Performing any form of authentication based on the ICCID of a SIM (technically a UICC these days) card (other than pairing of an MSISDN with it for authentication with a mobile operator as they bear the risk) is a very silly idea.
Many SIMs are still using DES and as demonstrated by SRLabs around 3 years ago. Additionally cards using 3DES manufactured by Gemalto have been shown to have been revealed to be compromised, their Si's were stolen by the usual suspects, namely GCHQ & the NSA.
Any OTT application should implement its own security based on open standards. Relying on ITU-T & ETSI standards is a no go. The NatWest implementation was shoddy and built on technology they did not understand.
A 4G BTS, BSC through to HLR & full BSS/OSS can be assembled in a backpack, just like an 802.11 BSS can be assembled to spoof BSSIDs & ESSIDs.
(The entire point of this post is acronyms to irritate Darmstadt)