European Network & Information Security Agency Releases Paper on Security of Mobile Devices


The European Network and Information Security Agency (ENISA) has published a new paper (pdf), “Security Issues in the Context of Authentication Using Mobile Devices (Mobile eID).” ENISA is an independent agency that issues advice on technology and security issues to European Union governments and private industry. From the executive summary:

Mobile devices, like smart phones and PDAs, will play an increasingly important role in the digital environment. Besides their primary use, these devices offer, based on the security features of their secure elements, the possibility to electronically authenticate their owners to a service. In the near future we might use our phone to pay our taxes, buy metro tickets, elect a president, play the lottery or open bank accounts. With Hong Kong, Singapore and Taipei being ‘the most mobile-penetrated territories on the planet’, the Asian region in particular is experiencing growing demand for these services. A main driver in the Asian market is the consumer’s interest in convenient solutions which are easy-to-use and involve as few devices as possible. In Europe, enhanced security might become a second incentive for these technologies. Mobile devices can act as a user-interface for online applications and in this way act as a secure, secondary authentication channel.

However, as is the case with many new technologies, the pervasive use of mobile devices also brings new security and privacy risks. Persons who make extensive use of mobile devices continuously leave traces of their identities and transactions, sometimes even by just carrying the devices around in their pockets. Statistics show an increase in the theft of mobile devices, which nowadays store more and more personal information about their users. Although the secure elements (based on smart card technology) are very suitable for storing data, vulnerabilities do exist and new weaknesses might be discovered. Due to the increasing complexity of mobile devices, they are now prone to attacks which previously only applied to desktop PCs. BitDefender lists the exploitation of mobile device vulnerabilities three times among the top ten ‘e-Threats’ for 2008. According to the E-Threats Landscape Report, mobile devices are about to be increasingly targeted by new virus generations because of their permanent connectivity. Classical scam methods using SMS are expected to rise in parallel. Therefore the original notion of seeing the mobile device as a personal, trusted and trustworthy device needs to be re-evaluated.

Throughout this paper we will look at different use-cases for electronic authentication using mobile devices. We will identify the security risks which need to be overcome, give an opinion about their relevance, and present mechanisms that help in mitigating these risks. Furthermore, we will look at use-cases where mobile devices even act as a security-enhancing element by providing an out-of-band channel or a trustworthy display.

Mobile devices have an enormous potential. Many new electronic services are currently being developed and tested and many of them are likely to find customer acceptance because of the opportunities and benefits they offer. We strongly believe that, if these new technologies are applied in the right way, they also constitute a big opportunity when it comes to the secure, sophisticated authentication mechanisms needed for future applications.
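The two ideas the summary names, the phone as a "secure, secondary authentication channel" and as a "trustworthy display", are easiest to see together in a transaction-bound confirmation flow: the server pushes the transaction details and a one-time code to the phone, the phone shows both, and the user types the code into the (untrusted) browser only if the displayed details match what they meant to do. Because the code is an HMAC over the exact transaction, malware on the PC that rewrites the payee cannot reuse it, and the phone's display exposes the rewrite. The Python below is an added example written for this page, not code from the ENISA paper or from Privacy Lives; the device key, IBANs, amounts, the man-in-the-browser scenario and the `Server`/`phone_display` names are all constructed, and the HMAC-with-RFC-4226-style-truncation derivation is one reasonable design rather than anything the paper prescribes.

```python
"""Transaction-bound out-of-band confirmation.

The phone is the second channel and the trustworthy display; the PC browser
is assumed to be compromised. Added example: key and transactions are constructed.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120

# Constructed per-device secret. In a deployment it would be provisioned into the
# phone's secure element and the server's HSM; the browser never holds it.
DEVICE_KEY = hashlib.sha256(b"constructed example device key").digest()


def canonical_transaction(tx):
    """Fixed-order encoding of every field the user must see. Changing any of
    them changes the code, so a code authorises exactly this transfer."""
    return "|".join([
        "v1", tx["payee_iban"], str(tx["amount_cents"]), tx["currency"], tx["reference"],
    ]).encode("utf-8")


def confirmation_code(key, tx, nonce, issued_at):
    """Short numeric code: HMAC-SHA256 over nonce, issue time and transaction,
    truncated dynamically in the style of RFC 4226 so it is typeable."""
    msg = nonce + issued_at.to_bytes(8, "big") + canonical_transaction(tx)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Server:
    """Stores the pending transaction server-side; the code typed into the
    browser can only confirm that stored transaction, never a different one."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # challenge id -> (transaction, nonce, issued_at)

    def start_transaction(self, tx, now, nonce=None):
        # nonce is injectable only so the flow is reproducible in tests.
        nonce = nonce if nonce is not None else secrets.token_bytes(16)
        cid = secrets.token_hex(8)
        self.pending[cid] = (dict(tx), nonce, now)
        # This message goes to the registered phone over the out-of-band channel
        # (app push or SMS). The browser never sees the nonce or the code.
        return cid, {"tx": dict(tx), "nonce": nonce, "issued_at": now}

    def confirm(self, cid, typed_code, now):
        entry = self.pending.pop(cid, None)  # single use: a replayed code fails
        if entry is None:
            return False
        tx, nonce, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            return False
        expected = confirmation_code(self.key, tx, nonce, issued_at)
        return hmac.compare_digest(expected, typed_code)  # constant-time compare


def phone_display(key, oob_message):
    """The trustworthy display: the details the server will actually execute,
    shown next to the code, so the user can compare them with their intent."""
    tx = oob_message["tx"]
    code = confirmation_code(key, tx, oob_message["nonce"], oob_message["issued_at"])
    summary = f"{tx['amount_cents'] / 100:.2f} {tx['currency']} to {tx['payee_iban']} ({tx['reference']})"
    return summary, code


def man_in_the_browser_scenario(now=1_000_000):
    """Constructed scenario: malware on the PC swaps the payee before the order
    reaches the server. Returns what the phone shows and whether money moves."""
    intended = {"payee_iban": "DE89370400440532013000", "amount_cents": 4250,
                "currency": "EUR", "reference": "metro tickets"}
    tampered = dict(intended, payee_iban="GB29NWBK60161331926819")
    server = Server(DEVICE_KEY)
    cid, oob = server.start_transaction(tampered, now)  # server only ever sees the tampered order
    shown, code = phone_display(DEVICE_KEY, oob)
    # The user checks the phone's display against the payee they typed.
    user_approves = intended["payee_iban"] in shown
    accepted = server.confirm(cid, code, now) if user_approves else False
    return {"phone_shows": shown, "user_approves": user_approves, "accepted": accepted}
```

The important design point is that the code binds to what the server stored, not to what the browser claims: a man-in-the-browser can alter the order, but then the phone displays the altered payee and the user withholds the code; it cannot alter the order after the code is issued, because the server verifies against its own pending record, pops that record on first use, and rejects codes past their short lifetime.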

Read the original article (via Privacy Lives).