PhoneCo.in is designed to be easy to use and secure. The server which processes your text message communicates with a separate server processing the bitcoin transaction. The data from your text message is sent using AES-265 encryption and is signed using HMAC-SHA1. This combination of security measures makes it very difficult to initiate a PhoneCo.in transaction in any way other than using a cell phone, as any requests to the bitcoin server must originate from the text message processing server.
We require you to reply with a 5 character confirmation code within 5 minutes when sending a payment. This is necessary to verify that your phone has initiated the payment request (and that someone isn’t spoofing your phone number when contacting our server). Spoofing another phone number is illegal in the United States and punishable with fines up to $10,000. If you receive a confirmation code for a payment you didn’t initiate, contact us so we can help track the offender.
I think it is probably adequate for its intended purpose but not adequate for managing large balances.
The biggest problem is the risk of compromise or theft of your phone or phone number. Anyone who obtains physical access to your phone while it’s unlocked (or who is able to unlock it) can look through your text messages and can transfer your Bitcoins to themselves. The Bitcoins are effectively completely untraceable and permanently lost at this point.
The lack of a way to secure your account with PhoneCo.in without your phone is, in my opinion, a serious problem. What if I can’t find my phone but might just have left it a friend’s house? Am I supposed to disable my phone with my provider only to re-enable it in twenty minutes when I find it? Or am I supposed to have a 20 minute window in which someone can break into my phone and steal my Bitcoins? (Will a mobile company shut off your phone immediately even at 3AM?)
If your phone is lost or stolen, you have to have it disabled immediately — even if it’s locked, even if you might find it in a few minutes.
Another problem with the accounts only being associated with a phone number is that I have to trust my mobile provider. If I lose my mobile account for any reason, I lose my coins too. If my phone number is erroneously transferred to someone else, they get my Bitcoins or at the very least, I cannot get them. If my mobile provider suddenly decides I broke some rule and they cancel my contract “for security reasons”, how can I prove to PhoneCo.in that it’s my account?
So, the service is simple. It’s convenient. And its security is about comparable to a physical wallet (that can also be lost or stolen).