Security Basics mailing list archives

Re: SMS Banking


From: "Menerick, John" <jmenerick () netsuite com>
Date: Mon, 8 Feb 2010 09:33:11 -0800

Comments inline

On Feb 4, 2010, at 8:20 AM, M.D.Mufambisi wrote:

Hi All,

I'm designing an SMS banking application but I need to research the
security risks involved first. I'm thinking of subscribing a mobile phone
number along with a PIN, e.g. Number 222-222-222 PIN 20029. So when the
individual wants to enquire about his balance, he sends a text message like
Bal 20029, i.e. BAL PINNUMBER. The control here is that the SMS and PIN
have to come from the subscribed number and only that number. I also
want to be able to allow subscribers to transfer funds to predetermined
service providers such as utility companies etc.
What are the risks around this application?

Large risks.  Take your basic one-form-of-authentication risk model but multiply it greatly due to the gravity of the 
information behind said SMS auth. The previous email from Craig Wright is a great start.

How are such applications normally subverted?

Everything from GSM cracking, to fuzzing via sms gateways/email providers.

Are there any case studies someone can point me to?

Once you ignore the pages on using SMS for 2FA, http://www.google.com/search?&q=SMS+authentication should give you a 
few pointers and case studies.

What are the various authentication methods, as I appreciate mine cannot be the best?

Homomorphic digital signatures would go a long way.  Otherwise, look at US FDIC standards/guidance and work from there.

Your help will be most appreciated.

Munyaradzi
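The BAL PINNUMBER scheme from the quoted post, worked through as an added example; this is not code from the thread or from either poster. Assumptions not in the original: the SMS gateway hands the application a (sender, text) pair; PINs are stored as salted PBKDF2-HMAC-SHA256 hashes rather than in the clear; five wrong PINs lock the account; the transfer command is spelled "PAY <payee> <amount> <PIN>"; and the payee code UTIL1, the balances and the second phone number are constructed for the demo. The comment on the originating address is general knowledge about SMS gateways, not a claim the thread makes.

```python
"""Toy back end for the 'BAL <PIN>' and 'PAY <payee> <amount> <PIN>' SMS
commands described in the post. Added example, not code from the thread."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

MAX_FAILED_PINS = 5        # assumption: lock the account after five wrong PINs
PBKDF2_ROUNDS = 100_000    # assumption: PBKDF2-HMAC-SHA256 for PIN storage
AMOUNT_RE = re.compile(r"^\d{1,7}(\.\d{1,2})?$")


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    balance_cents: int
    payees: dict           # allowed payee code -> description (the "predetermined" providers)
    failed_pins: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted slow hash, so a leaked table does not hand out every 5-digit PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def to_cents(amount: str):
    """'12.5' -> 1250; None if the text is not a plain decimal amount."""
    if not AMOUNT_RE.match(amount):
        return None
    whole, _, frac = amount.partition(".")
    cents = int(whole) * 100
    if frac:
        cents += int(frac.ljust(2, "0"))
    return cents


class SmsBank:
    def __init__(self):
        self.accounts = {}     # subscribed number -> Account

    def enroll(self, msisdn: str, pin: str, balance_cents: int, payees: dict):
        salt = os.urandom(16)
        self.accounts[msisdn] = Account(salt, hash_pin(pin, salt), balance_cents, dict(payees))

    def _pin_ok(self, acct: Account, pin: str) -> bool:
        if acct.locked:
            return False
        ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
        if ok:
            acct.failed_pins = 0
        else:
            acct.failed_pins += 1
            acct.locked = acct.failed_pins >= MAX_FAILED_PINS
        return ok

    def handle(self, sender: str, text: str) -> str:
        # 'sender' is whatever the gateway reports as the originating address.
        # Gateways and some operators let the submitter set that field, so
        # matching it against the subscribed number is a filter, not
        # authentication; in this design the PIN is the only secret.
        acct = self.accounts.get(sender)
        parts = text.split()
        if acct is None or not parts:
            return "ERR"       # same reply for an unknown number and a bad PIN
        cmd = parts[0].upper()
        if cmd == "BAL" and len(parts) == 2:
            if not self._pin_ok(acct, parts[1]):
                return "ERR"
            return f"BAL {acct.balance_cents / 100:.2f}"
        if cmd == "PAY" and len(parts) == 4:
            payee, cents, pin = parts[1].upper(), to_cents(parts[2]), parts[3]
            if not self._pin_ok(acct, pin):
                return "ERR"   # check the PIN first so every wrong guess is counted
            if payee not in acct.payees or cents is None or cents <= 0 or cents > acct.balance_cents:
                return "ERR"
            acct.balance_cents -= cents
            return f"PAID {acct.payees[payee]} {cents / 100:.2f}"
        return "ERR"


def demo() -> dict:
    """Constructed walk-through using the number and PIN from the post."""
    bank = SmsBank()
    bank.enroll("222-222-222", "20029", 150_000, {"UTIL1": "Water utility"})  # constructed data
    out = {}
    out["balance"] = bank.handle("222-222-222", "Bal 20029")
    out["other_number"] = bank.handle("333-333-333", "BAL 20029")
    out["payment"] = bank.handle("222-222-222", "PAY util1 12.50 20029")
    out["unknown_payee"] = bank.handle("222-222-222", "PAY SHOP 1.00 20029")
    # A 5-digit PIN is only 100,000 guesses; the lockout is what makes guessing expensive.
    for guess in range(MAX_FAILED_PINS):
        bank.handle("222-222-222", f"BAL {guess:05d}")
    out["after_lockout"] = bank.handle("222-222-222", "BAL 20029")
    out["locked"] = bank.accounts["222-222-222"].locked
    return out


if __name__ == "__main__":
    print(demo())
```

The walk-through returns "BAL 1500.00" for the subscribed number, "ERR" for the same PIN from another number, a successful payment only to the enrolled payee, and "ERR" even for the correct PIN once five wrong guesses have locked the account. Everything the handler can refuse is refused with the same "ERR", so an attacker probing through a gateway learns nothing about which numbers are enrolled.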
