Security Basics mailing list archives
Re: SMS Banking
From: Dennis Li <dennis.li.sh () gmail com>
Date: Mon, 8 Feb 2010 17:48:14 +0800
Hi, Munyaradzi I think you need consider two-factors authentication way. And the identity of user and the bank website shall be verified in case of mobile stolen and phishing. Some controls are: 1. use another authentication besides ID, password and cellphone itself(such as SIM card stored key); such as OTP(one-time-pad); 2. consider how to clean the SMS history or hidden some sensitive information during transaction (in my friend mobile, the information he typed in the web page when he log on to credit card online site was kept except password.) 3. use words user left when he register SMS banking service in the first step responding user from bank to identify itself is the real web site Good luck! Dennis li On Fri, Feb 5, 2010 at 12:20 AM, M.D.Mufambisi <mufambisi () gmail com> wrote:Hi All, Im designing an SMS baking application but i need to research on the security risks involved first. Im thinking of subscribing mobile phone number along with a pin. eg Number 222-222-222 PIN 20029. So when the individual wants to enquire his balance, he sends a text messgae like Bal 20029 i.e. BAL PINNUMBER. The control here is that the sms and pin has to come from the subscribed number and only that number. I also want to be able to allow subscribers to tranfer funds to pre determined service providers such as utility companies etc. What are the risks around this application? How are such applications normally subverted? Are there any case studies someone can point me to? What are the various authentication methods as i appreciate mine can not be the best? Your help will be most appreciated. Munyaradzi ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: SMS Banking, (continued)
- Re: SMS Banking Dennis Storm (Feb 05)
- Re: SMS Banking pasquale imperato (Feb 05)
- Re: SMS Banking Budi wibowo (Feb 05)
- Re: SMS Banking Agus 'Bosen' Supriadhie (Feb 05)
- Re: SMS Banking Doug Farre (Feb 05)
- RE: SMS Banking Thor (Hammer of God) (Feb 05)
- Message not available
- Re: SMS Banking Markus Matiaschek (Feb 05)
- RE: SMS Banking Craig S. Wright (Feb 08)
- RE: SMS Banking Thor (Hammer of God) (Feb 08)
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- RE: [Full-disclosure] SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Markus Matiaschek (Feb 05)
- Re: SMS Banking Dennis Li (Feb 08)
- Re: SMS Banking Tim Clewlow (Feb 08)