Calling up mobile security

Research from the IST could make mobile phone fraud a thing of the past by using biometric data to confirm a caller’s identity.

The IST SecurePhone project employs physical attributes to enable the user to digitally sign audio, text or image files, providing proof of their origin and authenticity.

SecurePhone technical coordinator Roberto Ricci said, “Because biometric data never leaves the device’s SIM card and cannot be accessed, except by the verification module which also runs on the SIM card, the user’s biometric profile is completely safe. This is important to meet the highest privacy requirements.”

Currently, text, audio and image files can be sent by anyone to anyone with no authentication. This makes data exchanged over mobile devices of limited use for legally binding transactions. However, a digitally signed and authenticated voice recording during a telephone conversation would, for example, give the speaker’s words legal value.

The system developed by the SecurePhone project partners consists of two main elements. The first, an authentication module, uses biometric security applications to verify the user’s identity. Successful verification in turn gives the user access to the second module, which digitally signs the data using a Public Key Infrastructure (PKI).

The system offers three methods of biometric identification. One employs a phone camera along with a face recognition application to identify the user based on their facial features. Another uses voice recognition software, which also detects any asynchrony between speech and lip movements. The third verifies the handwritten signature of the user on a PDA touch screen. The three methods are used in combination to enhance the overall levels of security and reliability and, most importantly, they require no hardware additions to mobile devices.

“The SecurePhone platform is entirely software based. This is important if it is to be adopted by device manufacturers as it keeps costs down and makes implementing it much easier. There is no need to add fingerprint or iris scanners. Instead, the system uses elements that already exist in the device and which serve alternative purposes as well, while the type of verification carried out is non-intrusive for the user,” Ricci said.

The authentication data and the digital signature are stored on a SIM card, giving users a single security token that they can transfer between devices with minimal inconvenience.