
Mobile security a reality

Cryptographic authentication offers a secure identity solution for banks.

By Maeson Maherry
Johannesburg, 26 Feb 2014

The ability to put a digital certificate on a mobile phone puts a cryptographic authenticator under the control of the organisation relying on the identity, and removes reliance on SMS-based authentication. This also opens the door for secure digital signatures to be created on mobile phones.

More and more people are working on their mobile devices (smartphones and tablets). This is useful because it enables people to transact wherever they are and whenever they need to, but puts companies in a position where they need to identify a person who is not necessarily using a tool that supports strong authentication. For example, a USB smart card authentication device can be plugged into a PC, but not a tablet or a smartphone.

On the whole, smartphones have not been particularly secure devices to date, but industry is now working to make secure key stores more widely available on mobile devices. A key store is a protected location on the device for holding cryptographic keys and the digital certificates that go with them. Having a secure key store on a device means users can download a digital certificate to use for strong cryptographic authentication and store it securely.

Improving dependability

Everyone has seen the news stories about SIM swaps, where a fraudster takes over a user's SIM, receives the SMS intended for the user and uses it to access the user's bank accounts, for example emptying them into their own account. By registering and verifying a user and giving them a digital certificate, a trustworthy endpoint can be created, which can't be cloned, so mobile becomes a far more reliable endpoint for businesses to use.
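As an added illustration (not code from the article or its author), the following Go program models the certificate-based challenge-response login the author contrasts with SMS one-time PINs: the organisation's CA enrols a phone by issuing a certificate for a key held in the phone's key store, the server sends a fresh random challenge, the phone signs it, and the server accepts the login only if the certificate chains to its own CA and the signature matches the challenge it issued. The CA name, the user name and the in-memory stand-in for the key store are assumptions; in a real deployment the private key would be generated in, and never leave, the phone's hardware-backed store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA stands in for the organisation's certificate authority: it issues a
// certificate to each enrolled device and later verifies logins against it.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// Device stands in for the phone's secure key store. The private key is an
// in-memory placeholder here (assumption); on a real phone it would be
// non-exportable and held in hardware.
type Device struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue signs a certificate template and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root for the hypothetical "Example Bank".
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Bank Mobile CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{cert: cert, key: key, pool: pool}, nil
}

// Enrol registers a verified user: the device generates its own key pair and
// the CA signs a client-authentication certificate binding that key to the user.
func (ca *CA) Enrol(user string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return &Device{key: key, cert: cert}, nil
}

// CertDER is the public data the device presents at login.
func (d *Device) CertDER() []byte { return d.cert.Raw }

// NewChallenge is the server side of a login: a fresh random nonce, used once
// and then discarded, so a captured response cannot be replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the device side: sign the server's nonce with the key-store key.
// Nothing secret crosses the network, unlike an SMS one-time PIN.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// Verify is the server side: the certificate must chain to this CA and the
// signature must cover exactly the nonce this server issued for this login.
func (ca *CA) Verify(certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: ca.pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // not issued by our CA, expired, or wrong usage
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match challenge")
	}
	return cert.Subject.CommonName, nil
}
```

Two properties follow directly from the design: a response captured from one login is useless against the next, because the server's nonce is different, and a certificate issued by any other CA is rejected even if it names the same user, because only the organisation's own root is trusted. The server must also track which nonce it issued to which session and discard it after one use; that bookkeeping is what makes the challenge single-use.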

Businesses have not been able to encrypt e-mail, to date, either, and have had to rely on vendor mechanisms in closed communities. Standards like S/MIME (a standard for public key encryption and signing of e-mail) have not been useful, because once a message is encrypted, the recipient cannot be forced to read it on the one machine where the decryption key is sitting. Support from mobile devices for secure key stores means the same key can be put on any device a person wants to use, allowing them to read e-mails on a phone or tablet if they wish.

In addition to storing digital certificates in secure stores, mobile devices can also be used as strong cryptographic authentication devices for work being done on a notebook or PC: a phone can be used virtually as a smart card. This is incredibly useful, because an external USB cryptographic token or smart card and reader no longer need to be carried around. The laptop uses Bluetooth and sees the phone as if it were a smart card plugged into the device. This offers great opportunities for truly strong security that is convenient to carry around. People will try to bypass anything that makes their lives more difficult, so the easier and more convenient something is, the better.

Mobile or nothing

For many people in South Africa, and Africa, the first way they will access the Internet is via mobile phone, and the first (and only) place they will interact with government, banking or other financial services is via mobile phone. This makes it imperative to ensure these transactions can be secured.

Developments like these are making cryptography practical to implement. This is becoming increasingly critical as a result of the stricter authorisation requirements that legislation has imposed on users, and of increased awareness overall of security threats. The lesson here is that everything becomes more practical when vendors follow standards.

The combination of ubiquity (of mobile devices) and technological advancement of security standards for mobile means security is converging on a single device. Having a single, strong identity means a mobile phone can be used for logical access into a system, cloud identity, e-mail encryption, digital signing and physical access, because mobile phones support NFC as well as Bluetooth and, as such, can be used to replace access cards.

From a corporate point of view, this achieves multiple security goals: it's more secure, more user-friendly, and drives down the long-term cost of ownership by using a device the user actually likes and chooses to carry around. Given the advances in mobile security and the ease of use it offers, the banks finally have a viable alternative to SMS one-time PINs for providing customer security.