Mobile banking in Africa is becoming a well-known example of how technical and business innovation can benefit poor people around the world (on NPR, for instance). Such systems now exist in other countries, but they are all more or less based on the same technical and business models.
On the technical side, these financial applications are all SIM Toolkit applications. This means that the applications are actually running on the SIM card, simply delegating the interaction part to the mobile. The interface with the remote servers is usually performed using SMS. Of course, this is a financial system, so the level of security must be sufficient to reduce fraud to a minimum.
Among the features that contribute to the security of the system, we have:
- Private network. Mobile networks are private, which makes the information that circulates on them more difficult to attack than the information that flows on the Internet.
- Application running on the SIM, with some cryptography. SIM cards aren’t the most secure smart cards, but getting access to the data stored on a SIM card remains a long and difficult process, even for card evaluators. So, stealing/forging keys is hard.
- SIM Toolkit driver buried deep in the phone’s software. Since the application logic is on the SIM card, the mobile phone only provides a generic driver that manages the user interaction. This driver is handled by the phone’s baseband processor, which is usually not the most accessible piece of software. As a result, it is difficult to attack this interaction.
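As an added illustration (not code from this post, nor from any mobile-money operator), here is a small Python model of the split just described: the application logic and a per-subscriber key sit on the SIM, the phone merely relays a short text message, and the operator's back end verifies every message before acting on it. The message layout, the truncated HMAC and the counter-based replay check are assumptions made for this example; real deployments use operator-specific formats and card-side crypto.

```python
"""Constructed model of an SMS-transported mobile-money transaction.

Added example: the SIM-side applet and the back end are stand-ins, and
the message format, key handling and counter scheme are assumptions.
"""
import hashlib
import hmac
from typing import Dict, List


class SimApplet:
    """Stands in for the SIM Toolkit applet: it holds a subscriber key that
    never leaves the 'card' and a counter that only ever increases."""

    def __init__(self, msisdn: str, key: bytes):
        self._msisdn = msisdn
        self._key = key          # assumed to be provisioned at personalisation
        self._counter = 0        # replay protection (assumed scheme)

    def build_transfer(self, payee: str, amount_cents: int) -> str:
        """Return the SMS payload: pipe-separated fields plus a MAC."""
        self._counter += 1
        body = f"TRF|{self._msisdn}|{payee}|{amount_cents}|{self._counter}"
        # 64-bit truncated HMAC keeps the message well inside one SMS
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]
        return f"{body}|{mac}"


class BackEnd:
    """Operator-side verifier, keyed on the subscriber's MSISDN."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enrol(self, msisdn: str, key: bytes) -> None:
        self._keys[msisdn] = key
        self._last_counter[msisdn] = 0

    def process(self, sms: str) -> str:
        """Return OK, BAD_MAC, REPLAY, MALFORMED or UNKNOWN_SUBSCRIBER.
        Nothing is credited unless the answer is OK."""
        try:
            body, mac = sms.rsplit("|", 1)
            _, msisdn, _payee, _amount, counter_txt = body.split("|")
            counter = int(counter_txt)
        except ValueError:
            return "MALFORMED"
        key = self._keys.get(msisdn)
        if key is None:
            return "UNKNOWN_SUBSCRIBER"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, mac):
            return "BAD_MAC"          # any change to any field invalidates the MAC
        if counter <= self._last_counter[msisdn]:
            return "REPLAY"           # an old message resent by the network is refused
        self._last_counter[msisdn] = counter
        return "OK"


def demo() -> List[str]:
    """Run one genuine transfer, a replay, a tampered copy and a junk message."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    msisdn = "254700000001"                                   # constructed sample number
    sim = SimApplet(msisdn, key)
    server = BackEnd()
    server.enrol(msisdn, key)

    sms = sim.build_transfer("254700000002", 150000)
    results = [server.process(sms)]            # genuine message: OK
    results.append(server.process(sms))        # same SMS delivered twice: REPLAY

    fields = sms.split("|")
    fields[3] = "999999"                       # amount altered in transit
    results.append(server.process("|".join(fields)))   # BAD_MAC

    results.append(server.process("TRF|garbage"))      # MALFORMED
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the key lives: the phone never sees it, so compromising the handset's software yields nothing that lets an attacker forge or alter a transfer, which is exactly the property the list above attributes to SIM-resident applications.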
Don’t get me wrong; I am not claiming that the system cannot be attacked. I am just claiming that the inherent security properties of SIM Toolkit applications are sufficient to guarantee the security of the small data transfers performed daily in developing countries. Now, if you want to use that system to buy a €500,000 house, I may want to take a very different stand.
Actually, the main reason for which this reasoning cannot be extended to developed countries is that SIM Toolkit definitely went out of fashion with the advent of smartphones. The STK text-based interface is simply not acceptable on today’s phones, where we expect fully interactive applications.
That means that our current situation with smartphone applications is quite different:
- Internet connectivity. Forget the private network, we are connected directly to the Internet, and that’s where we want to do our transactions.
- Mobile applications. We get our applications from our local application store, so protecting data (both in storage and in communication) is a bit hard.
- Customized interactions. We like our interactions to be customized for each application. In many cases, the interaction at least partly comes from the Internet, and HTML5 is going to make this more common. Here, there is no need to attack a low-level device driver to get to our stuff.
So far, this is fear-inducing rhetoric. You should be afraid, because your applications are not secure. Yet, there aren’t that many attacks, and mobile transactions are becoming more common on phones. With the announced success of NFC and the announced Google wallet, the future is looking bright in 2011. One of the reasons is that secure elements are becoming fashionable again on smartphones. Another one is that Apple, Google, and the others are keeping a rather tight control on our devices, and the users feel safe. Jailbreakers pose a small problem, but this is marginal for transactions (hint: if a payment application gets hacked on your jailbroken phone, “losing” the phone and denying the jailbreak sounds like a good option). Overall, I have no problem performing transactions with my phone today.
The really interesting question is: Would I feel just as safe if one of the financial apps became as popular as M-Pesa is in Africa? A financial transaction application installed by 50 million users in Europe and the U.S. would surely make a tempting target for hackers around the world, especially given the average balance of our accounts.
In such a case, I would be tempted to say that the various stakeholders would like to have a few additional guarantees. The smart card and security industries have some answers to that: Let’s perform Common Criteria security certifications on cards to prove their security! Let’s add a security layer in the phone to enhance its security! Let’s obfuscate this application to make it more difficult to hack!
All of these things work, and some of them even work well. Each countermeasure makes the cost of attacking the system slightly higher. But all these things provide incremental improvements, and they are definitely not disruptive. Disruption is more likely to come from the outside, from the “hundreds of start-up companies” promised by Eric Schmidt around NFC.
An example: Bump. It is not about NFC, but it is a mobile security measure that “makes connecting as simple as bumping two phones into each other”. It relies on humans to perform most of the security checks, and leverages this on the Internet. This is the way to go as our mobile devices become more personal, as they get closer to actually representing us on the Internet; the human being who holds the device will need to participate actively in the security protocols, not only by entering a code. Disruption will come from those who make the security experience better, not from those who make the mobile experience more secure.