SOS SMS
By Dave Birch, posted Oct 29 2008 at 7:45 AM

The use of the mobile phone as an identity and authentication platform is, to my mind, inevitable. The capability and connectivity of the mobile handset make it a million times more useful for identity, access control, credential management and most other digital identity functions. And, of course, the phone can also act as a verification tool. One thing that holds up development in this area is the lack of trusted infrastructure in the handset (the handset environment is not protected: anyone can run software on the phone). But what about the network? Can we trust that? SMS provides a useful lesson. There are plenty of banking and payment services, for example, that use text messaging for transactional services:
Users simply send a text message to RBC Mobex with the dollar amount and the recipient's cell phone number. Funds are then taken from the sender's Mobex account and moved to the recipient's Mobex account. The recipient also receives an instant text message on their cell phone to let them know when the money has been sent to them.
Amounts of up to $100 per day can be sent to anyone with a mobile phone serviced by any Canadian wireless carrier, even if they do not have an RBC Mobex account. Recipients just need to register for the payment service to access their funds. The RBC Mobex account is a stored value account and enrollment is through the RBC Mobex web-site, where money can be loaded from any bank account with any financial institution in Canada, or by using a credit card.
[From Payments News: Canada: RBC's Mobex Mobile Payment Service - September 29, 2008]
There's an IVR callback with online PIN for transactions over $25, so there are limited opportunities for fraudsters. Provided that the allowed actions are limited, this kind of scheme works well, although there have been problems in some countries (e.g., South Africa) where criminals have been able to obtain replacement SIMs from corrupt operator employees. Yet the fact that it may be hard to make bogus transactions does not mean that text messaging is ideal for identity and authentication services, nor does it mean that we should see services that use unencrypted text as reliable.