
Lost your credit card PIN? No worries! Get a new one - over SMS

Mobe firm gets PCI DSS green light for text-crypto service


Text messaging isn’t secure. It was never meant to be, as befits something which the chair of the SMG4 standards committee thought was a good idea at the time. No-one ever thought that it might be used for particularly valuable data. SMS expects everything to happen in plain txt so nuttin iz encryptd, bruv.

So it’s pretty impressive when a company can pass the rigorous standards for PCI DSS, the Payment Card Industry Data Security Standard, for text messaging.

Croatian company Infobip has done just that with a service it calls SSMS or Secure Smart Messaging Service. Infobip sells its platforms to corporates, notably banks.

Everything leaving the corporate server is encrypted all the way through Infobip’s system (no-one at Infobip can read it) and on to the mobile network’s SMSC, with two-way negotiation to establish the encryption. From there on it’s down to the standard mobile phone network encryption.

Infobip sees this as being fine for areas where there is a second level of authorisation. Things like sending a customer a temporary password while the user name is sent separately, or, to take a particular example, a new PIN for one's credit card.

CTO Izabel Jelenić says that it’s not secure enough for the ubiquitous payment cards. You can’t build a system which sends the long number, start date and CVV code through the system as that’s enough for a miscreant to misuse it.

For credit card transactions you’d need to create a customer account using something nice and secure, such as an https connection, and then Infobip can issue a token for that customer. The customer can then be charged again and identified through SSMS with just the token, with all the sensitive stuff happening on Infobip’s nice secure PCI DSS-compliant server. This is the way most web merchant systems work, although adding SMS as a transport method is unusual.
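The token flow described above, as an added example that is not Infobip's code: a toy token vault stands in for the PCI DSS-scoped server, enrolment happens over what would be the HTTPS leg, and the only thing that is ever put into an SMS is the opaque token plus an amount. An outbound filter refuses to send any message that carries something that passes the Luhn check, so a misconfiguration cannot quietly leak a card number onto the SMS leg. The message format, the vault layout and the test card number are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed test card number (a standard test PAN, not a live account).
TEST_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn check: used to validate enrolment input and to scan outgoing
    messages for anything that looks like a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only, the form PCI DSS allows outside the vault."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def contains_card_number(text: str) -> bool:
    """True if any 13-19 digit run in the text passes Luhn."""
    return any(luhn_valid(run) for run in re.findall(r"\d{13,19}", text))


@dataclass(frozen=True)
class CardRecord:
    pan: str
    expiry: str  # MM/YY. The CVV is deliberately not stored (PCI DSS 3.2).


class TokenVault:
    """Stands in for the PCI DSS-compliant server: the only place a PAN exists."""

    def __init__(self) -> None:
        self._by_token: dict[str, CardRecord] = {}

    def enrol(self, pan: str, expiry: str, cvv: str) -> str:
        """Called during account creation over the HTTPS leg. The CVV would be
        used for the initial authorisation and then discarded."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("invalid PAN")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("invalid CVV")
        # Random token: nothing about the card can be derived from it.
        token = secrets.token_urlsafe(16)
        self._by_token[token] = CardRecord(pan=pan, expiry=expiry)
        return token

    def charge(self, token: str, amount: str) -> dict:
        """Resolve a token back to a card inside the vault; only a masked PAN
        leaves this method."""
        record = self._by_token.get(token)
        if record is None:
            raise KeyError("unknown token")
        return {"masked_pan": mask_pan(record.pan), "amount": amount}


def build_sms(token: str, amount: str) -> str:
    """What travels over the SMS leg: token and amount, nothing else.
    Message format 'PAY <token> <amount>' is constructed for this example."""
    msg = f"PAY {token} {amount}"
    if contains_card_number(msg):
        raise RuntimeError("refusing to send: message contains a card number")
    return msg


def charge_from_sms(vault: TokenVault, sms: str) -> dict:
    """Receiving side: parse the message and let the vault do the lookup."""
    parts = sms.split()
    if len(parts) != 3 or parts[0] != "PAY":
        raise ValueError("malformed message")
    return vault.charge(parts[1], parts[2])


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.enrol(TEST_PAN, "12/29", "123")
    sms = build_sms(tok, "12.50")
    print(sms)
    print(charge_from_sms(vault, sms))
```

The point the example makes is that an attacker who reads the SMS leg learns a token that is useless without the vault, while the vault itself never leaves the PCI-scoped server; `contains_card_number` is the kind of outbound check a practitioner would add so the boundary holds even when someone later changes the message format.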

Infobip argues that while the final leg of SMS isn’t completely secure, it’s at least as secure as printing a secure envelope and trusting it to the postal system. Given that the card is likely to have gone through the same system, isolating the PIN is possibly more secure. It’s certainly quicker for the customer and much, much cheaper for the banks. And as we know, banks are exceptionally thrifty organisations.

For the end user, there's no difference at all. The Infobip solution uses standard mobile phone systems. Unfortunately that means the SMS sits in the phone's memory as plain text in the SMS inbox. However, some techniques can be used to protect the message from being read by unauthorised people. For instance, USSD sessions ensure messages will not be stored on the phone, and security questions can be used to check that the phone is in the right hands before sending confidential information.

A USSD session can flash a message to the screen of the phone that, once read, disappears. Of course, there is no control over user behaviour and it would be perfectly understandable if the user then took to writing it down or taking a screenshot of it. You could, however, see it used in special circumstances such as allowing you to withdraw large sums from an ATM if you typed in a one-time PIN flashed to the screen of your phone.
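The server side of such a one-time PIN, as an added example that is not Infobip's code: because the PIN is flashed to the screen and may be written down or screenshotted, what limits the damage is that it is short-lived and single-use. The store keeps only a keyed hash of the PIN, expires it after a fixed window, and consumes it on the first verification attempt whether or not that attempt succeeds, so a guessed or copied PIN cannot be retried. The PIN length, the 120-second window and the injectable clock are choices made for this example, and `SERVER_KEY` is a constructed stand-in for a key that would live in an HSM or key store.

```python
import hmac
import secrets
import time

# Constructed server-side secret; in production this lives in a key store.
SERVER_KEY = secrets.token_bytes(32)


def _digest(pin: str) -> str:
    """Keyed hash so a leaked store cannot be reversed by brute-forcing
    a six-digit space offline."""
    return hmac.new(SERVER_KEY, pin.encode(), "sha256").hexdigest()


class OneTimePinStore:
    """Issues and verifies single-use, time-limited PINs per customer.
    Only the keyed digest and an expiry are kept; the PIN itself goes out
    once over the USSD flash and is never stored."""

    def __init__(self, ttl_seconds: float = 120.0, clock=time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, customer_id: str, length: int = 6) -> str:
        """Generate a fresh PIN; issuing again replaces any outstanding one."""
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        self._pending[customer_id] = (_digest(pin), self.clock() + self.ttl)
        return pin

    def verify(self, customer_id: str, candidate: str) -> bool:
        """One attempt only: the entry is removed before the comparison, so a
        wrong guess burns the PIN and a correct one cannot be replayed."""
        entry = self._pending.pop(customer_id, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(digest, _digest(candidate))


if __name__ == "__main__":
    store = OneTimePinStore()
    pin = store.issue("customer-42")
    print("flash to USSD:", pin)
    print("first attempt:", store.verify("customer-42", pin))   # True
    print("replay:", store.verify("customer-42", pin))          # False
```

Consuming the entry on a failed attempt is deliberate: with a six-digit PIN the only realistic attack on the verifier is guessing, and allowing one guess per issued PIN removes that avenue at the cost of the legitimate user occasionally having to request a new one.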

Infobip talks about there being uses outside financial services, but all their concrete examples – such as sending customers balance information – seem to relate to money, possibly because Infobip also has mobile money products. Whatever the application, it’s an interesting way to apply a communication method that just came out of kicking ideas around at a standards committee meeting. ®
