On 20/03/2013 19:03, Julien Wajsberg wrote:
On 20/03/2013 18:32, Antonio Manuel Amaya Calvo wrote:
Hey.

On 20/03/2013 11:44, Julien Wajsberg wrote:
(I don't pretend to understand everything that was described here)

On 19/03/2013 17:30, Fernando Jiménez wrote:
There have already been a few discussions about how to implement a
silent SMS flow [2]. The comment at [3] mentions the possibility of
having an SMS flow only with SMS MO [4], which would be absolutely
great, but I can't see how this flow can work in a secure way since
it is possible to replace the sender of an SMS [5].
I'd say the only consequence of a spoofed SMS would be a failed payment,
right? There is no way the spoofed SMS would trigger an unwanted
payment.
No, if SMS can be spoofed then the consequence would be a fraudulent
payment. The payment would be done, since we're basically equating the
SMS to a proof-of-ownership of the line that will be used to do the
payment. So if user A with MSISDN A' can send an SMS with MSISDN B' that
is owned by user B, then that would result in us charging user B for
whatever user A bought.
Sorry, I still don't understand.

The SMS is received by the user, right? It contains a PIN? And then
the user uses this PIN in the payment screen.

Am I missing something?

That's SMS MT (SMS Mobile Terminated). But to do that we need the
mobile number of the user, which is what we didn't want to ask for
(since it's bad UX). So we wanted to use SMS MO (Mobile Originated). You
could in theory do that with just one message:

             SMS MO
Mobile ------------>  Payment processor

That would allow BlueVia to get the phone number (from the SMS network
header) and that would be all. Except SMS MO isn't actually secure and
thus you can spoof the originator phone number. It's more complicated
than that since that depends on the SMS-C and if you allow routing from
external networks to the destination number. So what Fernando was
proposing was:


               SMS MO
1 Mobile ------------>  PP
               SMS MT
2 Mobile <-----------   PP

The payment processor gets the phone number of the user at (1) and then
it uses that phone number to send an SMS to actually validate the number.
Even if the user faked his number at (1) he would not be able to get the
message from (2) and thus he would not be able to continue the process.

So what we're trying to determine currently is if we can or cannot
guarantee that using just SMS MO the number cannot be spoofed.

Best,

Antonio
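
The two flows discussed above, modelled side by side as an added example that is not part of the original thread or of any BlueVia or Mozilla code. The class names, session ids, six-digit code and MSISDNs are assumptions constructed for illustration.

```python
import hmac
import secrets

class SmsNetwork:
    """Constructed model: an MT message reaches only the handset that owns the MSISDN."""
    def __init__(self):
        self.inbox = {}

    def deliver_mt(self, msisdn, text):
        self.inbox.setdefault(msisdn, []).append(text)

class PaymentProcessor:
    def __init__(self, network):
        self.network = network
        self.pending = {}  # session id -> (claimed MSISDN, one-time code)

    def charge_mo_only(self, claimed_sender):
        # MO-only flow: the originator header is taken as proof of line ownership.
        return claimed_sender

    def on_sms_mo(self, claimed_sender, session_id):
        # Step 1: the MO originator is only a claim; nothing is charged yet.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = (claimed_sender, code)
        # Step 2: the challenge is sent by SMS MT to the claimed number.
        self.network.deliver_mt(claimed_sender, code)

    def confirm(self, session_id, code):
        # Single use: the session is discarded after one attempt, right or wrong.
        claimed, expected = self.pending.pop(session_id, (None, ""))
        if claimed and hmac.compare_digest(code.encode(), expected.encode()):
            return claimed
        return None

def demo():
    net = SmsNetwork()
    pp = PaymentProcessor(net)
    user_a, user_b = "+34600000001", "+34600000002"  # constructed MSISDNs
    # User A's MO arrives with an originator field naming user B's number.
    mo_only = pp.charge_mo_only(claimed_sender=user_b)
    pp.on_sms_mo(claimed_sender=user_b, session_id="s1")
    # The code sits in B's inbox; A's handset never receives it.
    a_sees = net.inbox.get(user_a, [])
    spoofed = pp.confirm("s1", a_sees[0] if a_sees else "")
    # Honest case: A sends from A's own number and reads the MT reply.
    pp.on_sms_mo(claimed_sender=user_a, session_id="s2")
    honest = pp.confirm("s2", net.inbox[user_a][-1])
    return mo_only, spoofed, honest  # (B is billed, None, A is verified)
```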
