creation of a dual SIM to occur can be improved. “For instance a notification via SMS to the original MSISDN, which requests approval via SMS would prevent this fraud,” said Streicher.
Vodacom indicated that they put measures in place to avoid the reoccurrence of this type of fraud, but would not divulge specific details apart from the fact that it involved additional security.
Stopping SMS scams
Streicher warns that it is very easy to imitate SMS messages, and that organizations and customers must be aware of this. “Let’s take for instance an SMS payment notification. If you receive such a notification, this does not guarantee there is any money paid into your account. Anyone can imitate such a message. Such messages are there for convenience sake, but you should check your account for actual proof of a payment,” Streicher explains.
“Also consider the scenario where a fraudster might imitate your banking login notification via SMS, but replace the bank telephone number with his own. Should you receive this SMS, you might phone the number in the SMS. The fraudster will then pretend to be your bank, and try and obtain your PIN.”
Streicher says that organisations should also remember that SMS messages are not encrypted, and a malicious employee at network level could potentially read this. “It is therefore a bad idea to send sensitive data such as credit card numbers via email and SMS.”
According to Streicher organisations should look critically at all their SMS communications, and consider the risks should these messages be imitated or intercepted. In most cases, the convenience will exceed the risk.
SMS banking scams – give your views