Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006.

Similar presentations


Presentation on theme: "Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006."— Presentation transcript:

1 Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006

2 Valimo Wireless …is a Finnish company specialized in developing software for performing and securing transactions in fixed and mobile networks …main customer segments are telecom operators, large enterprises and service providers in finance, government, health care, betting and media

3 Topics Need Key Drivers for Mobile Signature Services - Bank - Mobile Operator - Government Short Overview of the ETSI MSS Concept How the SIM Card and Mobile Network Operator's Infrastructure Plays a Key Role User experience

4 Urgent need! Industry has a demand to know the user and get his approval for actions. We must be sure that the user is who he claims to be. We must get users approval in a way that user can not claim afterwards that it did not happen. Needs to support mass-market.

5 Key Stakeholders Bank Internet Bank & ePayment Services Customer base Mobile Operator Network Infrastucture Subscribers Government More and more public services moving to Web. Strong authentication a must! Consumer User of the value added services

6 Valimo Need & Key Drivers Banks

7 VISA & Mastercard fraud figures 40 million credit cards hacked in 2005 Breach at 3rd party payment processor affects 22 million VISA cards and 14 million MasterCards 70% of the losses caused by use of counterfeit cards e-Commerce is the next target Source: Jani Kallio, Security Manager, Luottokunta Eurocard Oy, Finland

8 Online fraud figures in UK 2004 frauds £5 million 2005 £30 million 2006 EMV launched, POS card frauds going rapidly down, Online services on target Latest news (BBC1 Nov. 7th): Online frauds already doubled comparing to 2005 What it will be at the end of 2006? Source: FSA & BBC, UK

9 Source: Forrester UK Internet User Monitor, Q Base: British Net users What could your bank do to boost your confidence in online banking security? Net users want banks to do something

10 Online Banking Security Concerns

11 Key Drivers, Banks The mobile phone is a trusted device that provides anywhere, anytime access to confidential, personal and business content and guarantees integrity and non-repudiation of electronic transactions

12 Key Drivers, Banks Authentication through different channel than the service Makes phishing and Man-in-the-Middle impossible

13 Key Drivers, Banks Legally binding transactions and agreements by mobile phone. (non-repudiation)

14 A = 1234 D=8273 B = 2345 E=3554 C = 5635 F=6455 OTP via SMSMobile SignatureHardware tokenPIN/TAN list Device required GSM phone people has it already GSM phone + PKI SIM people has it and operator manage SIM Separate token Bank has to manage Separate list / mailing Bank has to manage Multi application and multi-service channel usage YES - difficult in mobile channel and mobile applications YES – all channels all applications Only for one bank or application limitation with usability of channels Only for one bank or application, usability low – all channels User experience Requires retyping of a different password every time Requires entering the same Authentication #PIN every time Requires retyping of a different number every time Carry around requirementMobile Phone The token (single purpose) The password-list (single purpose) Customer Service Support No Extra Cost All in operators responsibility No Extra Cost All in operators responsibility The issuing banks responsibility Limiting features Function requires a mobile phone subscription and network availability Function requires a mobile phone subscription With PKI SIM and network availability Battery expiry Synchronize pins Distribution / support issues Can be copied, list need to be renewed. Phishing & man-in-middle – with users (?) of confidence Distribution costsNo CostsExisting SIM logistics Expensive (single purpose) Continuous Mailing Costs (single purpose) Security Method Analyze

15 Authentication Methods Costs (annum) AUTHENTICATIO N METHOD PIN/ TAN OTP/ OTC MSSHW Token SW Token Smart Card COST PER YEAR PER USER USABILITY LOWMEDIUMHIGHLOWMEDIUMLOW Source: Entrust and MSS business model security cost analyze, users, 3 year period

16 Benefits for Bank Increased security level Two factor security Reduced cost No dedicated hardware tokens, scratch-cards or lists Lower administration and maintenance costs with one solution Promote more self service, lower transaction costs Potential for increased revenue Value-added services Authorization for 3. parties Increased consumer convenience Leverages mobile device Simple user interaction Cross channel Same authentication solution for all access points (services) Internet, mobile, digital tv, phone Cross transaction Same solution for all types of transactions Login, payment, workflow approval, digital signing Security for all parties Customer identification Bank identification Confidentiality Non-repudiation of transaction

17 Summary of eBanking eBanking is usually the most attempting application at starting point with Wireless PKI: Banks have huge need for fraud prevention Security level should be as high as possible Security methods should be cost effective Constant support work should be at minimum level Easy to adopt and to use for customers All above is pointing towards to WPKI

18 Valimo Need & Key Drivers Mobile Operators

19 Need! After recent years heavy investments to 3G licenses/network development and heavy price competition, operators are in deep need of new revenue streams New innovative value added services are the only way to generate such streams Services must support mass-market most widely, meaning corporate, governmental and financial market applications At the same time, number transferability has become a big influencer around Western Countries, causing rising churn rate

20 Key Drivers, Mobile Operators Mobile operator needs to offer many new high security services Business and consumer customers

21 Key Drivers, Mobile Operators SIM-card with digital keys linked to a mobile signature service may reduce frequent changes of a mobile operator

22 Mobile PKI Public Key Infrastructure is a ideal technical solution for this need. Everyone has Mobile Phone – implementing PKI on SIM/UICC card is the ideal solution. PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI. Mobile PKI is just an enabler to services.

23 Valimo Need & Key Drivers Government

24 Key Drivers, Government All possible Governmental & Municipal services will be on Web Any service containing sensitive information (financial, health, etc.) must have strong authentication in place National level eID is/will be based on PKI solution

25 Key Drivers, Government eIDM Roadmap for EU eIDM 2006 Manchester Declaration, setting objectives for a EU eIDM interoperability and mutual recognition of national eIDM 2007 Common spesifications for interoperable EIDM and call for large scale pilots 2008 Large scale pilots of eIDM in cross-border services 2009 eSignatures in eGovernment, undertake review of take-up in public services 2010 Review the uptake by the Member States, interoperable eIDM at work Countries in piloting phase: Austria/Belgium (leading countries), UK, Germany, Italy, Poland, Netherlands, Portugal, Malta, Estonia + possibly others

26 Valimo Mobile PKI ETSI MSS (Mobile Signature Service)

27 Mobile PKI Public Key Infrastructure is a ideal technical solution for this need. Everyone has Mobile Phone – implementing PKI on SIM/UICC card is the ideal solution. PKI on Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI. Mobile PKI is just an enabler to services.

28 Mobile PKI In year 2000 Valimo started to develop Mobile Signing solution By that time, no standards for interfaces were existing, solutions were only proprietary First commercial deliveries ETSI published MSS Standards ETSI ETSI ETSI ETSI Now all running systems are upgraded to ETSI Standards based solution

29 Mobile PKI / MSS

30 Simplicity in Authentication All You need for secure authentication is one SIM- card. Insert your Authentication PIN code: ****

31 Legally Binding Legally binding agreements by mobile phone. The non-repudiation Official Identity (issued by Government with Mobile Operators) Or Corporate Identity (issued by Corporate with Mobile Operator) Insert your Signature PIN code: ******

32 Hiding Mobile PKI Complexity Simultaneous support for multiple Certificate Authorities No technology or policy constraints

33 ETSI MSS ETSI MSSP (Mobile Signature Service Provider) is based on four entities: - Home Entity (has connection to individual clients) - Acquiring Entity (acquires signatures) - Routing Entity (handles roaming in multiple operator environments) - Verification Entity may be as part of first two. All above may be combined together or alternatively be separate entities (like for example a bank having Acquiring Entity which connects to operators Home Entity) ETSI Standards include interfaces between entities and for integrating any application to use mobile signature service

34 Roles in ETSI 102 specification ETSI 102 – Specification for Mobile Signature Services Relying Party Service Provider ETSI WEB interface ETSI Roaming MSS Acquiring Entity Relying Party Service Provider MSS Acquiring Entity MSS Roaming Entity MSS Roaming Entity CA Registration processes CA Registration processes MSS HOME Entity MSS HOME Entity SIM CA Registration processes CA Registration processes GW DP OTA WAP gateway PPG GW OTA DP WAP gateway PPG

35 MSSP Signature Roaming

36 Valimo Mobile Operators Key Role

37 Solution infrastructure

38 Operators Key Role Everything starts from SIM-card where key-pairs are in tamper-proof storage and signature hash is generated Operator owns SIM-cards and have access to them No third party direct access to SIM-card will be allowed by any operator It would be possible for phone manufacturers to include as tamper-proof key storage as SIM-card by having a chip on their phones chipset, but for guite obvious business reasons it will most unlikely happen

39 Issuing SIM/UICC card containing Private Keys are normally issued by Mobile Operators Identity is based on Certificates issued by CAs. CA can be Official Governmental CA Mobile Operator CA Corporate CA 3rd party CA Certificates are not on SIM/UICC, they are on CAs directory on the network.

40 Valimo User experience eBanking

41 eBanking, Authentication 1.End user is accessing bank website with his UserID 2.Bank system sends authentication request to Operators WPKI service, based on user credentials (phone number) 3.User enters his authentication PIN 4.Access to the bank service is allowed

42 eBanking, Transaction Validation 1.Bank sends validation request through Operators WPKI service 2.The signature process is WYSIWYS (what you see is what you sign) Allows 160 character messages All messages can be customised

43 An infrastructure setup : Bank scenario Mobile Network PKI-enabled Mobile Phone Mobile Operator Domain Valimo Validator - MSSP (Acquiring) End UserNotebook Valimo iD Server Financial MSS XML-messages using SOAP over HTTP Bank Network Valimo Validator - MSSP (Home) MSS XML-messages using SOAP over HTTP (SSL-secured) Internet Bank System Application Provider in ETSI terminology Mobile Phone Subscriber

44 eBanking, Entities & Action Flow Entities involved END USER BANK Valimo iD Server Validator - MSSP OPERATOR Web Bank Certificate Repository CA Messaging Server Action Flow Authentication User Database Banks own or Trusted Third Party Registration Server Action Flow Registration

45 Our Mobile Vision mobile phone is a trusted device, providing anywhere, anytime access to confidential personal and business content, and easily performs secure transactions. THANK YOU! Erkki Saharanta, Valimo Wireless Ltd


Download ppt "Mobile Identity Management Mobile Payments Mobile Signatures © Copyright Valimo Wireless Ltd, 2006."

Similar presentations


Ads by Google