Havana, Cuba. Transfermovil is an app launched in September 2017 by the Cuban Telecommunications Company (ETECSA) to “facilitate service payments, online purchases, bank inquiries and procedures, and the management of telecommunications services.”
Although the app has been in development for years and is used by millions of people, it leaves a lot to be desired because of the technology it still relies on to carry out its functions.
The e-commerce activity handled by this platform would normally require serious protection against privacy and data security breaches. Yet after five years, the app’s developers still insist on using text messages (SMS) for communication between servers and users, even though those messages carry sensitive information about banking transactions, passwords, purchases, service payments and more.
Although SMS is considered an obsolete communication channel, and one of the main reasons is precisely its lack of security, ETECSA decided that all communication between the Transfermovil application (users) and its servers would be carried over this aging technology.
Why should sensitive information not be sent by SMS?
Cellular devices automatically connect to the nearest antenna (base station) to establish a connection. Up to that point, an SMS is protected by a type of encryption that, although not the best, provides some security. The problem lies in the rest of the path the message must travel to reach its destination.
With no encryption along that remaining path, there is a risk that third parties may alter, retain, copy or duplicate the message while it is in transit, and there is no defense when the telephone operator itself acts as the attacker.
Likewise, SMS messages are not encrypted within the network that stores or forwards them.
The only communications company on the island runs filters that censor messages containing words and phrases such as “Homeland and Life”, “demonstration”, “strike”, “protest”, “11J” and many more. This security gap reveals that ETECSA not only has free access to text messages in its facilities, but also uses this vulnerability deliberately and arbitrarily.
An ETECSA specialist who spoke on condition of anonymity told CubaNet that Transfermovil was developed over SMS due to the lack of Internet access on the island.
“All phones can send text messages. When Transfermovil was launched in 2018, there was not even 3G (technology to access the Internet via mobile data),” explained the source.
How to protect yourself?
Unfortunately, in the case of Transfermovil, Cubans have no alternative that lets them stop using SMS, since the application’s very operation requires that all communication use that channel. This leaves an open door for third parties to read the messages without much effort. Thus, more than one intruder could learn which card money has been transferred to and in what amount, whether a fine has been paid, or whether a payment to the ONAT (National Tax Administration Office) is overdue, to cite a few examples.
It is worth mentioning that the Cuban e-commerce application is not available in the official Google application store, so installing the APK file offered by ETECSA carries a risk.
In a review of this file on VirusTotal.com (a platform that provides file analysis), we could see that Transfermovil requires full permission to read and modify the SMS messages stored on the device where it is installed. In addition, the application asks for access to the phone’s internal storage.
The Cuban application also has no “Terms and Conditions” setting out how users’ data and privacy are handled.