Cellphone security re-think

I found the case study of how not to implement mobile banking security, as described on the Digital Soapbox, very interesting. It is a fact that we cannot implement Internet banking security paradigms directly (as is) on the mobile phone, for the following reasons:
  • Many security advances on the Internet (like virus checkers, firewalls, security warnings etc.) have not been implemented on phones. It is also unlikely that these will be implemented on phones, as their capacity and computing speed are such that they cannot mimic computer functionality.

Phones have characteristics that computers don't have, and these can be utilised to make security more powerful. Think of the characteristics of the SIM card, the uniqueness of the phone ID, or the cellphone number (computers do not have these). GSM has built-in security on the bearer channel, whereas computers have to switch theirs on with SSL. One should think about using cellphone characteristics in mobile banking.

The most classic pitfall (as described on the Digital Soapbox) is where Internet banking security is enhanced through the cellphone channel, and this is then transported as is to cellphone banking. Security that was based on two channels is suddenly reduced to one channel with inferior security protection... Problem.