Lost your credit card PIN? No worries! Get a new one - over SMS

Mobe firm gets PCI DSS green light for text-crypto service

Text messaging isn’t secure. It was never meant to be, as befits something which the chair of the SMG4 standards committee thought was a good idea at the time. No-one ever thought that it might be used for particularly valuable data. SMS expects everything to happen in plain txt so nuttin iz encryptd, bruv.

So it’s pretty impressive when a company can pass the rigorous standards for PCI DSS, the Payment Card Industry Data Security Standard, for text messaging.

Croatian company Infobip has done just that with a service it calls SSMS or Secure Smart Messaging Service. Infobip sells its platforms to corporates, notably banks.

Everything from the corporate server is encrypted all the way through Infobip's system, where no-one at the company can read it, and on to the mobile network's SMSC, with two-way negotiation to establish the encryption. From there on it's down to the standard mobile phone network encryption.

Infobip sees this as being fine for areas where there is a second level of authorisation. Things like sending a customer a temporary password while the user name is sent separately, or, to take a particular example, a new PIN for one's credit card.

CTO Izabel Jelenić says that it’s not secure enough for the ubiquitous payment cards. You can’t build a system which sends the long number, start date and CVV code through the system as that’s enough for a miscreant to misuse it.

For credit card transactions you’d need to create a customer account using something nice and secure, such as an https connection, and then Infobip can issue a token for that customer. The customer can then be charged again and identified through SSMS with just the token, with all the sensitive stuff happening on Infobip’s nice secure PCI DSS-compliant server. This is the way most web merchant systems work, although adding SMS as a transport method is unusual.
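To make the tokenised flow above concrete, here is an added illustration (not Infobip's code; its token format and API are not described in the article): card details are registered once inside the PCI DSS scope, only an opaque token ever travels over the SMS leg, and a Luhn-based check confirms that no card number has slipped into the outgoing text. The card number is a constructed test value.

```python
import re
import secrets

# Constructed sample card for the demonstration; a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical PCI-scoped vault: keeps card data and hands out unrelated random tokens."""

    def __init__(self) -> None:
        self._cards: dict[str, dict[str, str]] = {}

    def register(self, pan: str, expiry: str) -> str:
        # Called once over a secure channel (e.g. HTTPS); the CVV is never stored at all.
        token = secrets.token_urlsafe(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount: str) -> dict[str, str]:
        """Charge by token; only a masked PAN ever leaves the vault."""
        card = self._cards.get(token)
        if card is None:
            raise KeyError("unknown token")
        masked = "*" * (len(card["pan"]) - 4) + card["pan"][-4:]
        return {"status": "approved", "masked_pan": masked, "amount": amount}


def build_sms(token: str, amount: str) -> str:
    """The message sent over the SMS leg carries the token and amount, nothing else."""
    return f"Reply YES to confirm payment of {amount} (ref {token})"


def leaks_card_data(message: str) -> bool:
    """Outbound guard: flag any 13-19 digit run that passes Luhn, i.e. a probable PAN."""
    return any(luhn_ok(m.group()) for m in re.finditer(r"\d{13,19}", message))
```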

Infobip argues that while the final leg of SMS isn’t completely secure, it’s at least as secure as printing a secure envelope and trusting it to the postal system. Given that the card is likely to have gone through the same system, isolating the PIN is possibly more secure. It’s certainly quicker for the customer and much, much cheaper for the banks. And as we know, banks are exceptionally thrifty organisations.

For the end user, there's no difference at all. The Infobip solution uses standard mobile phone systems. Unfortunately that means the SMS sits in the phone's memory as plain text in the SMS inbox. However, some techniques can be used to protect the message from being read by unauthorised people. For instance, USSD sessions ensure messages will not be stored on the phone, and security questions can be used to check that the phone is in the right hands before sending confidential information.

A USSD session can flash a message to the screen of the phone that, once read, disappears. Of course, there is no control over user behaviour and it would be perfectly understandable if the user then took to writing it down or taking a screenshot of it. You could, however, see it used in special circumstances such as allowing you to withdraw large sums from an ATM if you typed in a one-time PIN flashed to the screen of your phone.

Infobip talks about there being uses outside financial services, but all their concrete examples – such as sending customers balance information – seem to relate to money, possibly because Infobip also has mobile money products. Whatever the application, it’s an interesting way to apply a communication method that just came out of kicking ideas around at a standards committee meeting. ®
