SMS message center

Author Message
h
New member
Username: Etrby

Post Number: 1
Registered: 03-2005
Posted on Tuesday, September 11, 2007 - 09:16 pm:   

We are developing a tool by which the system owner can accept money from his clients by transferring credit from their cell phone credit to his, so we need to be 100% sure that the client has transferred the money to the system owner through the GSM operator, not through another operator which may allow the user to change his sender ID to be similar to the ID that comes with the money transaction SMS. If the client can change his ID to be similar to the transaction message ID, the system can't recognise the trick, so we are thinking of checking the SMS message centre, just to check from which GSM carrier the SMS was sent. But NowSMS didn't display the SMS message centre, so if you can help it will be very much appreciated.
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7476
Registered: 10-2002
Posted on Friday, September 14, 2007 - 09:56 pm:   

Hi,

That's an interesting observation.

The type of information that you describe is only accessible when you are receiving messages via a GSM modem. (You can't get this information when a message is delivered via SMPP, or one of those other protocols.)

Basically, the modem tells you the SMSC that delivered the message to the modem. So it is conceivable that this could offer some additional level of identification in order to show that it came from the SMSC of an operator.

I don't think it's a perfect solution, because it may still be possible for a determined party to insert a spoofed sender message that gets routed through the operator SMSC ... but I don't know how difficult that would be to accomplish.

Certainly you'd filter out the most common attempts (and perhaps use those attempts as a signal to watch for other attempts).

Anyway, from a NowSMS perspective, this discussion is completely academic. NowSMS does not save the sending SMSC number when it receives an SMS message over a GSM modem. I will add this to our engineering queue, and see if we can add a feature to save this information and allow it to be routed to a 2-way command. This is not the first time this has come up in discussion, so we should make this capability available.

-bn
h
New member
Username: Etrby

Post Number: 2
Registered: 03-2005
Posted on Saturday, September 15, 2007 - 07:50 pm:   

Thank you.
Yes, I'm using a GSM modem, and I think that the GSM operator will block any sender ID similar to the one he is using in a very critical process like money transferring, so till now no solution can be achieved to be 100% sure that this is a true money transfer message coming from the GSM operator himself rather than SMS message centre identification.
Maybe we can get around this if the NowSMS GW supports blocking SMS coming from a certain message centre, so can the NowSMS GW block received SMS from a certain message centre?
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7497
Registered: 10-2002
Posted on Tuesday, September 18, 2007 - 12:01 am:   

I think it would be a better solution for NowSMS to support passing the SMSC number to the 2-way command so that an application can determine whether or not to accept it.

Give us a couple of weeks, and we'll get this added.

-bn
h
New member
Username: Etrby

Post Number: 3
Registered: 03-2005
Posted on Wednesday, September 26, 2007 - 11:39 pm:   

Any news regarding this feature?
Darek Chorazewicz
Frequent Contributor
Username: Daro

Post Number: 71
Registered: 03-2004
Posted on Sunday, September 30, 2007 - 03:50 am:   

Hello.
I think we could help you in building such an interface. You'll be able to check the SMSC number to see what SMSC the message was sent from.

Please contact me: darek.ch@mobitex.pl

Regards
Dariusz
ashot shabazian
New member
Username: Tyrebusters

Post Number: 7
Registered: 03-2004
Posted on Sunday, September 30, 2007 - 07:26 am:   

MO SMS (unlike MT SMS) are easily spoofed and should not be used as a means to enable financial transactions.

Validation by SMSC ID (SMSC GT) is not a safe method of authentication either, as any SMSC which processes subscriber MO SMS is inherently vulnerable to attacks from hackers who have access to SS7 networks and pretend to be subscribers of the network which operates a vulnerable SMSC.

Even though you can easily retrieve the SMSC GT from the message by simply listening to the RS-232 port the modem is connected to (with any protocol sniffer, e.g., Portmon), it would be a serious mistake if you used it in a production environment.

MT SMS on the other hand route according to routing tables of MNO and transit operator switches, which cannot be manipulated by a hacker.

The only safe way to handle financial transactions via MO SMS is to send the subscriber an MT SMS with a unique ID for each transaction and make him confirm the transaction by including that ID in the second (confirmation) MO message.

This can be set up by means of "2-way" functionality of NowSMS.
h
New member
Username: Etrby

Post Number: 4
Registered: 03-2005
Posted on Sunday, September 30, 2007 - 11:25 pm:   

Thank you.
Actually I'm not a specialist in GSM networks and I'm having a problem with some abbreviations you used. Would you please help me more with what you mean by MT SMS and MO SMS?
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 7511
Registered: 10-2002
Posted on Wednesday, October 03, 2007 - 07:38 pm:   

I defer to Ashot's knowledge of how easy or difficult it is to spoof this information. I would be hesitant to rely on it for validation.

But we do get asked about providing this information about the receiving SMSC from time to time. So as I mentioned above, we will add it.

Effective with the 2007.10.03 release, an additional replacement parameter is available for 2-way commands. The @@RECEIVEDSMSC@@ parameter will contain the SMSC address from which the SMS message was received. This value is ONLY available for messages received via a GSM modem, it will be blank for all other SMSC interfaces.

An update that includes this support can be downloaded from http://www.nowsms.com/download/nowsmslatest.zip.

To answer your other questions about Ashot's response ... MT SMS and MO SMS are common terms that you will hear when talking to people about SMS.

MT means Mobile Terminated ... in other words a message being delivered to/received by a mobile phone.

MO means Mobile Originated ... in other words a message being sent from a mobile phone.

When a mobile phone user sends a message to your application, that is an MO SMS.

When you send an SMS to a mobile phone user, that is an MT SMS.

What Ashot is saying is that a hacker with SS7 access could forge the MO SMS that is received by your application.

But the hacker can't manipulate the routing tables to redirect an MT SMS that you send to the customer.

So you would want to devise a system that involved your application sending an SMS to the client and then the client sending back a response that included some information (from your MT SMS) that is unique to the transaction as a confirmation.

It's more complex ... both from an application standpoint ... and from a user interface standpoint ... but more secure.

If this isn't clear, maybe a simple example would help.

Originator sends "Send 500 to abcdefg".

System replies, "To confirm transfer of 500 to abcdefg, reply to this message with the code 7229"

Originator replies "7229", and your system has confirmation that the originator is using that device because you were able to send a message to them ... which can't be redirected.

(Well, in theory, I suppose it could be redirected, but that would be a major hack that compromised the overall operator network.)

-bn
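
The confirmation flow described in the post above, sketched as an added example (it is not NowSMS code and not from any poster in this thread). The function name `handle_mo`, the six-digit code, the expiry and attempt limits and the SMSC allowlist value are assumptions; the returned string is the text that would go out as the MT SMS to the sender's number, which is what ties the code to the real handset.

```python
import hmac
import re
import secrets

CODE_TTL = 300        # seconds a confirmation code stays valid (assumed policy)
MAX_ATTEMPTS = 3      # wrong replies tolerated before the request is cancelled
TRUSTED_SMSCS = {"+15550000001"}   # constructed value; the operator's SMSC goes here

pending = {}          # sender number -> transfer awaiting confirmation

def handle_mo(sender, text, received_smsc, now):
    """Process one MO SMS; return the MT reply for `sender` (None = drop).

    received_smsc is the value @@RECEIVEDSMSC@@ would carry: blank unless the
    message arrived via a GSM modem. It is used as a coarse filter, not proof.
    """
    if received_smsc and received_smsc not in TRUSTED_SMSCS:
        return None                               # unexpected SMSC: drop and log
    body = text.strip()
    m = re.fullmatch(r"send (\d+) to (\w+)", body, re.IGNORECASE)
    if m:
        # New request: issue a fresh random code, replacing any older one.
        code = f"{secrets.randbelow(10**6):06d}"
        pending[sender] = {"amount": int(m.group(1)), "to": m.group(2),
                           "code": code, "expires": now + CODE_TTL, "tries": 0}
        return (f"To confirm transfer of {m.group(1)} to {m.group(2)}, "
                f"reply to this message with the code {code}")
    txn = pending.get(sender)
    if txn is None:
        return None                               # nothing to confirm
    if now > txn["expires"]:
        del pending[sender]
        return "Confirmation code expired. Please send the request again."
    if hmac.compare_digest(body.encode(), txn["code"].encode()):
        del pending[sender]                       # a code is single use
        return f"Transfer of {txn['amount']} to {txn['to']} confirmed."
    txn["tries"] += 1
    if txn["tries"] >= MAX_ATTEMPTS:
        del pending[sender]                       # stop code guessing
        return "Too many wrong codes. Request cancelled."
    return "Wrong code. Please try again."
```

A forged MO request only causes a code to be sent to the genuine subscriber, so the transfer completes only if the reply carries a code the forger never received.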
h
New member
Username: Etrby

Post Number: 5
Registered: 03-2005
Posted on Thursday, October 04, 2007 - 12:20 am:   

Thank you very much for your explanations. Actually I searched for those 2 abbreviations and got the meanings, but let me explain the whole process to you:
1- the client dials a certain unique code asking to make a transaction
2- the GSM operator sends an SMS to confirm the transaction process
3- if the confirmation is reached, the GSM makes the transaction process and sends 2 SMS to the consigner and the consignee telling them the transaction ID, time, date, money amount, etc.
So the whole process goes through the GSM operator, so I have 2 factors: the 1st is the ID, which is unique in the GSM network, and the 2nd is the SMSC.
Regarding the SS7 hacking, would you please give me more info about this topic?