[Dave Birch] OK, so I’ve been thinking about mobile phones in the identity space again, because I’ve been considering a problem around remote identification in connection with a project we’re working on. The mobile phone is an obvious focus for a solution, because everyone has one and (generally speaking) they know how to use it. Therefore, if you have to use your mobile phone in some way to identify or authenticate yourself on the web, you probably won’t mind that much. And not having to buy some kind of dongle makes it cheaper. We have to be careful with this thinking though. As we discussed recently, we must be thoughtful and not make unwarranted assumptions about the security of the mobile handset, applications, network and systems. People think that mobile is more secure than it actually is, and not because master criminals are planting trojan horse viruses

Though he’s seen cases in which customers were sent SMS messages that tricked them into giving up passwords or other key information, he hasn’t yet seen any cases in which losses were caused by key logging programs or other malware that infiltrated cell phones.

[From Mobile Insecurity: Reality or Just hype? – 11..2008 – Bank Technology News Article]

What we need is for end-to-end security to become standard on mobile phones and, to my mind, what that really means as a first step is a digital identity infrastructure that is rooted in the SIM. This, in itself, is not that hard. A SIM Toolkit (STK) application for creating and verifying digital signatures, together with a key pair generated and held on the SIM, is all that is needed to get started. But so long as the handset itself remains insecure, there will always be the possibility of malware on the handset capturing PINs and so on: the key may be safe on the SIM, but the PIN that unlocks it is typed on the handset. If the manufacturers could get together to add some kind of trusted processing to the handset (which, incidentally, would mean that mobile phones could become approved PIN entry devices (PEDs) and become part of PCI-DSS solutions) it would open up a whole new field of value-added business.
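To make the SIM-rooted flow concrete, here is an added illustration in Python. It is not code from this post, from any SIM vendor or from any operator; the applet, handset and web site are all modelled in one process, and every name in it (`SimApplet`, `RelyingParty`, `login_message`, `demo`) is my own choice for the example. The applet generates its key pair and keeps the private half, signs only after the PIN is presented, and the web site issues single-use challenges. The toy Schnorr group is an assumption made so the example runs offline; a real applet would use RSA or ECDSA keys of proper size. `demo` also runs two failure modes worth checking against any such scheme: a captured exchange replayed to the site, and handset malware that has keylogged the PIN but does not have the key.

```python
import hashlib
import secrets

def _probably_prime(n):
    """Fermat test with fixed bases: enough for a toy, not for production."""
    return n > 11 and all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11))

def _safe_prime_group(bits):
    """First safe prime P = 2Q + 1 with Q above 2^(bits-1)."""
    q = (1 << (bits - 1)) | 1
    while not (_probably_prime(q) and _probably_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Assumption: a 62-bit group keeps the example fast. It is far too small
# for real use, where the SIM would hold an RSA or ECDSA key of proper size.
P, Q = _safe_prime_group(62)
G = 4                                    # a square mod P, so of order Q
_R_BYTES = (P.bit_length() + 7) // 8

def login_message(user, nonce):
    """What the handset hands to the SIM: binds the user to the challenge."""
    return b"login:" + user.encode() + b":" + nonce

def _hash_to_q(r, message):
    digest = hashlib.sha256(r.to_bytes(_R_BYTES, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q

class SimApplet:
    """Models the STK applet: the key pair is generated on the SIM and the
    private half never leaves it; signing is gated by the user's PIN."""

    def __init__(self, pin):
        self._x = secrets.randbelow(Q - 1) + 1     # private key in [1, Q-1]
        self.public_key = pow(G, self._x, P)
        self._pin = pin

    def sign(self, pin, message):
        """Schnorr signature (e, s) over message; the PIN check is on-card."""
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        k = secrets.randbelow(Q - 1) + 1           # fresh nonce per signature
        r = pow(G, k, P)
        e = _hash_to_q(r, message)
        return e, (k + self._x * e) % Q

def verify(public_key, message, signature):
    """Recompute r' = G^s * y^(-e) mod P (Python 3.8+) and check it hashes to e."""
    e, s = signature
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(public_key, -e, P) % P
    return _hash_to_q(r, message) == e

class RelyingParty:
    """The web site: issues single-use challenges and checks each signature
    against the public key enrolled for that user."""

    def __init__(self):
        self._keys, self._pending = {}, set()

    def enrol(self, user, public_key):
        self._keys[user] = public_key

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending.add((user, nonce))
        return nonce

    def login(self, user, nonce, signature):
        # Consume the nonce whether or not the signature is good, so a
        # captured (nonce, signature) pair is worthless the second time.
        if (user, nonce) not in self._pending or user not in self._keys:
            return False
        self._pending.discard((user, nonce))
        return verify(self._keys[user], login_message(user, nonce), signature)

def demo():
    """Run the exchange and two failure modes; returns the outcome of each."""
    sim, rp = SimApplet(pin="1234"), RelyingParty()
    rp.enrol("alice", sim.public_key)
    out = {}

    nonce = rp.challenge("alice")                  # 1. legitimate login
    sig = sim.sign("1234", login_message("alice", nonce))
    out["legitimate"] = rp.login("alice", nonce, sig)

    out["replay"] = rp.login("alice", nonce, sig)  # 2. captured and replayed

    # 3. Handset malware keylogged the PIN, but the key is on the SIM, so
    #    the attacker can only sign with a key of their own.
    nonce2 = rp.challenge("alice")
    mallory = SimApplet(pin="1234")
    forged = mallory.sign("1234", login_message("alice", nonce2))
    out["forged"] = rp.login("alice", nonce2, forged)
    return out
```

Note the limit of case 3: the malware there has only the PIN. Malware that controls the handset application could instead feed the captured PIN to the real SIM and have it sign a message of its own choosing, which is exactly the residual risk of an insecure handset and the reason trusted processing on the handset matters as much as the key being on the SIM.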

On the other hand, perhaps I’m being overly sensitive to risk for cultural reasons. In Japan, where the mobile phone is an integral part of the culture and not regarded as technology any more, there is at least one bank that has adopted the mobile channel wholeheartedly.

At eBank, applicants do not need to fill in application forms by hand or visit the bank, says Saiki. “They can do all of it by sending applications by PC and mobile phone. It is necessary to send identification, but they can send the picture on their driver’s licence or other ID using a camera function of a mobile phone, which is legal in Japan

[From E-bank Japan sets mobile banking example | 13 Oct 2008 | ComputerWeekly.com]

Wow. This would definitely reduce the cost of customer acquisition for all sorts of businesses! I’m not sure if it gets us where we want to be in terms of real security though. We need end-to-end security (like the mobile digital signature service that Turkcell have launched) and then we can transform the identity space by using the mobile phone instead of custom devices, passwords or nothing at all to secure our online selves.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

  1. I too have been considering the security and authenticity of voice callers and callees. I’d been pinning my hopes on speech rather than iris recognition, mainly because it seems a lot simpler for users.
    How would you convince users to use eye biometrics to permit dial tone?
    [Dave Birch] Quite!
