SMS passwords not secure, uni finds
(14 November 2007 – Australia) Sending one-time passwords to customers via SMS for internet banking purposes – a method commonly used by Australian banks – is not necessarily a secure means of protecting private customer information, research has found.
Queensland University of Technology (QUT) found that the biggest impediment to technology working successfully – the human beings who use it – also undermined the efficacy of supposedly secure SMS passwords.
QUT found that customers did not notice when the bank account number quoted in the SMS message was not the correct one, an indication that hackers had possibly entered the system.
Simulating hacker-style attacks in tests, QUT found that obvious attacks, where a couple of digits were changed, were successful in 21 percent of cases.
Subtler attacks, where just one digit was altered, were successful 61 percent of the time.