On 20/03/2013, at 18:32, Antonio Manuel Amaya Calvo wrote:
> Hey.
>
> On 20/03/2013 11:44, Julien Wajsberg wrote:
>> (I don't pretend to understand everything that was described here)
>>
>> On 19/03/2013 17:30, Fernando Jiménez wrote:
>>> There have already been a few discussions about how to implement a silent
>>> SMS flow [2]. The comment at [3] mentions the possibility of having an SMS
>>> flow only with SMS MO [4], which would be absolutely great, but I can't see
>>> how this flow can work in a secure way since it is possible to replace the
>>> sender of an SMS [5].
>> I'd say the only consequence of a spoofed SMS would be a failed payment,
>> right? There is no way the spoofed SMS would trigger an unwanted payment.
>
> No, if SMS can be spoofed then the consequence would be a fraudulent
> payment. The payment would be done, since we're basically equating the
> SMS to a proof-of-ownership of the line that will be used to do the
> payment. So if user A with MSISDN A' can send an SMS with MSISDN B' that
> is owned by user B, then that would result in us charging user B for
> whatever user A bought.

Thanks Antonio. Exactly. That's why I think an SMS MO <-> SMS MT flow is needed.

However, we are still waiting for David's explanation about his proposal. It seems that short numbers are treated in a different way in the operator's network and might be safe enough to allow us to work with an SMS MO only flow.
