Friday, July 16, 2010

Mobile Handsets are less secure than PCs according to Ovum

In a recent report carried by Finextra, the analyst house Ovum warns banks to consider the security risks associated with mobile phones. (Read here). The analyst, Graham Titterington, makes some valuable observations about the security breaches possible in mobile transactions and then recommends that banks look at the problem holistically.

He concludes that banks should deploy "end-to-end encryption" from the handset all the way to the back-office systems at the bank, rather than relying on the transport security of each hop in between. With the increase in the computational capability of end-user devices, this is now possible. I cannot agree more.

A few points need to be made, though:
  • Mobile banking is fundamentally more secure than Internet banking, because the underlying carrier network is more secure. One should not lose sight of this.
  • Encryption based on specific certificates and derived keys is possible with mobile devices because of the dedicated SIM card. This is the perfect way of distributing identity keys; the alternatives in the Internet world are cumbersome. This should be utilised in encryption schemes. It is madness not to consider it.
  • The encryption algorithms utilised in mobile telephony are already built in and available on all handsets (this is part of the handset licence conditions). Utilising these primitives in encryption schemes must be considered.
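The following is an added example, not code from the original post or from the Ovum report, showing the shape of the scheme argued for above: a secret shared between the SIM and the bank is never used directly, but is fed through a key derivation (HKDF, RFC 5869) together with the subscriber identity and a transaction counter, and the resulting per-transaction keys protect the transaction end-to-end from the handset to the bank's back office. Every concrete value is an assumption for illustration: `SIM_SECRET` stands in for an operator-provisioned key (a real SIM does not hand its network key Ki to applications, so in practice the key would be held in an STK applet or secure element and the bank's copy in an HSM), `SUBSCRIBER_ID` and the transaction are constructed, and AES-GCM is replaced by an encrypt-then-MAC construction built from HMAC-SHA256 so the script runs with only the Python standard library.

```python
# Added illustration of SIM-derived per-transaction keys for end-to-end
# encryption.  All constants are constructed for the example; the HMAC-based
# stream cipher is a stand-in for AES-GCM, not a recommendation.
import hashlib
import hmac
import json
import os

# Constructed: a 32-byte secret shared by the SIM and the bank, and the
# subscriber identifier the bank uses to look that secret up.
SIM_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff"
                           "ffeeddccbbaa99887766554433221100")
SUBSCRIBER_ID = b"IMSI-constructed-001"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def transaction_keys(shared_secret: bytes, subscriber: bytes, counter: int):
    """Derive a fresh (encryption key, MAC key) pair for one transaction.

    Binding the counter into the derivation gives every transaction its own
    keys, so the long-term SIM secret never encrypts data directly and a
    captured message cannot simply be replayed under a later counter.
    """
    info = b"mbank-e2e-v1|" + subscriber + b"|" + counter.to_bytes(8, "big")
    okm = hkdf_sha256(shared_secret, salt=b"mbank-e2e-salt", info=info, length=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (stand-in for AES)."""
    out, block_no = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        block_no += 1
    return out[:length]


def seal(shared_secret: bytes, subscriber: bytes, counter: int, plaintext: bytes) -> dict:
    """Handset side: encrypt-then-MAC one transaction under per-transaction keys."""
    enc_key, mac_key = transaction_keys(shared_secret, subscriber, counter)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = subscriber + b"|" + counter.to_bytes(8, "big") + b"|" + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # MAC covers header too
    return {"subscriber": subscriber.hex(), "counter": counter,
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


class BankEndpoint:
    """Bank side: holds the same SIM secrets and the last counter accepted per subscriber."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # subscriber -> shared secret (an HSM in practice)
        self.last_counter = {}      # subscriber -> highest counter accepted so far

    def open(self, msg: dict) -> bytes:
        subscriber = bytes.fromhex(msg["subscriber"])
        counter = msg["counter"]
        nonce = bytes.fromhex(msg["nonce"])
        ciphertext = bytes.fromhex(msg["ciphertext"])
        if counter <= self.last_counter.get(subscriber, 0):
            raise ValueError("replayed or out-of-order transaction counter")
        enc_key, mac_key = transaction_keys(self.secrets[subscriber], subscriber, counter)
        header = subscriber + b"|" + counter.to_bytes(8, "big") + b"|" + nonce
        expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("authentication tag mismatch: message altered or wrong key")
        self.last_counter[subscriber] = counter   # only advance after the tag verified
        return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict:
    """Round trip plus the two failure modes a practitioner would check."""
    bank = BankEndpoint({SUBSCRIBER_ID: SIM_SECRET})
    order = json.dumps({"to": "constructed-account", "amount": "150.00"}).encode()
    msg = seal(SIM_SECRET, SUBSCRIBER_ID, counter=1, plaintext=order)
    decrypted = bank.open(msg)

    replay_rejected = False
    try:
        bank.open(msg)                       # same message, same counter, again
    except ValueError:
        replay_rejected = True

    tampered = dict(msg)
    ct = bytearray(bytes.fromhex(msg["ciphertext"]))
    ct[0] ^= 0x01                            # one bit flipped in transit
    tampered["ciphertext"] = bytes(ct).hex()
    tampered["counter"] = 2                  # attacker also bumps the counter
    tamper_rejected = False
    try:
        bank.open(tampered)
    except ValueError:
        tamper_rejected = True

    return {"roundtrip_ok": decrypted == order,
            "replay_rejected": replay_rejected,
            "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

The counter is what makes this end-to-end rather than merely encrypted: the bank rejects any transaction whose counter does not advance, and because the counter is bound into the key derivation and the MAC header, an intermediary cannot reuse or adjust a captured message. The caveat the comment below raises still applies: none of this helps if the PIN is captured on the handset before it reaches the SIM.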

1 comment:

Anonymous said...

The most secure mobile handsets are the simplest, as it is extremely difficult to reprogram them and often not possible if the whole software is burnt into a ROM before manufacture.

Smartphones are not secure – period – as they are exactly the same as PCs, just smaller in form factor. Adding STK SIMs does not help, as the point of attack is before the data from the keypad gets to the SIM.

The above statement holds true for smartphones running J2ME apps AND SIM Toolkit. The reason is that most smartphones can have key and display loggers installed on them, and that way you can get everything, including PINs, off them before they get to the secure processing element. That is why the best handset is the cheapest handset with an STK SIM in it. The minute the user has a smart or feature phone, the whole issue of the user interface comes into contention as a vulnerability.

BTW, the article you point to is valuable as a caution, but as something technically correct it is very vague, and adopting E2E does not stop the malware threat, which is the main thrust of what he is talking about – he should rather be suggesting that smartphone users get antivirus packages for their phones (including iPhones that have not been jailbroken).