An Interesting Take On Two-Factor Authentication


(via Bruce Schneier)  Two banks in New Zealand are introducing an interesting form of two-factor authentication.  Looks like anyone who tries to transfer $2,500 or more to a third party bank account via the website will be required to use their new technology.  The system will text message the customer’s cell phone an eight-digit passcode, which will be required to complete the transfer.  Passcodes will expire after three minutes, and users can lower the $2,500 threshold if they would like.

I assume the banks involved have done a study and determined that a good majority of the people banking online with them also use a cell phone.  What I’m curious about is the security of the text message.  Not knowing anything about how the SMS protocol works, I wonder how hard it is for me to intercept a message headed for someone’s phone.  Presumably if I know enough about someone to get their bank username and password, and I’d like to steal more than $2,500, it’d be easy enough for me to try to find their cell phone number.  Another factor is how hard it is to clone a cell phone.  Again, not knowing much about SMS, I’d assume that a cloned phone would be able to intercept any messages sent to the original.

That being said, two-factor authentication is always a big step up from just requiring a username and password, especially since one if not both of those are usually easy to figure out.  It will be interesting to see if this catches on elsewhere.
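To make the mechanism concrete, here is an added example (my own code, not anything the New Zealand banks or Schneier published) of the server-side logic the post describes: a transfer at or above the customer's threshold (default $2,500, lowerable per customer) triggers an eight-digit passcode sent by SMS, the code expires after three minutes, and it is accepted only once and only for the exact transfer it was issued for. The `send_sms` gateway, the `Customer` and `PendingTransfer` structures, the attempt limit and all identifiers are assumptions made for illustration.

```python
"""Transaction-bound SMS passcode issuance and verification (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_DIGITS = 8            # eight-digit passcode, as in the post
CODE_TTL_SECONDS = 180     # codes expire after three minutes
DEFAULT_THRESHOLD = 2500.0 # transfers at or above this need a code
MAX_ATTEMPTS = 3           # assumption: cap guesses on a single code


@dataclass
class PendingTransfer:
    code: str
    amount: float
    to_account: str
    issued_at: float
    attempts: int = 0


@dataclass
class Customer:
    phone: str
    threshold: float = DEFAULT_THRESHOLD          # customer may lower it
    pending: dict = field(default_factory=dict)   # transfer_id -> PendingTransfer


def send_sms(phone: str, text: str) -> None:
    """Stand-in for the carrier gateway (assumption); just prints here."""
    print(f"SMS to {phone}: {text}")


def requires_code(customer: Customer, amount: float) -> bool:
    return amount >= customer.threshold


def begin_transfer(customer, transfer_id, amount, to_account, now=None) -> str:
    """Start a transfer; issue a code only when the amount meets the threshold."""
    now = time.time() if now is None else now
    if not requires_code(customer, amount):
        return "approved"  # below threshold: username/password were enough
    # Cryptographically random, zero-padded to exactly CODE_DIGITS digits.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    customer.pending[transfer_id] = PendingTransfer(code, amount, to_account, now)
    # The message names the transaction so the customer can spot a tampered one.
    send_sms(customer.phone,
             f"Code {code} confirms ${amount:,.2f} to {to_account}; expires in 3 min")
    return "code_required"


def confirm_transfer(customer, transfer_id, amount, to_account,
                     submitted_code, now=None) -> str:
    """Verify a submitted code against the pending transfer it was issued for."""
    now = time.time() if now is None else now
    p = customer.pending.get(transfer_id)
    if p is None:
        return "no_pending"
    if now - p.issued_at > CODE_TTL_SECONDS:
        del customer.pending[transfer_id]
        return "expired"
    # Bind the code to the transaction: a code cannot be replayed against a
    # different amount or recipient.
    if amount != p.amount or to_account != p.to_account:
        del customer.pending[transfer_id]
        return "mismatch"
    p.attempts += 1
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(p.code, submitted_code):
        if p.attempts >= MAX_ATTEMPTS:
            del customer.pending[transfer_id]
            return "locked"
        return "wrong_code"
    del customer.pending[transfer_id]  # single use
    return "approved"


if __name__ == "__main__":
    c = Customer(phone="+64-21-000-0000")  # constructed sample customer
    print(begin_transfer(c, "t1", 3000.0, "12-3456-7890123-00", now=0.0))
    code = c.pending["t1"].code           # in reality read from the phone
    print(confirm_transfer(c, "t1", 3000.0, "12-3456-7890123-00", code, now=60.0))
```

The design choice worth noting is the binding in `confirm_transfer`: because the pending record stores the amount and destination, a code that someone did manage to read off the SMS channel is only good for the transfer the legitimate customer already initiated, which is the point malpingu makes in the comments below about the code being tied to a particular transaction.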

Comments (6)

  1. Neil Kimber says:

    You’d have to clone the phone or steal the owner’s phone. Mobile phone networks only broadcast to the mobile phone in the cell region that the mobile phone is located in (and neighbouring cells). You can’t sniff the GSM packets as they’re encrypted. So, you need the actual phone or a cloned phone.

    In either case it requires a lot more effort than some banks require today. With someone’s account details and mother’s maiden name you could probably transfer a tidy sum.

  2. Shawn says:

    Thanks for the information Neil. So if GSM networks encrypt their SMS messages, presumably with some form of strong encryption, it would seem that that raises the bar even higher. I wonder if CDMA phones do the same, although I believe that outside the United States everyone is pretty much standardized on GSM so the New Zealand banks wouldn’t have to worry about that. Oh, and I agree, this does raise the bar, so it’s definitely a step in the right direction.

    -Shawn

  3. malpingu says:

    GSM and CDMA only encrypt over-the-air messages. Although GSM has been demonstrated to be cracked in real time in a lab environment, it is highly unlikely such techniques would be used to acquire information of such limited value as a one-time passcode needed to authenticate a transaction. Theoretically, intercepting and interrupting delivery of this one-time passcode (on a land-line, prior to over-the-air transmission) may suffice as a denial of service attack, but, in the absence of knowing the account number and password (PIN), that is about the extent to which its disclosure poses any problem since it is bound to a particular transaction (which, presumably, the valid user intends). Of course, if an adversary already has the account number and PIN (or can hijack a secure web session), then this one-time code might be of some value to support impersonation and fabrication of transactions, but the likelihood of such a coordinated attack (let alone its success) is much lower with this added security measure.

  4. Shawn says:

    That a GSM message could be cracked in a lab is most likely mitigated by the fact that there’s only a three minute window that the passcode is valid within. If it takes more than three minutes to crack the message, then the resulting passcode is useless.

    Again, that assumes that the GSM encryption standard is strong, and not easily broken.

    Denial of service isn’t as big a deal here, since during normal business hours, the customer could presumably call the bank and do the transfer over the phone. However, if you do need to transfer $2,500 on a Sunday evening, the DOS would become more of an issue.

    -Shawn

  5. An Interesting Take On Two-Factor Authentication Surely there’s a better way to introduce 2-factor security? I mean many web-forums that I join have a limited version of it…….