Do you trust SMS notifications?

    SMS notifications are everywhere, and they make it very convenient to keep an eye on the balance of your bank card: you know when money has arrived and what you have withdrawn. But relying on this feature is like relying on a misconfigured firewall: it instils a false sense of security.



    A bit of background


    One fine day I received an SMS from Megaphone saying that 1000 rubles had been credited to my phone. I was delighted: I hadn't put any money on the phone. But my joy was short-lived; an hour later another SMS arrived:

    "Cancellation of erroneous payment. Your new balance: (figures here) rub."

    Closer to the point


    So here is the thing. Recently, while scouring the Internet on the subject of sending SMS from an arbitrary sender number, I found a whole bunch of services of this kind. Then I remembered the story with the Megaphone payment and realised that I trust SMS notifications so much that I am too lazy even to check what they tell me. That gave me an idea. Surely I am not the only one this lazy. What if an attacker uses one of these services: first withdraws the money, and then sends a fake SMS saying that the withdrawal has been cancelled?

    I ran an experiment: through one such service I sent 5 people 2 SMS from the sender “90-0” (the number from which Sberbank card holders receive SMS about operations on their card):

    1. A cash withdrawal (text: "VISA0421; Vydacha nalichnyh; Uspeshno; Summa: 15000.00RUR; BANKOMAT 430403-2004; 11/01/11 16:55")
    2. A cancellation of that withdrawal (text: “Dear cardholder! You were returned 15000RUR, which were withdrawn from your card due to a failure in the system. Sincerely, Sberbank”).

    The interval between the two SMS was about 5 minutes. As it turned out, none of the participants ended up contacting the bank about the situation: some simply did not get the chance (they were not near the phone), and some could not find the bank's phone number in time to clarify what had happened. When the second SMS arrived, they calmed down and forgot about it. And this despite the fact that the card numbers in the messages I sent were made up (I did not know which cards they had), and that the "cancellation" was free-form text that looks nothing like the bank's structured notification. An attacker may know far more about his victim.
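    The two messages from the experiment are worth comparing mechanically: the first follows a rigid field layout (card, operation, status, amount, terminal, timestamp), the second is prose with a bare amount in it. Below is an added example, not code from the original post, of the check a sceptical recipient would want: parse the notification against the structured format, and reconcile every claimed operation or return against an independent record (what the bank app or a call to the bank would tell you). The regular expression for the "genuine" format is inferred from the single sample above and is an assumption; the ledger entries are constructed sample data, and the sender ID is deliberately ignored because, as the experiment shows, it can be chosen freely by the sender.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed samples, copied from the two messages used in the experiment.
WITHDRAWAL_SMS = ("VISA0421; Vydacha nalichnyh; Uspeshno; Summa: 15000.00RUR; "
                  "BANKOMAT 430403-2004; 11/01/11 16:55")
FAKE_REFUND_SMS = ("Dear cardholder! You were returned 15000RUR, which were withdrawn "
                   "from your card due to a failure in the system. Sincerely, Sberbank")

# Assumed shape of a genuine transaction notification, inferred from the one
# sample above (hypothetical; real formats differ between banks and over time).
STRUCTURED = re.compile(
    r"^(?P<card>[A-Z]+\d{4}); (?P<op>[^;]+); (?P<status>[^;]+); "
    r"Summa: (?P<amount>\d+\.\d{2})(?P<cur>[A-Z]{3}); (?P<where>[^;]+); "
    r"(?P<when>\d{2}/\d{2}/\d{2} \d{2}:\d{2})$"
)
# Loose pattern for an amount buried in free-form text, e.g. "15000RUR".
AMOUNT_IN_TEXT = re.compile(r"(\d+(?:\.\d{2})?)\s*(RUR|RUB)")


@dataclass(frozen=True)
class Notification:
    card: str
    operation: str
    status: str
    amount: float
    currency: str
    location: str
    when: str


@dataclass(frozen=True)
class LedgerEntry:
    """One operation as reported by an independent channel (bank app, call to the bank)."""
    card: str
    amount: float
    currency: str
    is_reversal: bool = False


def parse_notification(text: str) -> Optional[Notification]:
    """Return the parsed fields if the SMS follows the structured format, else None."""
    m = STRUCTURED.match(text)
    if m is None:
        return None
    return Notification(m["card"], m["op"], m["status"], float(m["amount"]),
                        m["cur"], m["where"], m["when"])


def assess(text: str, my_cards: Set[str], ledger: List[LedgerEntry]) -> List[str]:
    """Return reasons not to act on this SMS; an empty list means it reconciles.

    The sender ID is never consulted: it can be set freely by whoever sends
    the message, so it is evidence of nothing.
    """
    reasons: List[str] = []
    n = parse_notification(text)
    if n is None:
        reasons.append("free-form text rather than the bank's structured notification")
        m = AMOUNT_IN_TEXT.search(text)
        if m:
            amount, cur = float(m[1]), m[2]
            # A claimed return must show up as a reversal in the bank's own records.
            if not any(e.is_reversal and e.amount == amount and e.currency == cur
                       for e in ledger):
                reasons.append(f"claims a return of {amount:.2f} {cur} "
                               f"that the bank has no record of")
        return reasons
    if n.card not in my_cards:
        reasons.append(f"refers to card {n.card}, which is not one of yours")
    if not any(e.card == n.card and e.amount == n.amount and e.currency == n.currency
               for e in ledger):
        reasons.append("no matching operation in the bank's own records")
    return reasons


if __name__ == "__main__":
    # Constructed ledger: the bank really did dispense 15000 RUR from VISA0421
    # and never reversed it, which is exactly the attacker's scenario.
    ledger = [LedgerEntry("VISA0421", 15000.0, "RUR")]
    for sms in (WITHDRAWAL_SMS, FAKE_REFUND_SMS):
        print(sms[:40] + "...", "->", assess(sms, {"VISA0421"}, ledger) or "reconciles")
```

    The withdrawal reconciles against the ledger; the "refund" is flagged twice, once for not being a structured notification at all and once because the bank has no reversal on record. The second reason is the one that matters: the only thing that can confirm a cancellation is the bank itself, not a text message that says "Sincerely, Sberbank".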

    So be careful: the sender shown on an SMS proves nothing about who actually sent it. Do not be too lazy to verify what a message tells you with the bank itself, by calling the number printed on your card or checking the statement, rather than trusting the next SMS.

    UPD: At the moment the biggest problem from the attacker's point of view is getting the fake SMS to arrive at the right time. The arrival time of the real withdrawal SMS varies, so it is hard to predict exactly when it will come. The fake SMS must be sent after the real one, preferably a few minutes later.
