OT: Cellular banking
Oleg Goldshmidt
pub at goldshmidt.org
Fri Dec 6 00:35:39 IST 2013
Mord Behar <mordbe0 at gmail.com> writes:
> The real diference between using a mobile phone and using a laptop is
> that first hop, from the device to the tower. I know that on the
> laptop it is secure, there are no man in the middle attacks since I
> control every device on the network (and I'm assuming that from my
> router to the bank there is no MiM attack either, probably a safe
> assumption).
Is it? Not if you are suitably paranoid. ;-) Just kidding, but see
below.
> But what about from the phone to the tower? Are all communications
> between the phone and the tower encrypted?
Supposedly. However, you cannot be sure that you are actually talking to
your mobile service provider. It *is* possible to spoof a tower - there
are portable devices, "IMSI catchers", that are even available to
consumers, e.g., as signal boosters (at least abroad, not sure about
Israel), see, e.g.,
http://www.theregister.co.uk/2011/07/14/vodafone_femtocell_hack/
http://www.theregister.co.uk/2011/08/09/femtocell_security_fail/
http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/
(I was involved in a bit of a discussion with a friend a couple of days
ago so I have the links handy - not that I follow the state of the art
closely, mind you). I assume that the fact that with 2G the tower does
not even need to authenticate against the handet is irrelevant, but note
that even with 3G-4G spoofing is possible.
This is relevant to your question about MITM between handset and tower n
general, and it may be a privacy problem (e.g., someone may track your
location and/or listen to your calls and/or read your texts), but it is
likely to be IRRELEVANT for your banking - the traffic between your
handset and the bank is hopefully encrypted independently of the
cellular communication protocols, e.g, with SSL (after all, it's
internet traffic). See below.
> Are some devices and/or carriers more secure than others? Are some
> bank's apps more secure than others?
I have no idea.
> How about just using the web interface from a browser?
It's a question of TRUST, obviously. 2 IMHO relevant points follow.
1) You are certainly aware of the fact that things like SSL are based on
a chain of trust rather than on true end-to-end security. It is
entirely conceivable that a major communications provider may have a
rather wide-ranging ability to sign certificates, and may present
your handset with a certificate that the handset will trust, even
though what looks like your bank's site is actually a proxy.
This is not endemic to cellular communications, unless you regard
your mobile service provider as more sinister or more influential (in
terms of getting a wildcard certificate, e.g., for *.co.il) than your
home ISP. It's for you to decide...
2) You also need to trust your handset's browser (or the banking app if
you use one), the mobile OS, and all the other apps to be secure. My
*intuitive* impression at the moment is that the security of, say,
Android+apps (especially if you tend to install random apps) is not
yet at par with the security of a properly maintained Linux system,
but I may be wrong. Personally, I freak out whenever I see a stupid
app demand complete network access as well as complete storage access
even though in my mind it has no legitimate need for either, but
that's just me.
If you decide to trust all of the components mentioned as much as you
trust everything between your home PC and your bank then I suppose you
can feel safe.
--
Oleg Goldshmidt | pub at goldshmidt.org
More information about the Linux-il
mailing list