Eyeline Communications

USSD Security. Part 2.

As a follow-up to this post, let's talk about why James Bond style encryption methods don't necessarily guarantee the security of your service. The security systems are in place, the whole infrastructure seems invincible, and you can finally lean back in your chair... Oh wait, is it really so?

You can have the best secure algorithms and technology, but this does not guarantee that you are 100% safe. Today's highly advanced computer criminals are not going to expend effort on breaking the sophisticated encryption methods you have put in place. Instead, they focus on the weakest link, and in most cases that is the people.

Social engineering is the term coined by the famous hacker Kevin Mitnick. He used psychological manipulation techniques to obtain confidential information instead of expending energy on hacking into the system. These methods exploit typical human traits such as gullibility, curiosity, sympathy and greed, and are a much easier and more effective strategy.

Phishing is one widely used method. It is used to obtain credit card details, passwords and usernames by claiming to be a legitimate company. Typically, fraudsters send e-mails that direct the recipient to a fake web site, an exact replica of the official site, where users are asked to enter their sensitive data.

In the case of mobile phones, messages claiming to be from a bank ask users to call the number provided in the message. After dialing the number, users are asked to enter their account number and PIN. Gullibility kicks in...

When creating a service, bear in mind that validating the identity of your users is the primary security task and must not be forgotten. At the same time, users must have a way to confirm that they are interacting with the genuine service and not a replica. A challenge-response scenario is the easiest way for both parties to prove that they are who they claim to be. For example, some banks provide customers with a picture that appears when they log on to their account, letting them know that it is the genuine web site. For the bank to know that it is actually you on the other side, it sends two SMSes with passwords for your account. When you enter the first password, the dialogue prompts you to "enter the new password". At this stage, even if a fraudster has obtained your primary data, they will not know that the new password requested has been sent to you via SMS, and will therefore not be able to complete the transaction.
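The two-way flow just described, as an added example written for this post rather than code from Eyeline or any bank: the enrolled picture is the service's proof to the customer, and two one-time SMS passwords entered in sequence are the customer's proof to the service. The SMS gateway, the six-digit codes and the "one failed attempt voids the session" rule are assumptions of the example.

```python
import hashlib
import hmac
import secrets

SMS_OUTBOX = []  # constructed stand-in for the SMS gateway: (phone, text)

def _digest(code: str) -> str:
    # Store only a hash of each one-time password, never the plaintext.
    return hashlib.sha256(code.encode()).hexdigest()

def read_sms(phone: str) -> list:
    # Assumption: the customer reads the last two codes sent to their phone.
    texts = [t for p, t in SMS_OUTBOX if p == phone]
    return [t.rsplit(": ", 1)[1] for t in texts[-2:]]

class BankService:
    def __init__(self):
        self.users = {}     # user_id -> {"picture": ..., "phone": ...}
        self.sessions = {}  # session_id -> {"user": ..., "codes": [...], "step": n}

    def enroll(self, user_id: str, picture: str, phone: str) -> None:
        self.users[user_id] = {"picture": picture, "phone": phone}

    def start_login(self, user_id: str):
        user = self.users[user_id]
        session_id = secrets.token_hex(8)
        # Two independent one-time passwords, both sent over the SMS channel.
        codes = [f"{secrets.randbelow(10**6):06d}" for _ in range(2)]
        for code in codes:
            SMS_OUTBOX.append((user["phone"], f"Bank one-time password: {code}"))
        self.sessions[session_id] = {"user": user_id,
                                     "codes": [_digest(c) for c in codes],
                                     "step": 0}
        # Returning the enrolled picture is the service proving itself to the user.
        return session_id, user["picture"]

    def submit_code(self, session_id: str, code: str) -> str:
        sess = self.sessions.get(session_id)
        if sess is None:
            return "rejected"
        expected = sess["codes"][sess["step"]]
        # Constant-time comparison of the hashed submission against the stored hash.
        if not hmac.compare_digest(_digest(code), expected):
            del self.sessions[session_id]  # one wrong password voids the session
            return "rejected"
        sess["step"] += 1
        if sess["step"] == 1:
            return "enter the new password"  # first password accepted, ask for the second
        del self.sessions[session_id]
        return "authenticated"
```

A fraudster who captured only the first password through a replica site still cannot finish the login, because the second prompt requires the password that went to the customer's phone.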

What these examples show us is that even with all the technologically advanced security systems that banks put in place, it is crucial to factor human error and vulnerability into the equation, as they can render even the most sophisticated security systems ineffective.

What does one do?

  1. Invent a scenario in which both parties identify each other as the genuine article.
  2. Only then get busy implementing high-end encryption and everything that follows.
