SMS Via Web Messages may only be sent via Exetel IP Addresses

Yabbie
Posts: 123
Joined: Fri Dec 01, 2006 10:51 am
Location: Mornington Peninsula (VIC)

Post by Yabbie » Thu Jan 08, 2009 1:42 pm

AAArrrrrgggghhhh!!!! This is annoying! I've requested my pin, been waiting for about five minutes and still no message.

*Surely* there has to be a better way of doing this?????

William M
Posts: 510
Joined: Wed Mar 21, 2007 1:28 pm

Post by William M » Thu Jan 08, 2009 2:07 pm

We're open to suggestions if you have any, but at this stage this is the course of action in place.
Not endorsing the method, but have you tried the method suggested by MarkSnell, as that is essentially what you wish to achieve?

Cheers Will

samarium
Posts: 376
Joined: Thu Feb 02, 2006 12:17 am

Post by samarium » Fri Jan 09, 2009 1:32 am

What are the characteristics of the authentication scheme you require to allow web access?

What information leakage vectors are you trying to avoid?

Does my previous suggestion in the thread come anywhere near to matching your requirements for above?

William M
Posts: 510
Joined: Wed Mar 21, 2007 1:28 pm

Post by William M » Fri Jan 09, 2009 8:44 am

samarium wrote: Seems to me that maybe Exetel could do something with some kind of one time password challenge / response system like OPIE, which would send an SMS to the phone the first time, with some part of the authentication that needs to be used subsequently. It would still be awkward, however it would at least be subsequently free, and thus more palatable when you only want to send a text or two. There are J2ME apps to do the OTP processing on the phone.
The main issue with the suggestion earlier is the "one time" challenge. If a user has already authenticated themselves, subsequent login sessions after that time allow anyone who has access to the account to send SMS messages from that account.

This security measure is not trying to prevent information leakage, as at the point in question, when fraud occurs, information leakage has already taken place. It is preventing further damage, in this case financial damage, to the customer by requiring repeated authentication, making an infiltrator of an account more visible should they risk sending SMS messages from the account, as well as posing as a deterrent.

Cheers Will.

samarium
Posts: 376
Joined: Thu Feb 02, 2006 12:17 am

Post by samarium » Fri Jan 09, 2009 6:45 pm

I think you are misconstruing the "OneTimePassword" part of the system.

Flow would be something like this:

Setup is:
User requests OTP setup or rekey from exetel.
Exetel sets up access, generates a secret key and SMSes it to the user, who saves the key.

Usage is:
User accesses the exetel sms website.
User is prompted with a sequence number.
User generates a one time password from the secret key and sequence number, using an otp generator on the phone or another computer.
User enters the otp on the website to authenticate.

So user has to authenticate each time, and the password used to authenticate is different, and not computable from previous passwords.
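The setup and usage flow described in the post above, as an added example that is not part of the thread: a simplified S/KEY / OPIE-style hash chain in Python, using full SHA-256 digests instead of OPIE's 64-bit folding and six-word encoding. The function names, seed and secret are constructed for the illustration.

```python
import hashlib
import secrets

# Added illustration of the S/KEY / OPIE-style hash-chain OTP described in the
# post, simplified: full SHA-256 digests instead of OPIE's 64-bit folding and
# six-word encoding. All names and the sample seed/secret are constructed.

def hash_chain(secret: bytes, seed: str, n: int) -> bytes:
    """Client side (phone or other computer): OTP(n) = H^n(seed || secret).

    H is one-way, so OTP(n+1) = H(OTP(n)) is computable from OTP(n), but
    OTP(n-1), the *next* password the server will ask for, is not.
    """
    h = hashlib.sha256(seed.encode() + secret).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h


class OtpServer:
    """Server side: keeps only the last accepted OTP, never the secret."""

    def __init__(self, seed: str, start_n: int, initial_otp: bytes):
        # Setup/rekey: the user holds the secret (e.g. delivered by SMS) and
        # registers H^start_n; the server never learns the secret itself.
        self.seed, self.sequence, self.last_otp = seed, start_n, initial_otp

    def challenge(self) -> tuple:
        """Prompt shown on the web page: next sequence number and the seed."""
        return self.sequence - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept iff H(otp) equals the stored OTP, then step the chain down."""
        if self.sequence <= 0:
            return False  # chain exhausted: the user must rekey
        if not secrets.compare_digest(hashlib.sha256(otp).digest(), self.last_otp):
            return False
        self.sequence -= 1
        self.last_otp = otp  # a replayed otp now fails, since H(otp) != otp
        return True


def enrol(secret: bytes, seed: str, start_n: int) -> OtpServer:
    """Setup step: the client computes H^start_n and registers it."""
    return OtpServer(seed, start_n, hash_chain(secret, seed, start_n))

def login(server: OtpServer, secret: bytes) -> bool:
    """Usage step: read the challenge, compute the OTP locally, submit it."""
    n, seed = server.challenge()
    return server.verify(hash_chain(secret, seed, n))
```

Once the sequence number reaches zero the server refuses further logins and the user goes through the rekey step, which is the SMS-delivered part of the scheme.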

William M
Posts: 510
Joined: Wed Mar 21, 2007 1:28 pm

Post by William M » Mon Jan 12, 2009 2:32 pm

In regard to your method:

So what happens if a customer doesn't have their key on an alternate computer?
Does this mean that to use an alternative computer a user would have to carry their key with them?
Do they simply request a new key?

Cheers Will

samarium
Posts: 376
Joined: Thu Feb 02, 2006 12:17 am

Post by samarium » Tue Jan 13, 2009 12:01 am

If they don't have the key, then they would need to go through the rekey process, and you would sms them a new key, much the same as the current process where you have to reauthenticate via sms.

Yes, they would need to carry the key with them.

That is why I would use something like vejotp, which is a java otp generator that runs on the phone. They either save the password/phrase in the program, or save it elsewhere on the phone, or they save it on the computer and use an otp generator on the computer.

Another use of vejotp is that it can be used for otp generation for challenge/response over ssh, which I sometimes allow over the internet for when I don't have my ssh private key file.

You probably should get someone to install opie on a linux box somewhere and experiment with it as a login authenticator, as that way you will get a better feel for what works and what is possible.
