NEWS FROM THE LAB - Tuesday, April 21, 2009

€25,000 Bank Robbing Mobile Phones? Posted by Sean @ 13:53 GMT

Many European banks provide their customers with a paper list of sequential numbers and randomly requested checksums. Without this physical list, an attacker might be able to access the online banking GUI, but they should not be able to complete a fund transaction.

Now, carrying around a card and scratching off numbers is fairly secure but it isn't always convenient.


What's more convenient and is something you always have with you? Your phone.

More and more banks are beginning to offer transaction authentication numbers (TANs) via SMS text messages. The customer registers their phone to receive the one-time passwords, and the TAN is provided on demand. Easy, secure.

And that brings us to this headline: Criminals Pay Top Money for Hackable Nokia Phone

A company called Ultrascan Research Services claims that East European gangs are paying big money for certain versions of Nokia 1100 phones.

According to Ultrascan's post, some Nokia 1100 phones can be used to intercept SMS messages.

We don't have the details; we only know what's been stated by Ultrascan. We've also been unable to find a hacker forum or an auction site with actual requests for such phones.

To be worth the prices being paid (up to €25,000), the phone would somehow need to spoof the victim's phone number without using their SIM card. If that's possible, then it's a very clever trick and suddenly enables the use of all of the past compromised account information that's been gathered by banking trojans.

And that's a very sizable return on investment. Even for a €25,000 phone.