SMS for mobile authentication

Matthew has applied for an account on T-Mobile’s WLAN hotspot Anytime. Applying via SMS led him to this conclusion:

“I applied for a WLAN hotspot account using an SMS? Think about it. It took a couple of hours for the relevance to hit me.
It’s not about GSM or 3G or WLAN – it’s about mobility and connectivity. And the mobile operators don’t really care what it’s called in the end.
Because they win anyway.”

I’m not yet fully convinced, as the former telecoms monopoly in Germany may make this easier for T-Mobile than for other mobile operators. Still, it’s a good thing that convergence is now starting to appear, and I will surely be signing up, too.

Thinking about doing that made me hesitate: my mobile phone is paid for by my employer. I immediately sent out an email advocating that we all sign up, as this is far cheaper and faster than GPRS, which is what we’re using now when on the road. For a moment, however, my thought was “if I just sign up – will anyone even notice?”. My phone bill is paid by someone who hasn’t the faintest idea what all the items on the bill are for. If the final amount isn’t too far off, nobody will be concerned.

The situation gets worse when you think about it some more: what if a colleague signs up using *my* phone while I’m away from my desk? I’d never know, and I wouldn’t even see the bill. Using SMS for authentication may make things easier for the operator, but it has serious security implications not only for the recipient, but for *any* mobile phone owner: if somebody who knows your phone number has access to your phone in your absence, you are in danger of identity fraud.

I’m sure this isn’t the last application of this technology, yet it makes me wonder if security is on anybody’s mind there. For example, I have also signed up for T-Mobile’s mobile wallet, entered my credit card details, and all I ever received in confirmation was a password SMS. No written confirmation or email at all.

Somebody else could have done that, and could subsequently pay on the internet with that account even without the phone!

Again, it could have been anybody – all that is known is that somebody who knew the phone number also had the phone in hand for a minute…
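To make the risk described above concrete, here is a toy model of the two flows: a service that binds an account to a phone number and delivers its only credential by SMS, and a hardened variant that demands a fresh code from the phone at every payment. This is an added illustration, not code from the original post and not T-Mobile’s system; the service names, the phone number and the attacker routine are all constructed for the example.

```python
"""Toy model of SMS-based enrollment and payment (constructed example).

WalletService mirrors the flow in the post: sign up by SMS, receive a password
by SMS, pay later with number + password.  HardenedWalletService is an assumed
mitigation: the long-lived password alone never authorizes a payment; each
payment needs a one-time code that lands on the phone at that moment.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Phone:
    number: str
    inbox: list = field(default_factory=list)


class SmsNetwork:
    """Minimal stand-in for the operator: routes texts to registered phones."""

    def __init__(self):
        self.phones = {}

    def register(self, phone):
        self.phones[phone.number] = phone

    def send(self, number, text):
        self.phones[number].inbox.append(text)


class WalletService:
    """The weak flow: one SMS password, reusable without the phone."""

    def __init__(self, net):
        self.net = net
        self.accounts = {}

    def signup_by_sms(self, sender_number, card):
        # Identity is whoever is holding the phone with this number right now.
        password = secrets.token_hex(4)
        self.accounts[sender_number] = {"card": card, "password": password}
        self.net.send(sender_number, f"Your wallet password is {password}")

    def _password_ok(self, number, password):
        acct = self.accounts.get(number)
        return acct is not None and secrets.compare_digest(acct["password"], password)

    def pay(self, number, password, amount):
        # Possession of the phone is never re-checked after enrollment.
        return self._password_ok(number, password)


class HardenedWalletService(WalletService):
    """Assumed mitigation: per-payment code delivered to the phone."""

    def __init__(self, net):
        super().__init__(net)
        self.pending = {}

    def pay(self, number, password, amount):
        return False  # the stored password alone is never sufficient

    def start_payment(self, number, password, amount):
        if not self._password_ok(number, password):
            return False
        code = secrets.token_hex(3)
        self.pending[number] = (code, amount)
        self.net.send(number, f"Confirm payment of {amount} with code {code}")
        return True

    def confirm_payment(self, number, code):
        pending = self.pending.pop(number, None)
        return pending is not None and secrets.compare_digest(pending[0], code)


def attacker_with_phone_for_a_minute(phone, svc, card="attacker-chosen card"):
    """Knows the number, holds the phone briefly: enrolls, reads and deletes
    the password SMS, hands the phone back.  Returns the stolen password."""
    svc.signup_by_sms(phone.number, card)
    msg = phone.inbox.pop()  # owner never sees the confirmation
    return msg.split()[-1]


def demo_weak():
    net = SmsNetwork()
    victim = Phone("+49170000000")  # constructed number
    net.register(victim)
    svc = WalletService(net)
    pw = attacker_with_phone_for_a_minute(victim, svc)
    # Later, without the phone: the payment goes through and the inbox is empty.
    return svc.pay(victim.number, pw, 100), len(victim.inbox)


def demo_hardened():
    net = SmsNetwork()
    victim = Phone("+49170000000")
    net.register(victim)
    svc = HardenedWalletService(net)
    pw = attacker_with_phone_for_a_minute(victim, svc)
    started = svc.start_payment(victim.number, pw, 100)  # password still checks out
    # The code went to the phone the attacker no longer holds; a guess fails
    # ("zzzzzz" is not hex, so it can never match a token_hex code).
    confirmed = svc.confirm_payment(victim.number, "zzzzzz")
    # The owner now has an unexpected confirmation SMS as a warning sign.
    return started, confirmed, len(victim.inbox)
```

Note that the per-payment code only closes the use-time gap: the enrollment itself is still bound to whoever held the phone, with the attacker’s card on the account. That part is exactly what a written or emailed confirmation of the signup would have to cover.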