Text message Security

Forums › Spark New Zealand › Text message Security

joe5600

94 posts

Master Geek
Inactive user

Topic # 7455 16-Apr-2006 16:48

hello there does any one here no how security our text message's are doesd telecom/vodafone log them is it possable to pick up someone else's text message's???????????????????

sbiddle

26470 posts

Uber Geek
+1 received by user: 6025

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 33097 16-Apr-2006 17:23

I was told a couple of years ago that Telecom stored SMS's for a celendar month and Vodafone for 1 week. With the explosive growth of SMS and in particular threatening message sent via SMS I believe both networks store messages for at least several months. I am sure somebody on here will be able to give you exact details.

The number of cases Police are investigating re threatening txts is staggering, maybe both networks need to start emphasising the fact that messages are stored and can all be recalled.

paradoxsm

3000 posts

Uber Geek

Trusted

Reply # 33106 16-Apr-2006 19:16

They can be read by certain employee's, They need some good reasons to do it however,

I heard they are stored for 6 months now, following all the recent TXTbullies and TXTabuse happening. I used to get spammed by 027's when $10 unlimited SMS came out.

Remember they are 7 bit data and only 160 characters, You could easily fit 10 of them in 1KB and they compress rather well even as .ZIP.

Jama

1420 posts

Uber Geek

Trusted

Reply # 33111 16-Apr-2006 19:43

6 months would require 2.5TB worth of storage.

tonyhughes

Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 4

Mod Emeritus

Trusted

Lifetime subscriber

Reply # 33125 16-Apr-2006 21:05

Mauricio could hold a couple of months worth then...

To the OP: Dont treat text messages as secure. The network used to deliver them is secure at some level, but the message itself is not encrypted as far as I am aware.

Unless you encrypt a communication yourself, and trust that encryption to a strong enough degree (appropriate to the content of the communication), then you should be aware that the message can not be considered private.

No, you cannot intercept anyone elses text messages. The days of phone cloning are pretty much gone. (Unless you are in the league of governments that own fleets of black helicopters I suppose).

Visit http://www.thecloud.net.nz for New Zealand based Hosted Exchange, Virtual Servers, Web Hosting, FTP Backup & more.
(1GB free FTP storage, or larger plans from $5.75)

- Setup your own mailserver at home on Ubuntu Server - full step by step howto here.
- Have you seen this: Nathan "KFC4LIFE" Dunn.

Torque

301 posts

Ultimate Geek
+1 received by user: 5

Reply # 33332 18-Apr-2006 21:06

Indeed, I would presume Fraud Investigators / Security team people at the telcos can read txt messages.
Cops can if they get a warrant.

Who knows what the SIS/GCSB can do in regards to that?

essamessa

12 posts

Geek

Reply # 33348 19-Apr-2006 09:14

SMS content is not available to anyone without a warrant. When the Police require text data they must obtain a warrant from the Courts and present that to the telco, which then extracts the data for them.
Only around a week of text data is stored, expressly for this purpose.

cokemaster

Nate wants an iphone
3901 posts

Uber Geek
+1 received by user: 28

Mod Emeritus

Trusted

Lifetime subscriber

Reply # 33355 19-Apr-2006 10:56

I would hope that they are reasonably secure due to several banks uisng SMS (Kiwibank and ASB by memory) for various tasks.....

Though, I've been let down before.

webhosting |New Zealand connections | geekzone IRC chat
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

sbiddle

26470 posts

Uber Geek
+1 received by user: 6025

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 33359 19-Apr-2006 11:38

cokemaster: I would hope that they are reasonably secure due to several banks uisng SMS (Kiwibank and ASB by memory) for various tasks.....

Though, I've been let down before.

Two factor authentication is a bit of a joke for bank security as it only offers a very minimal extra layer of security over the existing login/password and simply causes an inconvenience to people. Somebody at a telco intercepting messages is the least of your worries!

It will be very interesting to see the banks response in NZ when we get the first fraud case involving a customer using two factor authentication since they have hyped up the supposedly additional security it offers!

cokemaster

Nate wants an iphone
3901 posts

Uber Geek
+1 received by user: 28

Mod Emeritus

Trusted

Lifetime subscriber

Reply # 33360 19-Apr-2006 11:45

It gets worse. In ASBs case they have TXT Banking which allows you to transfer money around your accounts (but not out of).

It has a 25c fee in addition to whatever fees apply to your account AND the cost to text (usually 20c per message)... potentially someone could have 'fun' tranferring money around in the knowledge that its racking up fees.

webhosting |New Zealand connections | geekzone IRC chat
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

sbiddle

26470 posts

Uber Geek
+1 received by user: 6025

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 33364 19-Apr-2006 12:21

But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system. It's easy to avoid this by implimenting a second layer of security that will only allow the generated two factor code to be submitted from the same IP as the original login if the two factor code is sent via SMS - from what I understand this does not happen in NZ.

freitasm

BDFL - Memuneh
60591 posts

Uber Geek
+1 received by user: 11525

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 33365 19-Apr-2006 12:29

sbiddle: But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system.

Not really - remember the keylogger collects one number for the second authentication, but when the bad person tries to login s/he will be asked for the number again - which by that time is invalid for a second login.

You can support content creators (and Geekzone) by using the Brave browser.

sbiddle

26470 posts

Uber Geek
+1 received by user: 6025

Moderator

Trusted

Biddle Corp

Lifetime subscriber

Reply # 33368 19-Apr-2006 12:43

freitasm:
sbiddle: But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system.
Not really - remember the keylogger collects one number for the second authentication, but when the bad person tries to login s/he will be asked for the number again - which by that time is invalid for a second login.

The trojan dosn't pass the two factor code to the bank site however, it merely captures it with the keylogger and then directs the user to a site saying the login has failed and sends the info to the bad guy who has to log in immediately. I was reading about this the other day when somebody demonstrated an attack on a German bank using a custom trojan, it of course requires specific programming for a certain bank but it's proof that two factor authentication isn't the bullet proof solution that the banks want.

richms

21121 posts

Uber Geek
+1 received by user: 4210

Trusted

Subscriber

Reply # 33882 25-Apr-2006 21:27

Also there are trojens that allow them to take over your browsing session, so as the text code auths your session, they can then do whatever they like in another browser once the users desired transaction has happened.

A lot harder as they have to be ready to go when the user logs into the banking site and does the text confirmation, but still worth it for the gains if it allows the perps to get away with cleaning out someones account.

Richard rich.ms