[Dave Birch] The use of the mobile phone as an identity and authentication platform is, to my mind, inevitable. The capability and connectivity of the mobile handset make it a million times more useful for identity, access control, credential management and most other digital identity functions. And, of course, the phone can also act as a verification tool. One thing that holds up development in this area is the lack of trusted infrastructure in the handset (the handset environment is not protected: anyone can run software on the phone). But what about the network? Can we trust that? SMS provides a useful lesson. There are plenty of banking and payment services, for example, that use text messaging for transactional services:
Users simply send a text message to RBC Mobex with the dollar amount and the recipient’s cell phone number. Funds are then taken from the sender’s Mobex account and moved to the recipient’s Mobex account. The recipient also receives an instant text message on their cell phone to let them know when the money has been sent to them.
Amounts of up to $100 per day can be sent to anyone with a mobile phone serviced by any Canadian wireless carrier, even if they do not have an RBC Mobex account. Recipients just need to register for the payment service to access their funds. The RBC Mobex account is a stored value account and enrollment is through the RBC Mobex web-site, where money can be loaded from any bank account with any financial institution in Canada, or by using a credit card.
There’s an IVR callback with online PIN for transactions over $25, so there are limited opportunities for fraudsters. Provided that the allowed actions are limited, this kind of scheme works well, although there have been problems in some countries (e.g. South Africa) where criminals have been able to obtain replacement SIMs from corrupt operator employees. Yet the fact that it may be hard to make bogus transactions does not mean that text messaging is ideal for identity and authentication services, nor does it mean that we should treat services that rely on unencrypted text messages as reliable.
I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever. The spoofing of SMS originating numbers, in particular, is trivial (this is why M-PESA, for example, encrypts and signs all SMS messages using a SIM Toolkit application).
This means that even “simple” transaction notification services can be a problem. Suppose you are a Citibank customer and you get a text message whenever you use your MasterCard for a purchase of more than $10, or whatever threshold you have set. You’ll undoubtedly get used to seeing these messages all the time. So when a message arrives purporting to be from Citibank (after all, it carries their originating number, so it appears on your phone display as “Citibank”) and asking you to call a number to check on a transaction, you’ll call and give your account number, mother’s maiden name and whatever else, thinking you are talking to Citibank but actually talking to some fraudsters. In other words, because people believe SMS to be secure, even though it isn’t, they will trust the apparent identity of the sender, which could be storing up some big problems.
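To make the two preceding points concrete, here is an added example (mine, not from the post, M-PESA or any operator) of what the originator-spoofing problem and the "sign the SMS" fix look like in code. It models a bank that signs each notification with a per-subscriber key shared with a SIM Toolkit applet, and a handset that verifies the tag and a monotonic counter rather than the displayed originator. Everything in it is constructed: the key, the `SmsSigner` class, the `counter|body|tag` layout, the 8-byte truncated HMAC-SHA256 tag and the sample messages are assumptions chosen to fit the 140-byte single-SMS budget; a real deployment would also encrypt the body, which this example leaves out.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Assumption (not from the post): bank server and the subscriber's SIM Toolkit
# applet share a per-subscriber key provisioned at enrolment. Constructed value.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

TAG_LEN = 8       # bytes of truncated HMAC-SHA256 kept; 11 chars once base64'd
SMS_BUDGET = 140  # user-data bytes available in a single 8-bit SMS


@dataclass
class SMS:
    originator: str  # what the handset displays as "Citibank"; the network does not authenticate it
    user_data: str   # the text payload; in our scheme "counter|body|tag"


class SmsSigner:
    """One end of the scheme. The bank calls sign(); the SIM applet calls verify()."""

    def __init__(self, key: bytes, last_seen: int = 0):
        self.key = key
        self.last_seen = last_seen  # highest counter accepted so far (replay window)

    def _tag(self, payload: str) -> str:
        mac = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()[:TAG_LEN]
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def sign(self, originator: str, counter: int, body: str) -> SMS:
        payload = f"{counter}|{body}"
        user_data = f"{payload}|{self._tag(payload)}"
        if len(user_data.encode()) > SMS_BUDGET:
            raise ValueError("message exceeds single-SMS budget")
        return SMS(originator, user_data)

    def verify(self, sms: SMS):
        """Return the body if the tag is valid and the counter is fresh, else None.
        The originator field is deliberately never consulted."""
        try:
            counter_s, rest = sms.user_data.split("|", 1)
            body, tag = rest.rsplit("|", 1)   # rsplit so '|' inside the body is harmless
            counter = int(counter_s)
        except ValueError:
            return None                       # not in our format: unsigned, so untrusted
        if not hmac.compare_digest(self._tag(f"{counter_s}|{body}"), tag):
            return None                       # wrong key or tampered body
        if counter <= self.last_seen:
            return None                       # replay of an old genuine message
        self.last_seen = counter
        return body


def demo():
    """Four constructed messages, all carrying the originator 'Citibank'."""
    bank = SmsSigner(SHARED_KEY)
    sim_applet = SmsSigner(SHARED_KEY)

    genuine = bank.sign("Citibank", 42, "Purchase USD 57.10 at GROCER 1234")
    # A fraudster can set the originator to "Citibank" through any SMS gateway;
    # the handset shows the same name as for the genuine message.
    spoofed = SMS("Citibank", "Suspicious transaction. Call 1-555-0100 to confirm.")
    # A fraudster guessing the key produces a well-formed but wrong tag.
    forged = SmsSigner(b"guessed key").sign("Citibank", 43, "Call 1-555-0100 to confirm.")
    # An attacker re-sending a captured genuine message (same originator, same bytes).
    replay = SMS(genuine.originator, genuine.user_data)

    return (
        sim_applet.verify(genuine),  # -> body text
        sim_applet.verify(spoofed),  # -> None
        sim_applet.verify(forged),   # -> None
        sim_applet.verify(replay),   # -> None
    )


if __name__ == "__main__":
    for label, result in zip(("genuine", "spoofed", "forged", "replay"), demo()):
        print(f"{label:8s} -> {result!r}")
```

The point of the demo is that all four messages are indistinguishable to the handset's display logic, since the originator is an unauthenticated header; only the keyed tag and the counter separate the real notification from the phishing lure, the forgery and the replay. The counter is also what keeps a fraudster from simply retransmitting an old genuine "call us" message.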
We need end-to-end security (like the mobile digital signature service that Turkcell have launched) and then we can transform the identity space by using the mobile phone instead of custom devices, passwords or nothing at all to secure our online selves.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.