Ding! Your phone is now your wallet.
Tuesday February 27, 2007 at 3:31 am CST
Posted by Jimmy Shah
Recently we at McAfee Avert Labs have been looking into mobile payment security.
Currently many people who work overseas use money transfer services to send money home. Usually they need to go into a local office and fill out a form, and the fees involved tend to be high: they can be as much as a quarter of the money sent. There is an alternative though: let them send the money via their mobile phone. No forms, no office, and much lower fees.
The Philippines has a large number of citizens overseas who send money home, and it already has a mobile money transfer service. Users can send amounts to other people using their phones. The recipient gets a confirmation number via SMS. Getting the cash does require going down to a center and presenting the confirmation number.
How it works

1. Blue sends money to his mother Green. Mother Green receives a confirmation SMS.
2. Mother Green presents the SMS to her local money transfer center and receives the money.
This is a pretty good system, where not much can go wrong. The transfer network is secure enough; the only real risk is at the endpoints, and it is the recipients of the money transfers who are potentially open to attack. The SMS money transfer services ensure that money is delivered safely to the recipient by having them sign up for an account. When a recipient doesn't yet have an account, the SMS also carries an account number, which they need in order to sign up for an account and retrieve the money.
What can go wrong

1. Mother Green is expecting money from her son. Bad Mr. Red has received a copy of the confirmation SMS from Mobispy.
2. Mr. Red steals Mother Green’s money.
Anybody holding the SMS with the account number could sign up for the account and get the money. An attacker could steal your mobile, sign up for the account and pick up your money. Alternatively, they could install snoopware such as Mobispy, Acallno, or Mopifeli on your phone, which sends them a copy of your incoming SMS messages. Then they can just wait for the transfer SMS to arrive and take their copy to the center before you.
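The flow and the attack described above, modelled as an added example (my code for this post, not McAfee's and not any real operator's system). The point it makes concrete is that the confirmation number and account number in the SMS are bearer tokens: the cash-out center pays whoever presents them first, so a copy obtained by snoopware is as good as the original. The phone numbers, the SMS wording, the PHP 5000 amount and the account-number format are all constructed for the illustration.

```python
"""Toy model of an SMS money-transfer service and the snoopware attack on it.
Added example for this post; the operator back end, message format and
phone numbers are assumptions made up for the illustration."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Transfer:
    amount: int
    recipient_phone: str
    confirmation_no: str
    account_no: Optional[str]           # issued only when the recipient has no account yet
    redeemed_by: Optional[str] = None   # phone of whoever collected the cash, if anyone


class TransferService:
    """Hypothetical operator back end plus the SMS network it sends through."""

    def __init__(self) -> None:
        self.transfers: Dict[str, Transfer] = {}
        self.accounts: Dict[str, str] = {}         # account_no -> phone that signed up
        self.inboxes: Dict[str, List[str]] = {}    # phone -> received SMS texts
        self.sms_forwards: Dict[str, str] = {}     # victim phone -> attacker phone (snoopware)

    def _deliver_sms(self, phone: str, text: str) -> None:
        self.inboxes.setdefault(phone, []).append(text)
        # Snoopware such as Mobispy silently hands a copy of incoming SMS to a third party.
        if phone in self.sms_forwards:
            self.inboxes.setdefault(self.sms_forwards[phone], []).append(text)

    def has_account(self, phone: str) -> bool:
        return phone in self.accounts.values()

    def send(self, amount: int, recipient_phone: str) -> str:
        """Sender's side: record the transfer and notify the recipient by SMS."""
        confirmation_no = secrets.token_hex(4).upper()
        account_no = None if self.has_account(recipient_phone) else "ACCT-" + secrets.token_hex(3).upper()
        self.transfers[confirmation_no] = Transfer(amount, recipient_phone, confirmation_no, account_no)
        text = f"You received PHP {amount}. Confirmation {confirmation_no}."
        if account_no:
            text += f" Sign up with account {account_no} to claim."
        self._deliver_sms(recipient_phone, text)
        return confirmation_no

    def claim(self, confirmation_no: str, presenter_phone: str,
              account_no: Optional[str] = None) -> str:
        """Cash-out center: the first presenter of a valid confirmation gets paid."""
        t = self.transfers.get(confirmation_no)
        if t is None:
            return "unknown confirmation"
        if t.redeemed_by is not None:
            return "already redeemed"
        if t.account_no is not None:
            # Sign-up is keyed on the account number printed in the SMS, not on
            # who the recipient is, so anyone holding the SMS can complete it.
            if account_no != t.account_no:
                return "account number required"
            self.accounts[account_no] = presenter_phone
        t.redeemed_by = presenter_phone
        return "paid"


SMS_PATTERN = re.compile(r"Confirmation (\w+)\.(?: Sign up with account (\S+) to claim\.)?")


def parse_transfer_sms(text: str) -> Tuple[str, Optional[str]]:
    """Pull the confirmation and optional account number out of a captured SMS."""
    m = SMS_PATTERN.search(text)
    if m is None:
        raise ValueError("not a transfer SMS")
    return m.group(1), m.group(2)


def run_scenario(snoopware_installed: bool = True) -> Tuple[Optional[str], str]:
    """Blue sends to Mother Green; Mr. Red races her to the center if he has a copy."""
    svc = TransferService()
    green, red = "+63-GREEN", "+63-RED"        # constructed numbers
    if snoopware_installed:
        svc.sms_forwards[green] = red          # Red's snoopware on Green's phone
    svc.send(5000, green)
    red_result = None
    if red in svc.inboxes:                     # Red only has a copy if the snoopware delivered one
        conf, acct = parse_transfer_sms(svc.inboxes[red][-1])
        red_result = svc.claim(conf, red, acct)      # Red gets to the center first
    conf, acct = parse_transfer_sms(svc.inboxes[green][-1])
    green_result = svc.claim(conf, green, acct)      # Green arrives second
    return red_result, green_result


if __name__ == "__main__":
    print(run_scenario())                          # ('paid', 'already redeemed')
    print(run_scenario(snoopware_installed=False)) # (None, 'paid')
```

Nothing in the center's check distinguishes Mother Green from Mr. Red; the only thing that decides who is paid is who turns up with the numbers first, which is exactly why a stolen phone or a snoopware copy is enough.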
One can avoid such an attack in a number of ways:
- Try never to let your phone out of your hand, and always use a PIN code when switching on your phone.
- Avoid installing unknown or untrusted software (on all types of phones); such software is sometimes used to install snoopware.
- Ask your Mobile Operator/Carrier what they are doing for you to protect your mobile communication.

February 28th, 2007 at 2:54 am
Very interesting. Obviously the way to go, and I am encouraged that I do use a PIN on my mobile. I will encourage others in my organisation to make sure they do as well, but now I need to find out more about Mobispy!