Wednesday 27 April 2011

Experimental attack on mTAN

F-Secure reports (link in German) that the trojan SpyEye has a new attack on the mTAN online banking security system. Users of infected PCs are tricked into installing malware on their Symbian mobile phones.
In order to do so, the attacker needs the phone's IMEI number, which is not a security credential in itself, but a user should become suspicious nowadays if their bank wants to know their IMEI number. Therefore I suggest categorizing this attack as experimental.
The urgent question behind this is: why did the Symbian developers base the security of their operating system on IMEI numbers?

2 comments:

  1. It's not that experimental any more:
    http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android

    Another question - how secure is chipTAN?
    Is there any public information about the
    protocol used?

  2. Thanks a lot for the link. I would consider ChipTAN secure only if the user enters or controls the transaction on the display.
    This is the classic example of the usability on security: If the user might theoretically be able to check your transaction, but in practice does not understand what is displayed, an attacker might trick him into confirming something he does not want to confirm.
    Also, there are specific complex use cases where tricks are possible (sorry: link in German: http://www.heise.de/security/meldung/chipTAN-Verfahren-der-Sparkassen-ausgetrickst-866115.html).
    So, assuming a good user interface and that only the simple use cases are used, ChipTAN is in my view "acceptable with remarks".
    The specification is from EMVCo; it's downloadable, but you need to accept a clickthrough license.
