On 20/03/2013 18:32, Antonio Manuel Amaya Calvo wrote:
> Hey.
>
> On 20/03/2013 11:44, Julien Wajsberg wrote:
>> (I don't pretend to understand everything that was described here)
>>
>> On 19/03/2013 17:30, Fernando Jiménez wrote:
>>> There have already been a few discussions about how to implement a
>>> silent SMS flow [2]. The comment at [3] mentions the possibility of
>>> having an SMS flow only with SMS MO [4], which would be absolutely
>>> great, but I can't see how this flow can work in a secure way since
>>> it is possible to replace the sender of an SMS [5].
>> I'd say the only consequence of a spoofed SMS would be a failed payment,
>> right? There is no way the spoofed SMS would trigger an unwanted
>> payment.
>
> No, if SMS can be spoofed then the consequence would be a fraudulent
> payment. The payment would be done, since we're basically equaling the
> SMS to a proof-of-ownership of the line that will be used to do the
> payment. So if user A with MSISDN A' can send an SMS with MSISDN B' that
> is owned by user B, then that would result in us charging user B for
> whatever user A bought.

Sorry, I still don't understand. The SMS is received by the user, right? It contains a PIN? And then the user uses this PIN in the payment screen. Am I missing something?
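The two verification flows discussed in this thread, modelled side by side as an added example that is not part of any message above or of the project's code. The function and class names and the sample numbers are hypothetical, and the MT flow assumes the network delivers the PIN only to the claimed line.

```python
import hmac
import secrets

# Constructed sample numbers, not taken from the thread.
MSISDN_A = "+10000000001"  # user A's line
MSISDN_B = "+10000000002"  # user B's line


def charge_target_mo_only(sms):
    """MO-only flow: the claimed sender is accepted as proof of line ownership."""
    return sms["sender"]


class MtPinVerifier:
    """MT flow: a one-time PIN is sent to the line that is being claimed."""

    def __init__(self):
        self._pending = {}  # claimed MSISDN -> PIN awaiting confirmation

    def start(self, claimed_msisdn, inboxes):
        pin = f"{secrets.randbelow(10**6):06d}"
        self._pending[claimed_msisdn] = pin
        # Assumption: the network delivers SMS MT only to the claimed line.
        inboxes[claimed_msisdn].append(pin)

    def confirm(self, claimed_msisdn, entered_pin):
        pin = self._pending.pop(claimed_msisdn, None)  # single use
        return pin is not None and hmac.compare_digest(pin, entered_pin)


def simulate():
    results = {}
    # MO-only: the message leaves A's line but names B's number as sender.
    spoofed = {"origin_line": MSISDN_A, "sender": MSISDN_B, "body": "pay"}
    results["mo_charged"] = charge_target_mo_only(spoofed)

    verifier = MtPinVerifier()
    inboxes = {MSISDN_A: [], MSISDN_B: []}
    # MT PIN: A claims B's number; the PIN lands in B's inbox, A has nothing.
    verifier.start(MSISDN_B, inboxes)
    entered_by_a = inboxes[MSISDN_A][-1] if inboxes[MSISDN_A] else ""
    results["mt_a_confirms_b"] = verifier.confirm(MSISDN_B, entered_by_a)
    # B starts a payment on B's own line and types the PIN that was received.
    verifier.start(MSISDN_B, inboxes)
    results["mt_b_confirms_b"] = verifier.confirm(MSISDN_B, inboxes[MSISDN_B][-1])
    return results


if __name__ == "__main__":
    print(simulate())
```

The model leaves out PIN expiry and retry limits, which a real MT flow would need because a six-digit PIN can be guessed.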
