Home page logo
/

basics logo Security Basics mailing list archives

Re: SMS Banking
From: "Menerick, John" <jmenerick () netsuite com>
Date: Mon, 8 Feb 2010 09:33:11 -0800

Comments inline

On Feb 4, 2010, at 8:20 AM, M.D.Mufambisi wrote:

Hi All,

Im designing an SMS baking application but i need to research on the
security risks involved first. Im thinking of subscribing mobile phone
number along with a pin. eg Number 222-222-222 PIN 20029. So when the
individual wants to enquire his balance, he sends a text messgae like
Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin
has to come from the subscribed number and only that number. I also
want to be able to allow subscribers to tranfer funds to pre
determined service providers such as utility companies etc.
What are the risks around this application?

Large risks.  Take your basic one form of authentication modeled risk but multiply it greatly due to the gravity of the 
information behind said SMS auth. Previous email from Craig Wright is a great start.

How are such applications
normally subverted?

Everything from GSM cracking, to fuzzing via sms gateways/email providers.

Are there any case studies someone can point me
to?

Once you ignore the pages of using SMS for 2FA, http://www.google.com/search?&q=SMS+authentication should give you a 
few pointers and case studies

What are the various authentication methods as i appreciate mine
can not be the best?


Homomorphic digital signatures would go a long way.  Otherwise, look at US FDIC standards/guidance and work from there.

Your help will be most appreciated.

Munyaradzi

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


NOTICE: This email and any attachments may contain confidential and proprietary information of NetSuite Inc. and is for 
the sole use of the intended recipient for the stated purpose.  Any improper use or distribution is prohibited.  If you 
are not the intended recipient, please notify the sender; do not review, copy or distribute; and promptly delete or 
destroy all transmitted information.  Please note that all communications and information transmitted through this 
email system may be monitored by NetSuite or its agents and that all incoming email is automatically scanned by a third 
party spam and filtering service.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]