Friday, August 21, 2009

The SAM side of the SIM story

The SIM card in GSM mobile phones is probably the most widely produced computing device of any kind. Far more SIM cards than phones are produced each year, and the arrival of pre-paid telephony accelerated this even further. But the SIM card is not an original idea: it was copied from something called a SAM, and it is still not much different from one. Both are ISO/IEC 7816 smart cards in the same small plug-in form factor.

Anyone with an interest in banking technology will of course know what I am talking about. A SAM (Secure Access Module) is a tamper-resistant smart card found in ATM and POS terminals, and physically it looks exactly like a SIM card. These cards sit at the heart of bank security: a bank PIN only counts as properly encrypted when the encryption happens inside such a module, under keys that are stored there in a way that cannot be read out, changed or manipulated from outside. Bank systems expect PINs to be protected in exactly this manner. It is a well-understood mechanism, widely deployed in banking systems.

Not only is it critical how the keys on the SAM are used, but also how they are installed on the SAM in the first place. Control over, and access to, the master keys (from which the keys on each SAM are derived) is critical to the security of the whole system: whoever holds the master key can recreate the key of any SAM, and whoever does not cannot. Millions and millions of ATM and POS transactions have been secured in this way for decades and (according to my information) the mechanism has never been compromised. ATM and POS fraud attacks almost always focus on intercepting the PIN before it reaches the SAM for encryption, for instance with keypad overlays, cameras or tampered terminals, rather than on breaking the encryption itself.
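As an added illustration of the mechanism described in the two paragraphs above, here is a SAM-style PIN-encryption flow in Go. This is example code written for this page, not the author's or any bank's implementation. The master key, the SAM serial and the PIN/PAN values are constructed, and the per-SAM key derivation (encrypt the serial and its bitwise complement under the master key) is one illustrative scheme chosen for clarity, not a named standard. The PIN block layout is ISO 9564-1 format 0, which is what the example encrypts. What it shows is the property the post relies on: the SAM holds a key it never reveals, the terminal can only ask it to encrypt a PIN block, and the bank host needs nothing but its master key plus the SAM serial that travels with the transaction to recover the PIN.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed 16-byte (double-length) TDES master key. Hypothetical value for this
// example only; in a bank it would exist solely inside the HSM.
var masterKey = mustHex("0123456789ABCDEFFEDCBA9876543210")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// tdes builds a two-key TDES block cipher (K1 || K2 || K1) from a 16-byte key.
func tdes(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("need a 16-byte double-length key")
	}
	k := append(append([]byte{}, key16...), key16[:8]...)
	return des.NewTripleDESCipher(k)
}

// deriveSamKey is the personalisation step: K1 = E_master(serial), K2 = E_master(NOT serial).
// Illustrative derivation (assumption), not a named standard. The SAM receives the
// result at personalisation time; it never holds the master key.
func deriveSamKey(serial [8]byte) ([]byte, error) {
	blk, err := tdes(masterKey)
	if err != nil {
		return nil, err
	}
	var comp [8]byte
	for i := range serial {
		comp[i] = ^serial[i]
	}
	out := make([]byte, 16)
	blk.Encrypt(out[:8], serial[:])
	blk.Encrypt(out[8:], comp[:])
	return out, nil
}

func allDigits(s string) bool { return strings.Trim(s, "0123456789") == "" }

// pinBlockFormat0 builds an ISO 9564-1 format 0 PIN block:
//   PIN field = 0 | PIN length | PIN digits | F padding        (16 hex digits)
//   PAN field = 0000 | 12 rightmost PAN digits excluding the check digit
//   block     = PIN field XOR PAN field
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	a := mustHex(pinField)
	b := mustHex("0000" + pan[len(pan)-13:len(pan)-1])
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// Sam models the module in the terminal: the key is unexported and there is no
// accessor, so the only thing the terminal can do with it is ask for an encryption.
type Sam struct {
	Serial [8]byte
	key    []byte
}

func PersonaliseSam(serial [8]byte) (*Sam, error) {
	k, err := deriveSamKey(serial)
	if err != nil {
		return nil, err
	}
	return &Sam{Serial: serial, key: k}, nil
}

// EncryptPin returns the encrypted PIN block the terminal sends to the host.
func (s *Sam) EncryptPin(pin, pan string) ([]byte, error) {
	pb, err := pinBlockFormat0(pin, pan)
	if err != nil {
		return nil, err
	}
	blk, err := tdes(s.key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	blk.Encrypt(out, pb)
	return out, nil
}

// HostRecoverPin is the bank-side (HSM) operation: re-derive the SAM's key from the
// master key and the serial sent with the transaction, decrypt, and unpack the block.
// A wrong key (wrong serial, cloned or tampered SAM) yields garbage that fails the
// format checks instead of a plausible PIN.
func HostRecoverPin(serial [8]byte, pan string, encPinBlock []byte) (string, error) {
	if len(encPinBlock) != 8 || len(pan) < 13 || !allDigits(pan) {
		return "", errors.New("bad input")
	}
	k, err := deriveSamKey(serial)
	if err != nil {
		return "", err
	}
	blk, err := tdes(k)
	if err != nil {
		return "", err
	}
	pb := make([]byte, 8)
	blk.Decrypt(pb, encPinBlock)
	panField := mustHex("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range pb {
		pb[i] ^= panField[i]
	}
	h := hex.EncodeToString(pb)
	n64, perr := strconv.ParseInt(h[1:2], 16, 0)
	n := int(n64)
	if h[0] != '0' || perr != nil || n < 4 || n > 12 || strings.Trim(h[2+n:], "f") != "" {
		return "", errors.New("not a valid format 0 PIN block (wrong key or tampered)")
	}
	return h[2 : 2+n], nil
}

func main() {
	serial := [8]byte{0, 0, 0, 0x12, 0x34, 0x56, 0x78, 0x9A} // constructed SAM serial
	sam, _ := PersonaliseSam(serial)
	enc, _ := sam.EncryptPin("1234", "4111111111111111") // constructed PIN and test PAN
	fmt.Printf("encrypted PIN block from SAM: %X\n", enc)
	pin, err := HostRecoverPin(serial, "4111111111111111", enc)
	fmt.Println("host recovered PIN:", pin, err)
}
```

The design point is the shape of the interface rather than the cipher: `Sam` exposes an encrypt operation and nothing that returns the key, and the host side is the only place the master key is used. In production the host part lives in an HSM and the terminal part in the tamper-resistant card; swapping either for software on a general-purpose machine is exactly the loss of discipline the post goes on to describe.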

With the advent of Internet banking, and because there is no SAM in a PC, this discipline was largely forgotten (or at least not applied). A PIN or password typed into a browser is protected by software running on a general-purpose computer, not by a key locked in tamper-resistant hardware. That is why the security deployed in Internet banking across the globe does not reach the level found at ATMs, nor is it standardised and auditable the way SAM-based PIN encryption is.

This is why it is a mystery to me that many proponents of mobile banking attempt to carry Internet banking solutions over to mobiles. The SIM card in a mobile phone looks like a SAM card, acts like a SAM card and shares almost all of the characteristics of a SAM card. It seems absolutely logical to take the proven, accepted mechanisms that banks are comfortable with for SAM cards and apply them to SIM cards.
