2 Valimo Wireless…is a Finnish company specialized in developing software for performing and securing transactions in fixed and mobile networks…main customer segments are telecom operators, large enterprises and service providers in finance, government, health care, betting and media
3 Topics Need Key Drivers for Mobile Signature Services - Bank - Mobile Operator- GovernmentShort Overview of the ETSI — MSS ConceptHow the SIM Card and Mobile Network Operator's Infrastructure Plays a Key RoleUser experience
4 Urgent need!Industry has a demand to know the user and get his approval for actions.We must be sure that the user is who he claims to be.We must get user’s approval in a way that user can not claim afterwards that it did not happen.Needs to support mass-market.
5 Key Stakeholders Bank Mobile Operator Government Consumer Internet Bank & ePayment ServicesCustomer baseMobile OperatorNetwork InfrastuctureSubscribersGovernmentMore and morepublic services moving to Web.Strong authentication a must!ConsumerUser of the value added services
7 VISA & Mastercard fraud figures 40 million credit cards hacked in 2005Breach at 3rd party payment processor affects 22 million VISA cards and 14 million MasterCards70% of the losses caused by use of counterfeit cardse-Commerce is the next targetSource: Jani Kallio, Security Manager, Luottokunta Eurocard Oy, Finland
8 Online fraud figures in UK 2004 frauds £5 million2005 £30 million2006 EMV launched, POS card frauds going rapidly down, Online services on targetLatest news (BBC1 Nov. 7th): Online frauds already doubled comparing to 2005What it will be at the end of 2006?Source: FSA & BBC, UK
9 Net users want banks to do something “What could your bank do to boost your confidence in online banking security?”Source: Forrester UK Internet User Monitor, Q Base: British Net users
11 Key Drivers, Banks The mobile phone is a trusted device that provides anywhere, anytime access toconfidential, personal and business contentand guarantees integrity and non-repudiationof electronic transactions
12 Key Drivers, BanksAuthentication through different channel than the serviceMakes phishing and Man-in-the-Middle impossible
13 Key Drivers, BanksLegally binding transactions and agreements by mobile phone.(non-repudiation)
14 Security Method Analyze A = D=8273B = E=3554C = F=6455OTP via SMSMobile SignatureHardware tokenPIN/TAN listDevice requiredGSM phonepeople has it alreadyGSM phone + PKI SIM people has it and operator manage SIMSeparate tokenBank has to manageSeparate list / mailingMulti application and multi-service channel usageYES- difficult in mobile channel and mobile applicationsYES – all channelsall applicationsOnly for one bankor application limitation with usability of channelsOnly for one bank or application, usability low – all channelsUser experienceRequires retyping of a different password every timeRequires entering the same Authentication #PIN every timeRequires retyping of a different number every timeCarry around requirementMobile PhoneThe token (single purpose)The password-list(single purpose)Customer Service SupportNo Extra CostAll in operator’s responsibilityThe issuing bank’s responsibilityLimiting featuresFunction requires a mobile phone subscription and network availabilityFunction requires a mobile phone subscriptionWith PKI SIM and network availabilityBattery expirySynchronize pinsDistribution / support issuesCan be copied, list need to be renewed. Phishing & man-in-middle – with users (?) of confidenceDistribution costsNo CostsExisting SIM logisticsExpensiveContinuous Mailing Costs (single purpose)
15 Authentication Methods Costs (annum) PIN/TANOTP/OTCMSSHWTokenSW TokenSmartCardCOSTPER YEARPER USER €13 €15 €12 €35 €50 €100 €USABILITYLOWMEDIUMHIGHSource: Entrust and MSS business model security cost analyze, users, 3 year period
16 Benefits for Bank Increased security level Reduced cost Two factor securityReduced costNo dedicated hardware tokens, scratch-cards or listsLower administration and maintenance costs with one solutionPromote more self service, lower transaction costsPotential for increased revenueValue-added servicesAuthorization for 3. partiesIncreased consumer convenienceLeverages mobile deviceSimple user interactionCross channelSame authentication solution for all access points (services)Internet, mobile, digital tv, phoneCross transactionSame solution for all types of transactionsLogin, payment, workflow approval, digital signingSecurity for all partiesCustomer identificationBank identificationConfidentialityNon-repudiation of transaction
17 Summary of eBankingeBanking is usually the most attempting application at starting point with Wireless PKI:Banks have huge need for fraud preventionSecurity level should be as high as possibleSecurity methods should be cost effectiveConstant support work should be at minimum levelEasy to adopt and to use for customersTunnistaminenSisäänkirjautuminen web-pankkiin, -kauppaan, …Sisäänkirjautuminen yrityksen intranettiin, sähköpostiin, …Asioint-kumppanin tunnistaminen: puhelu, web, …MaksaminenMaksun vahvistus web-pankissa, -kaupassa, etcTilauksen (maksun) vahvistus web-kaupassa, puhelimessa, etcDokumentin allekirjoitusSähköinen allekirjoitusKaiken perustaAll above is pointing towards to WPKI
19 Need!After recent years heavy investments to 3G licenses/network development and heavy price competition, operators are in deep need of new revenue streamsNew innovative value added services are the only way to generate such streamsServices must support mass-market most widely, meaning corporate, governmental and financial market applicationsAt the same time, number transferability has become a big influencer around Western Countries, causing rising churn rate
20 Key Drivers, Mobile Operators Mobile operator needs to offer many new high security servicesBusiness and consumer customers
21 Key Drivers, Mobile Operators SIM-card with digital keys linked to a mobile signature service may reduce frequent changes of a mobile operator
22 Mobile PKIPublic Key Infrastructure is a ideal technical solution for this need.Everyone has Mobile Phone – implementing PKI on SIM/UICC card is the ideal solution.PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI.Mobile PKI is just an enabler to services.
24 Key Drivers, Government All possible Governmental & Municipal services will be on WebAny service containing sensitive information (financial, health, etc.) must have strong authentication in placeNational level eID is/will be based on PKI solution
25 Key Drivers, Government eIDM Roadmap for EU eIDM2006 Manchester Declaration, setting objectives for a EU eIDM interoperability and mutual recognition of national eIDM2007 Common spesifications for interoperable EIDM and call for large scale pilots2008 Large scale pilots of eIDM in cross-border services2009 eSignatures in eGovernment, undertake review of take-up in public services2010 Review the uptake by the Member States, interoperable eIDM at workCountries in piloting phase:Austria/Belgium (leading countries), UK, Germany, Italy, Poland, Netherlands, Portugal, Malta, Estonia + possibly others
27 Mobile PKIPublic Key Infrastructure is a ideal technical solution for this need.Everyone has Mobile Phone – implementing PKI on SIM/UICC card is the ideal solution.PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI.Mobile PKI is just an enabler to services.
28 Mobile PKIIn year 2000 Valimo started to develop Mobile Signing solutionBy that time, no standards for interfaces were existing, solutions were only proprietaryFirst commercial deliveries 20022002 ETSI published MSS StandardsETSIETSIETSIETSINow all running systems are upgraded to ETSI Standards based solution
30 Simplicity in Authentication All You need for secure authentication is one SIM-card.Insert your Authentication PIN code: ****
31 Legally Binding Legally binding agreements by mobile phone. The non-repudiationOfficial Identity (issued by Government with Mobile Operators)Or Corporate Identity (issued by Corporate with Mobile Operator)Insert your Signature PIN code: ******
32 Hiding Mobile PKI Complexity Simultaneous support for multiple Certificate AuthoritiesNo technology or policy constraints
33 ETSI MSSETSI MSSP (Mobile Signature Service Provider) is based on four entities:- Home Entity (has connection to individual clients)- Acquiring Entity (acquires signatures)- Routing Entity (handles roaming in multiple operatorenvironments)- Verification Entity may be as part of first two.All above may be combined together or alternatively be separateentities (like for example a bank having Acquiring Entity whichconnects to operator’s Home Entity)ETSI Standards include interfaces between entities and for integrating any application to use mobile signature service
34 Roles in ETSI 102 specification SIMCARegistration processesCARegistration processesDPOTAMSSHOMEEntityMSSRoamingEntityMSSAcquiringEntityRelyingPartyService ProviderGWWAPgatewayPPGETSIRoamingETSIWEB interfaceOTADPMSSHOMEEntityMSSRoamingEntityMSSAcquiringEntityRelyingPartyService ProviderGWWAPgatewayPPGSIMCARegistration processesCARegistration processesETSI 102 – Specification for Mobile Signature Services
38 Operator’s Key RoleEverything starts from SIM-card where key-pairs are in tamper-proof storage and signature hash is generatedOperator owns SIM-cards and have access to themNo third party direct access to SIM-card will be allowed by any operatorIt would be possible for phone manufacturers to include as tamper-proof key storage as SIM-card by having a chip on their phone’s chipset, but for guite obvious business reasons it will most unlikely happen
39 IssuingSIM/UICC card containing Private Keys are normally issued by Mobile OperatorsIdentity is based on Certificates issued by CAs.CA can beOfficial Governmental CAMobile Operator CACorporate CA3rd party CACertificates are not on SIM/UICC, they are on CA’s directory on the network.
41 eBanking, Authentication End user is accessing bank website with his UserIDBank system sends authentication request to Operator’s WPKI service, based on user credentials (phone number)User enters his authentication PINAccess to the bank service is allowed
42 eBanking, Transaction Validation Bank sends validation request through Operator’s WPKI serviceThe signature process is WYSIWYS (what you see is what you sign)Allows 160 character messages All messages can be customised
43 An infrastructure setup : Bank scenario Mobile Phone SubscriberBank NetworkEnd UserNotebookInternet Bank SystemValimo iD Server FinancialApplication Provider in ETSI terminologyMSS XML-messages using SOAP over HTTPPKI-enabled Mobile PhoneValimo Validator - MSSP(Acquiring)MSS XML-messages using SOAP over HTTP(SSL-secured)Mobile Operator DomainMobile NetworkValimo Validator - MSSP(Home)
44 eBanking, Entities & Action Flow Entities involvedBANKAction Flow AuthenticationValimo iD ServerEND USERWeb BankCABank’s own or Trusted Third PartyUser DatabaseCertificate RepositoryOPERATOREnd user browses to Web bank:Web bank requests Valimo iD Server for authenticationiD Server sends signing request to Validator – MSSPValidator passes request to end user’s handset (SIM) via OTAEnd user inserts signing PINSignature hash is send to MSSPMSSP gets users certificate from CA and sends it along with signature hash to iD ServeriD Server validates hash and certificateUser is granted to accessRegistration ServerAction Flow RegistrationValidator - MSSPMessaging Server
45 mobile phone is a trusted device, providing Our Mobile Visionmobile phone is a trusted device, providinganywhere, anytimeaccess to confidential personal and business content, and easily performs secure transactions.THANK YOU!Erkki Saharanta, Valimo Wireless Ltd
Your consent to our cookies if you continue to use this website.