pen-test February 2010 archive

Re: SMS Banking

From: Markus Matiaschek <mmatiaschek_at_nospam>
Date: Fri Feb 05 2010 - 22:08:09 GMT
To: "M.D.Mufambisi" <mufambisi@gmail.com>


Hi,

I'd just like to make some comments; I didn't think about a solution for your problem.

First of all, I think that my Budi Wibowo got something wrong regarding who is sending the PIN.

Second, GSM is cracked: http://reflextor.com/trac/a51 and can be intercepted and decrypted. You should take this into account.

Third, I think the only fairly safe way to make money transfers is with transaction numbers, TANs. German banks send mobileTANs to preregistered cell phone numbers to allow a transaction (through online banking though).
A "three-way-handshake" with a mTAN should pretty much prevent transactions through spoofed numbers.

regards,
Markus Matiaschek
Absolute IT Consulting S.A.
San José, Costa Rica
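
The mTAN "three-way-handshake" mentioned in the message above, sketched as an added example that is not part of the original post: the request's sender number is never trusted, the one-time TAN goes only to the preregistered number, and the transfer executes only when that TAN comes back. The class name, TTL, retry limit and sample account data are assumptions, and a list stands in for the SMS channel.

```python
import hmac, secrets, time

TAN_TTL = 300    # seconds a TAN stays valid (assumed value)
MAX_TRIES = 3    # wrong guesses allowed before the transfer is dropped (assumed)

class MTanGateway:   # hypothetical name, for illustration only
    def __init__(self, registered):
        self.registered = registered   # account -> preregistered phone number
        self.pending = {}              # tx_id -> [account, amount, dest, tan, expiry, tries]
        self.outbox = []               # (phone, text) pairs standing in for SMS delivery

    def request(self, account, amount, dest, now=None):
        """Step 1: a transfer request arrives; its sender number is not trusted."""
        now = time.time() if now is None else now
        tx_id = secrets.token_hex(4)
        tan = f"{secrets.randbelow(10**6):06d}"
        self.pending[tx_id] = [account, amount, dest, tan, now + TAN_TTL, 0]
        # Step 2: the TAN goes only to the number on file, never to the requester.
        self.outbox.append((self.registered[account], f"TAN {tan} (ref {tx_id})"))
        return tx_id

    def confirm(self, tx_id, tan, now=None):
        """Step 3: execute only if the one-time TAN comes back in time."""
        now = time.time() if now is None else now
        tx = self.pending.get(tx_id)
        if tx is None:
            return False
        if now > tx[4]:
            del self.pending[tx_id]    # expired
            return False
        if hmac.compare_digest(tan, tx[3]):
            del self.pending[tx_id]    # single use: a replayed TAN fails
            return True
        tx[5] += 1
        if tx[5] >= MAX_TRIES:
            del self.pending[tx_id]    # stop online guessing
        return False

def demo():
    gw = MTanGateway({"ACC-1": "+10000000001"})   # constructed sample data
    tx = gw.request("ACC-1", 50, "ACC-2")
    phone, text = gw.outbox[-1]
    tan = text.split()[1]
    wrong = f"{(int(tan) + 1) % 10**6:06d}"
    # wrong TAN rejected, correct TAN accepted once, replay rejected
    return phone, gw.confirm(tx, wrong), gw.confirm(tx, tan), gw.confirm(tx, tan)
```

The check only helps while the SMS leg itself stays confidential, which is the GSM interception caveat raised in the same message.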


