The first story concerned a woman who lived somewhere where she couldn’t get a mobile signal (near Dover). To access her home banking, she logs in and then gets in her car and drives for 10 minutes to somewhere she can get a signal, at which point the SMS “one time password” (OTP) arrives from her bank. Then she drives home and logs in!
The second story concerned a man who doesn’t have a mobile phone and doesn’t want one. He can’t use home banking at all because his bank uses SMS codes too, and he was complaining about having to use his bank’s telephone banking because it wasn’t as good as the internet banking service (I hate telephone banking too).
Thinking about these stories, I came up with two possible answers.
It’s a bit rich to complain that you can’t get a better service for something or other because you don’t want a mobile. That’s like me complaining that I want to watch Sky Sports but don’t want to pay for cable or satellite. It’s hard luck. Mobile phones cost, to all intents and purposes, nothing. When my son lost his phone last year, I went down to the store and bought him the cheapest mobile phone I could find. It was £4.95, if memory serves. And if I had broadband but lived somewhere with no mobile signal, then I’d get my own base station. Vodafone sell just such a “femtocell” under the brand name “Sure Signal” even in Dover.
The right solution to the problem is to use digital signatures with the keys stored in tamper-resistant memory (e.g., in the SIM for people who have mobile phones or in a smart card, hat, badge, watch or implant for people who don’t) and to implement proper security on the banking side (using open standards).
Broadly speaking, the protocol should be that I log in to my bank, my bank sends a digitally-signed challenge to my selected device:
- My phone over-the-air.
- My phone via a local interface such as NFC or Bluetooth.
- My token, such as a SecureKey USB stick.
- My PC, using an on-board Trusted Execution Environment (TEE), rather like the Trusted Platform Modules (TPMs) that shipped in many laptops but never really got used by mass-market applications.
In all cases, the challenge is decoded and the bank’s signature checked inside the tamper-resistant hardware, and a response is constructed by signing that challenge (its fresh nonce and the transaction details) with my private key, which never leaves the hardware. Because the response is bound to one challenge it cannot be replayed, and because the transaction details are part of what is signed, anyone in the middle who alters the payee or amount invalidates it. This would be real, standardised, open security and would mean that banks could reach all of their customers, all of the time, through all of their devices. It’s really not that difficult.
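The exchange described above, written out as an added example in Go with both sides’ messages; this is illustrative code and not part of the original post or any bank’s or operator’s implementation. It assumes Ed25519 signatures, a JSON-encoded challenge carrying an invented nonce, account, payee, amount and expiry, a two-minute validity window, and a one-off `Enrol` step that binds the device’s public key to an account. The `Device` type stands in for the SIM, smart card or TEE: its private key is generated inside it and only `Answer` can use it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Challenge is the message the bank signs and sends to the customer's device.
// The nonce makes it single-use; payee and amount are included so that what the
// customer sees on the device is exactly what gets signed. (Field names assumed.)
type Challenge struct {
	Nonce   string `json:"nonce"`
	Account string `json:"account"`
	Payee   string `json:"payee"`
	Amount  string `json:"amount"`
	Expires int64  `json:"expires"` // Unix seconds
}

// Bank holds its own signing key, the device public keys enrolled per account,
// and the nonces of challenges that are still outstanding.
type Bank struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	devices map[string]ed25519.PublicKey // account -> enrolled device key
	pending map[string]bool              // nonce -> still outstanding
	now     func() time.Time
}

// Device models the tamper-resistant hardware: the private key never leaves
// it, and it pins the bank's public key so it can recognise genuine challenges.
type Device struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	account string
	bankPub ed25519.PublicKey
}

func NewBank() *Bank {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Bank{priv: priv, Pub: pub, devices: map[string]ed25519.PublicKey{},
		pending: map[string]bool{}, now: time.Now}
}

// Enrol is the assumed one-off registration of a device key for an account.
func (b *Bank) Enrol(account string, pub ed25519.PublicKey) { b.devices[account] = pub }

func NewDevice(account string, bankPub ed25519.PublicKey) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, Pub: pub, account: account, bankPub: bankPub}
}

// IssueChallenge (bank -> device) returns the serialised challenge and the
// bank's signature over those exact bytes, and remembers the nonce.
func (b *Bank) IssueChallenge(account, payee, amount string) (payload, sig []byte, err error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	c := Challenge{Nonce: hex.EncodeToString(nonce), Account: account, Payee: payee,
		Amount: amount, Expires: b.now().Add(2 * time.Minute).Unix()}
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	b.pending[c.Nonce] = true
	return payload, ed25519.Sign(b.priv, payload), nil
}

// Answer (device -> bank) verifies the bank's signature and that the challenge is
// addressed to this customer, then signs the very bytes it just checked.
func (d *Device) Answer(payload, bankSig []byte) ([]byte, error) {
	if !ed25519.Verify(d.bankPub, payload, bankSig) {
		return nil, errors.New("challenge not signed by my bank")
	}
	var c Challenge
	if err := json.Unmarshal(payload, &c); err != nil || c.Account != d.account {
		return nil, errors.New("challenge is not for this account")
	}
	// A real device would display c.Payee and c.Amount here and wait for approval.
	return ed25519.Sign(d.priv, payload), nil
}

// Verify completes the exchange on the bank side: nonce outstanding, not
// expired, and signed by the device enrolled for that account. The nonce is
// consumed only on success, so failed attempts cannot burn a live challenge.
func (b *Bank) Verify(payload, deviceSig []byte) error {
	var c Challenge
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if !b.pending[c.Nonce] {
		return errors.New("unknown or already used challenge (replay?)")
	}
	if b.now().Unix() > c.Expires {
		delete(b.pending, c.Nonce)
		return errors.New("challenge expired")
	}
	pub, ok := b.devices[c.Account]
	if !ok || !ed25519.Verify(pub, payload, deviceSig) {
		return errors.New("response not signed by the enrolled device")
	}
	delete(b.pending, c.Nonce) // single use
	return nil
}

func main() {
	bank := NewBank()
	dev := NewDevice("acct-1", bank.Pub)
	bank.Enrol("acct-1", dev.Pub)
	payload, bankSig, _ := bank.IssueChallenge("acct-1", "Plumber Ltd", "120.00")
	resp, err := dev.Answer(payload, bankSig)
	fmt.Println("device answered:", err == nil)
	fmt.Println("bank accepts:", bank.Verify(payload, resp) == nil)
	fmt.Println("replay accepted:", bank.Verify(payload, resp) == nil)
}
```

The two checks that carry the security are that the device signs the bytes it verified and displayed, and that the bank accepts each nonce once. Note what this does not solve: if the display and approval button belong to a compromised phone OS rather than to the secure hardware, the customer may approve one transaction while the hardware signs another, which is exactly the trusted-path question raised in the comments.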
If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets. Identity really is the new money. [From Digital Identity: Cloudy with a chance of PKI]
The operators need to implement SIM-based PKI anyway if they want to have secure QR code and NFC tags, and since the chips used for SIMs implement all of the relevant cryptography I can’t see any barrier to doing this. So what’s the block? Suggestions on an e-postcard, please.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
The Cronto visual transaction authentication system I helped design works essentially the way you describe (http://www.cronto.com/). It differs in the detail, for various reasons, but offers similar usability and security. It doesn’t use the SIM though because the task of getting mobile operators to do anything with the SIM is a huge challenge. I have more hope about the OS and/or CPU doing secure key storage. With the keychain, iOS is already quite far in that direction.
Hopefully, the handset manufacturers will come up with a cost-effective way to give access to TEEs for key storage – this would, I’m convinced, stimulate creativity in this space. Thanks for the Cronto link, will check it out.
Google Authenticator exists as a soft token solution – free to use and very simple.
True, if your phone OS is compromised, you’re screwed, but that would be the case even with a SIM based solution. (Unless there’s a hardwired trusted path from SIM to screen.)
I agree that the mobile phone or at least a smart device is the best way to offer digital signatures and authentication, but I don’t think it needs to be SIM-based. If it’s SIM-based then it isn’t compatible with other smart devices like tablets (where most m-commerce is taking place). If you change your operator, and therefore SIM, you need to set up authentication again. The “block” is that when you require tamper-proof hardware in addition to the smart device you make things too complicated for the consumer. There are now software-based solutions in the market that can turn your smart device into a 2FA security credential, provide PKI signatures and hence avoid the tethering to the SIM and other HW-based solutions. If it’s made simple, secure and seamless, you will have a better chance at driving adoption and usage of these services.
“a hardwired trusted path from SIM to screen”
This is why the secure transaction guys are so excited about TEEs.
That’s interesting. I always thought that the Secure Element was just a place to store certificates and sign bits.
That said though, I’m not certain of the benefits of a hardware module over an OS level trust mechanism. No-one seems to be making use of Windows secure desktop in business online banking (or CardSpace which was a really good idea).
Most big organisations aim to make their interfaces “normal” and user friendly, then mop up breaches as they happen. Not ideal, but understandable …