Thursday, May 28, 2009

Difference between encrypted and ordinary SMS mobile banking

The use of SMS infrastructure for mobile banking makes a lot of sense. Many deployments of this (very popular) mechanism are available in many countries. This type of mobile banking is rather easy to implement and can be accessed on any handset, in any country and with (if not low) at least predictable cost. It is relatively easy to deploy and extend and can be made available to any market within a short timeframe. As a matter of fact, the neighbour's son who recently completed that computer diploma thing can probably do the integration.

Unfortunately, it is also basically not secure and can easily be hacked, and the service is not reliable (or predictable) enough for banking. The user experience is open to interpretation and consumer protection is therefore also difficult. Support costs and training are always a challenge.

Encrypted SMS deployments, while significantly more complex, solve all of the above problems. Consumers are presented with an easily understood menu on any handset (the same format as all of the other services on the handset). The solution works on any handset, is available from anywhere in the world and is almost un-hackable. This type of infrastructure utilises the most advanced encryption technology (piggy-backing on inherent GSM security primitives) and is the basis for most of the success stories around (including mPesa, MTN Mobile money, Smart Money and mChck).

One should be careful to distinguish between SMS mobile banking and encrypted SMS mobile banking. The only similarity is the actual carrier technology.
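To make the distinction concrete, the following is an added example and not code from this post or from any of the products it names. It shows what "ordinary SMS" versus "encrypted SMS" means at the payload level: an ordinary SMS banking command travels in clear text and can be read, altered or simply re-sent, whereas an encrypted deployment seals the same command so that the receiving gateway can check integrity, detect replay and only then decrypt. Everything here is an assumption for illustration: the key `SIM_KEY` is a constructed value standing in for a secret that a real deployment provisions into the SIM (which is what makes the scheme handset independent), HMAC-SHA256 from Python's standard library stands in for whatever cipher the SIM actually holds, the `BankGateway` class is hypothetical, and the sample command is constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo key. In a SIM-based deployment this secret is provisioned into the
# SIM and never leaves it; here it is a fixed byte string so the example runs offline.
SIM_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 8        # truncated MAC, so the sealed payload still fits in one SMS
COUNTER_LEN = 4    # big-endian message counter, sent in clear but authenticated


def derive_keys(key):
    """Split the one SIM secret into separate confidentiality and integrity keys."""
    enc_key = hmac.new(key, b"sms-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"sms-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, header, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the SIM's own cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, header + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_sms(key, counter, plaintext):
    """Seal a banking command into an SMS payload laid out as counter || ciphertext || tag."""
    enc_key, mac_key = derive_keys(key)
    header = struct.pack(">I", counter)
    ks = keystream(enc_key, header, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class BankGateway:
    """Hypothetical receiving side: verify the tag, check the counter, then decrypt."""

    def __init__(self, key):
        self.enc_key, self.mac_key = derive_keys(key)
        self.last_counter = -1   # only strictly increasing counters are accepted

    def receive(self, payload):
        """Return the decoded command, or None when the payload must be rejected."""
        if len(payload) < COUNTER_LEN + TAG_LEN:
            return None
        header = payload[:COUNTER_LEN]
        ciphertext = payload[COUNTER_LEN:-TAG_LEN]
        tag = payload[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None              # forged, or modified in transit
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:
            return None              # replay of a message already processed
        self.last_counter = counter
        ks = keystream(self.enc_key, header, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks)).decode("ascii")


def demo():
    """Contrast a clear-text command with its sealed form and show what the gateway rejects."""
    # Constructed sample: the kind of text an ordinary SMS banking system carries in clear.
    command = b"TRF 0712345678 500"
    gateway = BankGateway(SIM_KEY)
    sealed = encrypt_sms(SIM_KEY, 1, command)
    tampered = bytearray(sealed)
    tampered[COUNTER_LEN] ^= 0x01         # flip one ciphertext bit
    return {
        "command_hidden": b"TRF" not in sealed,
        "accepted": gateway.receive(sealed) == command.decode(),
        "replay_rejected": gateway.receive(sealed) is None,
        "tamper_rejected": gateway.receive(bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns all four checks as `True`: the sealed payload does not expose the command text, the gateway accepts it once, a second delivery of the same payload is refused as a replay, and a single flipped bit is refused before anything is decrypted. That last ordering matters in practice: verify the tag first, then the counter, and only decrypt what has already been accepted. Truncating the tag to eight bytes is a deliberate trade-off to stay inside a single SMS; the counter is also what gives a plain "resend the same message" no effect, which is precisely the property an ordinary clear-text SMS banking command lacks.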

6 comments:

mahmoodd said...

In order to use secure elements on SIM, one needs to have some library (e.g. J2ME) to encrypt/decrypt. The moment we talk about any library, we are targeting some specific mobiles (not all).

Hannes@Home said...

GSM standards specify a number of primitive encryption algorithms built into the firmware of the phone. This comes with any phone provided they conform to GSM standards. Encrypted SMS can be (and has been) implemented independent of make or model.

mahmoodd said...

Are you referring to the channel encryption algorithms like A3, A5, A8? If not, can you elaborate your reply with some references of using primitive GSM encryption algorithms to encrypt SMS independent of make or model?

Cedric Franz said...

SIM Browser based solutions can encrypt data using plugins, security keys and security algorithms that are loaded on the SIM card. All GSM SIM cards come with basic 3DES and a number of other available algorithms already present on the SIM card. By using the SIM card to perform the encryption there is no dependency on the mobile handset. In a SIM based browser solution such as Smarttrust's WIG platform or Gemalto's S@T platform the entire application and processing runs on the SIM card. The encryption is performed in addition to any encryption that the mobile operator might have running at the transport layer. Applications that run on the handset are handset dependent and therefore need to be redeveloped or amended to target different handset models.

mahmoodd said...

Thanks Franz. SIM browser based solutions require downloading (or initialization during manufacturing) of an applet on the SIM to be able to use any algorithms on SIM. Those mobiles which don't have applet will not be able to encrypt SMS.

psrdotcom said...

Can we display an encrypted message as Over The Air Decrypted flash Binary SMS in basic phones like Nokia 1100?