When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it comes from an app store, what social media says about it, and whether they have seen any reviews. But what if, once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight?
This is what happened to approximately 300,000 active users of the Chrome ad-blocking extension Nano Adblocker. At the beginning of October, the developer of Nano Adblocker sold it to another developer, who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may also have been uploading session cookies.
[Dave Birch] OK, so I’ve been thinking about mobile phones in the identity space again, because I’ve been considering a problem around remote identification in connection with a project we’re working on. The mobile phone is an obvious focus for a solution, because everyone has one and (generally speaking) they know how to use it. Therefore, if you have to use your mobile phone in some way to identify or authenticate yourself on the web, you probably won’t mind that much. And not having to buy some kind of dongle makes it cheaper. We have to be careful with this thinking, though. As we discussed recently, we must be thoughtful and not make unwarranted assumptions about the security of the mobile handset, applications, network and systems. People think that mobile is more secure than it actually is, and not because master criminals are planting trojan horse viruses
Though he’s seen cases in which customers were sent SMS messages that tricked them into giving up passwords or other key information, he hasn’t yet seen any cases in which losses were caused by key logging programs or other malware that infiltrated cell phones.
[From Mobile Insecurity: Reality or Just hype? – 11..2008 – Bank Technology News Article]
What we need is for end-to-end security to become standard on mobile phones and, to my mind, what that really means as a first step is a digital identity infrastructure that is rooted in the SIM. This, in itself, is not that hard. A SIM Toolkit (STK) application for creating and verifying digital signatures together with a key pair is all that is needed to get started. But so long as the handset itself remains insecure, there will always be the possibility of viruses capturing PINs and so on. If the manufacturers could get together to add some kind of trusted processing to the handset (which, incidentally, would mean that mobile phones could become approved PEDs and become part of PCI-DSS solutions) it would open up a whole new field of value-added business.
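The SIM-rooted signing described above amounts to a challenge-response protocol: the relying party issues a fresh nonce, the SIM-side application signs it with the subscriber’s private key, and the relying party verifies the signature against the public key it enrolled. The following is an added illustration, not code from the original post or from any STK product; the `Signer` and `Verifier` types, the subscriber identifier and the context strings are assumptions made for the example. It also shows the two checks the prose implies but does not spell out: a nonce is accepted only once (so a captured signature cannot be replayed), and the signature is bound to a context string (so a signature obtained for a login cannot be reused to authorise a payment). Note what the example cannot do: a valid signature proves the key was used, not that the person holding the handset authorised it, which is exactly the PIN-capture gap the paragraph raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer stands in for the SIM-resident signing application holding the
// subscriber's private key (assumed name; not any real STK API).
type Signer struct {
	priv *ecdsa.PrivateKey
}

func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// challengeDigest binds the nonce to a context string so a signature obtained
// for one purpose (e.g. "login") cannot be presented for another ("payment").
func challengeDigest(context string, nonce []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(context))
	h.Write([]byte{0}) // domain separator between context and nonce
	h.Write(nonce)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Sign produces an ASN.1 DER ECDSA signature over the context-bound challenge.
func (s *Signer) Sign(context string, nonce []byte) ([]byte, error) {
	digest := challengeDigest(context, nonce)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verifier is the relying party: it remembers enrolled public keys and the
// nonces it has issued but not yet consumed.
type Verifier struct {
	keys   map[string]*ecdsa.PublicKey // subscriber id -> enrolled public key
	nonces map[string]bool             // outstanding nonces, keyed by raw bytes
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}}
}

func (v *Verifier) Enroll(subscriber string, pub *ecdsa.PublicKey) { v.keys[subscriber] = pub }

// Challenge issues a fresh 128-bit random nonce and records it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.nonces[string(nonce)] = true
	return nonce, nil
}

var (
	ErrUnknownSubscriber = errors.New("unknown subscriber")
	ErrStaleNonce        = errors.New("nonce not outstanding (replayed or never issued)")
	ErrBadSignature      = errors.New("signature does not verify for this subscriber and context")
)

// Verify consumes the nonce before checking the signature, so a second
// presentation of the same nonce fails even if the signature is genuine.
func (v *Verifier) Verify(subscriber, context string, nonce, sig []byte) error {
	pub, ok := v.keys[subscriber]
	if !ok {
		return ErrUnknownSubscriber
	}
	if !v.nonces[string(nonce)] {
		return ErrStaleNonce
	}
	delete(v.nonces, string(nonce))
	digest := challengeDigest(context, nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	sim, _ := NewSigner()
	rp := NewVerifier()
	rp.Enroll("subscriber-01", sim.Public()) // enrolment: constructed subscriber id
	nonce, _ := rp.Challenge()
	sig, _ := sim.Sign("login", nonce)
	fmt.Println("first use:", rp.Verify("subscriber-01", "login", nonce, sig))
	fmt.Println("replay:   ", rp.Verify("subscriber-01", "login", nonce, sig))
}
```

The verifier deletes the nonce before checking the signature on purpose: an attacker who captures a valid signed challenge gains nothing from resubmitting it, and a nonce that was never issued is rejected without touching the key at all.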
[Dave Birch] The use of the mobile phone as an identity and authentication platform is, to my mind, inevitable. The capability and connectivity of the mobile handset makes it a million times more useful for identity, access control, credential management and most other digital identity functions. And, of course, the phone can also act as a verification tool. One thing that holds up development in this area is the lack of trusted infrastructure in the handset (the handset environment is not protected: anyone can run software on the phone). But what about the network? Can we trust that? SMS provides a useful lesson. There are plenty of banking and payment services, for example, that use text messaging for transactional services:
Users simply send a text message to RBC Mobex with the dollar amount and the recipient’s cell phone number. Funds are then taken from the sender’s Mobex account and moved to the recipient’s Mobex account. The recipient also receives an instant text message on their cell phone to let them know when the money has been sent to them.
Amounts of up to $100 per day can be sent to anyone with a mobile phone serviced by any Canadian wireless carrier, even if they do not have an RBC Mobex account. Recipients just need to register for the payment service to access their funds. The RBC Mobex account is a stored value account and enrollment is through the RBC Mobex web-site, where money can be loaded from any bank account with any financial institution in Canada, or by using a credit card.
[From Payments News: Canada: RBC’s Mobex Mobile Payment Service – September 29, 2008]
There’s an IVR callback with online PIN for transactions over $25, so there are limited opportunities for fraudsters. Provided that the allowed actions are limited, this kind of scheme works well, although there have been problems in some countries (e.g., South Africa) where criminals have been able to obtain replacement SIMs from corrupt operator employees. Yet the fact that it may be hard to make bogus transactions does not mean that text messaging is ideal for identity and authentication services, nor does it mean that we should regard services that rely on unencrypted text as reliable.