Incidentally, in the modern business environment, these services also provide an excellent feedback mechanism. If you know what alerts customers are setting, then you can use that information to tailor better products for them. It’s a simple example, I think, of how a new channel can help customers to design new services on behalf of the business just by providing more interaction (and therefore more information). So if you discover that customers are setting alerts for overseas transactions but not for domestic transactions, then why not sell them a “domestic only” card or whatever.
But back to text. It’s got a lot going for it. It’s ubiquitous, it’s inexpensive, it’s flexible.
So text messaging is the way forward. But there’s a problem. These systems are not secure. Not in the least.
One task of Duh is to steal SMS-based authentication codes that some banks use to protect customers who are conducting financial transactions from their iPhones. [From New iPhone worm steals online banking codes, builds botnet]
American Banker said that these codes are seen as strong authentication. Well, not by us they’re not.
SMS has, to all intents and purposes, no security whatsoever. The spoofing of SMS originating numbers, in particular, is trivial (this is why M-PESA, for example, encrypts and signs all SMS messages using a SIM Toolkit application)… This means that even “simple” transaction notification services can be a problem. [From Digital Identity Forum: SOS SMS]
Suppose I send out some text messages to random numbers telling people that there is a problem with their credit card account. Right now they might be suspicious. But if they get used to getting these messages all the time then they won’t think there’s anything odd about it at all. And if I send them a message asking them to call the bank (actually me) because there’s a problem with a transaction, then they won’t think it at all odd for me to then ask them a few security questions. You know the kind of thing: mother’s maiden name, last three digits on the signature strip, password…
Alerts, yes. Transactions, no. Financial institutions need to be very clear with customers that text messages may be used for alerts, but that the bank will never ask them to call a specific number, visit a specific web site, or send back any information. The sooner we can move on to real mobile security, the better.
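One way a bank can actually hold itself to that “alerts, yes; transactions, no” line is to lint every outbound SMS template before it is approved for sending. The following is an added example and not code from the original post or from any bank: it assumes a simple policy (no phone number to call, no web address to visit, no request to send information back) and the detection patterns are illustrative assumptions, not anyone's real rules. The sample templates are constructed for the example.

```python
import re

# Added example (not from the original post). Encodes the post's policy for
# outbound bank SMS: an alert may inform the customer, but must never carry a
# phone number to call, a web site to visit, or a request to send data back.
# The patterns below are assumptions for illustration, not a bank's real rules.

# A run of digits with optional spaces/brackets, e.g. "0800 123 4567", "+44 20 7946 0123".
_PHONE_RUN = re.compile(r"\+?\d[\d\s()]{5,}\d")
# Anything that looks like a web address or bare domain.
_URL = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|co\.uk)\b", re.I)
# Phrases that ask the customer to send something back.
_INFO_REQUEST = re.compile(
    r"\b(?:reply with|text back|send (?:us|back)|provide|confirm your|verify your|enter your|quote your)\b",
    re.I,
)


def _contains_phone_number(text):
    """True if some digit run holds 9 or more digits (a dialable number).
    Amounts (250.00), dates (12/03/2010) and 'card ending 1234' do not qualify."""
    for m in _PHONE_RUN.finditer(text):
        if sum(c.isdigit() for c in m.group()) >= 9:
            return True
    return False


def lint_alert_template(text):
    """Return the list of policy violations for one outbound alert template.
    An empty list means the template only informs and may be sent."""
    violations = []
    if _contains_phone_number(text):
        violations.append("contains a phone number to call")
    if _URL.search(text):
        violations.append("contains a web address to visit")
    if _INFO_REQUEST.search(text):
        violations.append("asks the customer to send information back")
    return violations


def review_templates(templates):
    """Lint a mapping of template name -> text; return only the failing ones."""
    failing = {}
    for name, text in templates.items():
        problems = lint_alert_template(text)
        if problems:
            failing[name] = problems
    return failing


# Constructed sample templates (not real bank messages). The first two inform
# only; the last three do what the post says a bank must never do.
SAMPLE_TEMPLATES = {
    "spend_alert": (
        "Alert: GBP 250.00 spent on card ending 1234 at 14:32 on 12/03/2010. "
        "If this was not you, call the number on the back of your card."
    ),
    "overseas_alert": "Alert: overseas transaction on card ending 1234. Card has been temporarily blocked.",
    "callback_lure": "Problem with your card. Call us now on 0800 123 4567 to resolve.",
    "website_lure": "Unusual activity detected. Log in at www.mybank-secure.example to review.",
    "info_lure": "To unblock your card reply with your PIN and date of birth.",
}

if __name__ == "__main__":
    for name, problems in review_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: REJECT ({'; '.join(problems)})")
```

Note that the passing "spend_alert" template still tells the customer to call the number on the back of their card: the linter deliberately flags a number in the message, not the verb “call”, because the post's objection is to the message supplying the number (or site, or reply address), which is exactly what a spoofed message would supply. Long reference numbers would trip the phone check too, so in practice a template containing one needs a manual review rather than a regex exception.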
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.