Lost your credit card PIN? No worries! Get a new one - over SMS

Mobe firm gets PCI DSS green light for text-crypto service

Text messaging isn’t secure. It was never meant to be, as befits something which the chair of the SMG4 standards committee thought was a good idea at the time. No-one ever thought that it might be used for particularly valuable data. SMS expects everything to happen in plain txt so nuttin iz encryptd, bruv.

So it’s pretty impressive when a company can pass the rigorous standards for PCI DSS, the Payment Card Industry Data Security Standard, for text messaging.

Croatian company Infobip has done just that with a service it calls SSMS or Secure Smart Messaging Service. Infobip sells its platforms to corporates, notably banks.

Everything from the corporate server is encrypted all the way through Infobip’s system, where no-one at the company can read it, and on to the mobile network’s SMSC, with two-way negotiation to set up the encryption. From then on it’s down to the standard mobile phone network encryption.

Infobip sees this as being fine for areas where there is a second level of authorisation. Things like sending a customer a temporary password while the user name is sent separately, or, to take a particular example, a new PIN for one's credit card.

CTO Izabel Jelenić says that it’s not secure enough for full payment card details. You can’t build a system which sends the long card number, start date and CVV code over SMS, as that’s enough for a miscreant to misuse it.

For credit card transactions you’d need to create a customer account using something nice and secure, such as an https connection, and then Infobip can issue a token for that customer. The customer can then be charged again and identified through SSMS with just the token, with all the sensitive stuff happening on Infobip’s nice secure PCI DSS-compliant server. This is the way most web merchant systems work, although adding SMS as a transport method is unusual.
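The token flow described above, as an added illustration that is not Infobip's code or API: the card details are enrolled once over the secure channel into an in-scope vault, which hands back a random token; every later charge request that travels over the SMS leg carries only that token and an amount, so there is no card data in the message to lose. The names CardVault, StoredCard and the CHARGE message format are hypothetical, and the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical names: CardVault, StoredCard and the CHARGE message format
# are illustrative only, not Infobip's SSMS API.


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: catches mistyped numbers before a PAN is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits are shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class StoredCard:
    pan: str
    expiry: str
    # No CVV field: PCI DSS forbids retaining it after the first authorisation.


class CardVault:
    """The in-scope PCI DSS server: keeps the card data, hands out opaque tokens."""

    def __init__(self) -> None:
        self._by_token: dict = {}

    def enrol(self, pan: str, expiry: str, cvv: str) -> str:
        """Called once over the HTTPS account-creation channel, never over SMS."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("invalid CVV")
        # The token is random, not derived from the PAN, so it reveals nothing
        # about the card even if the SMS leg is read by a third party.
        token = secrets.token_urlsafe(24)
        self._by_token[token] = StoredCard(pan, expiry)
        return token

    def charge(self, token: str, amount_pence: int) -> Optional[dict]:
        """Later charges arrive over SSMS carrying only the token and an amount."""
        card = self._by_token.get(token)
        if card is None:
            return None
        return {"masked_pan": mask_pan(card.pan), "amount_pence": amount_pence,
                "status": "authorised"}


def sms_charge_message(token: str, amount_pence: int) -> str:
    """What actually travels over the SMS leg: token plus amount, no card data."""
    return f"CHARGE {token} {amount_pence}"


def parse_sms_charge(message: str) -> Optional[Tuple[str, int]]:
    """Bank-side parser for the message above; anything malformed is rejected."""
    parts = message.split()
    if len(parts) != 3 or parts[0] != "CHARGE" or not parts[2].isdigit():
        return None
    return parts[1], int(parts[2])


if __name__ == "__main__":
    vault = CardVault()
    tok = vault.enrol("4111111111111111", "12/27", "123")   # constructed test PAN
    parsed = parse_sms_charge(sms_charge_message(tok, 2500))
    print(vault.charge(*parsed))
```

The point to check in a real deployment is the one the test below checks: the string that leaves the vault for the SMS network must contain nothing that can be turned back into a card number, and an unknown token must be refused rather than guessed at.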

Infobip argues that while the final leg of SMS isn’t completely secure, it’s at least as secure as printing a secure envelope and trusting it to the postal system. Given that the card is likely to have gone through the same system, isolating the PIN is possibly more secure. It’s certainly quicker for the customer and much, much cheaper for the banks. And as we know, banks are exceptionally thrifty organisations.

For the end user, there's no difference at all. The Infobip solution uses standard mobile phone systems. Unfortunately that means the SMS sits in the phone's memory as plain text in the SMS inbox. However, some techniques can be used to protect the message from being read by unauthorised people. For instance, USSD sessions ensure messages will not be stored on the phone, and security questions can be used to check if the phone is in the right hands before sending confidential information.

A USSD can flash a message to the screen of the phone that, once read, disappears. Of course, there is no control over user behaviour and it would be perfectly understandable if the user then took to writing it down or taking a screenshot of it. You could, however, see it used in special circumstances such as allowing you to withdraw large sums from an ATM if you typed in a one-time PIN flashed to the screen of your phone.
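A one-time PIN flashed to the phone is only as safe as the server-side rules around it, so here is an added example (not Infobip's code; OneTimePinService and the phone number are hypothetical and constructed) of the bank-side logic such a PIN needs: generated from a CSPRNG, held only as a keyed hash, valid for a short window, accepted once, and withdrawn after a few wrong guesses so a six-digit value cannot simply be enumerated.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical name: OneTimePinService is illustrative, not an Infobip product.


class OneTimePinService:
    """Issues short-lived, single-use PINs and verifies them without storing the PIN."""

    def __init__(self, ttl_seconds: int = 120, max_attempts: int = 3,
                 server_key: Optional[bytes] = None) -> None:
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._key = server_key or secrets.token_bytes(32)
        # phone -> [pin_digest, expires_at, attempts_left]
        self._pending: dict = {}

    def _digest(self, phone: str, pin: str) -> bytes:
        # Keyed hash: a leaked table of digests cannot be brute-forced offline
        # across the 10^6 PIN space without the server key.
        return hmac.new(self._key, f"{phone}:{pin}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, fixed width
        self._pending[phone] = [self._digest(phone, pin), now + self._ttl,
                                self._max_attempts]
        return pin   # this is what the USSD flash shows; the server keeps only the digest

    def verify(self, phone: str, pin: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[phone]                       # expired: gone for good
            return False
        if hmac.compare_digest(digest, self._digest(phone, pin)):
            del self._pending[phone]                       # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[phone]                       # guessing budget exhausted
        return False


def wrong_pin(pin: str) -> str:
    """Demonstration helper: a PIN guaranteed to differ from the real one."""
    return "000000" if pin != "000000" else "000001"


if __name__ == "__main__":
    svc = OneTimePinService(ttl_seconds=120)
    pin = svc.issue("+385910000000", now=1000.0)          # constructed number
    print(svc.verify("+385910000000", pin, now=1050.0))   # accepted once
    print(svc.verify("+385910000000", pin, now=1051.0))   # refused: already used
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in production it is simply left unset. Whether the PIN arrives by USSD flash or SMS, none of these checks depend on the phone keeping the message secret, which is the part the article notes nobody can control.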

Infobip talks about there being uses outside financial services, but all their concrete examples – such as sending customers balance information – seem to relate to money, possibly because Infobip also has mobile money products. Whatever the application, it’s an interesting way to apply a communication method that just came out of kicking ideas around at a standards committee meeting. ®
