Tuesday, August 11, 2009

London University to the rescue of mobile banking security!

City University London received a three-year grant from the Government’s UK-India Education and Research Initiative (UKIERI) to "secure the future of mobile banking". Read more here. According to the report, the researchers are under the impression that most banking systems require a separate (second) SIM card in order to produce a secure session. This means that subscribers have to swap their SIMs in order to do banking. (I am quoting from the article on the University's website - I am serious!). The article describes how the researchers are busy pioneering "a new form of security software, which generates a personal code or “crypto key” to each user via their existing SIM card."

I suppose they could use the grant money to catch a flight to Africa (the majority of countries in Africa) to come and see how this kind of solution actually works in production, where millions of people do banking with one SIM.... and where every transaction is encrypted with a personal crypto key.


Anonymous said...

Correlation or causation? Millions of people in Africa also live with poor water conditions. Does that imply we should copy the African model? Please be a bit clearer why a single SIM is secure enough from a bank's perspective?

Hannes@Home said...

While I am trying to be controversial in my blog, I do not want to insult. If I did this, please accept my apologies. I will write a blog on the need for SIM card security soon.

Dasun said...

The subscribers are not required to swap the SIM cards, but subscribers are authenticated to the bank system using the SIM credentials via the mobile operator.
Our system proposed a derivation of crypto keys from the SIM credentials and each transaction will be authenticated with a distinct crypto key. Meanwhile, each transaction is authorised based on the user identities and key parameters (parameter based access control) at the mobile device. Therefore "millions of people do banking with one SIM" is not possible in our system.
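
The idea raised in the post and in the last comment, a distinct key per transaction derived from a SIM-held credential, can be sketched as follows. This is an added example, not the researchers' design or any deployed banking system: the use of HKDF (RFC 5869), the transaction counter, the salt, and every name and value below are assumptions, and `sim_secret` stands in for a secret that in practice would be derived and kept inside the SIM.

```python
import hashlib
import hmac
import json

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
        i += 1
    return okm[:length]

def transaction_key(sim_secret: bytes, subscriber: str, counter: int) -> bytes:
    # The counter is bound into the derivation, so every transaction gets its own key.
    info = b"txn-auth|" + subscriber.encode() + b"|" + counter.to_bytes(8, "big")
    return hkdf_sha256(sim_secret, b"constructed-demo-salt", info)

def sign_transaction(sim_secret: bytes, subscriber: str, counter: int, txn: dict) -> dict:
    # Handset side: canonicalise the transaction and MAC it with the one-time key.
    body = json.dumps(txn, sort_keys=True, separators=(",", ":"))
    key = transaction_key(sim_secret, subscriber, counter)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"subscriber": subscriber, "counter": counter, "body": body, "tag": tag}

class BankVerifier:
    """Bank side: re-derives the per-transaction key and rejects replays."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # subscriber -> shared secret (constructed)
        self.last_counter = {}      # subscriber -> highest counter accepted

    def verify(self, msg: dict) -> bool:
        secret = self.secrets.get(msg["subscriber"])
        if secret is None:
            return False
        if msg["counter"] <= self.last_counter.get(msg["subscriber"], -1):
            return False            # counter reuse: replayed or stale message
        key = transaction_key(secret, msg["subscriber"], msg["counter"])
        expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False            # wrong key or modified transaction
        self.last_counter[msg["subscriber"]] = msg["counter"]
        return True

if __name__ == "__main__":
    secret = bytes(range(16))       # constructed sample secret
    bank = BankVerifier({"subscriber-001": secret})
    msg = sign_transaction(secret, "subscriber-001", 1, {"to": "ACC-42", "amount": 100})
    print(bank.verify(msg), bank.verify(msg))   # first accepted, replay rejected
```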