Malware impact on short text messaging overstated, says expert
[Photo caption: Harris: copycats]
Zeus is the king of the Greek gods but in malware circles, Zeus is a king of another kind — king of the banking bandit worms. So it's not surprising that a wave of worry swept over the security community when a mobile variant of the bad app, Zitmo, was found to have a way to compromise authentication systems based on short text, or SMS, messaging.
"The malware poses as a banking activation application," Fortinet mobile malware researcher Axelle Apvrille wrote in a company blog post on July 8. "In the background, it listens to all incoming SMS messages and forwards them to a remote Web server. It's simple, but just enough for the Zeus gang to grab your banking TANs."
A TAN, or Transaction Authentication Number, is a one-time password used in addition to a user's permanent password to authenticate a bank transaction.
Anxiety among bad app fighters, though, may be misplaced, according to Chris Russell, vice president of technology at Swivel Secure, a U.K. maker of authentication software for mobile phones. While acknowledging that Zitmo can crack some authentication schemes, he asserted that reports that all authentication technology based on SMS text message transmission may be at risk were "overstated."
He boasted that his company's application, PINsafe, is designed to foil such exploits. “Unlike other technologies that involve the user receiving the login credential via SMS, PINsafe delivers a random security string which needs a fixed PIN to generate the response," he explained in a statement. "At no time during the process is the user asked to enter their personal PIN so it is never transmitted either by SMS or over the Internet so cannot be intercepted by any digital eavesdropper, rendering the Trojan ineffective.”
PINsafe uses a very simple, patented protocol to generate a one-time code (OTC) for each login session, Swivel elaborated. Users are sent a random alphanumeric security string as a text message to their phone before it is needed. This string is not what the user sends back to the server, so it is of no use to an attacker who intercepts it. With the security string transmitted via the mobile network and the OTC returned via an SSL link to the server, the process is doubly secure, the company said.
“This is one of our key differentiators,” added Swivel Managing Director Richard H. Harris. “There are a number of copycat systems that use SMS as part of the process; typically the user is sent a code that they then simply return to prove their identity."
"Of course," he continued, "it only proves that the person has the phone at the time of the login and yes, the code can be intercepted en route from the client to the server, in which case the reports would be right to say that the Zeus worm is a potential threat. This is not how PINsafe works.”
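The contrast Harris draws, a code texted and simply returned versus a texted security string that is only useful in combination with a PIN the user never transmits, is easiest to see side by side. The following Python is an added illustration written for this article, not Swivel's code: the article does not describe how PINsafe actually derives the OTC from the security string and the PIN, so the derivation rule used here (the PIN digits select positions in the string) is an assumption chosen for clarity. Both servers are then exercised against the behaviour Apvrille describes, a client whose every incoming SMS is copied to a third party.

```python
import hmac
import secrets
import string

# Constructed illustration. Neither class is Swivel's implementation; the
# PIN-combined derivation rule is an assumption, not PINsafe's documented one.

SECURITY_STRING_ALPHABET = string.ascii_uppercase + string.digits


class PlainSmsOtpServer:
    """'Copycat' scheme from the article: the server texts a code and the user
    returns that same code. Whatever arrives by SMS is the whole credential."""

    def __init__(self):
        self.pending = {}          # user -> code awaiting a response

    def start_login(self, user):
        code = "".join(secrets.choice(string.digits) for _ in range(6))
        self.pending[user] = code
        return code                # this value is what goes out over SMS

    def verify(self, user, response):
        expected = self.pending.pop(user, None)   # one-time: consumed on use
        return expected is not None and hmac.compare_digest(expected, response)


class PinCombinedServer:
    """PIN-combined scheme modelled on the article's description of PINsafe:
    the SMS carries a random security string, and the response is derived from
    that string plus a fixed PIN known only to the user and the server."""

    def __init__(self, pins):
        self.pins = dict(pins)     # user -> fixed PIN; never sent anywhere
        self.pending = {}          # user -> security string awaiting a response

    def start_login(self, user):
        # Ten random characters; the PIN digits 0-9 name positions in it.
        sec = "".join(secrets.choice(SECURITY_STRING_ALPHABET) for _ in range(10))
        self.pending[user] = sec
        return sec                 # this value is what goes out over SMS

    @staticmethod
    def derive_otc(security_string, pin):
        # Assumed rule for illustration: pick the characters at the positions
        # named by the PIN digits. derive_otc("ABCDEFGHIJ", "2468") == "CEGI".
        return "".join(security_string[int(d)] for d in pin)

    def verify(self, user, response):
        sec = self.pending.pop(user, None)
        pin = self.pins.get(user)
        if sec is None or pin is None:
            return False
        return hmac.compare_digest(self.derive_otc(sec, pin), response)


def legitimate_login(server, user, pin=None):
    """The real user answers the SMS: with the code itself (plain scheme) or
    with the OTC derived on the handset from the string and the PIN."""
    sms = server.start_login(user)
    response = sms if pin is None else PinCombinedServer.derive_otc(sms, pin)
    return server.verify(user, response)


def sms_replay_login(server, user):
    """What a forwarded SMS alone is worth: a party that holds the account
    password and a copy of the text, but not the PIN, replays the SMS content.
    Returns True if that is enough to pass the second factor."""
    sms = server.start_login(user)
    return server.verify(user, sms)


if __name__ == "__main__":
    plain = PlainSmsOtpServer()
    print("plain scheme, real user:", legitimate_login(plain, "alice"))
    print("plain scheme, SMS replay:", sms_replay_login(plain, "alice"))

    combined = PinCombinedServer({"alice": "2468"})
    print("PIN-combined, real user:", legitimate_login(combined, "alice", pin="2468"))
    print("PIN-combined, SMS replay:", sms_replay_login(combined, "alice"))
```

The point the simulation makes is the one Russell makes: in the plain scheme the intercepted text is the credential, so forwarding it is sufficient; in the PIN-combined scheme the text is only a challenge, and the response cannot be produced without a secret that never crosses either channel. Each pending string is consumed on its first use, so a replay after the real user has answered also fails in both schemes.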
Security has been cited in surveys as a major factor slowing down the adoption of mobile banking apps. The rate of adoption of mobile banking barely budged between 2010 and 2011, despite aggressive promotions by financial institutions, Javelin Strategy & Research revealed in a recent report. One reason, the report said, is smartphone owners perceive mobile banking as less secure. "Between 2009 and 2010 the number of consumers who rated mobile banking as 'unsafe' or 'very unsafe' increased by a shocking 54 percent," it added.