Two-factor authentication such as Chip & PIN in the UK has significantly lowered the risk for consumers and retailers as well as credit card companies of becoming victims of fraud. Unfortunately, the same cannot be said for online transactions where fraud is on the increase and the era of user ID and a static password is fading fast due to these security attacks. Whether it is through phishing, Trojans or keyboard loggers, it is estimated that one in ten consumers in the UK has been affected by on-line fraud. Financial losses due to online banking fraud in the UK were an estimated £14 million in the first half of 2005 alone.
Strong, two-factor authentication can reduce fraud of online transactions and the payment industry is formulating plans for the mass roll-out of EMV authentication. However, in the mean time alternative solutions are being considered based on the mobile phone as a key tool in providing stronger online authentication. Advantages include its ubiquitous use and penetration in the market, convenient handling and, perhaps most importantly, zero distribution costs for the banking industry. Furthermore, the distribution and support infrastructure for mobile phones is already well established, eliminating another crucial cost factor for the banks.
A mobile phone lends itself to several authentication methods. For example, one-off security details can be delivered to the user through the handset that, when entered on the internet, authenticate a particular banking or payment transaction. Or handsets can be equipped with special software to turn them into cryptographic devices or loaded with dedicated banking applications to effectively transform them into mobile ATMs. Last but not least, Radio Frequency Identification technology (RFID) installed on mobile phones allows a contactless form of payment whereby users simply pass the handset in front of a scanner to make a payment.
However, even using mobile phones for user authentication does not fully guarantee protection from fraud. They are relatively safe as long as they are only being used for making phone calls and texting. However, mobile phones will eventually become as vulnerable as PCs due to the growing use of mobiles as Internet terminals with download functionality, Wi-Fi capabilities and other IT connections. With these technological changes the number of attacks on mobile phones is expected to increase leaving users open to ID theft from their mobile as well as their PC.
The solution? Mobile phones will need to utilise the cryptographic functionality readily embedded within phone SIM cards. This effectively replicates the level of security provided by Chip & PIN. Pilot programmes for mobile PKI security are already taking place in countries such as Sweden. However, progress has been slow due to the number of parties involved. Compared to Chip & PIN, which predominately involves the financial services and retail industry, mobile and SIM card-based authentication requires collaboration between handset manufacturers, mobile operators, banks and SIM card manufactures. And crucially, all of them have to see a clear commercial benefit in driving mobile security solutions forward.
The author is Head of transaction security of the e-security activities of Thales