
Mobile key infrastructure

Could mobile phones be the solution to online security problems? Fred Piper posed this question yesterday to a meeting of the UK branch of the Information Systems Security Association (something like half of whom he'd taught at one point or another).

It wasn't that Piper favored the idea. He doesn't, he said, have a mobile phone. He was put off the whole idea long ago by a TV ad claiming that the great thing about a mobile phone was that it went with you when you left the office. He doesn't want to be that available. (This is, by the way, an old concern. I have a New Yorker cartoon from about the 1970s that shows a worried, harassed-looking businessman walking down the street being followed by a ringing telephone on a very long cord.)

But from his observation, mobile phones are quietly sneaking their way into the security chain without anyone thinking too much or too deeply about it. This trend he calls moving from two-factor authentication to two-channel authentication. You can see the sense of it. You want to do some online banking, so for extra security your bank, once you've entered your user name and password, sends a code to your previously registered mobile phone, which you then type into the Web site as a second proof that you are who you say you are.
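To make the two-channel flow concrete, here is a small server-side model of it, added as an illustration rather than anything from the column or Piper's talk. The class and method names are assumptions, and the SMS "channel" is an injected callable so the flow can be exercised offline; the code is short-lived, bound to one login session, single-use, and limited to a few guesses.

```python
import hmac
import secrets
import time

# Added example, not code from the column: a minimal server-side model of
# the two-channel login flow described above. The class and method names and
# the injected send_sms callable (the "second channel") are assumptions.
CODE_TTL_SECONDS = 120   # a code covers one session and expires quickly
MAX_ATTEMPTS = 3         # bound guessing of a six-digit code


class TwoChannelAuth:
    def __init__(self, passwords, phone_numbers, send_sms, clock=time.time):
        self._passwords = passwords   # username -> password (demo only)
        self._phones = phone_numbers  # username -> previously registered phone
        self._send_sms = send_sms     # second channel, injected for testing
        self._clock = clock
        self._pending = {}            # session_id -> pending-code state

    def start_login(self, username, password):
        """First channel: check 'something you know', then send a one-time
        code to the phone on record. Returns a session id, or None."""
        if not hmac.compare_digest(self._passwords.get(username, ""), password):
            return None
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {"code": code, "attempts": 0,
                                     "expires": self._clock() + CODE_TTL_SECONDS}
        # The code travels over the phone channel, never back over the web session.
        self._send_sms(self._phones[username], f"Your login code is {code}")
        return session_id

    def finish_login(self, session_id, submitted_code):
        """Second channel: the code typed into the site must match the one
        sent for this session, within its lifetime and attempt budget."""
        state = self._pending.get(session_id)
        if state is None:
            return False
        if self._clock() > state["expires"]:
            del self._pending[session_id]         # expired: force a fresh code
            return False
        state["attempts"] += 1
        if hmac.compare_digest(state["code"], submitted_code):
            del self._pending[session_id]         # single use
            return True
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]         # budget spent: start over
        return False
```

Binding the code to the session and the registered number is what keeps a captured code from being replayed against a different login.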

One reason things are moving in this direction is that even though security is supposed to be getting better, in some ways it's actually regressing. For one thing, these days impersonating someone is easier than cracking the technology, so impersonation has become the real threat.

For another thing, there are traditionally three factors that may be used in building an authentication system: something you know (a PIN or credit card number), something you have (a physical credit, ATM, or access card), or something you are (a personal characteristic such as a biometric). In general, good security requires at least two such factors. That way, if one factor is compromised the system is weakened but not broken altogether.

But online, despite the encryption protecting credit card details in transit, you are not required to present the physical card, so most of the time our online transactions rely on a single factor for authentication: something we know. The upshot is that credit cards are no longer as secure as in the physical world, where they rely on two factors: the physical card and something you know (the PIN or the exact shape of your signature). "The credit card number has become an extended password," he said.

Mobile phones have some obvious advantages. Most people have one, so you're not asking people to buy special readers, as you would have to if you wanted to use a smart card as an authentication token. To the consumer, using a mobile phone for authentication seems like a free lunch. Most people, once they have one, carry it everywhere, so you're not asking them to keep track of anything more than they already do. The channel, that is, the connection to the mobile phone, is owned by known entities and already secured by them. And mobile phones are intelligent devices (even if the people speaking into them on the Tube are not).

In addition, if you compare the cost of using mobile phones as a secure channel to exchange one-time passwords for specific sessions to the cost of setting up a public key infrastructure to do the same thing, it's clearly cheaper and less unwieldy.

There are some obvious disadvantages, too. There are black holes with no coverage. Increasingly, mobile phones will be multi-network devices. They will be able to communicate over the owned, relatively secure channel, but they will also be able to use insecure channels such as wi-fi. In addition, Bluetooth can add more risks.

Another possibility that occurs to me is that if mobile phones start being used in bank authentication systems we will see war-dialling of mobile phone numbers and phishing attacks on a whole new scale. Yes, such an attack would require far greater investment than today's phishing emails, but the rewards could be worth it. In a different presentation at the same meeting, Mike Maddison, a consultant with Deloitte, presented the results of surveys it has conducted of three industry sectors: financial services, telecommunications and media, and life sciences. All three say the same thing: attacks are becoming more sophisticated and more dangerous, and the teenaged hacker has been largely replaced by organised crime.

Piper was not proposing a "Mobile Key Infrastructure" as a solution. What he was suggesting is that phones are already being used in this way, and security professionals should be thinking about what it means and where the gotchas are going to be. In privacy circles, we talk a lot about mission creep. In computer software we talk about creeping featurism. I don't know if security folks have a standard phrase for what we're talking about here. But it seems to me that if you're going to build a security infrastructure it ought to be because you had a plan, not because a whole bunch of people converged on it.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).


Nice write up. I'm glad to see more people thinking about cell phones as authentication devices and I agree that more thought needs to go into how they are developed and what it takes for them to be secure.


Security is a good thing...but there is a point where it just becomes too annoying! My one web site for a savings account "redesigned" their website, so that to log in - I have to type in my user name, password, favorite sports team, last 4 digits of social security number, and I forgot what else. Oh yeah, and they ask a different thing every time. Needless to say, I don't use the web site any more. I try to check about 12 pages every morning with all my financial institutions, and even if a browser refuses to remember my login and password - it's too much hassle. So, at what point do "extra security measures" compromise the usefulness of the thing I'm trying to get to? Hmm.

Yes: and of course there are lots of things on the Net where a user ID and password are overkill, too.

The problem of making security systems usable is one of those long-running unsolved things. Of course, in some cases (eg, airports), part of the point of the security system is to place a burden on the user, so that security can be seen to be done. Bruce Schneier calls it "security theater". Although I think it's now beyond the point of any useful reassurance...


First rule: do not trust a third party to take care of your security concerns.

A regular phone works as well as a cell phone. Add a remotely accessible voice mail system with PIN, and you have a pretty good substitute for a cell phone, at least for the purpose of exchanging a key.

But there is rule number One. Why shall we trust the mobile phone infrastructure? I give you three reasons why we should not.

First, cell phone manufacturers as well as cell phone service providers seem to be in a rush to beat the competition with new gimmicks. Why should a cell phone come with the possibility to upload firmware written in Java? The moment when you allow anybody to remotely manipulate the firmware of a cell phone you punch a big hole into the security concept. This problem is real. Just search with Google for "cell phone java security".

Second, why shall we trust the telcos? Take Verizon as an example. Go to http://uptime.netcraft.com/ and enter www.verizon.net. Then have a look at http://www.trustworthycomputing.com/ and ask yourself if there is anybody in the world who can honestly claim that she or he can cope with the flood of security issues. Try to make an online payment through Verizon's web site and try to use anything but MS-DoS Windows w/ IE. I have been told on the phone by a Verizon rep that they only support MS-DoS Windows w/ IE. Unfortunately Verizon is as good as any other telco. How much additional security did we gain?

Third, search for "cell phone theft" at Google. Here goes your trusted device.

Did I mention the first rule of all security concepts?

Well, quite. Like I said in the piece, Piper wasn't proposing it, just saying it was sneaking up on us and security people should be thinking about it.

To me, the biggest issue is still that so many large organizations don't seem to understand the need for them to authenticate themselves to us - they think we're the untrustworthy ones, not them.


Great write up - however the biggest problem is that people have serious concerns about the mobile device per se. It's too easy to steal. Our friends at the Halifax Insurance state that there were 2 million stolen in the UK last year (05) alone. It means lack of credibility for the mobile. This was my company's starting point. Please read on, I'm not about to give you the company spin. I'm from a mobile industry background and it was well recognised that device theft was an issue.
Our way around it is to use a secondary device (we call it a SLIM) talking to the mobile over a permanent channel, today using Bluetooth. Move away from the device and we can lock the handset, all ports, which means that you cannot talk to the hardware and OS. Bring the device back and the phone is unlocked. Sounds very simple, but you need to be permanently authenticating both the device and the SLIM to make sure the devices are what they say they are, in real time too. We think that this gives a business user a twenty minute comfort zone that PIN passwords don't allow. (Ever tried a BlackBerry with the PIN timer set to less? Irritating to say the least.)
Perhaps more important is the SLIM itself - a real time authenticator that does not retain any personal data; that is difficult to clone and can also contain a biometric reader, authenticating the device, the person and the handset. This is the genuine step forward and does not rely upon the network having to participate.

For those of you that don't like the active part perhaps it's the subtle 2,3,4 and 5 factor authentication that appeals - nevertheless this technique could be genuinely disruptive. Check out our low key website: http://www.startlok.com/services.cfm

