Features

net.wars: Mobile key infrastructure

Could mobile phones be the solution to online security problems? Fred Piper posed this question yesterday to a meeting of the UK branch of the Information Systems Security Association (something like half of whom he'd taught at one point or another).

It wasn't that Piper favoured the idea. He doesn't, he said, have a mobile phone. He was put off the whole idea long ago by an ad he saw on TV that said the great thing about mobile phones was when you left the office it would go with you. He doesn't want to be that available. (This is, by the way, an old concern. I have a New Yorker cartoon from about the 1970s that shows a worried, harassed-looking businessman walking down the street being followed by a ringing telephone on a very long cord.)

But from his observation, mobile phones (PPT) are quietly sneaking their way into the security chain without anyone's thinking too much or too deeply about it. This trend he calls moving from two-factor authentication to two-channel authentication. You can see the sense of it. You want to do some online banking, so for extra security your bank could, in response to your entering your user name and password, send you a code to your previously registered mobile phone, which you then type into the Web site (PDF) as an extra way of proving you're you.

One reason things are moving in this direction is that even though security is supposed to be getting better in some ways it's actually regressing. For one thing, these days impersonating someone is easier than cracking the technology – so impersonation has become the real threat.

For another thing, there are traditionally three factors that may be used in creating an authentication system: something you know (a PIN or credit card number), something you have (a physical credit, ATM, or access card), or something you are (a personal characteristic such as a biometric). In general, good security requires at least two such factors. That way, if one factor is compromised although the security system is weakened it's not broken altogether.

But, despite the encryption protecting credit card details online, since you are not required to present the physical card, most of the time our online transactions rely for authentication on a single factor: something we know. The upshot is that credit cards no longer are as secure as in the physical world, where they rely on two factors, the physical card and something you know (the PIN or the exact shape of your signature). "The credit card number has become an extended password," he said.

Mobile phones have some obvious advantages. Most people have one, so you're not asking people to buy special readers, as you would have to if you wanted to use a smart card as an authentication token. To the consumer, using a mobile phone for authentication seems like a free lunch. Most people, once they have one, carry them everywhere. So you're not asking them to keep track of anything more than they already are. The channel, as in the connection to the mobile phone, is owned by known entities and already secured by them. And mobile phones are intelligent devices (even if the people speaking into them on the Tube are not).

In addition, if you compare the cost of using mobile phones as a secure channel to exchange one-time passwords for specific sessions to the cost of setting up a public key infrastructure to do the same thing, it's clearly cheaper and less unwieldy.

There are some obvious disadvantages, too. There are black holes with no coverage. Increasingly, mobile phones will be multi-network devices. They will be able to communicate over the owned, relatively secure channel – but they will also be able to use insecure channels such as WiFi. In addition, Bluetooth can add more risks

Another possibility that occurs to me is that if mobile phones start being used in bank authentication systems we will see war-dialling of mobile phone numbers and phishing attacks on a whole new scale. Yes, such an attack would require far greater investment than today's phishing emails, but the rewards could be worth it. In a different presentation at the same meeting, Mike Maddison, a consultant with Deloitte, presented the results of surveys it's conducted of three industry sectors: financial services, telecommunications and media, and life sciences. All three say the same thing: attacks are becoming more sophisticated and more dangerous, and the teenaged hacker has been largely replaced by organised crime.

Piper was not proposing a "Mobile Key Infrastructure" as a solution. What he was suggesting is that phones are already being used in this way, and security professionals should be thinking about what it means and where the gotchas are going to be. In privacy circles, we talk a lot about mission creep. In computer software we talk about creeping featurism.

I don't know if security folks have a standard phrase for what we're talking about here. But it seems to me that if you're going to build a security infrastructure it ought to be because you had a plan, not because a whole bunch of people converged on it.