The first story concerned a woman who lived somewhere where she couldn’t get a mobile signal (near Dover). To access her home banking, she logs in and then gets in her car and drives for 10 minutes to somewhere she can get a signal, at which point the SMS “one time password” (OTP) arrives from her bank. Then she drives home and logs in!
The second story concerned a man who doesn’t have a mobile phone and doesn’t want one. He can’t use home banking at all because his bank uses SMS codes too, and he was complaining about having to use his bank’s telephone banking because it wasn’t as good as the internet banking service (I hate telephone banking too).
Thinking about these stories, I came up with two possible answers.
It’s a bit rich to complain that you can’t get a better service for something or other because you don’t want a mobile. That’s like me complaining that I want to watch Sky Sports but don’t want to pay for cable or satellite. It’s hard luck. Mobile phones cost, to all intents and purposes, nothing. When my son lost his phone last year, I went down to the store and bought him the cheapest mobile phone I could find. It was £4.95, if memory serves. And if I had broadband but lived somewhere with no mobile signal, then I’d get my own base station. Vodafone sell just such a “femtocell” under the brand name “Sure Signal” even in Dover.
The right solution to the problem is to use digital signatures with the keys stored in tamper-resistant memory (e.g., in the SIM for people who have mobile phones or in a smart card, hat, badge, watch or implant for people who don’t) and to implement proper security on the banking side (using open standards).
Broadly speaking, the protocol should be that I log in to my bank and my bank sends a digitally-signed challenge to my selected device:
- My phone over-the-air.
- My phone via local interface such as NFC or Bluetooth.
- My token, such as a SecureKey USB stick.
- My PC, using an on-board Trusted Execution Environment (TEE), rather like the old Trusted Processing Modules (TPMs) that never really went mass-market in laptops.
In all cases, the message is decoded and the signature checked (inside the tamper-resistant hardware) and a response message is constructed using my digital signature (again, signed using my private key inside the tamper-resistant hardware). This would be real, standardised, open security and would mean that banks could reach all of their customers, all of the time, through all of their devices. It’s really not that difficult.
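The exchange described above, sketched as an added example that is not part of the original post. It assumes Ed25519 signatures, a random 32-byte nonce as the challenge and a bank-side list of open challenges; the `Device` struct only stands in for the tamper-resistant hardware, and all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Device struct { // stands in for the SIM, smart card or TEE: priv never leaves it
	priv    ed25519.PrivateKey
	bankPub ed25519.PublicKey // provisioned at enrolment (assumption)
}
type Bank struct { // the bank's side of the exchange
	priv      ed25519.PrivateKey
	devicePub ed25519.PublicKey // the customer's enrolled public key
	pending   map[string]bool   // challenges issued and not yet answered
}

// msg labels what is being signed so a challenge can never pass as a response.
func msg(label string, nonce []byte) []byte { return append([]byte(label), nonce...) }
func Enrol() (*Bank, *Device) { // constructed setup: make key pairs, swap public halves
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	dPub, dPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Bank{bPriv, dPub, map[string]bool{}}, &Device{dPriv, bPub}
}
// Challenge issues a fresh random nonce signed by the bank.
func (b *Bank) Challenge() (nonce, sig []byte) {
	nonce = make([]byte, 32)
	rand.Read(nonce)
	b.pending[string(nonce)] = true
	return nonce, ed25519.Sign(b.priv, msg("bank-challenge:", nonce))
}
// Respond checks the bank's signature inside the device before signing anything.
func (d *Device) Respond(nonce, bankSig []byte) []byte {
	if !ed25519.Verify(d.bankPub, msg("bank-challenge:", nonce), bankSig) {
		return nil // not from the bank: refuse to sign
	}
	return ed25519.Sign(d.priv, msg("device-response:", nonce))
}
// Verify accepts one valid response per issued challenge, so a replay fails.
func (b *Bank) Verify(nonce, resp []byte) bool {
	defer delete(b.pending, string(nonce))
	return b.pending[string(nonce)] && ed25519.Verify(b.devicePub, msg("device-response:", nonce), resp)
}

func main() {
	bank, dev := Enrol()
	nonce, sig := bank.Challenge()
	fmt.Println(bank.Verify(nonce, dev.Respond(nonce, sig))) // true
}
```

The transport (over-the-air, NFC, Bluetooth, USB) does not appear in the code because the security rests on the two signatures, not on the channel that carries them.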
If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets. Identity really is the new money. [From Digital Identity: Cloudy with a chance of PKI]
The operators need to implement SIM-based PKI anyway if they want to have secure QR code and NFC tags, and since the chips used for SIMs implement all of the relevant cryptography I can’t see any barrier to doing this. So what’s the block? Suggestions on an e-postcard, please.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.