SMS one-time PIN distribution not so hot - survey

Research carried out by the Queensland University of Technology in Australia claims to show that using SMSs (text messages) to distribute one-time PINs to e-banking punters isn't the best security solution.

The researchers found that, whilst the cellular distribution system works, human error can creep into the equation.

The Uni says that, when it set up a simulated online bank and and asked participants to conduct transactions with a SMS authorisation code, they failed to notice when the bank account number in the SMS message was not the same as the intended number - a sure sign that hackers have infiltrated the system.

According to Uni officials, they simulated two types of attacks - an obvious one where five or more digits in the account number were altered and a stealthy version where only one digit was changed.

The obvious attacks were successful in 21 per cent of cases, and the stealthy attacks fooled 61 per cent of users.

The Uni notes that the National Australia Bank and St George Banks both offer SMS-based two-factor authentication as an optional security mechanism to all their e-banking customers.

Interestingly, newswire reports of the Aussie research note that, in the UK, "most banks are avoiding SMS systems in favour of a programme, backed by payments association APACS, to roll out handheld chip and PIN devices to their Internet banking customers."

Um - not all the banks guys. I know we're a long way away, but you could check your facts, you know...