In theory, a single use password sent to an internet banking
customer’s mobile phone via a short message service (SMS) prior to
executing an online transaction provides a valuable added element
of security. In practice, the method is seriously flawed, according
to a study conducted by Mohammed AlZomai, a researcher at the
Queensland University of Technology’s (QUT) Information Security
Institute in Australia.

The vulnerability of single-use passwords sent via SMS lies in the
fact that the customer must manually copy the password from the
phone in order to confirm the online transaction. AlZomai explained
that because of this manual process, many customers were failing to
notice when the bank account number in the SMS message was not the
same as the intended account number, a clear sign hackers had
infiltrated the system.

As part of the study, QUT developed a simulated online bank and
asked participants to play the role of customers and undertake a
number of financial transactions using an SMS authorisation code.
AlZomai explained that researchers then simulated two types of
attacks: an obvious attack in which five or more digits in the
account number were altered and a stealthy attack in which only one
digit was changed.

Disturbingly, he continued, obvious attacks were successful in 21
percent of mock transactions and stealthy attacks in 61 percent. A
success rate of 21 percent in the case of obvious attacks
“represents an inadequate level of security for online banking” and
is a “strong indication that the SMS transaction authorisation
method is vulnerable”, stressed AlZomai.