Friday, 13 April 2007

Bopo - is this SMS service secure?

This service caught my eye while in a newsagents in Melbourne. Unfortunately it was on a screen with video ads on a loop so I had to watch the Mr Bean film trailer again before getting the full info.

Bopo is a pre pay visa card offered in Australia and the selling point of they were pushing in the ad was the ability to transfer money between cards by SMS. Could be worth investigating I thought, so I sat through Mr Bean again, and tapped the web address into my BlackBerry for a later look.

The web site gives a set of instructions for managing your account which all seemed simple enough. You seem to register your mobile number and they use that to authenticate any requests: check your balance, transfer money, stop your card, etc all via SMS.

But then it struck me, they're using a virtual mobile number for this. Any wholesale service can send to virtual mobile numbers which means that the originator of the messages can be spoofed. Normally these kind of services are run behind shortcodes, which are network specific codes and thus are not accessible from wholesale SMS connections. The side benefit of this is that you know the any SMS came from a on-network handset containing the SIM associated with the mobile number.

Now, I haven't used the service, they could be sending a confirmation text after each request but there is no mention in the user guide of any secondary validation. If not, all you need is someones mobile number and to know they have one of these cards and you can stop the card or transfer money to other people all from the comfort of your web browser.

There was a recent post about spoofing the originator of SMS messages for fun/nefairous purposes on SMS Text News ( lets you set the originator; wind folk up) I reckon this is a good example. Please let me have your comments, I'm going to try and contact Bopo to get their view on this but if anyone has used the service, or something similar, and I'm missing the mark completely. Please let me know.

No comments: