We have created an app for banks. In that app we are doing device binding with the phone number and device details through a text SMS.

Now an attacker somehow used an SMS forwarding technique to bind his own device with the victim's phone number.

We are not sure about the attacker's modus operandi for using the victim's phone number to bind his own devices.

We believe that the attacker might be using iMessage to sync the SMS from the app after sending the SMS and forwarding the same SMS to the victim.

Note: In our app, we used the MFMessageComposeViewController class to send the device-binding message to the bank.

We are looking for a solution so that the attacker cannot use/copy the text message created within the app for device binding and forward it to the victim.

James Z

Sommm
  • SMS is known to be insecure. Attacks are usually performed at the operator level (e.g. using the SS7 network). Or you simply call the mobile network operator and order a second SIM card for the victim's mobile network plan. So no matter what you do at the app level, the concept is broken if you use SMS. – Robert Sep 15 '22 at 11:00
  • Then how can we verify the phone number and device during device binding? Any other techniques? – Sommm Sep 15 '22 at 11:21
  • I don't think phone number verification and device binding is the problem; your problem is that you use the phone number (or rather the ability to receive SMS sent to the phone number) as authentication. – Robert Sep 15 '22 at 12:00
  • As Robert says, you cannot use the device phone number or a code sent to it as an authentication factor and guarantee that it won't be compromised. It is only as secure as the carrier/network operator makes it. You can use alternate approaches such as hardware tokens, scanning a time-limited QR code visible from their account on your web site, or receiving an activation link via email. – Paulw11 Sep 15 '22 at 21:14

1 Answer

As has been pointed out in the comments, you simply can't use SMS, either for registration or for providing OTPs for transactions/logons, as there are too many attack vectors. The following would be more secure for registration:

• Use a time-limited QR code or one-time code displayed to the user somewhere in their internet banking profile or, if they do not have internet banking, in the branch. This approach is recommended.
• Complete registration in-app through a combination of security questions and a PIN emailed to them. If no email, once again in-branch only.

Once registration is complete, you should use push notifications rather than SMS for OTPs etc. It is also recommended not to include the OTP in the push notification itself but simply have the push notification prompt the app to request the OTP over HTTPS.

RunLoop
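The time-limited, single-use binding code the answer recommends, worked through on the server side as an added example (this is not code from the question's app or the answer). It assumes a hypothetical server that signs the code with a server-held HMAC key, shows it in the logged-in web profile as a QR code, and receives it back from the app over HTTPS together with a device identifier (here a constructed `device_key`); the in-memory `store` and `bindings` dicts stand in for a database.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed for the example; keep it in a KMS/HSM in production
CODE_TTL_SECONDS = 120                # how long a displayed code stays valid


def encode_code(payload: str, tag: str) -> str:
    """Pack 'account|nonce|expiry' plus its HMAC tag into the text embedded in the QR code."""
    return base64.urlsafe_b64encode(f"{payload}|{tag}".encode()).decode()


def issue_binding_code(account_id: str, now: int, store: dict) -> str:
    """Server side: mint a single-use code to display in the logged-in web profile (or in branch).
    account_id must not contain '|' because it is used as the field separator."""
    nonce = secrets.token_urlsafe(16)
    payload = f"{account_id}|{nonce}|{now + CODE_TTL_SECONDS}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    store[nonce] = {"used": False}
    return encode_code(payload, tag)


def redeem_binding_code(code: str, account_id: str, device_key: str, now: int, store: dict, bindings: dict):
    """Server side: called over HTTPS by the app after the user scans the code.
    Returns (ok, reason); on success records device_key as the bound device for the account."""
    try:
        payload, tag = base64.urlsafe_b64decode(code).decode().rsplit("|", 1)
        acct, nonce, exp_text = payload.split("|")
        exp = int(exp_text)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time; nothing a forwarder can forge without the key
        return False, "bad signature"
    if acct != account_id:                      # code was issued for a different logged-in account
        return False, "account mismatch"
    if now > exp:                               # short TTL limits how long a leaked copy stays useful
        return False, "expired"
    entry = store.get(nonce)
    if entry is None or entry["used"]:
        return False, "already used"
    entry["used"] = True                        # single use: a copy that arrives later is worthless
    bindings[acct] = device_key
    return True, "bound"
```

Because the code is only ever displayed inside an already-authenticated session and dies on first use or after two minutes, there is no SMS for an attacker to copy or forward.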