Mobile eID security issues examined by ENISA
Your mobile is fast becoming your new PC, wallet, identity card, but is it secure? The EU Agency ENISA (the European Network and Information Security Agency) launches a Position Paper on authentication issues for mobile eID, with 11 security threats and 7 key conclusions to enhance security.
In the near future, we will pay our taxes, buy metro tickets or open bank accounts over our phones. Mobile devices, national ID cards, smartphones and PDAs (Personal Digital Assistants) will play an ever more important role in the digital environment. A mobile device can act as an identity or payment card for online services. In Asia there is already a growing demand for such services, particularly in Hong Kong, Singapore and Taiwan. The main driver in Asia is consumer interest in convenient, easy solutions bundled into as few devices as possible. In Europe, by contrast, the main driver is enhanced security, with the mobile phone seen as a security identification tool, for example in electronic ticketing, payment and even online banking.
However, as with many new technologies, the pervasive use of mobile devices also brings new security and privacy risks. People who make extensive use of mobile devices continuously leave traces of their identities and transactions, sometimes simply by carrying the devices around in their pockets. Statistics show an increase in the theft of mobile devices, which nowadays store more and more personal information about their users.
Although secure elements (based on smart card technology) are well suited to storing sensitive data, vulnerabilities do exist and new weaknesses may be discovered. Because of the increasing complexity of mobile devices, they are now exposed to attacks which previously applied only to desktop PCs. BitDefender lists the exploitation of mobile device vulnerabilities three times among the top ten ‘e-Threats’ for 2008.
According to the E-Threats Landscape Report, mobile devices are about to be increasingly targeted by new generations of viruses because of their permanent connectivity. Classical scam methods using SMS are expected to rise in parallel. The original notion of the mobile device as a personal, trusted and trustworthy device therefore needs to be re-evaluated.
In the paper, ENISA looks at different use cases for electronic authentication using mobile devices. It identifies the security risks which need to be overcome, gives an opinion on their relevance, and presents mechanisms that help to mitigate these risks. It also looks at use cases where the mobile device itself acts as a security-enhancing element, by providing an out-of-band channel or a trustworthy display.