May 17, 2006
A False Sense of SMS Security

Anupam Ratha

Consider this scenario - I receive an SMS from my Manager for a discussion on some major changes in our product development strategy. I show up for the discussion but our Manager was not aware of such an arrangement. Later on, I receive a call from our CEO who was traveling at that point in time, who explained that the SMS was actually from him, and the whole thing got straightened out of course. Can you personally relate to a similar experience of a false sense of security and trust caused by our favorite mode of mobile communications - SMS?

NEW DELHI -- We always wonder why banks and other financial institutions are yet to make a big impression with mobile commerce (m-commerce) -- mainly SMS-commerce. Text messaging (SMS) has captured widespread interest and has an almost ubiquitous accessibility to mobile consumers, thus presenting enormous business opportunities. However, there are still no signs of such services being rolled out, be it service from banks, financial investment firms or debit card vendors despite the fact that mobile commerce presents a new and viable revenue stream.

More in-depth research and analysis shows that the m-commerce idea has been put off simply because the security flaws inherent in SMS have become an impediment to such services. To examine this topic further, let's look at the underlying challenges and vulnerabilities of SMS.

SMS: Enhancing the overall productivity

Mobile communications play an integral part in the lives of over two billion people worldwide. Businesses are gradually turning to mobile devices to “get the message across” to their employees anywhere, anytime. Consequently, SMS has become one of the more innovative and cost-effective ways to enhance the overall productivity of our routine.

As SMS travels as plain text, the privacy of its contents in transit is not guaranteed. The privacy issue might not matter to some, but those who rely on SMS to transmit confidential data are skeptical. This is one of the major reasons behind the slow growth of m-commerce.

SMS services offered by vendors, banks or other businesses are mostly passive in nature: the SMS is not allowed to trigger an active transaction because of the well-known security gaps and vulnerabilities. The gradual shift toward, and demand for, active SMS-based services can be met only by a solution that addresses existing SMS security concerns in an end-to-end manner.

There are a multitude of active SMS services that can be brought to users at a personal and business level in the form of SMS messaging. For example:

Banking: Check balances, transfer funds between accounts, and pay bills using credit cards. Such a value-added service (VAS) is valuable not only for the subscriber but also for the financial institutions offering it.

Customer service: Charge a customer's credit card right at the table, at any time, instead of going to a fixed POS terminal located by the register.

Tracking the location of a moving asset: Interchange small amounts of information in an inexpensive manner, such as the longitude and latitude, current time, and perhaps parameters like temperature or humidity.

Home security and vehicle security: Alerts and notifications in the event of a break-in.

Security Issues

The contents of SMS messages are known to the network operator's systems and personnel, which makes SMS an inappropriate technology for secure communications. Most users do not realise how easy it is to intercept an SMS. Gartner, for example, has already expressed reservations about security in the UK trials of SMS voting in local elections held in May 2002. Enterprises, including governments, should not use SMS for any confidential communications. Rather, enterprises that seek secure communication channels to mobile employees should consider encrypted end-to-end solutions on devices that boast additional security features.

The underlying specifications and technology for SMS transmission leave many security gaps. These gaps make SMS vulnerable to snooping, interception, spoofing, modification, etc.

SMS Security: What is Needed?

End-to-end, key-based encryption of SMS plugs the gaps in transit security, and authentication for access to resident SMS, coupled with encryption, addresses the 'Confidentiality' issue. In addition, features for validating message integrity and digitally signing SMS solve the problems of 'Integrity' and 'Non Repudiation'. With the above features integrated into the SME (smart message entities), users can be completely assured of the security and authenticity of SMS and the transactions that they involve.
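
An added example (not from the original article) of the integrity and sender checks described above: each message carries a counter and a truncated HMAC tag computed with a key shared out of band, and still fits in the 140 octets of a single SMS. The sender IDs, keys and function names are constructed for illustration; a shared-key tag does not give non-repudiation (that needs a digital signature), and the text is not encrypted here.

```python
import hashlib
import hmac
import struct

SMS_MAX = 140                 # octets of user data in a single SMS
TAG_LEN = 16                  # HMAC-SHA256 tag truncated to 128 bits
HDR = struct.Struct(">I")     # 4-byte big-endian message counter

# Constructed per-sender keys, assumed to be provisioned out of band.
KEYS = {"MANAGER": bytes([0x11]) * 32, "CEO": bytes([0x22]) * 32}


def _tag(key, sender, hdr, body):
    # Bind the claimed sender, the counter and the text into one tag.
    data = sender.encode() + b"\x00" + hdr + body
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def seal(sender, counter, text, key):
    """Return counter || text || tag, refusing anything over one SMS."""
    body = text.encode("utf-8")
    if HDR.size + len(body) + TAG_LEN > SMS_MAX:
        raise ValueError("message does not fit in a single SMS")
    hdr = HDR.pack(counter)
    return hdr + body + _tag(key, sender, hdr, body)


def open_sms(claimed_sender, payload, keys, last_seen):
    """Return the text if the payload verifies for claimed_sender, else None."""
    key = keys.get(claimed_sender)
    if key is None or len(payload) < HDR.size + TAG_LEN:
        return None
    hdr = payload[:HDR.size]
    body = payload[HDR.size:-TAG_LEN]
    tag = payload[-TAG_LEN:]
    # Constant-time comparison: fails on a modified text or a wrong sender.
    if not hmac.compare_digest(tag, _tag(key, claimed_sender, hdr, body)):
        return None
    (counter,) = HDR.unpack(hdr)
    if counter <= last_seen.get(claimed_sender, -1):
        return None               # replay of an old, genuine message
    last_seen[claimed_sender] = counter
    return body.decode("utf-8")
```
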

(The author is senior manager, technology, Network Security Solutions.)







