
An Interesting Take On Two-Factor Authentication

(via Bruce Schneier) Two banks in New Zealand are introducing an interesting form of two-factor authentication. Anyone who tries to transfer $2,500 or more to a third-party bank account via the website will be required to use their new technology. The system will text message the customer's cell phone an eight-digit passcode, which will be required to complete the transfer. Passcodes will expire after three minutes, and users can lower the $2,500 threshold if they would like.

I assume the banks involved have done a study and determined that a good majority of the people banking online with them also use a cell phone. What I'm curious about is the security of the text message. Not knowing anything about how the SMS protocol works, I wonder how hard it is for me to intercept a message headed for someone's phone. Presumably, if I know enough about someone to get their bank username and password, and I'd like to steal more than $2,500, it'd be easy enough for me to find their cell phone number. Another factor is how hard it is to clone a cell phone. Again, not knowing much about SMS, I'd assume that a cloned phone would be able to intercept any messages sent to the original.

That being said, two-factor authentication is always a big step up from just requiring a username and password, especially since one if not both of those are usually easy to figure out. It will be interesting to see if this catches on elsewhere.

Comments

  • Anonymous
    November 29, 2004
    You'd have to clone the phone or steal the owner's phone. Mobile phone networks only broadcast to the mobile phone in the cell region that the mobile phone is located in (and neighbouring cells). You can't sniff the GSM packets as they're encrypted. So, you need the actual phone or a cloned phone.
    In either case it requires a lot more effort than some banks require today. With someone's account details and mother's maiden name you could probably transfer a tidy sum.
  • Anonymous
    November 29, 2004
    Thanks for the information, Neil. So if GSM networks encrypt their SMS messages, presumably with some form of strong encryption, it would seem that that raises the bar even higher. I wonder if CDMA phones do the same, although I believe that outside the United States everyone is pretty much standardized on GSM, so the New Zealand banks wouldn't have to worry about that. Oh, and I agree, this does raise the bar, so it's definitely a step in the right direction.

    -Shawn
  • Anonymous
    November 30, 2004
    Surely there's a better way to introduce 2-factor security? I mean many web-forums that I join have a limited version of it...