Can future SMS banking scams be avoided?

but one of the security weaknesses of SMS communication came to light with this new scam
I disagree, it's not SMS that was the weakness here, rather they way cellphones work. Even if the bank had called the number to confirm the addition of a new beneficiary, 99% of people don't dispose of trash well enough and thus a good dumpster dive would reveal Postal Address and ID numbers. So, if that had happened, would we be saying that phone calls are weak too?

SMS messages and most emails are not encrypted. This means that malicious employees at network operator or ISP level can potentially read these.
Comparing SMS directly with email is not quite accurate. Anyone can download an off the shelf product and use it to sniff network traffic. That same 'anyone' can't do the same with SMS. Therefore, the argument that SMS travels over a 'private' network makes it at least a bit more obscured than unencrypted email.

Streicher believes that the processes which allowed the Vodacom based SMS fraud via the creation of a dual SIM to occur can be improved
With social engineering, good dumpster diving and maybe a downloaded facebook photo a savvy fraudster could even create an ID document to prove he is you, walk into a vodashop and get the dual sim right there. So I fail to see the point here too...

I would not recommend ever sending a credit card number or important passwords via SMS or email
Finally something I agree with. BUT, if a company offers a service where you pay with a credit card VIA SMS, it means that it is up to the service provider to protect the credit card data and to protect the customer. IE that company carries the risk, not the credit card holder. Yes, if the credit card number is stolen [in this manner] it's a problem for the customer to cancel it and get a new one but that customer is guarnteed to get his money back because it's a card not present transaction. It is because of these chargebacks that things such Mastercard's SecureCode (3D Secure) and VISA's Verified by Visa exists. Further, if the credit card is compromised and the service provider is not PCI compliant there are HUGE fines to be paid. Thus, while true it's not relevant. There is a market for SMS banking and customers should not fear it just because the MD of some random WASP said you should. Where this is an issue is the fact that the customer could easily send the SMS to the wrong number, which makes stupidity a risk here.

For instance a notification via SMS to the original MSISDN, which requests approval via SMS would prevent this fraud
This is contradicting to what he has already said. The OTP was indeed sent to the original MSISDN, but because it was a DUAL SIM it went to the wrong physical device.

Anyone can imitate such a message.
True, but only true if he means that the faked message would be from a random [incorrect] number. Faking the message and the source number is also possible, but hardly ANYONE could do it...

Also consider the scenario where a fraudster might imitate your banking login notification via SMS, but replace the bank telephone number with his own. Should you receive this SMS, you might phone the number in the SMS. The fraudster will then pretend to be your bank, and try and obtain your PIN
I'm not sure I see the point, this is not SMS specific? This is true for every single form of communication available, encrypted or not. So why blame SMS for this?

SMS messages are not encrypted, and a malicious employee at network level could potentially read this.
Yes, but that malicious employee would need access to the specific back end system. The implications of this statement are huge, because that means you shouldn't trust a bank either, as a malicious employee with the right access could read it there too. In reality all employees are equal. That is, what makes a techie at a bank so special that he/she is so much different from a techie at Vodacom or MTN??...So what's the point then, hide your money under you mattress?

Sorry staff writer, but I do believe you've been fed with a wooden spoon on this one...
 
Last edited:
Nice post Lazy.

Thanks, I'd really like to know the relevance of the MD of BulkSMS.com or a member of the WASPA board in terms of mobile banking. Neither of those organizations even dabble with banking systems or it's standards, nor does having "Dr" as a title make you an expert at everything. This is a publicity stunt, ie, an attempt to get a little light to shine on BulkSMS.com in my view.
 
Last edited:
Thanks, I'd really like to know the relevance of the MD of BulkSMS.com or a member of the WASPA board in terms of mobile banking. Neither of those organizations even dabble with banking systems or it's standards, nor does having "Dr" as a title make you an expert at everything. This is a publicity stunt, ie, an attempt to get a little light to shine on BulkSMS.com in my view.

Please explain. Are you sure?


Standard Bank OTP password sent to me from +27820070230

Longcode (not an MSISDN please *) owner:

Name: Vodacom Service Provider Company (Pty) Ltd


* Longcode and shortcodes belong to networks, MSISDNS belong to users
 
Please explain. Are you sure?
Regarding WASPA, I'm not 100% sure if banking systems fall within their mandate (hence me phrazing the first part as a question) but even if it does their code of conduct would not supersede the financial requirements of such a service.

Admittedly the Dr comment is a bit unfair as I don't know what his qualifications are, my reference point on that is merely his misrepresentation of security and expertise of it based on the article.
 
Last edited:
The biggest FAIL was not SMS or the networks or dodgy employees.

It was FICA.

If FICA was done right none of this would have happened.
 
Regarding WASPA, I'm not 100% sure if banking systems fall within their mandate (hence me phrazing the first part as a question) but even if it does their code of conduct would not supersede the financial requirements of such a service.

Admittedly the Dr comment is a bit unfair as I don't know what his qualifications are, my reference point on that is merely his misrepresentation of security and expertise of it based on the article.

OK, I kinda understand what you intended to say.

But what did catch me out lately is that Standard Bank no longer mask the sender from number and are working through a WASP now. This was before Vodacom implemented their recent ruling that sender from numbers may no longer be manipulated on their network.


This decision had more to do with blocking companies from using international carriers to deliver cheaper MTs (SMSs).
 
OK, I kinda understand what you intended to say.

But what did catch me out lately is that Standard Bank no longer mask the sender from number and are working through a WASP now. This was before Vodacom implemented their recent ruling that sender from numbers may no longer be manipulated on their network.


This decision had more to do with blocking companies from using international carriers to deliver cheaper MTs (SMSs).

I'm not sure about Vodacom 'ruling' that sender numbers may no longer be manipulated since as far as I'm aware they have been against it [almost forver] and blocked you from doing it on SMPP since 2004/05 at least. That's on their network at least, so as far as actually doing it, it's still possible to do [admittedly through a loophole] or, it was last time I checked. Point is, anyone can't do it. You have to know how/what.

The fact that Standard Bank works through a WASP now is slightly concerning, it introduces a third party into the loop which means an additional level of people management. The implications shouldn't be too bad, since it's for confirmation stuff etc and probably also depends on the reputation of the WASP that they are using. There are quite a few dodgy WASPS out there, hehe.
 
I disagree, it's not SMS that was the weakness here, rather they way cellphones work.

SMS is not to blame. It is the processes around the creation of dual SIMs that are.

This is contradicting to what he has already said. The OTP was indeed sent to the original MSISDN, but because it was a DUAL SIM it went to the wrong physical device.

I think he meant the process of creating the dual SIM should at least involve an SMS notification/approval from the original MSISDN.

Yes, but that malicious employee would need access to the specific back end system. The implications of this statement are huge, because that means you shouldn't trust a bank either, as a malicious employee with the right access could read it there too.

Banks could indeed also have malicious employees, but when looking at SMS, the banks need to consider that it is travelling unencrypted via a third party network. Banks can build systems and processes to reduce the risk from their own malicious employees, but have much less control over malicious employes at other companies.
 
No matter what process you think you, or implement, it will either be

1. Too complicated
2. Compromised within a few months
3. Disregarded as being not safe enough.
 
SMS is not to blame. It is the processes around the creation of dual SIMs that are.
No matter what process, it will be possible to fake it given enough effort to do so.

I think he meant the process of creating the dual SIM should at least involve an SMS notification/approval from the original MSISDN.
Maybe, but then he should have said that. I think he is trying to create a false impression to suit his needs.

Banks could indeed also have malicious employees, but when looking at SMS, the banks need to consider that it is travelling unencrypted via a third party network. Banks can build systems and processes to reduce the risk from their own malicious employees, but have much less control over malicious employes at other companies.
Even if this data was encrypted from end-to-end it would have made no difference at all....
In terms of sending your credit card number through on SMS, that's part of the risk that the service provider would have to carry.
 
That is missing the point. FICA should be the final line against any type of online banking scam. They should not be able to obtain bank accounts to transfer the funds to without proper validation. Yet clearly they were able to do that and the next part was easy, get a dodgy technician to wax the SMS part.

Come on, there are people doing online banking over USSD - and that is totally unencrypted. The technology is not to blame here.

FICA failed.
RICA will fail.
 
Top
Sign up to the MyBroadband newsletter
X