Original URL: https://www.theregister.com/2014/04/16/ssms_safer_than_ssl/

Lost your credit card PIN? No worries! Get a new one - over SMS

Mobe firm gets PCI DSS green light for text-crypto service

By Simon Rockman

Posted in Security, 16th April 2014 07:02 GMT

Text messaging isn’t secure. It was never meant to be, as befits something which the chair of the SMG4 standards committee thought was a good idea at the time. No-one ever thought that it might be used for particularly valuable data. SMS expects everything to happen in plain txt so nuttin iz encryptd, bruv.

So it’s pretty impressive when a company can pass the rigorous standards for PCI DSS, the Payment Card Industry Data Security Standard, for text messaging.

Croatian company Infobip has done just that with a service it calls SSMS or Secure Smart Messaging Service. Infobip sells its platforms to corporates, notably banks.

Everything from the corporate server is encrypted, all the way through Infobip’s system, and no-one at the company can read it and on to the mobile network SMSC, with two way negotiation to ensure the encryption. From then on it’s down to the standard mobile phone network encryption.

Infobip sees this as being fine for areas where there is a second level of authorisation. Things like sending a customer a temporary password while the user name is sent separately, or, to take a particular example, a new PIN for one's credit card.

CTO Izabel Jelenić says that it’s not secure enough for the ubiquitous payment cards. You can’t build a system which sends the long number, start date and CVV code through the system as that’s enough for a miscreant to misuse it.

For credit card transactions you’d need to create a customer account using something nice and secure, such as an https connection, and then Infobip can issue a token for that customer. The customer can then be charged again and identified through SSMS with just the token, with all the sensitive stuff happening on Infobip’s nice secure PCI DSS-compliant server. This is the way most web merchant systems work, although adding SMS as a transport method is unusual.

Infobip argues that while the final leg of SMS isn’t completely secure, it’s at least as secure as printing a secure envelope and trusting it to the postal system. Given that the card is likely to have gone through the same system, isolating the PIN is possibly more secure. It’s certainly quicker for the customer and much, much cheaper for the banks. And as we know, banks are exceptionally thrifty organisations.

For end user, there's no difference at all. The Infobip solution uses standard mobile phone systems. Unfortunately that means the SMS sits in the phone's memory as plain text in the SMS inbox. However, some techniques can be used to protect the message from being read by unauthorised people. For instance, USSD sessions ensure messages will not be stored on the phone, and security questions can be used to check if the phone is in the right hands before sending confidential information.

A USSD can flash a message to the screen of the phone that, once read, disappears. Of course, there is no control over user behaviour and it would be perfectly understandable if the user then took to writing it down or taking a screenshot of it. You could, however, see it used in special circumstances such as allowing you to withdraw large sums from an ATM if you typed in a one-time PIN flashed to the screen of your phone.

Infobip talks about there being uses outside financial services, but all their concrete examples – such as sending customers balance information – seem to relate to money, possibly because Infobip also has mobile money products. Whatever the application, it’s an interesting way to apply a communication method that just came out of kicking ideas around at a standards committee meeting. ®