Turkcell, Turkey's largest mobile phone operator, recently announced its plan to roll out "signatures" on all its mobile phones. Here's what the article "Turkey Starts World's Largest Mobile Signature Rollout" published in cellular-news.com says:
"For instance, the subscriber can access a banking site from their mobile phone, home PC or an Internet café, and enter their customer ID to login or conduct a transaction. The bank then sends an authentication request that prompts the user to enter the secret code they chose when they activated the mobile signature service, using their GSM phone. The SIM card then checks the secret code, creates the digital signature and sends it back to the bank to enable the corresponding transaction on the banking account."
"What makes this Gemalto mobile signature solution more secure is that it relies on something you own (the private key of your digital signature that is securely carried on the SIM card) and something you know (the secret code)."
"'Ease of use and security were critical when we decided to implement our m-signature program,' commented Cenk Serdar, chief executive for value added services, Turkcell. 'We wanted to spare our subscribers the hassle of buying and setting up a smart card reader and carrying an extra smartcard to perform secure online transactions with qualified digital signatures. The Gemalto solution transforms the handset into a highly secure digital signature creation device they feel familiar with.'"
All of this security is wonderful, but it won't stop a man-in-the-middle attack. Using either an SMS message or an email, the criminals get the user to click on a link that directs them to a fake website. There they enter their password. When the digital cert is required, the fake website passes this along to the real website. After successfully authenticating, the criminals take over the session and do bad things.
Refer to my last blog post on what happened to ABN Amro. Strong authentication doesn't prevent phishing attacks.
In this case, ease of use for the consumers trumps their security. The banks and retailers will eat the phishing losses as long as they remain a low percentage of their business. BUT, the consumer is still at risk with this "secure" solution.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

Comments (3)
Dear Blogger,
I would advise you to go over the details of Turkcell's mobile signature offer. Your potential phishing claim does not perfectly apply to the mobile signature offering. Customers can detect the phishing with a minute's attention.
In addition to many alternative scenarios, the phishing scenario you mentioned in your posting does not apply, because together with the signature message, a detailed explanatory message is passed to the client phone. The explanatory message includes the details of the transaction (login at a specific time and date, amount of money transfer, etc.). Banks, for instance, do sign both authentication and transactions in every session. Hence an attacker cannot phish a session or do transactions on behalf of the owner of the signature, if the person reads the message on his phone.
We can correspond for details, if you like.
Posted by Deniz Tuncalp | April 11, 2007 12:37 PM
I've since sent Deniz an email telling him I didn't think that this would stop a phishing/man in the middle attack. If the message is sent after a transaction has occurred, then this won't stop the attack. The man in the middle simply maintains the session after the user thinks they've logged off and then withdraws an amount. The user simply finds out faster that his/her account has been rifled.
I also pointed out that having banks do checks on the digital signature for each transaction during a session may not work as well. The man in the middle creates a secure connection with the user and captures their digital signature during the initial login, and then passes this in a secure session from the fake website to the bank website when it logs on as the user. When the bank asks for a digital signature after the user thinks they've logged off, the fake website merely resends it.
Strong authentication doesn't prevent man in the middle attacks. So far, no response from Deniz.
Guy
Posted by Guy Huntington | April 12, 2007 6:54 PM
Dear Guy,
The beauty of mobile signature / digital signature is just as you mentioned "If the message is sent after a transaction has occurred, then this won't stop the attack." The signed message is actually sent and validated before the transaction.
Currently, all application providers who support mobile signature use this to sign every single transaction. Not only log-in, but also money transfers etc. Since they receive a digital signature every time they transact, it is not possible to hijack the session and create e.g. a money transfer.
Since the data to be signed changes every time, the product (data signed) changes at every signature. Hence, listening to the channel and recreating the traffic does not create the same result.
The only potential man-in-the-middle attack scenario could happen if the fake website enters between the actual website and the user and simulates the client traffic towards the real website. However, in this case, the actual transaction that is attempted to be carried out on the actual website is sent for signing to the phone with an explanation message (including information about amount, target account etc.). Hence, if the individual reads the explanatory message, then (s)he is not going to be faked.
Best regards,
Deniz Tuncalp
Posted by Deniz Tuncalp | April 14, 2007 7:33 AM
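The point argued across the thread (Guy's "the fake website merely resends it" against Deniz's "the data to be signed changes every time") comes down to what the bank verifies. The added Go example below is not Turkcell's or Gemalto's code; it assumes an Ed25519 key standing in for the SIM's private key, a bank-issued nonce per request, and a transaction description that is both the explanatory message shown on the phone and the exact bytes signed, with all values constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is both what the bank is about to execute and the explanatory
// message the phone shows before signing. Nonce is the bank's per-request challenge.
type Transaction struct {
	Kind   string // "login" or "transfer"
	Amount int    // smallest currency unit; 0 for login
	To     string // target account; empty for login
	Nonce  string
}

// Text is the exact byte string the SIM signs: what you see is what you sign.
func (t Transaction) Text() string {
	return fmt.Sprintf("%s|amount=%d|to=%s|nonce=%s", t.Kind, t.Amount, t.To, t.Nonce)
}

// simSign stands in for the SIM applet (PIN check omitted); the key never leaves it.
func simSign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, []byte(t.Text()))
}

// bankVerify accepts sig only over exactly this transaction carrying the nonce the
// bank issued for it, so a signature captured elsewhere authorizes nothing else.
func bankVerify(pub ed25519.PublicKey, issued string, t Transaction, sig []byte) bool {
	return t.Nonce == issued && ed25519.Verify(pub, []byte(t.Text()), sig)
}

// ReplayBlocked walks the thread's scenario with constructed values: a relayed login
// signature cannot authorize a transfer, and a transfer signature cannot be replayed.
func ReplayBlocked() (loginOK, loginSigForTransfer, transferOK, replayOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	login := Transaction{Kind: "login", Nonce: "n1"}
	loginSig := simSign(priv, login)
	loginOK = bankVerify(pub, "n1", login, loginSig)
	// Session is kept open after the login and a transfer is requested; bank issues nonce n2.
	transfer := Transaction{Kind: "transfer", Amount: 50000, To: "TR-ATTACKER", Nonce: "n2"}
	loginSigForTransfer = bankVerify(pub, "n2", transfer, loginSig)
	transferSig := simSign(priv, transfer) // phone shows amount and target before signing
	transferOK = bankVerify(pub, "n2", transfer, transferSig)
	replayOK = bankVerify(pub, "n3", transfer, transferSig) // same bytes, stale nonce
	return
}

func main() { fmt.Println(ReplayBlocked()) }
```

The remaining exposure is the one Deniz names: the scheme only holds if the user actually reads the amount and target on the phone before entering the secret code.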