Prof. Jayanth R. Varma's Financial Markets Blog

Prof. Jayanth R. Varma's Financial Markets Blog, A Blog on Financial Markets and Their Regulation

© Prof. Jayanth R. Varma




Tue, 06 Dec 2011

Mobile phones as Achilles heel of internet banking

I am increasingly worried that mobile phones are emerging as the Achilles heel of internet banking.

The most frightening news is the key logging software installed by the telecom companies on millions of smartphones (hat tip Bruce Schneier). Every key stroke and every received text message is recorded by the Carrier IQ spyware, which captures even what is typed into https web pages that use the secure socket layer (SSL): the logging happens on the handset, before anything is encrypted, so the transport encryption offers no protection against it.

The point is that our mobile is not ours in the same sense that our computer is ours. Our mobile belongs first and foremost to our telecom operator and only secondarily to us. This is true even if the mobile runs an open source operating system – the Carrier IQ spyware runs on Android smartphones. On the other hand, when I use a personal computer on which I have installed (say) Ubuntu Linux and I am careful about what software I install on it, the computer is mine in a very real sense.

Unfortunately, this mobile which is not truly ours is increasingly our passport in the cyberworld. When banks were forced to adopt two factor authentication, they chose the mobile phone as the second authentication tool. Most internet banking transactions today require an additional one time password sent to the registered mobile. This is a problem because nobody else, least of all the telecom operator that issues the SIM, treats the mobile number as an important element of a person's identity.

Consider for example this story from Malaysia (hat tip again to Bruce Schneier). The crooks installed spyware on an online banking kiosk at a bank and retrieved usernames, passwords and even the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users. Then, using fake MyKad, police reports or authorisation letters from the target customers, the crooks reported the customers' handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies. The only saving grace is that it took six crooks about nine months to steal about $75,000; the fraud is simply not scalable.
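
The failure in the Malaysian case is that the bank's one-time password is addressed to a phone number, while the telecom operator delivers it to whichever SIM currently holds that number. The following is an added example, not code from the original post or from any bank or telecom operator: a toy model of the flow above, replayed once against a bank that sends the OTP unconditionally and once against a bank that holds transactions when the SIM behind the registered number was re-issued recently. The class and function names, the seven-day threshold, the phone number and the dates are all assumptions for illustration.

```python
"""Toy model of SMS one-time-password authorisation and a SIM-swap check.

Added example for this post, not code from the original or from any bank or
telco. The bank addresses the OTP to a *number*; the telco delivers it to
whichever SIM currently holds that number, which is what the fraud exploited.
All names, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


@dataclass
class SimRecord:
    sim_id: str
    issued_at: datetime


class Telco:
    """Maps phone numbers to SIM cards and delivers SMS to the current SIM."""

    def __init__(self) -> None:
        self.numbers: dict[str, SimRecord] = {}
        self.inbox: dict[str, list[str]] = {}

    def activate(self, number: str, sim_id: str, when: datetime) -> None:
        self.numbers[number] = SimRecord(sim_id, when)
        self.inbox.setdefault(sim_id, [])

    def reissue(self, number: str, new_sim_id: str, when: datetime) -> None:
        # A "lost phone" report backed by forged documents ends here: the
        # number moves to a new SIM and the old handset goes silent.
        self.activate(number, new_sim_id, when)

    def send_sms(self, number: str, text: str) -> str:
        sim = self.numbers[number].sim_id
        self.inbox[sim].append(text)
        return sim

    def sim_issued_at(self, number: str) -> datetime:
        return self.numbers[number].issued_at


class Bank:
    """Issues one OTP per transaction and checks it on submission."""

    def __init__(self, telco: Telco, sim_swap_check: bool,
                 min_sim_age: timedelta = timedelta(days=7)) -> None:
        self.telco = telco
        self.sim_swap_check = sim_swap_check
        self.min_sim_age = min_sim_age  # assumed threshold
        self.registered: dict[str, str] = {}
        self.pending: dict[str, str] = {}

    def register_mobile(self, customer: str, number: str) -> None:
        self.registered[customer] = number

    def request_otp(self, customer: str, amount: int, now: datetime) -> str:
        number = self.registered[customer]
        if self.sim_swap_check and now - self.telco.sim_issued_at(number) < self.min_sim_age:
            # Assumed control: a freshly re-issued SIM is an unverified
            # channel, so the transaction is held rather than authorised.
            return "held_for_review"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[customer] = otp
        self.telco.send_sms(number, f"OTP {otp} for transfer of {amount}")
        return "otp_sent"

    def authorise(self, customer: str, otp: str) -> str:
        expected = self.pending.pop(customer, None)
        if expected is not None and secrets.compare_digest(expected, otp):
            return "approved"
        return "rejected"


def run_sim_swap(sim_swap_check: bool) -> dict:
    """Replay the SIM-swap fraud against a bank with or without the age check."""
    number = "+60-12-345-6789"  # constructed sample number
    telco = Telco()
    telco.activate(number, "SIM-VICTIM", datetime(2011, 1, 5))
    bank = Bank(telco, sim_swap_check)
    bank.register_mobile("victim", number)

    # Crooks report the phone lost and obtain a replacement SIM for the number.
    telco.reissue(number, "SIM-CROOK", datetime(2011, 12, 1))

    # With the username and password stolen from the kiosk they start a transfer.
    status = bank.request_otp("victim", 5000, datetime(2011, 12, 2))
    if status != "otp_sent":
        return {"status": status, "otp_seen_by": [], "result": "not_attempted"}

    # The OTP lands in the crook's inbox; the victim's handset receives nothing.
    seen_by = [sim for sim, msgs in telco.inbox.items() if msgs]
    otp = telco.inbox["SIM-CROOK"][-1].split()[1]
    return {"status": status, "otp_seen_by": seen_by, "result": bank.authorise("victim", otp)}
```

Without the check, `run_sim_swap(False)` reports the OTP delivered only to `SIM-CROOK` and the transfer approved; with it, `run_sim_swap(True)` holds the transaction before any OTP is sent. The check only works if the bank can actually learn when the SIM behind a number was last replaced, which requires cooperation from the telecom operator; the point of the post is precisely that operators do not treat that event as security-relevant.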

But then there are other methods of scaling this up. Professional call centres are emerging whose business is to extract sensitive information needed for bank fraud and identity theft from individuals.

Posted at 20:19 on Tue, 06 Dec 2011     2 comments


Life Insurance Policy wrote on Wed, 07 Dec 2011 17:53


Yes, mobile has really added an additional value in internet marketing.

Aaditya wrote on Fri, 02 Mar 2012 16:30

Re: Mobile phones as Achilles heel of internet banking

I agree to a certain extent. However, the points that you mentioned are nothing more than the mere downside of a potentially brilliant idea to reach the unbanked in India... device/network level security risks may be a negative externality... but then banking is all about, as Bruce Schneier puts it in his new book Liars and Outliers, "Security exists to facilitate trust. Trust is the goal, and security is how we enable it."