OT: Cellular banking

E.S. Rosenberg esr+linux-il at g.jct.ac.il
Thu Dec 5 23:41:46 IST 2013


MITM is (as far as currently known) only possible if they have a CA
you trust, as far as the lower layer encryption goes:

GSM (2G/GPRS) has been hacked and for all intents and purposes is
unencrypted these days if the person has the right reception
equipment/hack phone.
UMTS (3G/HSPA) has much stronger encryption which afaik has not yet
been cracked, I would expect newer generations (4G/LTE) to be even
more secure, but of course it all stands on whether or not your
provider enables the features/settings, 2G for instance can be made
slightly harder to crack but that is mostly disabled due to legacy
equipment.

Personally I think the main factor in security when dealing with your
bank or any other secure connection is the trust you have in the two
endpoints: yourself and the bank.
Do I trust my computer to still be clean and secure and therefore be
able to notify me of a MITM attack (except when it's being perpetrated
with valid certs, which is a lot harder to begin with).
And do I trust the other side (bank servers), for this we generally
rely on the SSL certificate trust tree, and unless you intend to keep
a hard copy of cert fingerprints to verify and are paranoid enough to
work that way I think we can assume it's okay.

The hops in the middle are (I think) less relevant because unless you
were using some ancient browser that didn't support a strong cypher
AND the bank still allowed weak cyphers all the traffic will be
encrypted sufficiently to make it not economical to attack your
private bank account like that.
(That is the whole point of encryption passing the message between
Alice and Bob without anyone else (Eve) listening being able to
understand the message)

Regards,
Eliyahu - אליהו
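
The "hard copy of cert fingerprints" check mentioned above, written out as an added example (this is not code from the list thread or any bank app). It keeps the normal CA trust tree and hostname validation that `ssl.create_default_context()` gives and adds a pinned SHA-256 fingerprint of the server's leaf certificate on top, failing closed when no pin is on record. The host name `bank.example` and its fingerprint are constructed placeholders, and `PINNED_FINGERPRINTS` is a hypothetical store, not a real one.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin store: hostname -> SHA-256 fingerprint of the DER-encoded leaf cert.
# The entry below is a constructed placeholder, not any real server's fingerprint.
PINNED_FINGERPRINTS = {
    "bank.example": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
                    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
}


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, colon-separated upper-case hex
    (the same format `openssl x509 -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept the fingerprint with or without colons/spaces, any case."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare the cert's fingerprint to the pinned one in constant time."""
    actual = normalize_fingerprint(fingerprint_sha256(der_cert))
    expected = normalize_fingerprint(pinned)
    return hmac.compare_digest(actual, expected)


def check_server_pin(hostname: str, port: int = 443, pins=PINNED_FINGERPRINTS) -> bool:
    """Connect with full CA validation, then additionally require the pinned fingerprint.

    Returns True only if the handshake succeeded AND the leaf cert matches the pin.
    Raises ssl.SSLError if CA validation or the hostname check already fails."""
    pinned = pins.get(hostname)
    if pinned is None:
        return False  # no pin on record: fail closed rather than silently trusting
    ctx = ssl.create_default_context()  # CA trust tree + hostname verification still apply
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_matches(der, pinned)


if __name__ == "__main__":
    # Offline demonstration on a constructed byte string standing in for a DER cert.
    fake_der = b"constructed-bytes-not-a-real-certificate"
    print(fingerprint_sha256(fake_der))
    print(fingerprint_matches(fake_der, fingerprint_sha256(fake_der)))
```

The pin rides on top of the CA check rather than replacing it, so a MITM with a valid cert from a trusted CA (the case called "a lot harder to begin with" above) is caught by the fingerprint mismatch, while an ordinary untrusted cert is still rejected by the library. The cost is operational: the pin breaks when the bank rotates its certificate, so the store needs a refresh path or the check will start failing closed on a legitimate change.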

2013/12/5 Rabin Yasharzadehe <rabin at rabin.io>:
> Bottom line: It's all about trust
>
> Your ISP/Cellular Provider can record and monitor your traffic,
> I'm not sure about MIM - but they can do that if they have the right
> equipment (something like Internet Rimon doing with HTTPS sites)
>
>
>
> On Thu, Dec 5, 2013 at 7:12 PM, Mord Behar <mordbe0 at gmail.com> wrote:
>>
>> Well, we did it. We finally got an Android phone.
>> And of course the second thing my wife asked me was "Can I use this for
>> banking?"
>> We only use the online banking services from within our home network which
>> is (pretty) secure.
>> The real difference between using a mobile phone and using a laptop is that
>> first hop, from the device to the tower. I know that on the laptop it is
>> secure, there are no man in the middle attacks since I control every device
>> on the network (and I'm assuming that from my router to the bank there is no
>> MiM attack either, probably a safe assumption). But what about from the
>> phone to the tower? Are all communications between the phone and the tower
>> encrypted? Are some devices and/or carriers more secure than others? Are
>> some bank's apps more secure than others? How about just using the web
>> interface from a browser?
>> I know that this is only vaguely Linux-related, but I'm sure the people
>> here have the experience, knowledge and insight to help me out.
>> Thanks.
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il at cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>
>
>
>
> --
> Rabin
>
>
