Skip to content

Security Improvements

Even with FraudStop protecting payment pages it is important to consider other aspects of your payment system to ensure they are secure.

Transmitting MSISDNs

The MSISDN should never be transmitted in plain text, instead an alias, session token or encrypted MSISDN should be sent. The encryption of the MSISDN should occur on the backend, encryption on the frontend is insecure.

Distinguish Between Wireless Broadband and Mobile Handsets

When billing a consumer through a header enrichment flow a check needs to be made by the aggregator/merchant to ensure that the user is on the network that the MSISDN belongs to. This prevents fraudsters performing payments on MSISDNs they don't own by spoofing the header enrichment header on ISPs other than the mobile network. If a fraudster tries to spoof the MSISDN on the mobile network then the header should be overwritten by the mobile network halting the attack.

However care must be taken when a mobile network also offers a Wireless Broadband option for consumers. Made to replace a users home internet, wireless broadband connections typically do not have header enrichment in place. When looking up the wireless broadband connection with an IP lookup tool there may not be a differentiation between the wireless broadband IPs and the mobile connections on the same network. These two facts combine to allow fraudsters to perform MSISDN injection using a wireless broadband connection, which bypasses the header enrichment overwrite but also gets past the IP check by the billing partner.

This can be prevented in one of two ways:

  1. The mobile network involved overwrites the header enrichment header for wireless broadband devices, preventing the MSISDN injection.
  2. The billing partners are given a list of IP ranges for wireless broadband and IP ranges for mobile devices to allow them to distinguish between the two types.

Validate MSISDNs

Validating MSISDNs is an important part of preventing MSISDN injection. Here are some simple checks to perform:

  1. If the MSISDN should be encrypted do not accept unencrypted MSISDNs.
  2. Check for multiple MSISDNs in the MSISDN header/field, if you see mutiple MSISDNs prevent the transaction.