We frequently advise the use of two-factor authentication to protect accounts. Two-factor is certainly better than a single unchanging password, but there’s one major limitation: if you’re being sent an SMS with a one-time password but you want to access that service on the same phone, your protection level has essentially evaporated. According to AusCERT, that’s already a big enough issue to make two-factor systems based on sending text messages all but useless.
Speaking at the Digital Security Summit hosted by ACE Events in Canberra today, AusCERT general manager Graham Ingram highlighted the issue. While banks have actively encouraged the use of SMS-based systems for larger transactions, they are also encouraging the use of mobile phones to log in. As Ingram put it:
The problem the banks are having at the moment is that the two factor out-of-band device that they’re sending the messages to is now the same device being used for the banking, and the malware is fully aware of that and using the sent information to capture the session.
How can you stay secure? Firstly, use a non-obvious password for online banking, change it regularly, and don’t store it in unencrypted form. Secondly, use security software on your mobile (and require that of phones you manage for others).
Even more basic: Set passwords on your mobile devices so they can’t be accessed by miscreants. We’d suggest not doing your banking on your phone, but that ship has sailed — banks consistently report that half their online banking traffic comes from mobile devices.