3:47 p.m. 7th November 2007
Using SMS passwords won't protect people from internet banking fraud, a new study has shown.
Queensland University of Technology (QUT) created a simulated online bank and asked participants to conduct transactions with an SMS authorisation code.
QUT's Information Security Institute spokesman Mohammed AlZomai said one in five online transactions was vulnerable to obvious attacks, despite the added security of an SMS password.
Mr AlZomai said that many banks were now using SMS passwords, where a one-time password is sent to a customer's phone for each transaction, which the customer then has to manually copy to their computer.
But customers were failing to notice when the bank account number in the SMS message did not match their account number, Mr AlZomai said.
He said if this occurred it was a clear sign hackers had infiltrated the system.
Mr AlZomai said he simulated two types of attacks: an obvious attack where five or more digits in the account number were altered, and a stealthy attack where only one digit was changed.
The obvious attacks were successful in 21 per cent of cases, and the stealthy attacks fooled 61 per cent of people, he said.
"This is a strong indication that the SMS transaction authorization method is vulnerable," he said.
"According to our study only 79 per cent of users would be able to avoid realistic attacks, which represents an inadequate level of security for online banking."
Mr AlZomai said this study showed customers the importance of being vigilant when they were banking online. But he also said that banks had a responsibility to their customers.
"We hope this research will allow online banks and other online service providers to be better prepared for these emerging risks," he said.