Monday, June 02, 2008

Cellphone security re-think

I found the case study of how not to implement mobile banking security as described on the Digital Soapbox very interesting. It is a fact that we cannot implement Internet banking security paradigms directly (as is) on the mobile phone. This is because of the following reasons:
  • Many security advances on the Internet (like virus checkers, firewalls, security warnings etc.) have not been implemented on phones. It is also unlikely that these will be implemented on phones as the capacity and computing speed is such that it cannot mimic computer functionality.

Phones have characteristics that computers don't have that can be utilised to make security more powerful. Think of the characteristics of the SIM card, the uniqueness of the Phone ID, or cellphone number. (Computers do not have this). GSM have built-in security on the bearer channel where-as computers have to switch their's on with SSL. One should think about using cellphone characteristics in mobile banking.

The most classic pitfall (as is described on the Digital Soapbox) is where Internet banking security is enhaced through the cellphone channel and this is then transported as is to celllphone banking. Security that have been based on dual channels is suddenly reduced to one channel with inferior security protection... Problem.


3 comments:

Rafal Los said...

First, thanks for the reference!

Second... yes this is a growing problem as attackers can simply use header manipulation to "masquerade" as a mobile phone and thereby completely cut web-based security measures as the site would have to down-grade.

We really need to solve this problem, mobile devices are becoming more intelligent and it's difficult to keep up with that technology and security at the same time.

Cheers.

Abhishek said...

It is true that mobile banking seems to be quite risky as the cell phone might not be equipped with top security features. I think banks should use the USSD method of communication with the customers which doesnt store any messages but acts on interactive basis. I found this info with the Barclays bank starting its Hello Money banking services.

Hannes@Home said...

Abhishek,
Mobile banking is far more secure than any other mechanism available to communicate with your bank.... if implemented correctly by mobile banking professionals. It is accepted by most professionals that USSD is not the most secure mechanism available. Your comments have motivated me to write something about the Barclay's implementation. (See one of my latest blog entries)