but one of the security weaknesses of SMS communication came to light with this new scam
I disagree, it's not SMS that was the weakness here, rather they way cellphones work. Even if the bank had called the number to confirm the addition of a new beneficiary, 99% of people don't dispose of trash well enough and thus a good dumpster dive would reveal Postal Address and ID numbers. So, if that had happened, would we be saying that phone calls are weak too?
SMS messages and most emails are not encrypted. This means that malicious employees at network operator or ISP level can potentially read these.
Comparing SMS directly with email is not quite accurate. Anyone can download an off the shelf product and use it to sniff network traffic. That same 'anyone' can't do the same with SMS. Therefore, the argument that SMS travels over a 'private' network makes it at least a bit more obscured than unencrypted email.
Streicher believes that the processes which allowed the Vodacom based SMS fraud via the creation of a dual SIM to occur can be improved
With social engineering, good dumpster diving and maybe a downloaded facebook photo a savvy fraudster could even create an ID document to prove he is you, walk into a vodashop and get the dual sim right there. So I fail to see the point here too...
I would not recommend ever sending a credit card number or important passwords via SMS or email
Finally something I agree with. BUT, if a company offers a service where you pay with a credit card VIA SMS, it means that it is up to the service provider to protect the credit card data and to protect the customer. IE that company carries the risk, not the credit card holder. Yes, if the credit card number is stolen [in this manner] it's a problem for the customer to cancel it and get a new one but that customer is guarnteed to get his money back because it's a card not present transaction. It is because of these chargebacks that things such Mastercard's SecureCode (3D Secure) and VISA's Verified by Visa exists. Further, if the credit card is compromised and the service provider is not PCI compliant there are HUGE fines to be paid. Thus, while true it's not relevant. There is a market for SMS banking and customers should not fear it just because the MD of some random WASP said you should. Where this is an issue is the fact that the customer could easily send the SMS to the wrong number, which makes stupidity a risk here.
For instance a notification via SMS to the original MSISDN, which requests approval via SMS would prevent this fraud
This is contradicting to what he has already said. The OTP was indeed sent to the original MSISDN, but because it was a DUAL SIM it went to the wrong physical device.
Anyone can imitate such a message.
True, but only true if he means that the faked message would be from a random [incorrect] number. Faking the message and the source number is also possible, but hardly ANYONE could do it...
Also consider the scenario where a fraudster might imitate your banking login notification via SMS, but replace the bank telephone number with his own. Should you receive this SMS, you might phone the number in the SMS. The fraudster will then pretend to be your bank, and try and obtain your PIN
I'm not sure I see the point, this is not SMS specific? This is true for every single form of communication available, encrypted or not. So why blame SMS for this?
SMS messages are not encrypted, and a malicious employee at network level could potentially read this.
Yes, but that malicious employee would need access to the specific back end system. The implications of this statement are huge, because that means you shouldn't trust a bank either, as a malicious employee with the right access could read it there too. In reality all employees are equal. That is, what makes a techie at a bank so special that he/she is so much different from a techie at Vodacom or MTN??...So what's the point then, hide your money under you mattress?
Sorry staff writer, but I do believe you've been fed with a wooden spoon on this one...