RE: SMS Banking

["Thor (Hammer of God)" <Thor () hammerofgod com>]

SMS based solutions are inherently insecure; not just from the application level, but from the carrier level.  You're 
assuming the carrier media is secure, which is not the case as Karsten showed at the CCC when he cracked GSM.  

I think you would be far better served to create a client side application (client specific of course) where you could 
build security into the application itself, use SSL, etc for client-to-server inquiries and transaction execution.

t

> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Doug Farre
> Sent: Thursday, February 04, 2010 3:04 PM
> To: M.D.Mufambisi
> Cc: pen-test () securityfocus com; security-basics () securityfocus com
> Subject: Re: SMS Banking
>
> Mobile phone numbers can be spoofed. My piece of advice is that all
> transactions must be acknowledged by the user. For instance, user
> makes a request, system asks the user if for confirmation, then the
> system proceeds.
>
> Also, keep in mind that a lost cell phone can mean the user's pin is
> compromised as the sms msgs are all stored in plain text.
>
> On Thu, Feb 4, 2010 at 10:20 AM, M.D.Mufambisi <mufambisi () gmail com>
> wrote:
> > Hi All,
> >
> > Im designing an SMS baking application but i need to research on the
> > security risks involved first. Im thinking of subscribing mobile
> phone
> > number along with a pin. eg Number 222-222-222 PIN 20029. So when the
> > individual wants to enquire his balance, he sends a text messgae like
> > Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and
> pin
> > has to come from the subscribed number and only that number. I also
> > want to be able to allow subscribers to tranfer funds to pre
> > determined service providers such as utility companies etc.
> > What are the risks around this application? How are such applications
> > normally subverted? Are there any case studies someone can point me
> > to? What are the various authentication methods as i appreciate mine
> > can not be the best?
> >
> > Your help will be most appreciated.
> >
> > Munyaradzi
> >
> > ---------------------------------------------------------------------
> ---
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs
> an SSL certificate.  We look at how SSL works, how it benefits your
> company and how your customers can tell if a site is secure. You will
> find out how to test, purchase, install and use a thawte Digital
> Certificate on your Apache web server. Throughout, best practices for
> set-up are highlighted to help you ensure efficient ongoing management
> of your encryption keys and digital certificates.
> >
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
> 2f727d1
> > ---------------------------------------------------------------------
> ---
> >
>
>
>
> --
> ------
> Doug Farre
> (209) 677-7483
>
> Sent from Houston, TX, United States
>
> -----------------------------------------------------------------------
> -
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
>
> http://www.iacertification.org
> -----------------------------------------------------------------------
> -


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------