Authentication With SMS

Although not a secure application, SMS can be used to complement authentication methods.


If John Q. Subscriber orders something online by giving a credit-card number, then denies having made the purchase, someone has to eat the cost of that transaction. Depending on the country in which the transaction is made, that unlucky someone will be either the subscriber or the credit-card company. According to Patrice Peyret, CEO of MobileWay (www.mobileway.com), that's why both MasterCard (www.mastercard.com) and Visa (www.visa.com) are seeking ways to identify mobile customers as they make transactions and to record those transactions for future reference. One seldom-discussed method involves using SMS messages in a secure environment.

A View From Abroad

Recently, a wireless messaging and content-distribution company known as MobileWay teamed with MasterCard to develop and market an authentication method to verify cardholders and substantiate mobile transactions for MasterCard's more than 20,000 member banks. For carriers, the authentication system could be a chance to earn additional profits.

MobileWay's system uses 2-way SMS to send messages between subscribers and financial institutions. For instance, if the subscriber buys an airline ticket, the travel agency would notify the credit-issuing bank of the purchase attempt. The bank would then send a message to the cardholder's mobile phone, asking for a PIN code to verify that the cardholder is about to make the purchase.

This method uses what banks refer to as 2-factor authentication, Peyret said. In other words, authentication depends on the combination of something the cardholder owns (the mobile phone) and something he knows (the PIN).

Because SMS is not a secure system, MobileWay and MasterCard are developing a security application that will live inside SIM cards of GSM phones. To validate a transaction, MasterCard would encrypt a message and send it through the SMS channel, said Greg Pinter, MobileWay general manager & vice president of the Americas. Once the message reaches the handset, it would be routed automatically to a program in the SIM card that would decrypt the message and ask for user authorization of the transaction and a PIN code. After the PIN has been entered, the message would be re-encrypted and returned to the financial institution.

Currently, MobileWay is deploying this authentication system exclusively in the GSM world outside of North America. Although MobileWay has been discussing the system with handset manufacturers and CDMA and TDMA carriers in North America, no agreements have been reached at this time. Pinter doubts that U.S. carriers will use this authentication method any time soon, although in other parts of the world roll-outs are scheduled for early next year or sooner.

According to Pinter, consumers abroad are more interested in validation services than U.S. consumers because of liability laws.

“For example, in Germany, if you make a transaction and you dispute it, you are liable up to $25,000. So, it becomes a significant issue to validate that transaction,” Pinter said. “Here in the United States, I believe we're liable up to $25.”

So, for consumers, there is less incentive; however, according to Pinter, North American financial institutions and credit-card companies are interested because they're liable for fraudulent purchases. Pinter said the banks are telling MobileWay that North American consumers just don't see a need for the authentication services, which means the banks' customers likely would not use the services if they were available.

Nevertheless, North American carriers would benefit from reduced churn if these services were adopted, MobileWay's Peyret said. Also, MobileWay pays carriers to shuttle messages via their data gateways through an agreed-upon interface.

“Carriers are paid proportionally to the number of messages transferred,” he said. “Payment mechanisms can be based on mobile-terminated traffic or on mobile-originated traffic or both.”

Although MobileWay performs the integration with the networks, carriers must tell the company which application programming interfaces, access-control measures and protocols to use to interface with their data gateways.

One Way or Two?

Because SMS has no built-in security, ASP Air2Web (www.air2web.com) combines wireless voice with SMS in its authentication services. For example, a user would give his phone number at the time of signup, and if that user called into the bank to check his balance, Air2Web's system would begin authentication by capturing data from the user's phone. Then the customer would be asked to enter a PIN or would be authenticated using voice-trend biometrics, which measure voice-wave patterns against a previously saved sample of the user's voice.

In another scenario, the bank could initiate contact with the customer via 1-way SMS; the customer would return the call and be validated on a voice service. According to Fred Tanzella, Air2Web CEO, 2-way SMS typically is used to initiate authentication in Europe. With 2-way SMS, the bank might send the subscriber a message containing an embedded phone number, saying, “Check your balance today. Press talk.” Upon pressing “talk,” the customer automatically would be connected with the bank and asked to enter a PIN code for authentication.

Air2Web authenticates the SMS transactions by sending the data to Verisign for a real-time check to see whether the digital certificate is valid.

“If you want to get a higher level of authentication, you need to go to public key infrastructure (PKI),” Tanzella said, explaining that PKI only can be used if the handset supports it.

Digital Security Definitions

Privacy is required when passing sensitive information such as credit-card numbers or financial details around networks, and it means that the information cannot be seen or used by other parties. Encrypting the data traditionally ensures confidentiality.

Authentication refers to the verification of the second party's identity. “Spoofing” is a common hacker's tactic that involves disguising the hacker's identity by pretending to be someone else, hence the need to authenticate that you really know with whom you are dealing at the other end of that connection.

Integrity ensures the detection of any change in the content of a message between the time it is sent and the time it is received. For example, when a user instructs a bank to transfer $1,000 from one account to another, integrity guarantees that the account numbers and dollar amount in the user's message cannot be altered without the bank or the user noticing.

Non-repudiation refers to a system that ensures users cannot deny they took part in a transaction after the fact. Non-repudiation requires successful authentication of the user but goes further to establish a credible record of all transactions that cannot later be denied.
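The SIM-card exchange described earlier in this article (the bank encrypts a transaction challenge, the applet on the SIM decrypts it, asks the cardholder to authorize and enter a PIN, and returns the answer re-encrypted) and the integrity and non-repudiation properties defined just above, as one added example in Python. This is illustrative code written for this page, not MobileWay's or MasterCard's implementation. The article names no cipher or key arrangement, so the block assumes a master key shared between the card issuer and the SIM applet and builds encrypt-then-MAC from HMAC-SHA256 so that it runs with the standard library alone; a real applet would use a standard block cipher such as AES. The merchant, amount, enrolled PIN 4321 and key material are constructed values, and `IssuingBank`, `SimApplet` and `run_exchange` are names chosen for the example.

```python
"""Simulated bank <-> SIM-applet SMS exchange. Added example, not MobileWay code."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master: bytes):
    """Split the shared master key into encryption, MAC and PIN-verifier keys."""
    return tuple(hmac.new(master, label, hashlib.sha256).digest()
                 for label in (b"enc", b"mac", b"pin"))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: fresh nonce, XOR with keystream, tag over nonce||ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting, so any byte altered in transit is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def pin_digest(pin_key: bytes, pin: str) -> bytes:
    """Keyed digest of the PIN; the bank stores this, never the PIN itself."""
    return hmac.new(pin_key, pin.encode(), hashlib.sha256).digest()


class IssuingBank:
    """Bank side: builds the challenge, checks the reply, keeps the transaction record."""

    def __init__(self, master_key: bytes, enrolled_pin: str):
        self.enc_key, self.mac_key, self.pin_key = derive_keys(master_key)
        self.verifier = pin_digest(self.pin_key, enrolled_pin)
        self.pending = {}    # txn id -> details awaiting a reply
        self.record = []     # audit trail that backs non-repudiation

    def challenge(self, merchant: str, amount: str, currency: str) -> bytes:
        details = {"txn": secrets.token_hex(8), "merchant": merchant,
                   "amount": amount, "currency": currency}
        self.pending[details["txn"]] = details
        return seal(self.enc_key, self.mac_key, json.dumps(details).encode())

    def verify(self, blob: bytes) -> bool:
        reply = json.loads(unseal(self.enc_key, self.mac_key, blob))
        details = self.pending.pop(reply["txn"], None)
        if details is None:  # unknown txn id, or a replayed reply
            return False
        ok = bool(reply["approved"]) and hmac.compare_digest(
            pin_digest(self.pin_key, reply["pin"]), self.verifier)
        self.record.append({**details, "approved": ok})
        return ok


class SimApplet:
    """SIM side: decrypts, shows the details to the cardholder, returns the PIN sealed."""

    def __init__(self, master_key: bytes, ask_user):
        self.enc_key, self.mac_key, _ = derive_keys(master_key)
        self.ask_user = ask_user    # callback: details -> (approved, pin)

    def handle_sms(self, blob: bytes) -> bytes:
        details = json.loads(unseal(self.enc_key, self.mac_key, blob))
        approved, pin = self.ask_user(details)
        reply = {"txn": details["txn"], "approved": approved, "pin": pin}
        return seal(self.enc_key, self.mac_key, json.dumps(reply).encode())


def run_exchange(pin_entered: str, tamper: bool = False) -> dict:
    """Push one constructed purchase through the exchange and report the outcome."""
    master = secrets.token_bytes(32)                 # constructed shared secret
    bank = IssuingBank(master, enrolled_pin="4321")  # constructed enrolled PIN
    sim = SimApplet(master, lambda details: (True, pin_entered))
    sms = bank.challenge("Example Air", "412.00", "USD")
    if tamper:  # flip one ciphertext byte, as a corrupted or altered SMS would
        i = NONCE_LEN + 5
        sms = sms[:i] + bytes([sms[i] ^ 0x01]) + sms[i + 1:]
    try:
        approved = bank.verify(sim.handle_sms(sms))
        return {"approved": approved, "records": len(bank.record)}
    except ValueError as exc:
        return {"approved": False, "error": str(exc), "records": len(bank.record)}


if __name__ == "__main__":
    for pin, tamper in (("4321", False), ("0000", False), ("4321", True)):
        print(pin, tamper, run_exchange(pin, tamper))
```

`run_exchange("4321")` approves the purchase and leaves one entry in the bank's record; `run_exchange("0000")` is declined but still recorded, so the attempt cannot later be denied; `run_exchange("4321", tamper=True)` never reaches the PIN step, because the applet rejects the altered challenge on the tag check, which is the integrity property from the definitions above. Two points differ from a production design and are worth noting: the reply carries the PIN inside the sealed envelope because that is how the article describes the flow, and the JSON payloads are larger than the 140-octet body of a single SMS, so a real applet would use a compact binary encoding or concatenated messages.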

© 2012 Penton Media Inc.
