An Interesting Take On Two-Factor Authentication

(via Bruce Schneier)   Two banks in New Zealand are introducing an interesting form of two-factor authentication.  Looks like anyone who tries to transfer $2,500 or more to a third party bank account via the website will be required to use their new technology.  The system will text message the customer's cell phone an eight-digit passcode, which will be required to complete the transfer.  Passcodes will expire after three minutes, and users can lower the $2,500 threshold if they would like.
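As an added illustration (not code from the banks or from the post), the server-side bookkeeping such a step-up implies: an eight-digit code from a CSPRNG, a three-minute lifetime, a $2,500 default threshold that a customer may only lower, and a code that is bound to one amount and payee and usable once. The class names, the injectable clock and the three-attempt limit are my assumptions; the post says nothing about retry limits.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
DEFAULT_THRESHOLD = 2500.00  # bank-wide default named in the post
CODE_TTL_SECONDS = 180       # passcodes expire after three minutes
CODE_DIGITS = 8
MAX_ATTEMPTS = 3             # assumption: the post does not say how many tries are allowed

@dataclass
class PendingTransfer:
    code: str
    issued_at: float
    amount: float
    destination: str
    attempts: int = 0

class TransferGuard:
    """Hypothetical server-side bookkeeping for the SMS step-up; not the banks' code."""
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so expiry can be tested
        self.thresholds = {}  # customer -> lowered threshold
        self.pending = {}     # customer -> PendingTransfer awaiting a passcode

    def set_threshold(self, customer, amount):
        # Customers may lower their threshold but not raise it past the bank default.
        self.thresholds[customer] = min(float(amount), DEFAULT_THRESHOLD)

    def start_transfer(self, customer, amount, destination):
        """Return the passcode to deliver by SMS, or None when no step-up applies."""
        if amount < self.thresholds.get(customer, DEFAULT_THRESHOLD):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, zero-padded
        self.pending[customer] = PendingTransfer(code, self.clock(), amount, destination)
        return code

    def complete_transfer(self, customer, amount, destination, supplied):
        """True only if a live, unused code matches for this exact amount and payee."""
        pt = self.pending.get(customer)
        if pt is None:
            return False
        if self.clock() - pt.issued_at > CODE_TTL_SECONDS:
            del self.pending[customer]  # expired: a fresh code must be issued
            return False
        ok = (hmac.compare_digest(pt.code, supplied)  # constant-time comparison
              and pt.amount == amount and pt.destination == destination)
        pt.attempts += 1
        if ok or pt.attempts >= MAX_ATTEMPTS:
            del self.pending[customer]  # single use; also burned after repeated failures
        return ok
```

Binding the code to the amount and payee means a code phished or intercepted for one transfer cannot be replayed to authorise a different one, which is the property the SMS channel alone does not give you.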

I assume the banks involved have done a study and determined that a good majority of the people banking online with them also use a cell phone.  What I'm curious about is the security of the text message.  Not knowing anything about how the SMS protocol works, I wonder how hard it is for me to intercept a message headed for someone's phone.  Presumably if I know enough about someone to get their bank username and password, and I'd like to steal more than $2,500, it'd be easy enough for me to try to find their cell phone number.  Another factor is how hard it is to clone a cell phone.  Again, not knowing much about SMS, I'd assume that a cloned phone would be able to intercept any messages sent to the original.

That being said, two-factor authentication is always a big step up from just requiring a username and password, especially since one, if not both, of those are usually easy to figure out.  It will be interesting to see if this catches on elsewhere.