Security Basics mailing list archives
Re: SMS Banking
From: "Menerick, John" <jmenerick () netsuite com>
Date: Mon, 8 Feb 2010 09:33:11 -0800
Comments inline

On Feb 4, 2010, at 8:20 AM, M.D.Mufambisi wrote:

> Hi All, I'm designing an SMS banking application but I need to research the security risks involved first. I'm thinking of subscribing a mobile phone number along with a PIN, e.g. Number 222-222-222, PIN 20029. So when the individual wants to enquire about his balance, he sends a text message like "Bal 20029", i.e. BAL PINNUMBER. The control here is that the SMS and PIN have to come from the subscribed number and only that number. I also want to be able to allow subscribers to transfer funds to predetermined service providers such as utility companies etc. What are the risks around this application?

Large risks. Take your basic one-form-of-authentication modeled risk but multiply it greatly due to the gravity of the information behind said SMS auth. The previous email from Craig Wright is a great start.

> How are such applications normally subverted?

Everything from GSM cracking to fuzzing via SMS gateways/email providers.

> Are there any case studies someone can point me to?

Once you ignore the pages on using SMS for 2FA, http://www.google.com/search?&q=SMS+authentication should give you a few pointers and case studies.

> What are the various authentication methods, as I appreciate mine cannot be the best?

Homomorphic digital signatures would go a long way. Otherwise, look at US FDIC standards/guidance and work from there.
> Your help will be most appreciated. Munyaradzi
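As an added example (not code from the original poster or from this reply), here is how the scheme described above, "BAL <PIN>" from a subscribed number with transfers limited to pre-registered providers, could be handled on the server side with the checks a reviewer would expect: the PIN stored as a salted hash and compared in constant time, a lockout after repeated bad PINs, and a payee allow-list. The subscriber number, PIN, salt, balance and payee name are constructed sample values; note that the sender address remains the scheme's only identity binding, which is the single-factor weakness the reply points at.

```python
import hashlib
import hmac
import re

# Constructed demo data (not from the post): the PIN is stored as a salted
# PBKDF2 hash rather than in the clear, and payees form a fixed allow-list.
SALT = b"constructed-demo-salt"


def hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 50_000)


SUBSCRIBERS = {
    "222222222": {"pin": hash_pin("20029"), "balance_cents": 15_000,
                  "payees": {"UTILITY01"}},
}
MAX_FAILURES = 3
_failures = {}  # sender -> consecutive bad-PIN count (keyed on the sender address)

# Accepted commands: "BAL <pin>" or "PAY <pin> <payee> <whole-currency amount>"
CMD_RE = re.compile(
    r"^(?P<cmd>BAL|PAY)\s+(?P<pin>\d{4,6})"
    r"(?:\s+(?P<payee>[A-Z0-9]+)\s+(?P<amount>\d+))?$", re.IGNORECASE)


def handle_sms(sender: str, text: str) -> str:
    """Process one inbound SMS; the PIN is never echoed back or logged."""
    sub = SUBSCRIBERS.get(sender)
    if sub is None:
        return "ERR unknown sender"
    if _failures.get(sender, 0) >= MAX_FAILURES:
        return "ERR locked"
    m = CMD_RE.match(text.strip())
    if not m:
        return "ERR format"
    # Constant-time comparison of the hashed PIN against the stored hash.
    if not hmac.compare_digest(hash_pin(m["pin"]), sub["pin"]):
        _failures[sender] = _failures.get(sender, 0) + 1
        return "ERR pin"
    _failures[sender] = 0
    if m["cmd"].upper() == "BAL":
        return f"BAL {sub['balance_cents'] / 100:.2f}"
    if m["payee"] is None:
        return "ERR format"
    if m["payee"].upper() not in sub["payees"]:
        return "ERR payee not on list"  # transfers only to pre-registered providers
    cents = int(m["amount"]) * 100
    if cents <= 0 or cents > sub["balance_cents"]:
        return "ERR amount"
    sub["balance_cents"] -= cents
    return f"OK paid {m['amount']} to {m['payee'].upper()}"
```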