PHP
Vayladion Gognazdiak, 2014-08-24 12:25:32

What are the methods of combating fraud when authorizing a user using MSISDN?

Good day.
First, I'll tell you what MSISDN is.
MSISDN is an HTTP header parameter (for example, X-MSISDN), which is added by the mobile operator when the subscriber accesses a particular resource via WAP/GPRS/etc.
Almost always this parameter contains the phone number of the subscriber (in rare cases a hash, but this is true only for VimpelCom =))) ). That is, using this parameter, we can save the subscriber from entering logins and passwords for authorization when ordering various kinds of services, etc.
Now a question.
For example, we have an operator's portal with a subscriber's personal account, and the subscriber is identified through MSISDN. In the account, he is shown various data on the state of the personal account, details of calls to his mistresses, and so on.
How can I check that this is really the subscriber, and not Vasya Pupkin, who added to the HTTP header a parameter with the number for which he wants to receive information?


2 answer(s)
Ne-Lexa, 2014-08-28
@NeLexa

I don't recall MSISDN still being transmitted as a header since about 2006. As for the matter at hand, authorization must be carried out either through an SMS code or by login and password. Headers can never be completely trusted.

Vayladion Gognazdiak, 2014-08-30
@etspring

I talked with the OpSoS (mobile operator) specialists. They came to the conclusion that the only more or less suitable way to protect is to change the header name; it is possible to customize the header name for a specific resource.
The ideal option is a hash.
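
An added example, not code from this thread or from any operator: the SMS-code approach from the first answer, where the X-MSISDN value is only a claim and the account opens after the code sent to that number is returned. The `send_sms` callable, the session ids, the header dict shape and the TTL, length and attempt limits are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3      # guesses allowed per code (assumed policy)


class SmsLogin:
    """Treats X-MSISDN as an unverified claim and confirms it with an SMS code."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms      # hypothetical callable(msisdn, text)
        self._now = now
        self._pending = {}             # session_id -> [msisdn, digest, expires, tries]

    @staticmethod
    def _digest(session_id, code):
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def start(self, session_id, headers):
        """Send a code to the number claimed in the header; authenticates nothing."""
        msisdn = headers.get("X-MSISDN", "").strip().lstrip("+")
        # 15 digits is the E.164 maximum; the lower bound of 7 is an assumption.
        if not (msisdn.isascii() and msisdn.isdigit() and 7 <= len(msisdn) <= 15):
            return False               # absent or malformed: use login/password
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [
            msisdn, self._digest(session_id, code), self._now() + CODE_TTL, 0]
        self._send_sms(msisdn, f"Your login code: {code}")
        return True

    def confirm(self, session_id, code):
        """Return the verified MSISDN or None; only this result may open the account."""
        entry = self._pending.get(session_id)
        if entry is None:
            return None
        msisdn, digest, expires, tries = entry
        if self._now() > expires or tries >= MAX_ATTEMPTS:
            del self._pending[session_id]      # expired or locked out
            return None
        entry[3] += 1
        if not hmac.compare_digest(digest, self._digest(session_id, code)):
            return None
        del self._pending[session_id]          # codes are single use
        return msisdn
```

A client that forges the header can trigger an SMS to someone else's number but never sees the code, so `start` should also be rate limited per number and per client.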
