Lost your credit card PIN? No worries! Get a new one - over SMS

Mobe firm gets PCI DSS green light for text-crypto service

Text messaging isn’t secure. It was never meant to be, as befits something which the chair of the SMG4 standards committee thought was a good idea at the time. No-one ever thought that it might be used for particularly valuable data. SMS expects everything to happen in plain txt so nuttin iz encryptd, bruv.

So it’s pretty impressive when a company can pass the rigorous standards for PCI DSS, the Payment Card Industry Data Security Standard, for text messaging.

Croatian company Infobip has done just that with a service it calls SSMS or Secure Smart Messaging Service. Infobip sells its platforms to corporates, notably banks.

Everything is encrypted from the corporate server, all the way through Infobip’s system (where no-one at the company can read it) and on to the mobile network SMSC, with two-way negotiation to ensure the encryption is in place. From then on it’s down to the standard mobile phone network encryption.

Infobip sees this as being fine for areas where there is a second level of authorisation. Things like sending a customer a temporary password while the user name is sent separately, or, to take a particular example, a new PIN for one's credit card.

CTO Izabel Jelenić says that it’s not secure enough for the ubiquitous payment cards. You can’t build a system which sends the long number, start date and CVV code through the system as that’s enough for a miscreant to misuse it.

For credit card transactions you’d need to create a customer account using something nice and secure, such as an https connection, and then Infobip can issue a token for that customer. The customer can then be charged again and identified through SSMS with just the token, with all the sensitive stuff happening on Infobip’s nice secure PCI DSS-compliant server. This is the way most web merchant systems work, although adding SMS as a transport method is unusual.
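The token flow described above, as an added illustration that is not Infobip's code: card details are captured once over the https channel and kept only in the vault (the PCI DSS-scoped component), and the text message sent afterwards carries nothing but an opaque token and an amount. The token format, message grammar and the `contains_pan` leak check are assumptions made for this example.

```python
import re
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to recognise a card number hiding in free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """True if any 13-19 digit run in the text passes Luhn (a likely leaked PAN)."""
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", text))

class TokenVault:
    """Constructed stand-in for the PCI DSS-compliant server: holds the card,
    hands out tokens, and charges by token. The CVV is never retained."""
    def __init__(self):
        self._cards = {}     # token -> (pan, expiry)
        self._charges = []   # (last four digits, amount in pence)

    def register_card(self, pan: str, expiry: str) -> str:
        # Called once over the https enrolment channel. The hyphen guarantees
        # the token can never look like a card number to contains_pan().
        token = f"t{secrets.token_hex(4)}-{secrets.token_hex(4)}"
        self._cards[token] = (pan, expiry)
        return token

    def charge_by_token(self, token: str, amount_pence: int) -> int:
        pan, _expiry = self._cards[token]   # KeyError for an unknown token
        self._charges.append((pan[-4:], amount_pence))
        return len(self._charges)

def build_sms_charge(token: str, amount_pence: int) -> str:
    """Body of the SSMS text: token and amount only, no card data at all."""
    return f"CHARGE {token} {amount_pence}"

def parse_sms_charge(body: str) -> tuple:
    m = re.fullmatch(r"CHARGE (t[0-9a-f]{8}-[0-9a-f]{8}) (\d{1,9})", body)
    if m is None:
        raise ValueError("malformed charge message")
    return m.group(1), int(m.group(2))

def process_sms(vault: TokenVault, body: str) -> int:
    """Receiving side: refuse anything carrying a PAN, then charge by token."""
    if contains_pan(body):
        raise ValueError("card number present in SMS body; rejected")
    token, amount = parse_sms_charge(body)
    return vault.charge_by_token(token, amount)
```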

Infobip argues that while the final leg of SMS isn’t completely secure, it’s at least as secure as printing a secure envelope and trusting it to the postal system. Given that the card is likely to have gone through the same system, isolating the PIN is possibly more secure. It’s certainly quicker for the customer and much, much cheaper for the banks. And as we know, banks are exceptionally thrifty organisations.

For the end user, there's no difference at all. The Infobip solution uses standard mobile phone systems. Unfortunately that means the SMS sits in the phone's memory as plain text in the SMS inbox. However, some techniques can be used to protect the message from being read by unauthorised people. For instance, USSD sessions ensure messages will not be stored on the phone, and security questions can be used to check that the phone is in the right hands before confidential information is sent.

A USSD can flash a message to the screen of the phone that, once read, disappears. Of course, there is no control over user behaviour and it would be perfectly understandable if the user then took to writing it down or taking a screenshot of it. You could, however, see it used in special circumstances such as allowing you to withdraw large sums from an ATM if you typed in a one-time PIN flashed to the screen of your phone.

Infobip talks about there being uses outside financial services, but all their concrete examples – such as sending customers balance information – seem to relate to money, possibly because Infobip also has mobile money products. Whatever the application, it’s an interesting way to apply a communication method that just came out of kicking ideas around at a standards committee meeting. ®
