Nasty security issue with text betting?
I’ve been messing around with SMS recently.
When you are running automation you can’t help but think, as you are guzzling down that drink at a party, how did I do on the 20:50? So I thought it may be neat to look at SMS as a solution. I thought it may technically difficult to do, but it turns out SMS is a quite easy, if not an inexpensive option. That was when I discovered something else.
I quickly realised, excuse the technical jargon, that SMS messages have no authentication payload. An SMS message is simply a number followed by some text. “So what!”, I hear you say. Well that basically means that I can send a message to you and make it look like it was from somebody else. I had some fun testing this by sending messages to two people from each other, which duely set off a chain of utter confusion. But then something else dawned on me….
Text betting has been popular for a while now and a number of firms have set up text betting services, just google text betting. You register your phone then send them some short code and an amount to bet. It all sounded a bit too simple, so I asked a friend to register, then placed a bet for him. Maybe I’m missing something, but this seems like a potentially big security flaw to me? There is no real authentication that it’s really you that is sending a bet to a company. The only authenticatation used is your phone number and that can be faked. But it appears anyone can mimic this phone number in a matter of minutes?
If you are registered or thinking of registering for a service like this, I’d be nervous. Surely it’s only a matter of time before this is exploited? Given the lengths to which accounts are protected for normal betting activity, this seems a bit of a hole?
Category: General
We provide the Cloud Software to all bookmakers that offer text betting.
The number promoted by all of these bookmakers is a short code:
William Hill 60609 for UK and 53128 for Ireland.
Paddy Power 51465 (UK & Ireland)
Totepool 60021(UK only)
Boylesports 51900 (UK & Ireland)
McLeans 85055 (UK only)
The flaw referred to here only applies to texts sent to long numbers (numbers that look like a normal mobile phone number) from web services such as esendex. It is impossible for these web services to send a message to a short code. Only handsets “on network” can text short codes and handsets cannot spoof their sender id.
Some of our clients have also provided long numbers for their customers to use and your point above is valid for texts coming to those numbers.
All of these clients have now closed access to their text betting service via these theoretically vulnerable long numbers.
It is very rare for a loophole to reach the public domain before something bad happens so we must congratulate you on your research!
Text betting is indeed very popular and I would encourage you to give it a go – it is entirely safe and the fastest way to get a mobile bet on!
And by the way – we are very soon releasing a service over Instant Messaging that will provide you with exactly what you started to look for – results on the events you have bet on!
Will keep you posted!
Jonathan Power
CEO,
Onionsack.