Penetration Testing mailing list archives

Re: SMS Banking

From: Doug Farre <dougfarre () gmail com>
Date: Thu, 4 Feb 2010 17:04:26 -0600

Mobile phone numbers can be spoofed. My piece of advice is that all
transactions must be acknowledged by the user. For instance, user
makes a request, system asks the user if for confirmation, then the
system proceeds.

Also, keep in mind that a lost cell phone can mean the user's pin is
compromised as the sms msgs are all stored in plain text.

On Thu, Feb 4, 2010 at 10:20 AM, M.D.Mufambisi <mufambisi () gmail com> wrote:

Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number. I also
want to be able to allow subscribers to tranfer funds to pre
determined service providers such as utility companies etc.
What are the risks around this application? How are such applications
normally subverted? Are there any case studies someone can point me
to? What are the various authentication methods as i appreciate mine
can not be the best?

Your help will be most appreciated.

Munyaradzi

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works,
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




--
------
Doug Farre
(209) 677-7483

Sent from Houston, TX, United States

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

SMS Banking M.D.Mufambisi (Feb 05)
- Re: SMS Banking Budi wibowo (Feb 05)
- Re: SMS Banking Doug Farre (Feb 05)
  - RE: SMS Banking Thor (Hammer of God) (Feb 07)
- Message not available
  - Re: SMS Banking Markus Matiaschek (Feb 07)
    - RE: SMS Banking Craig S. Wright (Feb 07)