
Mobile Bank Accounts May Be Vulnerable from SIM Card Hack

A vulnerability discovered in the SIM cards used in some smartphones could be exploited by fraudsters to steal consumers' mobile and online bank account information, according to Security Research Labs in Berlin.

SIM cards are small, removable plastic chips that store information such as the user's phone number, security data and billing information.

SIM cards can also act as gateways to the apps on smartphones, including mobile banking apps, according to the tech blog KnowYourMobile.com.

Security Research Labs founder Karsten Nohl will present the research at the Black Hat conference later this month in Las Vegas.

"SIM cards are the de facto trust anchor of mobile devices worldwide," the Berlin company said in a blog post. "The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets."

An attacker, Security Research Labs explains, begins by sending the victim's phone a binary text message, the kind normally used to carry user logs and telephone settings, which the phone does not recognize and never shows to the user.

The phone responds with an error message that carries a cryptographic signature, and from that signature the SIM's 56-bit Data Encryption Standard (DES) key can be recovered. DES is an old encryption standard still used by about one in eight phones around the world, the company says.

The cracked key can then allow a criminal to download software onto the SIM card that can, among other tricks, change voicemail numbers and find out exactly where a phone is at any time.

"This allows for remote cloning of possibly millions of SIM cards including their mobile identity as well as payment credentials stored on the card," the researcher explains.

The carrier joint venture Isis uses SIM cards to store its customers' financial information; the digital wallet company has near-complete control over the chips.

And there is at least one scheme in the developing world that stores banking information on cell phone SIM cards, allowing funds transfers to be made from a phone.

Gemalto works with a number of banks around the world, including Redeban Multicolor, Colombia's largest financial network, that deploy mobile apps on their SIM cards.

AT&T, Verizon and T-Mobile all said their phones are not susceptible to this vulnerability because they use a newer form of encryption.

This isn't the first time cybercrime experts have noticed an issue with SIM cards.

Last year, Trusteer discovered a Trojan horse variant used to steal international mobile equipment identity (IMEI) numbers from bank account holders. The theft took place when a person tried to log in to their mobile banking application.

In this heist, a criminal then contacted a carrier, reported the cellphone as stolen and received a new SIM card, which from then on received all the one-time passwords originally meant for the victim.
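The SIM-swap heist above is a case a bank can check for before it sends a one-time password by SMS. This added example, which is not code from the article, Trusteer, or any vendor named on the page, models that check against a constructed carrier lookup; the phone numbers, ICCID values and the two-day cooling-off window are assumptions.

```python
"""Decide whether an SMS one-time password may be sent to a phone number,
based on whether the SIM behind that number is still the one the customer
enrolled with and, if not, how recently it changed.  All data is constructed
for illustration; a real deployment would query a carrier API instead."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SimRecord:
    msisdn: str        # phone number
    iccid: str         # identifier of the SIM currently bound to the number
    activated_at: str  # ISO-8601 time the SIM was bound to the number


# Constructed stand-in for a carrier lookup: number -> currently active SIM.
CARRIER_SIMS = {
    "+15551230001": SimRecord("+15551230001", "8901410000000000101",
                              "2011-03-02T10:00:00+00:00"),
    # Number 0002 had its SIM replaced on 22 July 2013: a swap signal.
    "+15551230002": SimRecord("+15551230002", "8901410000000000999",
                              "2013-07-22T09:15:00+00:00"),
}

# ICCID the bank recorded when each customer enrolled for SMS OTPs.
ENROLLED_ICCID = {
    "+15551230001": "8901410000000000101",
    "+15551230002": "8901410000000000102",
}


def otp_delivery_decision(msisdn, now_iso, cooling_off=timedelta(days=2)):
    """Return 'send', 'step_up' or 'block' for an OTP to this number.

    'block'   - unknown number, or the SIM changed within the cooling-off
                window: never deliver a credential to a freshly swapped SIM.
    'step_up' - SIM differs from the enrolled one but the change is older:
                require another factor and re-enrol before using SMS again.
    'send'    - SIM is the one the customer enrolled with.
    """
    record = CARRIER_SIMS.get(msisdn)
    if record is None:
        return "block"
    if record.iccid != ENROLLED_ICCID.get(msisdn):
        now = datetime.fromisoformat(now_iso)
        changed = datetime.fromisoformat(record.activated_at)
        if now - changed < cooling_off:
            return "block"
        return "step_up"
    return "send"
```

The same check can be keyed on the carrier's activation timestamp alone when the bank has no enrolled ICCID on file; the cooling-off branch then carries the whole decision.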

Comments (2)
This is quite a timely presentation. At ValidSoft we have commented many times on the rise of SIM Swap fraud. In fact I still find it hard to believe that so few industry players know about SIM Swap fraud. ValidSoft went live with a SIM Swap fraud prevention solution last year already. Our customer won Best Security Initiative of the Year for it: http://www.validsoft.com/news/world-s-first-sim-swap-fraud-solution-for-banking-industry--news-21442311353

SIM Swap fraud is hitting the banks' bottom line and could erode customers' trust in the mobile, not only as a mechanism for receiving relatively simple security codes, but as a banking and payment device overall. With the industry investing so much capital into the mobile banking and payments platform, trust in that platform and the integrity of the networks is essential.

Ultimately the security of a bank is the top priority when customers choose who to bank with.
Posted by Mike H | Wednesday, July 24 2013 at 3:20PM ET
A very simple solution to this problem is to leverage certificates on phones that are able to securely store them in FIPS 140-2 certified cryptomodules. iPhones and some Samsung devices are now certified to securely store and utilize certificates.

One challenge: These devices cannot yet generate or are not yet FIPS approved to generate the private key material needed for certificate key pairs. Many certificate policies require the keys be generated in the same device in which it is stored and mobile devices aren't there yet.

Mobile phone manufacturers and manufacturers of devices designed to securely generate and store private key material (such as Gemalto) need to come together and resolve the challenge, enabling the use of mobile devices with applications needing a high degree of security.
Posted by cosmocox | Tuesday, July 23 2013 at 1:23PM ET