[Dave Birch] Simple text message alerts are an easy way to integrate the mobile phone into the payments environment. A long way away from NFC handsets and suchlike, but simple and practical and of high utility. If you are walking down the street and you suddenly get a text message telling you that your card has been used to buy a TV in Kazakhstan, then you will know far more accurately than any neural network whether this is a valid use of your card or not.

Incidentally, in the modern business environment, these services also provide an excellent feedback mechanism. If you know what alerts customers are setting, then you can use that information to tailor better products for them. It’s a simple example, I think, of how a new channel can help customers to design new services on behalf of the business just by providing more interaction (and therefore more information). So if you discover that customers are setting alerts for overseas transactions but not for domestic transactions, then why not sell them a “domestic only” card or whatever.

But back to text. It’s got a lot going for it. It’s ubiquitous, it’s inexpensive, it’s flexible.

So text messaging is the way forward. But there’s a problem. These systems are not secure. Not in the least.

One task of Duh is to steal SMS-based authentication codes that some banks use to protect customers who are conducting financial transactions from their iPhones.

[From New iPhone worm steals online banking codes, builds botnet]

American Banker said that these codes are seen as strong authentication. Well, not by us they’re not.

SMS has, to all intents and purposes, no security whatsoever. The spoofing of SMS originating numbers, in particular, is trivial (this is why M-PESA, for example, encrypts and signs all SMS messages using a SIM Toolkit application)… This means that even “simple” transaction notification services can be a problem.

[From Digital Identity Forum: SOS SMS]

Suppose I send out some text messages to random numbers telling people that there is a problem with their credit card account. Right now they might be suspicious. But if they get used to getting these messages all the time then they won’t think there’s anything odd about it at all. And if I send them a message asking them to call the bank (actually me) because there’s a problem with a transaction, then they won’t think it at all odd for me to then ask them a few security questions. You know the kind of thing: mother’s maiden name, last three digits on the signature strip, password…

Alerts, yes. Transactions, no. Financial institutions need to be very clear with customers that text messages may be used for alerts, but that the bank will never ask you to call a specific number, visit a specific web site or send back any information. The sooner we can move on to real mobile security, the better.
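One way to make the "alerts, yes; transactions, no" rule enforceable rather than aspirational is to lint every outbound alert template before it is sent, rejecting anything that contains a phone number, a web address or a request for the customer to act or disclose something. The check below is an added example written for this post, not Consult Hyperion's or any bank's code; the regular expressions and the sample messages are constructed for illustration and are deliberately heuristic (a long numeric reference can look like a phone number), so a real deployment would tune them to its own message formats.

```python
import re

# Constructed heuristics for the three things the post says an alert must never carry.
# Phone number: optional country code, then 2-5 / 3-4 / 3-4 digit groups (constructed pattern).
PHONE_RE = re.compile(r"\+?\d{1,3}[\s-]?\(?\d{2,5}\)?[\s-]?\d{3,4}[\s-]?\d{3,4}")
# Web address: explicit scheme, a www. host, or a bare host with a common TLD (constructed pattern).
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|co\.uk)\b", re.I)
# Phrases that ask the customer to do something or hand something over (constructed list).
REQUEST_PATTERNS = [
    re.compile(p, re.I)
    for p in (
        r"\bcall\b", r"\bphone\b", r"\bring\b", r"\breply\b", r"\btext back\b",
        r"\bvisit\b", r"\bclick\b", r"\blog ?in\b", r"\bconfirm your\b", r"\bverify your\b",
        r"\bpassword\b", r"\bpin\b", r"\bcvv\b", r"\bsecurity code\b", r"\bmaiden name\b",
    )
]


def check_alert(text):
    """Return the policy violations found in an outbound alert.

    An empty list means the message is a pure notification and may be sent.
    """
    violations = []
    if PHONE_RE.search(text):
        violations.append("contains a phone number")
    if URL_RE.search(text):
        violations.append("contains a URL")
    if any(p.search(text) for p in REQUEST_PATTERNS):
        violations.append("asks the customer to act or disclose information")
    return violations


def filter_outbound(messages):
    """Split a batch of alert texts into (sendable, rejected_with_reasons)."""
    sendable, rejected = [], []
    for msg in messages:
        problems = check_alert(msg)
        if problems:
            rejected.append((msg, problems))
        else:
            sendable.append(msg)
    return sendable, rejected


if __name__ == "__main__":
    # Constructed sample batch: one genuine notification, three that break the policy.
    batch = [
        "Alert: your card ending 1234 was used for GBP 499.00 at an electronics store in Kazakhstan.",
        "Problem with your card. Call 0800 123 4567 now.",
        "Please visit www.example-bank.com to confirm your details.",
        "Your card has been blocked. Reply with your PIN to unblock it.",
    ]
    ok, bad = filter_outbound(batch)
    for msg in ok:
        print("SEND   :", msg)
    for msg, why in bad:
        print("REJECT :", msg, "->", "; ".join(why))
```

Run as a script it prints one SEND line and three REJECT lines. The useful property is that the gate is on the bank's side of the channel: it keeps the bank's own traffic free of the call-this-number and visit-this-site phrasing that the post warns customers will otherwise become habituated to, which is the only lever the sender has, since the SMS channel itself offers no way for the customer to tell a genuine message from a spoofed one.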

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.


  1. Have you researched or heard about the text message strategy implemented by the Department of Homeland Security in the years following the Sept. 11 attacks? I know everyone thinks the color-coded security index was cheesy, but it was interesting that they had instant text message and e-mail blasts for different threat levels. Are businesses doing similar automated messaging? From, Mike
