Signed and sealed
[Dave Birch] Whilst bored at the airport last month I picked up "The Daily Mail" for 25th April 2012 found myself reading the "Money Mail" section. This had two really interesting stories in it, both of which posed a decent challenge to us in the secure electronic transaction space.
The first story concerned a woman who lived somewhere where she couldn't get a mobile signal (near Dover). To access her home banking, she logs in and then gets in her car and drives for 10 minutes to somewhere she can get a signal, at which point the SMS "one time password" (OTP) arrives from her bank. Then she drives home and logs in!
The second story concerned a man who doesn't have a mobile phone and doesn't want one. He can't use home banking at all because his bank uses SMS codes too, and he was complaining about having to use how bank's telephone banking because it wasn't as good as the internet banking service (I hate telephone banking too).
Thinking about these stories, I came up with two possible answers.
It's a bit rich to complain that you can't get a better service for something or other because you don't want a mobile. That's like me complaining that I want to watch Sky Sports but don't want to pay for cable or satellite. It's hard luck. Mobile phones cost, to all intents and purposes, nothing. When my son lost his phone last year, I went down to the store and bought him the cheapest mobile phone I could find. It was £4.95, if memory serves. And if I had broadband but lived somewhere with no mobile signal, then I'd get my own base station. Vodafone sell just such a "femtocell" under the brand name "Sure Signal" even in Dover.
The right solution to the problem is to use digital signatures with the keys stored in tamper-resistant memory (e.g., in the SIM for people who have mobile phones or in a smart card, hat, badge, watch or implant for people who don't) and to implement proper security on the banking side (using open standards).
Broadly speaking, the protocol should be that I log in to my bank, my bank sends a digitally-signed challenge to my selected device:
- My phone over-the-air.
- My phone via local interface such as NFC or Bluetooth.
- My token, such as a SecureKey USB stick.
- My PC, using an on-board Trusted Execution Environment (TEE), rather like the old Trusted Processing Modules (TPMs) that never really went mass-market in laptops.
In all cases, the message is decoded and the signature checked (inside the tamper-resistant hardware) and a response message is constructed using my digital signature (again, signed using my private key inside the tamper-resistant hardware). This would be real, standardised, open security and would mean that banks could reach all of their customers, all of the time, through all of their devices. It's really not that difficult.
If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets. Identity really is the new money[From Digital Identity: Cloudy with a chance of PKI]
The operators need to implement SIM-based PKI anyway if they want to have secure QR code and NFC tags, and since the chips used for SIMs implement all of the relevant cryptography I can't see any barrier to doing this. So what's the block? Suggestions on an e-postcard, please.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License. If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.
Please note that by replying in this Forum your comments become the property of Consult Hyperion and you assign all rights in your comment to us. Your comments may be edited for length and used online and in print but will always be attributed.
Meet us at:
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010