Tuesday, November 27, 2007

Secure Mobile Banking


The perception still exists that mobile banking transactions in Africa are based on low-security SMS technology in the clear. Nothing could be further from the truth. The security of all of the more serious mobile banking deployments (MTN banking, Celpay, 121Cellmoney, mPESA, MODE) is much higher than that of most other payment solutions. The advantage of deploying on mobile phones is that you can design extremely secure transactions. This is achieved by making use of the crypto keys that are resident on the SIM card in GSM phones. In our solutions, we employ many innovative designs to ensure very secure solutions:

1. All messages are encrypted on the phone using the keys on the SIM with 3DES encryption algorithms. This is application-based encryption - not just carrier encryption.
2. All messages on GSM networks are compressed and then encrypted again using GSM protocols (every message is thus encrypted twice).
3. The PIN entry is accepted by a special program resident on the SIM card (impossible to replace with Trojan horses or phishing attacks).
4. The PIN is never stored; it is encrypted on the SIM card according to banking specifications. (As a matter of fact, Fundamo technology was the first to be certified by Mastercard according to PPED specifications for banking transactions.)
5. Each payment message is MAC'ed with a special tamper-proof algorithm that protects against man-in-the-middle attacks and possible replaying of messages.
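
The tamper and replay protection described in point 5, as an added example that is not Fundamo's code or algorithm: HMAC-SHA256 and a strictly increasing message counter stand in for the SIM-resident MAC, which the post does not describe. The key, message layout and the names `seal` and `Receiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size (stand-in for the real MAC)


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Handset side: prefix an 8-byte counter, append a MAC over counter+payload."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Server side: verify the MAC first, then require a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, message: bytes) -> bytes:
        if len(message) < 8 + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad MAC")
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            raise ValueError("replayed message")
        self.last_counter = counter
        return body[8:]


def demo() -> list:
    key = bytes(range(32))  # constructed demo key, not a real SIM key
    rx = Receiver(key)
    msg = seal(key, 1, b"PAY 50000 USD TO 12345")  # constructed payment message
    results = [rx.accept(msg).decode()]
    tampered = bytearray(msg)
    tampered[12] ^= 0x01  # flip one bit in the amount field while in transit
    for attempt in (bytes(tampered), msg):  # modified copy, then exact replay
        try:
            rx.accept(attempt)
            results.append("accepted")
        except ValueError as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is covered by the MAC, so an interceptor cannot renumber a captured message to get it past the replay check.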

By the way, the biggest transaction value on our solution was a business-to-business payment of more than US$ 50 000. This would never be possible with SMSs in the clear.
