A blog on financial markets and their regulation
I am increasingly worried that mobile phones are emerging as the Achilles heel of internet banking.
The most frightening news is the key-logging software installed by the telecom companies on millions of smartphones (hat tip Bruce Schneier). Every keystroke and every received text message is recorded by the Carrier IQ spyware, which logs even what is entered into https web pages that use the Secure Sockets Layer (SSL).
The point is that our mobile is not ours in the same sense that our computer is ours. Our mobile belongs first and foremost to our telecom operator and only secondarily to us. This is true even if the mobile runs an open source operating system – the Carrier IQ spyware runs on Android smartphones. On the other hand, when I use a personal computer on which I have installed (say) Ubuntu Linux and I am careful about what software I install on it, the computer is mine in a very real sense.
Unfortunately, this mobile which is not truly ours is increasingly our passport in the cyberworld. When banks were forced to adopt two factor authentication, they chose the mobile phone as the second authentication tool. Most internet banking transactions today require an additional one time password sent to the registered mobile. This is a problem when nobody else regards the mobile as an important element of a person’s identity.
Consider for example this story from Malaysia (hat tip again to Bruce Schneier). The crooks installed spyware on an online banking kiosk at a bank and retrieved usernames, passwords and even the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users. Then, using fake MyKad, police reports or authorisation letters from the target customers, the crooks reported the customers’ handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies. The only saving grace is that it took six crooks about nine months to steal about $75,000; the fraud is simply not scalable.
But then there are other methods of scaling this up. Professional call centres are emerging whose business is to extract sensitive information needed for bank fraud and identity theft from individuals.