Two auth Clickatell flawed?

hpl123
Posts: 2607
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Two auth Clickatell flawed?

Post by hpl123 »

Hi all,
Working on two factor authentication for an app and using the Clickatell SMS plugin in Aware for the SMS (sends out the code) and noticed Aware uses regular HTTP and not HTTPS when calling the Clickatell API. If Aware sends the code out in the open, anyone could monitor and swoop that up and then use it to "bypass" the two factor auth which makes the whole thing flawed / useless. Any security guys (or Awaresoft) out there that can comment on this? Why isn't HTTPS used? What / how big are the risks using HTTP? What would it take to monitor and swoop up SMS sent from a server via HTTP?

Thanks
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7526
Joined: Sun Apr 24, 2005 12:36 am
Contact:

Re: Two auth Clickatell flawed?

Post by aware_support »

Hi Henrik,

Aware IM uses whatever URL was in the Clickatell documentation. All questions should be directed to them.

By the way, is your Clickatell plugin still working fine? We have a customer who complains that it's not working for him and that Clickatell has changed some API, that broke the existing code.
Aware IM Support Team
hpl123
Posts: 2607
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Two auth Clickatell flawed?

Post by hpl123 »

aware_support wrote: Hi Henrik,

Aware IM uses whatever URL was in the Clickatell documentation. All questions should be directed to them.

By the way, is your Clickatell plugin still working fine? We have a customer who complains that it's not working for him and that Clickatell has changed some API, that broke the existing code.
Ok, then it is HTTP and is not ideal. I will see if it's possible to just use HTTPS with the API instead. Can I then fix this myself if I just open up the plugin JAR files in some Java tool (is it as easy as changing the URL some place in the JAR files?). Yes, my plugin still works but I am on the old communicator platform and Clickatell has made some new stuff so all new accounts use some new platform where the API might be different (it is possible to request to come over to the old platform though so advise the person to try that).
Henrik (V8 Developer Ed. - Windows)
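For readers weighing the question above, here is an added example (not code from Aware IM, Clickatell or anyone in this thread) of the two controls a defender would want around an SMS login code: refuse to hand the code to a gateway unless the endpoint is https (including the "just change the URL scheme" rewrite Henrik asks about, which only helps if the gateway actually serves the same API over TLS), and keep any code that does leak nearly worthless by making it short-lived, single-use, attempt-limited and stored server-side only as an HMAC. The gateway URL, the payload field names and the `transport` callable are placeholders standing in for the real HTTP client.

```python
# Added example, not code from Aware IM, Clickatell or this thread.
# Shows: (1) never send a login code to an SMS gateway over plain HTTP, and
# (2) limit the value of an intercepted code: short TTL, single use, few
# attempts, and only an HMAC of the code kept on the server.
# Gateway URL and payload field names are placeholders.
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse, urlunparse

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # window in which an intercepted code is still usable
OTP_MAX_ATTEMPTS = 3       # stops online guessing of a 6-digit code


class InsecureGatewayURL(ValueError):
    """The gateway endpoint would carry the code in cleartext."""


def require_https(url: str) -> str:
    """Return url unchanged if it is an https URL with a host, else raise."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureGatewayURL(f"refusing to send an OTP via {url!r}: not https")
    return url


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// endpoint to https:// with the same host, path and query.
    Whether the gateway really offers the same API over TLS must be checked in its docs."""
    parts = urlparse(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return require_https(urlunparse(parts))


def generate_otp(digits: int = OTP_DIGITS) -> str:
    """Zero-padded numeric code from the OS CSPRNG (not the random module)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpStore:
    """Server-side record of issued codes: HMAC'd, time-limited, attempt-limited, single-use."""

    def __init__(self, server_key: bytes, ttl: int = OTP_TTL_SECONDS,
                 max_attempts: int = OTP_MAX_ATTEMPTS, clock=time.time):
        self._key = server_key
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._clock = clock              # injectable so expiry can be tested
        self._pending = {}               # user_id -> [digest, expires_at, attempts_left]

    def _digest(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id, replacing any outstanding one."""
        code = generate_otp()
        self._pending[user_id] = [self._digest(user_id, code),
                                  self._clock() + self._ttl, self._max_attempts]
        return code

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]   # expired: discard, force a new issue
            return False
        if hmac.compare_digest(digest, self._digest(user_id, code)):
            del self._pending[user_id]   # single use: success consumes the code
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user_id]   # too many wrong guesses: invalidate
        return False


def send_otp(store: OtpStore, user_id: str, phone: str, gateway_url: str, transport) -> None:
    """Issue a code and hand it to transport(url, payload), but only over https.
    `transport` stands in for the real HTTP client (which must keep certificate
    verification on); it is a parameter so this demo runs offline."""
    url = require_https(gateway_url)
    code = store.issue(user_id)
    transport(url, {"to": phone, "text": f"Your login code is {code}"})  # placeholder fields


if __name__ == "__main__":
    store = OtpStore(server_key=secrets.token_bytes(32))
    sent = []
    record = lambda url, payload: sent.append((url, payload))
    try:
        send_otp(store, "henrik", "+46700000000", "http://gateway.example/send", record)
    except InsecureGatewayURL as exc:
        print("blocked:", exc)
    send_otp(store, "henrik", "+46700000000",
             upgrade_to_https("http://gateway.example/send"), record)
    print("sent over", sent[-1][0], "->", sent[-1][1])
```

The transport check is the cheap part; the store is what changes the risk calculation: even if a code were observed in transit, it is good for one login attempt within a few minutes and is not recoverable from a dump of the server's table.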
Powerm
Posts: 476
Joined: Mon Feb 01, 2010 9:44 pm

Re: Two auth Clickatell flawed?

Post by Powerm »

"Yes, my plugin still works but I am on the old communicator platform and Clickatell has made some new stuff so all new accounts use some new platform where the API might be different (it is possible to request to come over to the old platform though so advise the person to try that)."

That's correct, the plugin does not work with the new Clickatell API...
Independent Developer
customaware
Posts: 2413
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Two auth Clickatell flawed?

Post by customaware »

I use BulkSMS which uses https and works flawlessly. And does not need a plugin.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Powerm
Posts: 476
Joined: Mon Feb 01, 2010 9:44 pm

Re: Two auth Clickatell flawed?

Post by Powerm »

- Can you select multiple entries and bulk send a template SMS?
- Can you choose or define the sender ID (mobile phone number)?
- Is it opening a tab for each sent SMS?
Independent Developer
customaware
Posts: 2413
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Two auth Clickatell flawed?

Post by customaware »

I use it for sending SMS notifications to a distribution when a Safety Incident has occurred (can vary every incident).
You can set a sender ID.
Not sure what you mean by opening a tab for each sent SMS.

Here are the features http://www.bulksms.com/features/
Cheers,
Mark
mrbdrm
Posts: 349
Joined: Tue Oct 16, 2012 11:44 am

Re: Two auth Clickatell flawed?

Post by mrbdrm »

I recommend Telerivet and PHP for OTP with HTTPS.
It's the most reliable way to send OTP and the cheapest, using your own phones.
You can have SMS requests sent to Aware with their webhook if you need to.