Mobile phones key to e-commerce security

RSA Security has launched an authentication product that uses SMS messages to grant access to business Web sites. RSA Mobile is intended to help merchants and customers on the Web trust each other -- without the need for special hardware or software on the end-user's system. "Distributing a key to the user's phone means that the user does not have to install any hardware or software, and the interface is intuitive," said Sarah Kent, business & corporate development manager at RSA Security. The service has been tested by service providers including BT Ignite and Your Communications, and is intended to allow employees to access corporate applications, or end users to access commerce sites. Right now, in both cases, authentication is usually by password or PIN, although two-factor authentication, in which the user has to have some sort of token as well as knowing a password, is considered more secure. The problem is that most tokens, such as smart cards, are expensive to distribute and can be tricky to use. When the user enters a PIN to a site's log-in screen, the system will send an SMS message to the user's mobile phone, giving them a "virtual token", usually an eight-digit number. The user cannot get full access until this is entered, ensuring that they know the PIN and have the phone. The token can also be sent by email. Losing your mobile phone or having it stolen might compromise the system, if a hacker also knew the PIN number. "But if you lose your mobile phone, you cancel it quite quickly," said Kent, pointing out that users are likely to cancel a lost mobile phone more quickly than a dedicated token which they use less often. Your Communications, a telecoms company in the north-east of England, has been piloting the system for eight months, and will offer it as a managed service. "RSA mobile is a third option in our portfolio alongside passwords and SecurID tokens," said Damon Crawford, principal consultant at Your Communications. Around 200 mobile engineers at United Utilities, Your's parent company, are using RSA Mobile to access applications such as job schedules. "The engineers thought tokens were great -- for about a week," said Crawford. "Then they found that key fobs are easy to lose. However, they all have mobile phones, and they are sacrosanct." Also at Your, a prototype application will let United Utilities customers pay their bills online after authenticating with RSA Mobile. Your then plans to offer it as a managed service for financial services companies, insurance companies and other utilities. BT Ignite engineers are also using the product to get jobs and eliminate paper workflow documents, while another prototype BT application gives mortgage advisors access to financial information. The product is being launched worldwide on 4 September, and Kent expects the option to send tokens by email to be more popular in the US, where messages to CDMA phones are sent this way. The product will be available for companies that want to manage their own authentication, as well as to those using a managed service such as that provided by Your. "We are seeing a shift towards managed services with our existing SecurID (hardware token) product," said Kent. Managed authentication services using hardware tokens typically cost between £80 to £100 per user per year, while services based on RSA Mobile will cost "significantly less than that," said Crawford. Users will have to pay for the SMS messages, he pointed out. The product has been integrated with Microsoft's Passport, with the intention of offering a higher level of authentication. The product is compliant with the rival Liberty specifications and will work with Liberty products when they emerge.

---