The use of SMS authentication to access Web banking services fails to protect people from hackers and fraud, according to research conducted by The Queensland University of Technology (QUT) in Australia which found that human error remains one of the biggest risk factors.
The QUT found that the SMS authentication system - where one-time passwords are sent to a customer's phone for each transaction which the user then has to manually copy to their computer - works from a technical perspective.
But when QUT set up a simulated online bank and asked participants to conduct transactions with an SMS authorisation code, they failed to notice when the bank account number in the SMS message was not the same as the intended number - a sign that hackers have infiltrated the system.
Mohammed AlZomai, from QUT's Information Security Institute, says he simulated two types of attacks - an obvious one where five or more digits in the account number were altered and a stealthy version where only one digit was changed.
The obvious attacks were successful in 21% of cases, and the stealthy attacks fooled 61% of people, he says.
"This is a strong indication that the SMS transaction authorisation method is vulnerable," says AlZomai. "According to our study only 79% of users would be able to avoid realistic attacks, which represents an inadequate level of security for online banking."
National Australia Bank and St George Bank both offer SMS-based two-factor authentication as an optional security mechanism to all online banking customers.
Recently Bank of America introduced a service, called SafePass, where customers receive a single-use six-digit code in an SMS text message to authorise online transactions.
However, in the UK most banks are avoiding SMS systems in favour of a programme, backed by payments association Apacs, to roll out hand-held chip and PIN devices to Internet banking customers.