Digital signatures in mobile banking and payment processing
Cryptomathic, 10 November 2016
Over the past 8-10 years, we’ve witnessed a huge rise in the use and application of mobile banking. At first we could check our account balances and activity from the internet and bank-specific applications. Not too far down the road, we were able to deposit mobile checks without having to run into brick and mortar locations. Fast forward to two years ago and we saw the rise of Apple Pay and their competitors; now we can make purchases using our smart phones in place of a credit card.
As we are in the midst of this Fin-Tech era, banking organizations of all sizes are zeroed in on decreasing go-to-market time with their products, resulting in a large amount of innovation in a short period of time. With the proliferation of mobile banking and payments processing services, we can’t help but ask the question that is possibly on many minds: has the security world been able to keep up?
Common challenges
Mobile phones, even more than regular computers, depreciate and become antiquated very quickly, usually within 2-3 years at most. This may not seem like a relevant issue, but when you consider that the same technology is involved in applying digital signatures and encryption (e.g. SIM cards, SD cards, etc.), it becomes a topic of concern. Technology which was considered valid 3 years ago may be considered invalid now, which undermines the trustworthiness of signatures produced with it.
Furthermore, PKI technologies cannot easily be applied to mobile devices. In the past, it has been difficult to apply Wireless Application Protocol (WAP) in mobile environments due to the low mobile bandwidth and limitations in computing power. Also, mobile devices do not yet house physical PKI technology as the phone would simply be unable to support it.
What security solutions are being implemented?
Mobile-PKI and e-signature technologies have been a widely discussed topic for years, even before smart phones became widespread. It is a difficult topic, given the challenges discussed above. The options below have come to light as potential ways forward.
Smart SIM cards, SD cards, and other cryptographically enabled hardware
Mobile devices typically lack the power and resources to run typical PKI solutions, such as RSA asymmetric algorithms with long key lengths and advanced web browser services for verification. In theory, smart phones, like desktop computers, could be used to produce digital signatures. Options exist that involve PKI hardware, such as sticker SIM cards, which attach to the phone's existing SIM card, as well as improved SD cards and cryptographic devices and tokens. In particular, a secure micro-SD card could be very useful for implementing strong authentication and authorization with banking servers, creating an extremely secure ecosystem. However, this is quite a problematic approach, as the average person now uses multiple financial services products across many different providers. Furthermore, because these solutions are highly technology- and device-dependent, it would be very difficult for financial services organizations to govern the use of such technology.
Biometrics
One large improvement introduced for e-signatures on phones in the last 3 years was biometrics, the use of thumbprints, facial recognition, and other methods to authenticate users. As banks and credit card companies seek to secure their mobile banking and transaction services, they are looking to combine biometric information with PKI to build a more concrete security solution. As many users are still on outdated phones that lack the ability to capture biometrics, the question arises whether or not they will be allowed to partake in these mobile banking services.
Beyond Mobile Banking
E-signatures have been a driving force for e-commerce and online banking, and will continue to be pertinent as growing numbers of remote transactions take place on mobile devices and computers. While there are secure hardware solutions for mobile phones such as SIM cards, we are more likely to have success implementing digital and e-signature technologies in the middleware and application layers.
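As an added example, not code from Cryptomathic's article or products, the Go program below signs a constructed payment message at the application layer, as suggested above, and also illustrates the earlier point about ageing technology: the verifier checks its current key-size and hash policy before the signature arithmetic, so a signature made with a 1024-bit RSA key and SHA-1, acceptable a few years ago, is rejected today even though it still verifies mathematically. The message layout, account numbers, nonce and policy thresholds are constructed assumptions for this example, not a real banking format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers SHA-1 so crypto.SHA1.New() works (legacy case)
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.New() works
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is a constructed application-layer payment message (assumed layout).
type Transaction struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Nonce       string `json:"nonce"` // constructed; a real system must enforce uniqueness
}

// SignedTransaction carries the message, the hash used and the RSA-PSS signature.
type SignedTransaction struct {
	Tx        Transaction
	Hash      crypto.Hash
	Signature []byte
}

// Policy is the verifier's current view of acceptable parameters. It is checked
// before the signature math, so parameters that were fine years ago are rejected
// today even though the arithmetic still works out.
type Policy struct {
	MinRSABits    int
	AllowedHashes map[crypto.Hash]bool
}

var ErrPolicy = errors.New("signature rejected by current policy")

// canonical gives signer and verifier the same bytes to hash; encoding/json
// emits struct fields in declaration order, so the encoding is stable.
func canonical(tx Transaction) ([]byte, error) { return json.Marshal(tx) }

func digest(h crypto.Hash, msg []byte) []byte {
	hasher := h.New()
	hasher.Write(msg)
	return hasher.Sum(nil)
}

// Sign produces an RSA-PSS signature over the canonical transaction bytes.
func Sign(key *rsa.PrivateKey, tx Transaction, h crypto.Hash) (SignedTransaction, error) {
	msg, err := canonical(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, key, h, digest(h, msg), nil)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{Tx: tx, Hash: h, Signature: sig}, nil
}

// Verify applies policy first, then checks the signature itself.
func Verify(pub *rsa.PublicKey, st SignedTransaction, pol Policy) error {
	if bits := pub.N.BitLen(); bits < pol.MinRSABits {
		return fmt.Errorf("%w: %d-bit RSA key below minimum of %d", ErrPolicy, bits, pol.MinRSABits)
	}
	if !pol.AllowedHashes[st.Hash] {
		return fmt.Errorf("%w: hash %v not allowed", ErrPolicy, st.Hash)
	}
	msg, err := canonical(st.Tx)
	if err != nil {
		return err
	}
	return rsa.VerifyPSS(pub, st.Hash, digest(st.Hash, msg), st.Signature, nil)
}

// DemoResult collects the outcomes of the scenarios run by Demo.
type DemoResult struct {
	LegacyMathValid bool  // legacy signature still verifies under a permissive policy
	LegacyErr       error // the same signature under today's policy
	ModernErr       error // modern signature under today's policy
	TamperedErr     error // modern signature after the amount is altered in transit
}

// Demo signs one constructed transaction with a legacy key (1024-bit RSA, SHA-1)
// and a current key (2048-bit RSA, SHA-256) and verifies each against policy.
func Demo() (DemoResult, error) {
	tx := Transaction{FromAccount: "ACC-0001", ToAccount: "ACC-0002", AmountCents: 12500, Currency: "EUR", Nonce: "demo-nonce-1"}
	legacyKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return DemoResult{}, err
	}
	modernKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	today := Policy{MinRSABits: 2048, AllowedHashes: map[crypto.Hash]bool{crypto.SHA256: true}}
	permissive := Policy{MinRSABits: 1024, AllowedHashes: map[crypto.Hash]bool{crypto.SHA1: true, crypto.SHA256: true}}
	legacySig, err := Sign(legacyKey, tx, crypto.SHA1)
	if err != nil {
		return DemoResult{}, err
	}
	modernSig, err := Sign(modernKey, tx, crypto.SHA256)
	if err != nil {
		return DemoResult{}, err
	}
	tampered := modernSig // struct copy; the signature still covers the original amount
	tampered.Tx.AmountCents = 1250000
	return DemoResult{
		LegacyMathValid: Verify(&legacyKey.PublicKey, legacySig, permissive) == nil,
		LegacyErr:       Verify(&legacyKey.PublicKey, legacySig, today),
		ModernErr:       Verify(&modernKey.PublicKey, modernSig, today),
		TamperedErr:     Verify(&modernKey.PublicKey, tampered, today),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legacy math valid: %v\nlegacy under policy: %v\nmodern: %v\ntampered: %v\n",
		r.LegacyMathValid, r.LegacyErr, r.ModernErr, r.TamperedErr)
}
```

The policy check runs before `rsa.VerifyPSS` on purpose: the verifier's decision about which key sizes and hashes it still trusts is a business rule that changes over a device's lifetime, independent of whether a particular signature happens to verify, and keeping it explicit makes the "technology valid 3 years ago" case an auditable policy rejection rather than a silent acceptance.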
Gartner Research predicts that by the year 2020, the Internet of Things market will grow by 30%, to a whopping 20.8 billion “things”, mobile devices among them. While we’ve been focused on phones in this discussion, the matter of security and the need for digital signatures will apply to all types of devices: smart watches, smart home devices, cars, etc. This conversation is only the beginning of what will be a long, interesting road ahead for the mobile security world.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority