Re: [swinog] How do website operators get the mobile phone number of visitors?
> On 7 Dec 2018, at 16:44, Gregor Riepl wrote:
>
>> And I have sniffed the traffic between my swisscom mobile Samsung
>> Mobile and my Website, but can't find any of the additional headers
>> disclosing my phone number.

This is operator-specific; it might not work on Swisscom mobile, for example. Also, another identifier might be there which can be translated by a service from the operator. Also, some cheap mobile phones might leak an identifier while big brands might not.

> TLS would effectively defeat any attempt at injecting headers into HTTPS
> traffic - unless the network operator controls a browser-trusted CA and uses
> it to break TLS for man-in-the-middle traffic manipulation.
>
> Also: It doesn't matter if the connection is direct or goes through a proxy.
>
>> Is there a trick to make a mobile phone disclose its phone number
>> while connected via the mobile network's operator network?
>
> I found this, but I'm not sure if it's implemented in any common mobile
> browser: https://wiki.mozilla.org/WebAPI/MobileIdentity
>
>> How can a 'website payment' operator like 'obligo' get the phone number
>> associated with a visitor? Obligo states they got the phone number
>> to bill 'from the service operator'.
>
> I suspect some network operators provide an API for obtaining subscriber
> information. You should confront your network operator if you're sure you
> didn't agree to disclosing private information via such a service.
>
> See here for an example:
> https://developer.att.com/technical-library/device-technologies/user-identification
> Seems like a legacy from the WAP age to me.
>
> I'm pretty sure that such an API would not be public, and there would be
> adequate access protection. It's possible that 'obligo' has an agreement with
> network operators to access such information.
>
>> Would it be possible that a fraudster injects such headers from a
>> client to make obligo bill the wrong number?
>
> If the service uses a local API like MobileIdentity and the service provider
> trusts that information, then sure.
> If it uses strong transport layer security and the information is obtained via
> a secondary channel (like a provider API), then no. Well, unless the attacker
> hijacks the provider API, of course...
>
> ___
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] How do website operators get the mobile phone number of visitors?
> And I have sniffed the traffic between my swisscom mobile Samsung
> Mobile and my Website, but can't find any of the additional headers
> disclosing my phone number.

TLS would effectively defeat any attempt at injecting headers into HTTPS traffic - unless the network operator controls a browser-trusted CA and uses it to break TLS for man-in-the-middle traffic manipulation.

Also: It doesn't matter if the connection is direct or goes through a proxy.

> Is there a trick to make a mobile phone disclose its phone number
> while connected via the mobile network's operator network?

I found this, but I'm not sure if it's implemented in any common mobile browser: https://wiki.mozilla.org/WebAPI/MobileIdentity

> How can a 'website payment' operator like 'obligo' get the phone number
> associated with a visitor? Obligo states they got the phone number
> to bill 'from the service operator'.

I suspect some network operators provide an API for obtaining subscriber information. You should confront your network operator if you're sure you didn't agree to disclosing private information via such a service.

See here for an example: https://developer.att.com/technical-library/device-technologies/user-identification
Seems like a legacy from the WAP age to me.

I'm pretty sure that such an API would not be public, and there would be adequate access protection. It's possible that 'obligo' has an agreement with network operators to access such information.

> Would it be possible that a fraudster injects such headers from a
> client to make obligo bill the wrong number?

If the service uses a local API like MobileIdentity and the service provider trusts that information, then sure.
If it uses strong transport layer security and the information is obtained via a secondary channel (like a provider API), then no. Well, unless the attacker hijacks the provider API, of course...
Re: [swinog] swinog Digest, Vol 167, Issue 1
with a code that is sent by SMS to confirm identity before the transaction becomes confirmed.

Kind regards
Martin

> On 07.12.2018 at 12:00, swinog-requ...@lists.swinog.ch wrote:
>
> Today's Topics:
>
> 1. How do website operators get the mobile phone number of
> visitors? (Benoit Panizzon)
>
> --
>
> Message: 1
> Date: Thu, 6 Dec 2018 14:54:04 +0100
> From: Benoit Panizzon
> To: swi...@swinog.ch
> Subject: [swinog] How do website operators get the mobile phone number of visitors?
> Message-ID: <20181206145404.74dca...@go.imp.ch>
> Content-Type: text/plain; charset=UTF-8
>
> Hi List
>
> I have read:
>
> https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/
>
> And I have sniffed the traffic between my swisscom mobile Samsung
> Mobile and my Website, but can't find any of the additional headers
> disclosing my phone number.
>
> Is there a trick to make a mobile phone disclose its phone number
> while connected via the mobile network's operator network?
>
> How can a 'website payment' operator like 'obligo' get the phone number
> associated with a visitor? Obligo states they got the phone number
> to bill 'from the service operator'.
>
> Would it be possible that a fraudster injects such headers from a
> client to make obligo bill the wrong number?
>
> PS: I know obligo's reputation.
>
> Kind regards
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G  -  Leiter Commerce Kunden
> __
>
> Zurlindenstrasse 29        Tel +41 61 826 93 00
> CH-4133 Pratteln           Fax +41 61 826 93 01
> Schweiz                    Web http://www.imp.ch
> __
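As an added illustration (not code from this thread, from any operator, or from obligo), the distinction Gregor draws between a service that trusts a locally supplied identity header and one that obtains the number over a secondary channel, combined with Martin's SMS confirmation step. The header name `X-MSISDN`, the operator lookup keyed on the client's source address, and the SMS sender are all assumptions made for the example.

```python
# Added example, not code from the thread or from any operator or payment
# provider. Header name, operator lookup and SMS sender are assumptions.
import hmac
import secrets
from typing import Callable, Dict, Optional

# Assumed name for an operator-inserted subscriber header; real names vary.
MSISDN_HEADER = "x-msisdn"


def msisdn_trusting_client(headers: Dict[str, str]) -> Optional[str]:
    """Weak: bill whatever number arrived in the request headers.

    The client itself can always set this header, and over plain HTTP anything
    on the path can add or change it, so the billed number is attacker-chosen.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(MSISDN_HEADER)


def start_billing(headers: Dict[str, str], client_ip: str,
                  operator_lookup: Callable[[str], Optional[str]],
                  send_sms: Callable[[str, str], None]) -> Optional[dict]:
    """Hardened: never read the identity from request headers.

    The number comes from a secondary channel (a hypothetical operator API
    keyed on the source address the operator sees for this connection), and
    the subscriber must confirm a one-time code delivered by SMS before the
    transaction is confirmed. A client-set identity header is only recorded
    as a detection signal, never used as input.
    """
    header_seen = any(k.lower() == MSISDN_HEADER for k in headers)
    number = operator_lookup(client_ip)
    if number is None:
        return None  # no verified subscriber: do not fall back to headers
    code = f"{secrets.randbelow(10 ** 6):06d}"
    send_sms(number, code)
    return {"msisdn": number, "code": code, "header_ignored": header_seen}


def confirm_billing(pending: dict, submitted_code: str) -> bool:
    """Second step: constant-time comparison of the code the subscriber enters."""
    return hmac.compare_digest(pending["code"], submitted_code)
```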