Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsSpark New ZealandText message Security


94 posts

Master Geek
Inactive user


Topic # 7455 16-Apr-2006 16:48
Send private message

hello there does any one here no how security our text message's are doesd telecom/vodafone log them is it possable to pick up someone else's text message's???????????????????

Create new topic
27249 posts

Uber Geek
+1 received by user: 6683

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 33097 16-Apr-2006 17:23
Send private message

I was told a couple of years ago that Telecom stored SMS's for a celendar month and Vodafone for 1 week. With the explosive growth of SMS and in particular threatening message sent via SMS I believe both networks store messages for at least several months. I am sure somebody on here will be able to give you exact details.

The number of cases Police are investigating re threatening txts is staggering, maybe both networks need to start emphasising the fact that messages are stored and can all be recalled.

3000 posts

Uber Geek

Trusted

  Reply # 33106 16-Apr-2006 19:16
Send private message

They can be read by certain employee's, They need some good reasons to do it however,

I heard they are stored for 6 months now, following all the recent TXTbullies and TXTabuse happening. I used to get spammed by 027's when $10 unlimited SMS came out.

Remember they are 7 bit data and only 160 characters, You could easily fit 10 of them in 1KB and they compress rather well even as .ZIP.

 
 
 
 


1420 posts

Uber Geek

Trusted

Reply # 33111 16-Apr-2006 19:43
Send private message

6 months would require 2.5TB worth of storage.

Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 5

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 33125 16-Apr-2006 21:05
Send private message

Mauricio could hold a couple of months worth then...

To the OP: Dont treat text messages as secure. The network used to deliver them is secure at some level, but the message itself is not encrypted as far as I am aware.

Unless you encrypt a communication yourself, and trust that encryption to a strong enough degree (appropriate to the content of the communication), then you should be aware that the message can not be considered private.

No, you cannot intercept anyone elses text messages. The days of phone cloning are pretty much gone. (Unless you are in the league of governments that own fleets of black helicopters I suppose).







309 posts

Ultimate Geek
+1 received by user: 6


  Reply # 33332 18-Apr-2006 21:06
Send private message

Indeed, I would presume Fraud Investigators / Security team people at the telcos can read txt messages.
Cops can if they get a warrant.

Who knows what the SIS/GCSB can do in regards to that?

12 posts

Geek


  Reply # 33348 19-Apr-2006 09:14
Send private message

SMS content is not available to anyone without a warrant.  When the Police require text data they must obtain a warrant from the Courts and present that to the telco, which then extracts the data for them. 
Only around a week of text data is stored, expressly for this purpose.

Nate wants an iphone
3904 posts

Uber Geek
+1 received by user: 29

Mod Emeritus
Trusted
Lifetime subscriber

Reply # 33355 19-Apr-2006 10:56
Send private message

I would hope that they are reasonably secure due to several banks uisng SMS (Kiwibank and ASB by memory) for various tasks.....

Though, I've been let down before.




webhosting |New Zealand connectionsgeekzone IRC chat
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

27249 posts

Uber Geek
+1 received by user: 6683

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 33359 19-Apr-2006 11:38
Send private message

cokemaster: I would hope that they are reasonably secure due to several banks uisng SMS (Kiwibank and ASB by memory) for various tasks.....



Though, I've been let down before.



Two factor authentication is a bit of a joke for bank security as it only offers a very minimal extra layer of security over the existing login/password and simply causes an inconvenience to people. Somebody at a telco intercepting messages is the least of your worries!

It will be very interesting to see the banks response in NZ when we get the first fraud case involving a customer using two factor authentication since they have hyped up the supposedly additional security it offers!

 

Nate wants an iphone
3904 posts

Uber Geek
+1 received by user: 29

Mod Emeritus
Trusted
Lifetime subscriber

Reply # 33360 19-Apr-2006 11:45
Send private message

It gets worse. In ASBs case they have TXT Banking which allows you to transfer money around your accounts (but not out of).

It has a 25c fee in addition to whatever fees apply to your account AND the cost to text (usually 20c per message)... potentially someone could have 'fun' tranferring money around in the knowledge that its racking up fees.




webhosting |New Zealand connectionsgeekzone IRC chat
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!

27249 posts

Uber Geek
+1 received by user: 6683

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 33364 19-Apr-2006 12:21
Send private message

But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system. It's easy to avoid this by implimenting a second layer of security that will only allow the generated two factor code to be submitted from the same IP as the original login if the two factor code is sent via SMS - from what I understand this does not happen in NZ.

BDFL - Memuneh
61712 posts

Uber Geek
+1 received by user: 12383

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 33365 19-Apr-2006 12:29
Send private message

sbiddle: But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system.
Not really - remember the keylogger collects one number for the second authentication, but when the bad person tries to login s/he will be asked for the number again - which by that time is invalid for a second login.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

27249 posts

Uber Geek
+1 received by user: 6683

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 33368 19-Apr-2006 12:43
Send private message

freitasm:
sbiddle: But that's still not likely to cause any significant fraud.

The big problem with two factor authentication is that with a keylogger trojan running you can capture a login, password and two factor code in realtime, redirect the user to a site that says the login has failed and then somebody somewhere in the world in realtime can have immediate access to your system.
Not really - remember the keylogger collects one number for the second authentication, but when the bad person tries to login s/he will be asked for the number again - which by that time is invalid for a second login.



The trojan dosn't pass the two factor code to the bank site however, it merely captures it with the keylogger and then directs the user to a site saying the login has failed and sends the info to the bad guy who has to log in immediately. I was reading about this the other day when somebody demonstrated an attack on a German bank using a custom trojan, it of course requires specific programming for a certain bank but it's proof that two factor authentication isn't the bullet proof solution that the banks want.

21605 posts

Uber Geek
+1 received by user: 4429

Trusted
Subscriber

  Reply # 33882 25-Apr-2006 21:27
Send private message

Also there are trojens that allow them to take over your browsing session, so as the text code auths your session, they can then do whatever they like in another browser once the users desired transaction has happened.

A lot harder as they have to be ready to go when the user logs into the banking site and does the text confirmation, but still worth it for the gains if it allows the perps to get away with cleaning out someones account. 






Richard rich.ms

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.