Distributed PIN Verification Scheme for Improving Security of Mobile Devices

The main driving force for the rapid acceptance rate of small sized mobile devices is the capability to perform e-commerce transactions at any time and at any place, especially while on the move. There are, however, also weaknesses of this type of e-commerce, often called mobile e-commerce, or m-commerce. Due to their small size and easy portability mobile devices can easily be lost or stolen. Whereas the economic values and privacy threats protected with Personal Identification Numbers (PIN) are not particularly high for normal voice-enabled mobile phones, this is not true any more when phones have developed to Personal Trusted Devices (PTDs). Still, PINs are used also in this new context for authorization and identification purposes. PINs are currently used both for protection of the devices and for authentication, as well as authorization of the users. It is commonly recognized that not many techniques of storing the PINs into the memory of the device or on the SIM card are safe. Even less sophisticated thieves might uncover the PIN inside the stolen mobile devices and for sophisticated thieves uncovering the PIN stored safely might be possible. In this paper we propose a new scheme to cope with the problem of uncovering the PIN that reduces the risks of m-commerce. The basic idea is that instead of storing the entire PIN digits (or some hash value) in the mobile device, we store part of the PIN in a remote machine in the network. The PIN verification then involves both the mobile device and the remote machine, which must verify their respective parts of the PIN. Also, the improvements of the security over the existing schemes are shown using a probabilistic model. In the best case, where the probability of discovering the PIN irrespective of the storage scheme is negligible in relation to directly uncovering it, the increase in security is over 1000%.