Stolen SIM codes and phone banking – should you be worried?
Why go to the trouble of hacking if you can find an easier method? Why not just pay mobile phone company employees to simply give you the codes that can unlock users’ unique SIM cards? That is what, apparently, has been happening for the last five years in France. The outside crooks paid the inside crooks €3 for each code, and then sold them on to hackers for €30.
The first thing you have to ask is how can this possibly happen in 2010? Security professionals have been shouting for years that the insider is as big a threat as the outside hacker. And we have solutions.
A database activity monitoring system that looks at the rate at which data is taken out of the database would have detected this problem. But it is not enough to have a simple monitoring solution, because access to the database is usually through an application, so you need to be able to maintain end-to-end visibility through all the different tiers. The system should alert on any abnormal amount of data retrieved from the database, and also apply geo-location analysis and alert on an illogical access to the database by a user who should not be accessing the data so many times or retrieving a large number of details in a single session.
Amichai Shulman, CTO, Imperva
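The monitoring Shulman describes, as an added example that is neither the article's nor Imperva's code: it assumes the application tier writes audit records that carry the application user behind each query (not only the shared database account), so the three rules from the quote can be applied end to end. The log lines, table names, caps and countries are all constructed for illustration.

```python
"""Added example, not from the article or from Imperva: end-to-end database
activity monitoring over constructed application-tier audit records.

Each record names the *application* user behind the query rather than only the
shared database account, so per-user volume and geolocation rules can be applied.
All log lines, thresholds, table names and countries are constructed.
"""
import re
from collections import defaultdict

# Constructed audit lines: timestamp, application user, session id, country of
# the client IP, table queried and rows returned.
AUDIT_LOG = [
    "2010-09-01T09:00:01 user=agent17 session=s1 country=FR table=sim_unlock rows=1",
    "2010-09-01T09:00:40 user=agent17 session=s1 country=FR table=sim_unlock rows=1",
    "2010-09-01T09:03:12 user=agent42 session=s2 country=FR table=sim_unlock rows=250",
    "2010-09-01T09:04:02 user=agent42 session=s2 country=FR table=sim_unlock rows=300",
    "2010-09-01T09:05:00 user=agent17 session=s3 country=BR table=sim_unlock rows=1",
    "2010-09-01T09:06:00 user=billing1 session=s4 country=FR table=invoices rows=900",
]

# Assumed caps. A customer-facing agent needs one unlock code per call, so the
# sensitive table gets a tight cap; tables without their own cap get a default.
SESSION_ROW_CAP = {"sim_unlock": 50}
DAILY_ROW_CAP = {"sim_unlock": 200}
DEFAULT_SESSION_CAP = 1000
DEFAULT_DAILY_CAP = 5000
ALLOWED_COUNTRIES = {"FR"}  # where this application's staff are expected to be

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"country=(?P<country>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """Turn one audit line into a dict; reject lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["day"] = rec["ts"][:10]
    return rec


def analyse(lines, allowed=ALLOWED_COUNTRIES):
    """Return alert dicts for the three rules in the quote: abnormal volume in one
    session, abnormal volume per user per day, and access from an implausible
    location. Each alert has rule, user, where and detail keys."""
    alerts = []
    per_session = defaultdict(int)   # (user, session, table) -> rows retrieved
    per_user_day = defaultdict(int)  # (user, day, table) -> rows retrieved

    for rec in map(parse_line, lines):
        if rec["country"] not in allowed:
            alerts.append({"rule": "geo", "user": rec["user"],
                           "where": rec["session"],
                           "detail": f"access from {rec['country']}"})
        per_session[(rec["user"], rec["session"], rec["table"])] += rec["rows"]
        per_user_day[(rec["user"], rec["day"], rec["table"])] += rec["rows"]

    for (user, session, table), rows in per_session.items():
        cap = SESSION_ROW_CAP.get(table, DEFAULT_SESSION_CAP)
        if rows > cap:
            alerts.append({"rule": "session_volume", "user": user,
                           "where": session,
                           "detail": f"{rows} rows from {table} (cap {cap})"})

    # The daily aggregate catches slow extraction spread over many small sessions.
    for (user, day, table), rows in per_user_day.items():
        cap = DAILY_ROW_CAP.get(table, DEFAULT_DAILY_CAP)
        if rows > cap:
            alerts.append({"rule": "user_daily_volume", "user": user,
                           "where": day,
                           "detail": f"{rows} rows from {table} in one day (cap {cap})"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(AUDIT_LOG):
        print(alert["rule"], alert["user"], alert["where"], alert["detail"])
```

On the constructed log this raises three alerts: a geo alert for agent17's session from BR, a session-volume alert for agent42 pulling 550 unlock codes in one session, and a daily-volume alert for the same user. The billing user's 900 invoice rows stay under the default caps, which is the point of setting caps per table rather than one global threshold.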
OK – it shouldn’t have happened. But it did; so there are other questions we need to consider. Mobile phones are increasingly used as authentication devices for mobile banking. Just how serious can this get? I spoke to Jonas Thulin, VP of Sales Engineering at FireID, for his views.
FireID uses mobile phones to provide two-factor authentication to banks, and I asked if the code theft was a worry. “Not for us,” he told me. “It doesn’t affect our customers at all, because we don’t link our application to the SIM card on the phone. To generate the one-time password, we have a shared secret, a seed number, that we store on the phone. This gets encrypted by a PIN number that the user configures when he installs the application. Basically, there simply isn’t enough information on the phone to successfully decrypt the PIN code in order to steal OTPs.
“However, where these thefts can cause problems,” he added, “is where the 2FA isn’t really 2FA at all – but more properly it uses the second factor as an alternative rather than an addition to the first factor. A good example is Google’s new 2FA for Google Apps where the authenticating code is sent to the handset as an SMS message. More worryingly, a lot of banks also still do this. Where this happens, hackers with access to the stolen SIM codes can also get access to bank access codes.”
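The seed-on-phone scheme Thulin describes, as an added example that is not FireID's code: the phone holds the seed only wrapped under a key derived from the user's PIN, and the server holds the cleartext seed and judges the codes. Everything about the construction is assumed, not taken from FireID: HOTP-style truncation of HMAC-SHA1 over a counter (RFC 4226) for the code, PBKDF2-HMAC-SHA256 for the PIN-derived key, a per-install random salt, and the iteration count, lockout threshold and sample PIN.

```python
"""Added example, not FireID's code: a device-side one-time-password generator
whose seed is held only in PIN-wrapped form, beside the server-side verifier.

Assumptions: RFC 4226 HOTP for the code; PBKDF2-HMAC-SHA256 to turn the PIN into
a key; the seed is XORed with a keystream derived from that key and a per-install
random salt. Iteration count, lockout limit and the sample PIN are constructed.
"""
import hashlib
import hmac
import secrets
import struct

SEED_LEN = 20                # HMAC-SHA1 seed length
PBKDF2_ITERATIONS = 100_000  # assumed; tune to the handset's CPU budget


def derive_key(pin, salt):
    """Stretch a short PIN into a 32-byte key; the salt is per installation."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key):
    # A fresh salt per install means this keystream wraps exactly one seed.
    return hmac.new(key, b"seed-wrap", hashlib.sha256).digest()[:SEED_LEN]


def enroll(pin, seed=None, salt=None):
    """Installation: server and phone agree on a seed; the phone keeps only the
    PIN-wrapped form plus the salt and a counter."""
    seed = seed if seed is not None else secrets.token_bytes(SEED_LEN)
    salt = salt if salt is not None else secrets.token_bytes(16)
    ks = _keystream(derive_key(pin, salt))
    wrapped = bytes(a ^ b for a, b in zip(seed, ks))
    return seed, {"salt": salt, "wrapped_seed": wrapped, "counter": 0}


def unwrap_seed(pin, device_record):
    """Any PIN yields *some* 20-byte seed: nothing stored on the phone tells a
    wrong PIN from the right one, so the device data offers no local oracle."""
    ks = _keystream(derive_key(pin, device_record["salt"]))
    return bytes(a ^ b for a, b in zip(device_record["wrapped_seed"], ks))


def hotp(seed, counter, digits=6):
    """RFC 4226 dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def phone_generate_otp(pin, device_record):
    """What the app does when the user types the PIN: unwrap, compute, advance."""
    otp = hotp(unwrap_seed(pin, device_record), device_record["counter"])
    device_record["counter"] += 1
    return otp


class OtpServer:
    """Holds the cleartext seed and is the only party able to judge a code, so
    it, not the phone, enforces the guess limit."""

    def __init__(self, seed, look_ahead=3, max_failures=5):
        self.seed, self.counter = seed, 0
        self.look_ahead, self.max_failures = look_ahead, max_failures
        self.failures, self.locked = 0, False

    def verify(self, otp):
        if self.locked:
            return False
        # Accept a small window of counters in case the phone got ahead.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter, self.failures = c + 1, 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    seed, phone = enroll("2468")
    server = OtpServer(seed)
    print("right PIN accepted:", server.verify(phone_generate_otp("2468", phone)))
    print("wrong PIN accepted:", server.verify(phone_generate_otp("1111", phone)))
```

The design choice worth noting is that the wrap is deliberately unauthenticated: a PIN is short, so if the phone stored anything that let a wrong PIN be recognised locally, a copy of the device data could be used to try PINs offline. Here every PIN decrypts to a plausible seed and the server, with its failure counter, is the only thing that can say which one is right. The SMS-delivered codes in the next paragraph have no such secret on the device at all, which is why they stand or fall with the SIM.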
In short, where the mobile phone authentication mechanism is genuinely two-factor, such as that supplied by FireID, you’ll be OK just so long as the bad guys don’t get hold of both the SIM details and your PIN code. But if your bank simply sends you a text password, then you should be concerned. The moral is that genuine two-factor authentication works; pseudo two-factor authentication falls short.