funsec mailing list archives

RE: PayPal Plans Payments Via Text Message?


From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Thu, 23 Mar 2006 08:56:34 -0700

 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Mark P. Fister
Sent: Thursday, March 23, 2006 3:32 AM
To: Fergie
Cc: funsec () linuxbox org
Subject: Re: [funsec] PayPal Plans Payments Via Text Message?

On Thu, Mar 23, 2006 at 02:22:25AM +0000, Fergie wrote:
Despite the frustrating lack of details here, the article goes on to 
say that "Users will first have to register their mobile devices with 
PayPal's Web site and select a code to protect them against 
unauthorized users."

Wow. Does this sound like a potential avenue for abuse, or what? ;-)

The potential you're probably thinking of is this:

1. Cell phone is stolen.
---------------------------
What if the phone is merely cloned and not stolen? That technology is
still out there, if rarely used. An attacker could then guess passwords
a few at a time over a long period.


How do you guys originally tie a number to a cell phone? Via
registration on the web with an acknowledgement sent to the cell phone
via SMS? I guess that would mean in order to sign up for the service,
you would already have to have full access to the PayPal account,
therefore making it just as (in)secure as any online transaction ;-)

You might want to take an advance lesson from these guys.
http://www.theregister.co.uk/2006/02/02/mobile-phone_tracking/

It seems that people were abusing the system, trying to track those who
didn't want to be tracked via more methods than are listed in the above
link. You can't stop all security flaws (social or technological), but
the idea of always texting the phone with notices that you are signed up
to the service, or when you fail authentication, or just make a huge
purchase might be able to stop some current and future headaches. And
while it may be annoying to some, it might also be comforting to others.

-JP


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

