About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Mobile eye-D

By Dave Birch posted Nov 10 2008 at 9:17 PM

[Dave Birch] OK, so I've been thinking about mobile phones in the identity space again, because I've been considering a problem around remote identification in connection with a project we're working on. The mobile phone is an obvious focus for a solution, because everyone has one and (generally speaking) they know how to use them. Therefore, if you have to use your mobile phone in some way to identify or authenticate yourself on the web, you probably won't mind that much. And not having to buy some kind of dongle makes it cheaper. We have to be careful with this thinking though. As we discussed recently, we must be thoughtful and not make unwarranted assumptions about the security of the mobile handset, applications, network and systems. People think that mobile is more secure than it actually is, and not because master criminals are planting trojan horse viruses:

Though he's seen cases in which customers were sent SMS messages that tricked them into giving up passwords or other key information, he hasn't yet seen any cases in which losses were caused by key logging programs or other malware that infiltrated cell phones.

[From Mobile Insecurity: Reality or Just hype? - 11..2008 - Bank Technology News Article]

What we need is for end-to-end security to become standard on mobile phones and, to my mind, what that really means as a first step is a digital identity infrastructure that is rooted in the SIM. This, in itself, is not that hard. A SIM Toolkit (STK) application for creating and verifying digital signatures together with a key pair is all that is needed to get started. But so long as the handset itself remains insecure, there will always be the possibility of viruses capturing PINs and so on. If the manufacturers could get together to add some kind of trusted processing to the handset (which, incidentally, would mean that mobile phones could become approved PEDs and become part of PCI-DSS solutions) it would open up a whole new field of value-added business.

On the other hand, perhaps I'm being overly sensitive to risk for cultural reasons. In Japan, where the mobile phone is an integral part of the culture and not regarded as technology any more, there is at least one bank that has adopted the mobile channel wholeheartedly.

At eBank, applicants do not need to fill in application forms by hand or visit the bank, says Saiki. "They can do all of it by sending applications by PC and mobile phone. It is necessary to send identification, but they can send the picture on their driver's licence or other ID using a camera function of a mobile phone, which is legal in Japan."

[From E-bank Japan sets mobile banking example | 13 Oct 2008 | ComputerWeekly.com]

Wow. This would definitely reduce the cost of customer acquisition for all sorts of businesses! I'm not sure if it gets us where we want to be in terms of real security though. We need end-to-end security (like the mobile digital signature service that Turkcell have launched) and then we can transform the identity space by using the mobile phone instead of custom devices, passwords or nothing at all to secure our online selves.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]




I too have been considering the security and authenticity of voice callers and callees. I'd been pinning my hopes on speech rather than iris recognition, mainly because it seems a lot simpler for users.
How would you convince users to use eye biometrics to permit dial tone?

[Dave Birch] Quite!
