Mobile Phone SMS Authentication Hack Vulnerability Overstated

Swivel Secure : 22 July, 2011  (Technical Article)
Swivel Secure comments on Zitmo, the mobile component of the Zeus banking Trojan, which can infect Android devices used for SMS-based two-factor authentication.
Recent reports that every authentication scheme relying on SMS text messages is at risk from a new variant of Zeus, a banking Trojan whose mobile component infects common phone platforms, have been dismissed as overstated by Swivel Secure’s VP of Technology, Chris Russell.

Whilst Russell accepts that the new variant, ‘Zitmo’, built to target Android devices, can forward an SMS authentication code to a remote, attacker-controlled server, he rejects the suggestion that all mobile phone based authentication systems are vulnerable to this type of attack.

“Unlike other technologies that involve the user receiving the login credential via SMS, PINsafe delivers a random security string which needs a fixed PIN to generate the response. At no time during the process is the user asked to enter their personal PIN, so it is never transmitted either by SMS or over the Internet and cannot be intercepted by any digital eavesdropper, rendering the Trojan ineffective.”

PINsafe uses a simple, patented protocol to generate a one-time code (OTC) for each login session. Ahead of the login, the user is sent a random alphanumeric security string as a text message to their phone. That string is not what the user sends back to the server: the user combines it with a fixed PIN, known only to them and to the server, to produce the OTC. The string on its own is therefore of no use to an attacker who does not also know the PIN. The security string travels over the mobile network and the OTC is returned over an SSL link to the server, so the two halves of the credential cross different channels and intercepting the SMS alone does not yield a usable login.

“This is one of our key differentiators,” added Richard H Harris, MD at Swivel Secure. “There are a number of copycat systems that use SMS as part of the process; typically the user is sent a code that they then simply return to prove their identity. Of course it only proves that the person has the phone at the time of the login and yes, the code can be intercepted en route from the client to the server, in which case the reports would be right to say that the Zeus worm is a potential threat. This is not how PINsafe works.”
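The two paragraphs above contrast a plain SMS code, which is the credential itself, with a security string that only becomes a credential once combined with a PIN the user never sends. The following Python model is an added example and is not Swivel's PINsafe code: the page does not specify how the string and PIN are combined, so the position-index rule in `derive_otc()` (PIN digit d picks the d-th character of a 10-digit string) is an assumption chosen for illustration, as are the user names, PINs and the constructed SMS bodies. The model shows why an interceptor holding only the SMS string has nothing to submit, that a consumed string cannot be replayed, and, as a caveat that follows from the assumed rule rather than from anything the page says about PINsafe, that an attacker who captures both the SMS string and the OTC typed into the browser can narrow the PIN down from a single observed pair.

```python
"""Model of an SMS security-string + fixed-PIN login.

Added example, not Swivel's PINsafe code. The page says only that the server
sends a random string by SMS and that the user combines it with a PIN that is
never transmitted. The position-index rule in derive_otc() is an ASSUMPTION
made for illustration, as are the user names, PINs and SMS bodies below.
"""
import hmac
import secrets

STRING_LEN = 10
DIGITS = "0123456789"


def make_security_string(length=STRING_LEN):
    """Server side: the random string that goes out over the SMS channel."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def derive_otc(security_string, pin):
    """Computed by the user (mentally) and by the server. Assumed rule: PIN
    digit d selects the d-th character of the string (1-based, 0 selects the
    10th). The PIN itself never crosses the SMS or the web channel."""
    if len(security_string) != STRING_LEN or not pin.isdigit():
        raise ValueError("security string must be 10 digits, PIN numeric")
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


class AuthServer:
    """Holds PINs and at most one unused security string per user."""

    def __init__(self):
        self._pins = {}      # user -> PIN, stored server side only
        self._pending = {}   # user -> string sent by SMS, not yet consumed

    def enrol(self, user, pin):
        self._pins[user] = pin

    def issue_string(self, user, security_string=None):
        """Create (or, for a deterministic walk-through, accept) the string
        and 'send' it by SMS. The return value is all an SMS interceptor sees."""
        s = security_string or make_security_string()
        self._pending[user] = s
        return s

    def verify(self, user, otc):
        """Check the OTC the user typed over the web (TLS) channel. The string
        is consumed on first use, so a replayed OTC fails."""
        s = self._pending.pop(user, None)
        if s is None or user not in self._pins:
            return False
        return hmac.compare_digest(derive_otc(s, self._pins[user]), otc)


def candidate_pins(observed_pairs, pin_len):
    """What an attacker learns about the PIN under the assumed rule if they
    capture BOTH the SMS string and the OTC entered in the browser.
    Returns, per PIN position, the digits consistent with every pair."""
    cands = [set(DIGITS) for _ in range(pin_len)]
    for s, otc in observed_pairs:
        for i, ch in enumerate(otc[:pin_len]):
            cands[i] &= {d for d in DIGITS if s[(int(d) - 1) % STRING_LEN] == ch}
    return cands


def demo():
    """Constructed walk-through with a fixed string so the results are stable."""
    srv = AuthServer()
    srv.enrol("alice", "1234")                       # assumed user and PIN
    sms = srv.issue_string("alice", "3847029615")    # constructed SMS body
    otc = derive_otc(sms, "1234")                    # user does this in their head
    first = srv.verify("alice", otc)                 # accepted
    replay = srv.verify("alice", otc)                # same OTC again: rejected
    # Interceptor with the SMS alone: every 4-digit PIN is still possible,
    # so there is no single OTC to submit.
    sms_only = candidate_pins([], 4)
    # Interceptor with the SMS plus the typed OTC: one pair pins it down here,
    # because this particular string has no repeated digits.
    both = candidate_pins([(sms, otc)], 4)
    return {"otc": otc, "first": first, "replay": replay,
            "sms_only": sms_only, "both": both}


if __name__ == "__main__":
    print(demo())
```

The design point is in `verify()`: the server never receives the PIN, only the OTC over the web channel, and it pops the pending string so a captured OTC is dead after one use. The `candidate_pins()` helper is the practitioner's check on the "of no use to the hacker" claim: it holds for an attacker who sees only the SMS channel, and the strength of any such scheme rests on the OTC channel staying out of the attacker's reach as well.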

Mobile two-factor authentication is rapidly becoming the preferred option for authorising access to corporate networks and web applications, replacing legacy systems that require a separate token device. Swivel pioneered enterprise-class, SMS-based authentication with the launch of PINsafe in 2003 and has since built a global client base of hundreds of thousands of individual users across a wide range of industry sectors. Current clients include global brands and multinational businesses as well as SMEs.

   © 2012 ProSecurityZone.com