Closed Bug 831430 Opened 12 years ago Closed 12 years ago

Security questions about Bango header auth and cc payments


(Marketplace Graveyard :: Payments/Refunds, defect, P1)



(Not tracked)



(Reporter: kumar, Assigned: steve)



(Whiteboard: u=mkt p=1)

We'd like to get answers to the following questions from Bango and/or Telefonica:

This will help us understand what kind of threats are possible for spoofing payments when Marketplace hands it off to Bango.
Priority: -- → P1
Assignee: nobody → sruston
I've replied to the questions in the etherpad. Our infosec team might have some additional feedback, if so I'll update the etherpad again.
Kumar sounded happy with this in the email.  Is there more to do?
Whiteboard: u=mkt p=
Target Milestone: --- → 2013-01-24
I have asked for clarification in the etherpad.
Target Milestone: 2013-01-24 → 2013-02-07
Version: 1.0 → 1.1
Whiteboard: u=mkt p= → u=mkt p=1
David, can you provide the link to where we can find the Header flow on your Redmine site and the relevant access credentials
Assignee: sruston → dll
To address the security questions: we ONLY accept requests coming with MSISDNs in headers as long as they come from a preconfigured list of source IP addresses that we also use to know the origin operator. Of course, we also check the format of the http header we receive from the operator (that info is not public, but it does not include signatures).
Assignee: dll → rforbes
Ray, can you confirm the info on the BV wiki covers what you need?
David, can we take the header information from your Wiki and put it on our public wiki?
Assignee: rforbes → dll
Version: 1.1 → 1.2
Assignee: dll → sruston
David answered this on the call: it is not public information so we need to store it privately in mana or somewhere.
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.