Security Research firm says SMS passcodes unreliable for verification


A new report released by NSS Labs, a security research and advisory company, says banks need to be more careful in authenticating online banking customers when using SMS-based passcodes for verification.

Like regular websites such as email and social networks, banks have readily adopted two-factor authentication, in which they send a 4-6 digit code to the user’s registered mobile number to further verify their identity. However, the researchers suggest that it all began when banks started to focus more on online and mobile banking services in recent years, and the hackers followed suit. The hackers are in fact particularly targeting these services with “highly specialized financial malware”, which in turn led the banks to adopt the two-factor authentication method.

Because Android’s open source nature allows anyone to create their own mobile application for users to download, it has become cyber criminals’ favorite mobile OS. Android also occupies the top position today with the largest user base. The report says 99 percent of new mobile malware is targeted at Android. Apple’s iOS remains secure for three reasons: it has far fewer users than Android, every app requires Apple’s approval, and there aren’t many malware developers who specialize in iOS.

The malware mainly targets the financial sector, where transfers of large amounts of money take place. It works like this: the hacker first infects the victim’s desktop machine with malware such as ZitMo (Zeus-in-the-Mobile), SpitMo (Spy-in-the-Mobile) or CitMo (Citadel-in-the-Mobile), which takes information like their contact number, mobile operating system and phone model. This malware works with the Android OS on the user’s phone. The victim is then sent a link on their phone saying it’s a “Security update”; clicking on the link installs the malware on their mobile.

The report suggests banks should try to prevent these attacks from their end by considering discarding SMS-based authentication for something more secure and by using “hardened browsers on mobile devices with unique install keys, certificate based identification, in app encryption, geolocation, and device fingerprinting.”

Users, on the other end, should take sufficient measures on their desktop to prevent such attacks, and on the phone they should check the authenticity of any app before installing it.

Via – PCWorld

Source – NSS Labs (Update Nov 11, 2015: The report by NSS Labs is no longer accessible)

Photo Credit – Ritesh Nayak/Flickr


Darshik Jariwala is an IT professional from Canada, with 3+ years of experience and knowledge in various verticals in the IT industry. In his leisure time, he loves writing blogs, reading, watching movies, occasional photography and, most of all, having coffee with friends.
