Future Attacks 113

the best talent possible. It is certainly not a debate that will end soon, nor likely ever to be resolved.

These first two attacks were fairly benign and did little to no damage to the attacked devices. However, they definitely showed the world that there were a significant number of jailbroken devices that could be compromised easily. They also showed that the user base was fairly unsavvy about the risks to these hybrid devices.

Shortly after the first two attacks, a third worm showed up, but this time with definite malicious intent. In the Netherlands, a worm nicknamed "Duh" started spreading to jailbroken iPhones with default root passwords in an attempt to steal banking information. The worm would set up a botnet in which a bot residing on the phone would wait for SMSes from ING bank and mobile transaction authentication numbers (mTANs), a six-digit number sent to Web banking users that they must enter in a short window of time to complete a transaction. This is meant to be an out-of-band authentication system to verify that the owner is accessing the account. The system fails since the SMS is received on what amounts to the same computer that is accessing the Web banking portal, thus negating the out-of-band part and the security it implies. The bot intercepts the mTAN SMS and sends it to a remote system where the attacker has a small window of opportunity, logging in ahead of the legitimate user and gaining access