831430 - Security questions about Bango header auth and cc payments

Status: RESOLVED FIXED

(Marketplace Graveyard :: Payments/Refunds, defect, P1)

Description

[Kumar McMillan [:kumar]]

We'd like to get answers to the following questions from Bango and/or Telefonica:
https://etherpad.mozilla.org/20mJlfcI9O

This will help us understand what kind of threats are possible for spoofing payments when Marketplace hands it off to Bango.

Comment 1

[Keir Kettle]

I've replied to the questions in the etherpad. Our infosec team might have some additional feedback, if so I'll update the etherpad again.

Comment 2

[Wil Clouser [:clouserw]]

Kumar sounded happy with this in the email.  Is there more to do?

Comment 3

[Raymond Forbes[:rforbes]]

I have asked for clarification in the etherpad.

Comment 4

[Steve Ruston]

David, can you provide the link to where we can find the Header flow on your Redmine site and the relevant access credentials

Comment 5

[David Lozano]

https://bvpartner.tid.es/redmine/projects/bangoowd/wiki/APIs-Mobile_ID

user: sruston@mozilla.com
pass: you will receive it by email

Comment 6

[David Lozano]

To address the security questions: we ONLY accept requests coming with MSISDNs in headers as long as they come from a preconfigured list of source IP addresses that we also use to know the origin operator. Of course, we also check the format of the http header we receive from the operator (that info is not public, but it does not include signatures).

Comment 7

[Steve Ruston]

Ray, can you confirm the info on the BV wiki covers what you need?

Comment 8

[Steve Ruston]

David, can we take the header information from your Wiki and put it on our public wiki?

Comment 9

[Kumar McMillan [:kumar]]

David answered this on the call: it is not public information so we need to store it privately in mana or somewhere.