Home page logo
/

basics logo Security Basics mailing list archives

Re: SMS Banking
From: pasquale imperato <slashbackpt () gmail com>
Date: Thu, 4 Feb 2010 19:57:11 +0100

Since there is the possibility of doing "sms spoofing", first of all I
would add a response from the application to the cellphone in order to
receive a confirmation by the owner of the cellphone number.

In other words:
1) owner REQUEST: BAL PINNUMBER
2) application RESPONSE: "please confirm you sent the BAL request
sending back this random code: XXXXXX"
3) owner CONFIRMATION with the random code XXXXXX
4) application RSPONSE: informations required

Moreover, I would also send a message to his personal email address in
the case the cellphone has been stolen ( by example ) and the owner
had his pinnumber saved somewhere in his cellphone...

In any case I wouldnt let the user doing too much risky operations
through his cellphone, but this is just my personal opinion.

Bye,
Pasquale Imperato


On Thu, Feb 4, 2010 at 5:20 PM, M.D.Mufambisi <mufambisi () gmail com> wrote:

Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number. I also
want to be able to allow subscribers to tranfer funds to pre
determined service providers such as utility companies etc.
What are the risks around this application? How are such applications
normally subverted? Are there any case studies someone can point me
to? What are the various authentication methods as i appreciate mine
can not be the best?

Your help will be most appreciated.

Munyaradzi

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]