Monday, June 9, 2014

Now Before you SUE me.... am helping for real I AM. #ATTACKING MOBILE PAYMENT SYSTEM MiTM+SE

So a while ago i actually stated that attacking mobile payment systems is inevitable.... now i have not suggested i will be doing that though stick around and you might probably learn a thing or two about this.... now here goes nothing.

so the basic structure of a mobile system is pretty simple

for example I use Safaricoms MPESA ... this is their earlier structure (yet to find any major change though)

Ok first of all let it be known ... I am not doing this on Safaricoms MPESA except for the fact:

1.I use MPESA (actually never used any other service)
2.I own an MPESA sim (duuh) hence my test was restricted to only this
3.I am pretty sure this works on other networks (though not tested)

Ok variables....
MPESA on a standard KEYPAD is emulated by the numbers 67372 ..... now i found this out playing with my iPhone (twas a 3G) quite a while ago.... :) see i once tried saving is a contact and the above numbers poped up.... anyway trying to call the number (oww what could go wrong) it reverted to activating my sim-toolkit lol ...suprise .... and there was my first break through .... now how do we exploit this?

Well Man In The Middle is a nice way but how do you MITM someone when you cant clearly send a message without spoofing the sender ID .... THATS IT :) uh huh, so step one .... create a GSM network ... ok that's not so easy? well it is actually... i did it in 3 hours ok to be fair i had hard-coded something close to that in a few months lol ... just had to watch enough youtube videos ... join OpenBTS forum, revisit my DCE classes (digital comp eng) a little of my ADCE also, alot of soldering, ok long story short reused a lot of code and owww ave already posted that here (well thats just like the uM (air) layer only where you have a BTS that controls several phones at once ....

with a few configurations like setting

Control.LUR.OpenRegistration = .*
to allow any phone to connect to the BTS... MITM is more than inevitable ....

now here's the trick that makes all this work.... once you send an SMS to any phone with the numbers 67372 .... the result automatically displays .... MPESA ..pretty nifty huh :)

Now Safaricom has done a goodthing not to allow any SMSs to be sent to the AGENTs phones but hmmmm that's not enough.... they are still normal phones/SIM cards and basically have the IMSI that am sending the message/SMS to.... here is my proof of sending a message to myself (YES MYSELF) that aint ILLEGAL :) and deceiving my SIM its an MPESA message ... here is the screen shot you can see some other transactions below (legit i might add)

and with a little S.E we can craft an SMS and send it to an AGENT and pretend to withdraw the cash .... this is a serious felony right here, I will be contacting Safaricom by the meantime ... if you don't hear from me... well... take a wild guess :)

VX #iOut

(oww not only safaricom) also other telcos will be notified as my niece says BAI (bye)

1 comment:

John Ombagi said...

If you get into how "M-banking" transactions do, I guess you can set an MITM attack and fool a user to sms/email back their credentials after reading a nice SMS from their bank (spoofed ofcos) #Evil

Post a Comment


:) No longer posting, all articles should be treated as archived and outdated