Mobile Identity Management Mobile Payments Mobile Identity Management Mobile Signatures © Copyright Valimo Wireless Ltd, 2006
Valimo Wireless …is a Finnish company specialized in developing software for performing and securing transactions in fixed and mobile networks …main customer segments are telecom operators, large enterprises and service providers in finance, government, health care, betting and media
Topics Need Key Drivers for Mobile Signature Services - Bank - Mobile Operator - Government Short Overview of the ETSI — MSS Concept How the SIM Card and Mobile Network Operator's Infrastructure Plays a Key Role User experience
Urgent need! Industry has a demand to know the user and get his approval for actions. We must be sure that the user is who he claims to be. We must get user’s approval in a way that user can not claim afterwards that it did not happen. Needs to support mass-market.
Key Stakeholders Bank Mobile Operator Government Consumer Internet Bank & ePayment Services Customer base Mobile Operator Network Infrastructure Subscribers Government More and more public services moving to Web. Strong authentication a must! Consumer User of the value added services
Valimo Need & Key Drivers Banks
VISA & Mastercard fraud figures 40 million credit cards hacked in 2005 Breach at 3rd party payment processor affects 22 million VISA cards and 14 million MasterCards 70% of the losses caused by use of counterfeit cards e-Commerce is the next target Source: Jani Kallio, Security Manager, Luottokunta Eurocard Oy, Finland
Online fraud figures in UK 2004 frauds £5 million 2005 £30 million 2006 EMV launched, POS card frauds going rapidly down, Online services on target Latest news (BBC1 Nov. 7th): Online frauds already doubled compared to 2005 What will it be at the end of 2006? Source: FSA & BBC, UK
Net users want banks to do something “What could your bank do to boost your confidence in online banking security?” Source: Forrester UK Internet User Monitor, Q2 2005 Base: British Net users
Online Banking Security Concerns
Key Drivers, Banks The mobile phone is a trusted device that provides anywhere, anytime access to confidential, personal and business content and guarantees integrity and non-repudiation of electronic transactions
Key Drivers, Banks Authentication through different channel than the service Makes phishing and Man-in-the-Middle impossible
Key Drivers, Banks Legally binding transactions and agreements by mobile phone. (non-repudiation)
Security Method Analysis (slide graphic: A = 1234 D=8273 B = 2345 E=3554 C = 5635 F=6455)
Methods compared: OTP via SMS; Mobile Signature; Hardware token; PIN/TAN list
Device required: GSM phone, people have it already; GSM phone + PKI SIM, people have it and operator manages SIM; Separate token, bank has to manage; Separate list / mailing
Multi application and multi-service channel usage: YES - difficult in mobile channel and mobile applications; YES – all channels all applications; Only for one bank or application, limitation with usability of channels; Only for one bank or application, usability low – all channels
User experience: Requires retyping of a different password every time; Requires entering the same Authentication #PIN every time; Requires retyping of a different number every time
Carry around requirement: Mobile Phone; The token (single purpose); The password-list (single purpose)
Customer Service Support: No Extra Cost; All in operator’s responsibility; The issuing bank’s responsibility
Limiting features: Function requires a mobile phone subscription and network availability; Function requires a mobile phone subscription with PKI SIM and network availability; Battery expiry, Synchronize pins, Distribution / support issues; Can be copied, list needs to be renewed. Phishing & man-in-middle – with users (?) of confidence
Distribution costs: No Costs; Existing SIM logistics; Expensive; Continuous Mailing Costs (single purpose)
Authentication Methods Costs (annum) PIN/TAN OTP/OTC MSS HW Token SW Token Smart Card COST PER YEAR PER USER € 13 € 15 € 12 € 35 € 50 € 100 € USABILITY LOW MEDIUM HIGH Source: Entrust and MSS business model security cost analysis, 10 000 users, 3 year period
Benefits for Bank Increased security level Reduced cost Two factor security Reduced cost No dedicated hardware tokens, scratch-cards or lists Lower administration and maintenance costs with one solution Promote more self service, lower transaction costs Potential for increased revenue Value-added services Authorization for 3rd parties Increased consumer convenience Leverages mobile device Simple user interaction Cross channel Same authentication solution for all access points (services) Internet, mobile, digital tv, phone Cross transaction Same solution for all types of transactions Login, payment, workflow approval, digital signing Security for all parties Customer identification Bank identification Confidentiality Non-repudiation of transaction
Summary of eBanking. eBanking is usually the most tempting application as a starting point with Wireless PKI: Banks have a huge need for fraud prevention; Security level should be as high as possible; Security methods should be cost effective; Constant support work should be at a minimum level; Easy to adopt and to use for customers. Authentication: Logging in to a web bank, web shop, …; Logging in to a company intranet, e-mail, …; Identifying the other party: phone call, web, … Payment: Confirming a payment in a web bank, web shop, etc.; Confirming an order (payment) in a web shop, on the phone, etc. Document signing: Electronic signature. The foundation of everything. All of the above points towards WPKI.
Valimo Need & Key Drivers Mobile Operators
Need! After the heavy investments of recent years in 3G licenses/network development and heavy price competition, operators are in deep need of new revenue streams. New innovative value added services are the only way to generate such streams. Services must support the mass market as widely as possible, meaning corporate, governmental and financial market applications. At the same time, number transferability has become a big influencer around Western Countries, causing a rising churn rate.
Key Drivers, Mobile Operators Mobile operator needs to offer many new high security services Business and consumer customers
Key Drivers, Mobile Operators SIM-card with digital keys linked to a mobile signature service may reduce frequent changes of a mobile operator
Mobile PKI. Public Key Infrastructure is an ideal technical solution for this need. Everyone has a mobile phone – implementing PKI on the SIM/UICC card is the ideal solution. PKI on a Mobile Terminal is called Wireless PKI or WPKI and sometimes Mobile PKI. Mobile PKI is just an enabler to services.
Valimo Need & Key Drivers Government
Key Drivers, Government All possible Governmental & Municipal services will be on Web Any service containing sensitive information (financial, health, etc.) must have strong authentication in place National level eID is/will be based on PKI solution
Key Drivers, Government eIDM Roadmap for EU eIDM 2006 Manchester Declaration, setting objectives for a EU eIDM interoperability and mutual recognition of national eIDM 2007 Common specifications for interoperable eIDM and call for large scale pilots 2008 Large scale pilots of eIDM in cross-border services 2009 eSignatures in eGovernment, undertake review of take-up in public services 2010 Review the uptake by the Member States, interoperable eIDM at work Countries in piloting phase: Austria/Belgium (leading countries), UK, Germany, Italy, Poland, Netherlands, Portugal, Malta, Estonia + possibly others
ETSI MSS (Mobile Signature Service) Valimo Mobile PKI ETSI MSS (Mobile Signature Service)
Mobile PKI. In 2000 Valimo started to develop a Mobile Signing solution. At that time no interface standards existed; solutions were proprietary only. First commercial deliveries: 2002. 2002: ETSI published the MSS Standards (ETSI 102 206, ETSI 102 207, ETSI 102 204, ETSI 102 203). All running systems have now been upgraded to the ETSI Standards based solution.
Mobile PKI / MSS
Simplicity in Authentication All You need for secure authentication is one SIM-card. Insert your Authentication PIN code: ****
Legally Binding Legally binding agreements by mobile phone. The non-repudiation Official Identity (issued by Government with Mobile Operators) Or Corporate Identity (issued by Corporate with Mobile Operator) Insert your Signature PIN code: ******
Hiding Mobile PKI Complexity Simultaneous support for multiple Certificate Authorities No technology or policy constraints
ETSI MSS
ETSI MSSP (Mobile Signature Service Provider) is based on four entities:
- Home Entity (has connection to individual clients)
- Acquiring Entity (acquires signatures)
- Routing Entity (handles roaming in multiple operator environments)
- Verification Entity (may be part of the first two)
All of the above may be combined together or alternatively be separate entities (for example, a bank having an Acquiring Entity which connects to the operator’s Home Entity). The ETSI Standards include interfaces between the entities and for integrating any application to use the mobile signature service.
Roles in ETSI 102 specification [Diagram: SIM, CA, Registration processes, DP, OTA, MSS Home Entity, MSS Roaming Entity, MSS Acquiring Entity, Relying Party, Service Provider, GW, WAP gateway, PPG; interfaces labelled ETSI 102 207 (Roaming) and ETSI 102 204 (Web interface)] ETSI 102 – Specification for Mobile Signature Services
MSSP Signature Roaming
Valimo Mobile Operator’s Key Role
Solution infrastructure
Operator’s Key Role. Everything starts from the SIM-card, where key-pairs are in tamper-proof storage and the signature hash is generated. The operator owns the SIM-cards and has access to them. No third party direct access to the SIM-card will be allowed by any operator. It would be possible for phone manufacturers to include key storage as tamper-proof as the SIM-card by having a chip on their phone’s chipset, but for quite obvious business reasons it will most unlikely happen.
Issuing. SIM/UICC cards containing Private Keys are normally issued by Mobile Operators. Identity is based on Certificates issued by CAs. The CA can be: Official Governmental CA, Mobile Operator CA, Corporate CA, 3rd party CA. Certificates are not on the SIM/UICC; they are in the CA’s directory on the network.
Valimo User experience eBanking
eBanking, Authentication End user is accessing bank website with his UserID Bank system sends authentication request to Operator’s WPKI service, based on user credentials (phone number) User enters his authentication PIN Access to the bank service is allowed
eBanking, Transaction Validation Bank sends validation request through Operator’s WPKI service The signature process is WYSIWYS (what you see is what you sign) Allows 160 character messages All messages can be customised
An infrastructure setup: Bank scenario [Diagram labels: Mobile Phone Subscriber; Bank Network; End User Notebook; Internet; Bank System; Valimo iD Server; Financial Application Provider in ETSI terminology; MSS XML-messages using SOAP over HTTP; PKI-enabled Mobile Phone; Valimo Validator - MSSP (Acquiring); MSS XML-messages using SOAP over HTTP (SSL-secured); Mobile Operator Domain; Mobile Network; Valimo Validator - MSSP (Home)]
eBanking, Entities & Action Flow
Entities involved: BANK; Valimo iD Server; END USER; Web Bank; CA (Bank’s own or Trusted Third Party); User Database; Certificate Repository; OPERATOR; Registration Server; Validator - MSSP; Messaging Server
Action flows shown: Authentication; Registration
Action Flow Authentication:
- End user browses to Web bank
- Web bank requests authentication from Valimo iD Server
- iD Server sends signing request to Validator – MSSP
- Validator passes request to end user’s handset (SIM) via OTA
- End user inserts signing PIN
- Signature hash is sent to MSSP
- MSSP gets user’s certificate from CA and sends it along with signature hash to iD Server
- iD Server validates hash and certificate
- User is granted access
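The bank-side checks that surround the last steps of this flow, as an added Python example that is not part of the original slides or of Valimo's software: it ties each response to one pending request, enforces the 160-character limit and the WYSIWYS rule from the transaction validation slide, and only then calls the signature check. All class, method and parameter names are hypothetical, the 120-second lifetime is an assumption, and verify_signature is an assumed hook to be backed by a PKI library.

```python
import secrets
import time
from dataclasses import dataclass

MAX_CHARS = 160  # display/sign limit stated on the transaction validation slide


@dataclass
class Pending:
    msisdn: str
    text: str
    deadline: float


class RelyingParty:
    """Bank-side bookkeeping for mobile signature requests (hypothetical names)."""

    def __init__(self, verify_signature, ttl_seconds=120, clock=time.time):
        # verify_signature(certificate, signature, signed_bytes) -> bool is an
        # assumed hook: a real one checks the signature against the certificate
        # fetched from the CA, plus the certificate's chain and revocation status.
        self._verify = verify_signature
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}

    def create_request(self, msisdn, text):
        """Register the exact text the user will be shown; return a transaction id."""
        if len(text) > MAX_CHARS:
            raise ValueError("text longer than 160 characters cannot be shown in full")
        trans_id = secrets.token_hex(16)  # unguessable and single-use
        self._pending[trans_id] = Pending(msisdn, text, self._clock() + self._ttl)
        return trans_id

    def accept_response(self, trans_id, msisdn, signed_text, signature, certificate):
        """Return (ok, reason); the pending entry is consumed on every attempt."""
        req = self._pending.pop(trans_id, None)
        if req is None:
            return False, "unknown or replayed transaction"
        if self._clock() > req.deadline:
            return False, "expired"
        if msisdn != req.msisdn:
            return False, "response is for a different subscriber"
        if signed_text != req.text:  # WYSIWYS: signed text must equal requested text
            return False, "signed text differs from requested text"
        if not self._verify(certificate, signature, signed_text.encode("utf-8")):
            return False, "signature or certificate invalid"
        return True, "ok"
```

Consuming the pending entry before any other check means a captured response cannot be replayed, even if it carried a valid signature.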
Our Mobile Vision: the mobile phone is a trusted device, providing anywhere, anytime access to confidential personal and business content, and easily performs secure transactions. THANK YOU! Erkki Saharanta, Valimo Wireless Ltd +358 44 344 5564 erkki.saharanta@valimo.com www.valimo.com