Security Basics mailing list archives

Re: SMS Banking

From: Dennis Storm <d.storm () drecomm nl>
Date: Thu, 4 Feb 2010 19:47:15 +0100 (CET)



----- Original Message -----
From: "M.D.Mufambisi" <mufambisi () gmail com>
To: pen-test () securityfocus com, security-basics () securityfocus com
Sent: donderdag 4 februari 2010 17:20:22 uur (GMT+0100) Europe/Berlin
Subject: SMS Banking

Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number.


First thing that pops to mind is to steal the phone and look at the messaging history. That way I have a subscribed 
phone, and can authenticate myself with the PIN. Personally I wouldn't use a service that's set up this way.

I also
want to be able to allow subscribers to tranfer funds to pre
determined service providers such as utility companies etc.
What are the risks around this application? How are such applications
normally subverted? Are there any case studies someone can point me
to? What are the various authentication methods as i appreciate mine
can not be the best?

Your help will be most appreciated.

Munyaradzi




Kind regards,

Dennis Storm
Systems Engineer

Drecomm BV "Internet Intelligence"
Groningen offices:
    Hoendiep 208
    9745 ED  Groningen, The Netherlands
    T:  +31 (0)50 577 58 22
    F:  +31 (0)50 577 58 23

Rotterdam offices:
    Walenburgerweg 46 a/b
    3033 AD  Rotterdam, The Netherlands

    T: +31 (0)10 466 86 38
    F: +31 (0)10 466 72 39

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

SMS Banking M.D.Mufambisi (Feb 04)
- Re: SMS Banking Dennis Storm (Feb 05)
- Re: SMS Banking pasquale imperato (Feb 05)
- Re: SMS Banking Budi wibowo (Feb 05)
  - Re: SMS Banking Agus 'Bosen' Supriadhie (Feb 05)
- Re: SMS Banking Doug Farre (Feb 05)
  - RE: SMS Banking Thor (Hammer of God) (Feb 05)
- Message not available
  - Re: SMS Banking Markus Matiaschek (Feb 05)
    - RE: SMS Banking Craig S. Wright (Feb 08)
    - RE: SMS Banking Thor (Hammer of God) (Feb 08)
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - Message not available
    - RE: [Full-disclosure] SMS Banking Craig S. Wright (Feb 10)
- Message not available
  - Re: SMS Banking Dennis Li (Feb 08)

(Thread continues...)