Mobile Handsets are less secure than PCs according to Ovum

In a recent report produced by Finextra, the analyst house Ovum warns banks to consider the security risks associated with mobile phones. (Read here.) The analyst, Graham Titterington, makes some valuable observations about the potential security breaches possible on mobile transactions and then recommends that banks should look at the problem holistically.

He concludes that banks should deploy "end-to-end encryption" techniques from the handset to the back-office systems at the bank. With the increase in computation capability of end-user devices, this is now possible. I cannot agree more.

A few points need to be made though:
  • Mobile banking is fundamentally more secure than Internet banking, because the underlying carrier is more secure. One should not lose sight of this.
  • Encryption based on specific certificates and derived keys is possible with mobile devices because of a dedicated SIM card. This is the perfect way of distributing identity keys - alternatives in the Internet world are cumbersome. This should be utilised in encryption schemes - it is madness not to consider them.
  • The encryption algorithms utilised in mobile telephony are already built and available on all handsets. (This is part of the handset license conditions.) Utilising these primitives in encryption schemes must be considered.