About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.



By Dave Birch posted Oct 29 2008 at 7:45 AM

[Dave Birch] The use of the mobile phone as an identity and authentication platform is, to my mind, inevitable. The capability and connectivity of the mobile handset makes it a million times more useful for identity, access control, credential management and most other digital identity functions. And, of course, the phone can also act as a verification tool. One thing that holds up development in this area is the lack of trusted infrastructure in the handset (the handset environment is not protected: anyone can run software on the phone). But what about the network? Can we trust that? SMS provides a useful lesson. There are plenty of banking and payment services, for example, that use text messaging for transactional services:

Users simply send a text message to RBC Mobex with the dollar amount and the recipient's cell phone number. Funds are then taken from the sender's Mobex account and moved to the recipient's Mobex account. The recipient also receives an instant text message on their cell phone to let them know when the money has been sent to them.

Amounts of up to $100 per day can be sent to anyone with a mobile phone serviced by any Canadian wireless carrier, even if they do not have an RBC Mobex account. Recipients just need to register for the payment service to access their funds. The RBC Mobex account is a stored value account and enrollment is through the RBC Mobex web-site, where money can be loaded from any bank account with any financial institution in Canada, or by using a credit card.

[From Payments News: Canada: RBC's Mobex Mobile Payment Service - September 29, 2008]

There's an IVR callback with online PIN for transactions over $25, so there are limited opportunities for fraudsters. Provided that the allowed actions are limited, this kind of scheme works well, although there have been problems in some countries (eg, South Africa) where criminals have been able to obtain replacement SIMs from corrupt operator employees. Yet the fact that it may be hard to make bogus transactions does not mean that text messaging is ideal for identity and authentication services, nor does it mean that we should see services that use unencrypted text as reliable.

I saw Charles Brookson, the head of the GSMA security group, make a very interesting point recently. Charles was talking about the use of SMS for mobile banking and payment services and he made the point that SMS has, to all intents and purposes, no security whatsoever. The spoofing of SMS originating numbers, in particular, is trivial (this is why M-PESA, for example, encrypts and signs all SMS messages using a SIM Toolkit application).

This means that even "simple" transaction notification services can be a problem. Suppose you are, let's say, a Citibank customer and you get a text message whenever you use your MasterCard for a purchase of more than $10 or whatever threshold you have set. You'll undoubtedly get used to seeing these messages all the time. So when a message arrives, purporting to be from Citibank (after all, it has their originating number, so it appears on your phone display as "Citibank") and asking you to call a number to check on a transaction, you'll call and give your account number, mother's maiden name and whatever else, thinking you are talking to Citibank but actually talking to some fraudsters. In other words, because people will believe SMS to be secure, even though it isn't, they will believe the identity of the caller, which could be storing up some big problems.
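To make the two points above concrete, here is an added Python sketch (not code from this post, nor M-PESA's or any operator's implementation) of the defensive pattern the M-PESA aside describes: a bank verifies a keyed tag over the message text and a counter, and deliberately ignores the originating number. The key, the message layout and the tag length are constructed assumptions for illustration only.

```python
import base64
import hashlib
import hmac

# Constructed demo key standing in for a secret provisioned into a SIM Toolkit applet
# and mirrored at the bank; a real deployment keeps it inside the SIM and the bank's HSM.
SIM_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 12  # bytes of HMAC kept; a trade-off against the 160-character SMS budget


def sign_sms(key: bytes, body: str, counter: int) -> str:
    """Return the text to send: '<counter>|<body>|<base64 tag>'.
    The counter lets the verifier reject a replayed copy of a genuine message."""
    signed_part = f"{counter}|{body}"
    tag = hmac.new(key, signed_part.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return f"{signed_part}|{base64.b64encode(tag).decode()}"


def verify_sms(key: bytes, sms: dict, last_counter: int):
    """Authenticate an inbound SMS given as {'from': ..., 'text': ...}.

    Only the signed text is checked. The 'from' field is ignored on purpose:
    the originating number shown on the handset proves nothing.
    Returns (True, body, counter) on success, else (False, None, last_counter).
    """
    text = sms.get("text", "")
    try:
        counter_s, rest = text.split("|", 1)
        body, tag_b64 = rest.rsplit("|", 1)   # body itself may contain '|'
        counter = int(counter_s)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, TypeError):
        return (False, None, last_counter)    # malformed: not a signed message at all
    expected = hmac.new(key, f"{counter_s}|{body}".encode(), hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return (False, None, last_counter)    # forged sender or tampered body
    if counter <= last_counter:
        return (False, None, last_counter)    # replay of an older genuine message
    return (True, body, counter)


if __name__ == "__main__":
    genuine = {"from": "Citibank", "text": sign_sms(SIM_KEY, "Debit 42.00 at MERCHANT", 7)}
    # Same displayed sender, unsigned body: the display name alone earns no trust.
    spoofed = {"from": "Citibank", "text": "8|Call us to confirm a transaction|AAAAAAAAAAAAAAAA"}
    print(verify_sms(SIM_KEY, genuine, 6))   # (True, 'Debit 42.00 at MERCHANT', 7)
    print(verify_sms(SIM_KEY, spoofed, 7))   # (False, None, 7)
    print(verify_sms(SIM_KEY, genuine, 7))   # (False, None, 7)  replayed
```

The same check works whether the signed text comes from a SIM Toolkit applet or a server-side HSM; what matters is that trust rests on the tag, not on the number the handset displays.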

We need end-to-end security (like the mobile digital signature service that Turkcell have launched) and then we can transform the identity space by using the mobile phone instead of custom devices, passwords or nothing at all to secure our online selves.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
