Mobile Financial Services


Page 1: Mobile Financial Services

Mobile Financial Services

Evgeny Bondarenko

Deputy General Director

Intervale, Russia

Vice-Chairman ITU-D SG2

Vice-Rapporteur Q17-3/2

E-mail: [email protected]

Moldova ICT summit 18-19 May, 2011

March 2011

Page 2: Mobile Financial Services


Prerequisites and factors

Page 3: Mobile Financial Services


Payment and mobile services market volume

According to Edgar Dunn & Company, 2007-2008, and ITU-D surveys

Payment card users worldwide: 1.6 billion (2008)

Mobile services users worldwide: 1.3 billion (2003), 2.4 billion (2006), 3.1 billion (2008), 5.3 billion (2010)

Page 4: Mobile Financial Services


Is there a life without a mobile phone?

• 60%*1 take the mobile phone to bed

• 72%*2 use the mobile phone as an alarm clock

• 73%*2 use the mobile phone instead of a watch

• 33%*2 fear losing the mobile phone more than losing the wallet

*1 BBDO survey, 3,000 users worldwide

*2 5,500 Nokia users

Page 5: Mobile Financial Services


Summary

• The penetration rate of mobile services and NGN networks is very high

• The only worldwide-spread mass-retail non-cash means of payment is the bank card, mainly branded by international payment systems

• Limited penetration rate of existing payment systems, due to the need for substantial investment in payment infrastructure (bank branches, kiosks, POS terminals, etc.)

• Low security level due to technological imperfection of the business schemes: lots of low-volume fraud, the losses of which shift to the market participants

Page 6: Mobile Financial Services


The Mobile Phone for Clients

(Diagram: services grouped around the client's mobile phone) Bank; Information services; Subscription; Account management; Mobile marketing; NFC; MVNO; Money transfer; Authentication; Asset Management

Page 7: Mobile Financial Services


Mobile information and financial services

Page 8: Mobile Financial Services


Mobile information and financial services

M-commerce + Mobile banking = Mobile information and financial services

Page 9: Mobile Financial Services


Mobile Banking Services

Most convenient

Most available

Most secure

If powered by Mobile Operator capabilities

Page 10: Mobile Financial Services


Mobile Banking

Mobile banking provides an innovative and secure way of remote access to traditional banking services:

• Personalized information

• Various notifications

• Subscription and service requests

• Channel for personalized or special offers

• Banking services

• Account management

• Transaction policies definition

• Remittances

• Currency conversion

• Transaction requests

• Payments

• Bill payments

• Top-ups

Page 11: Mobile Financial Services


M-commerce

M-commerce = NFC + Mobile payments

Page 12: Mobile Financial Services


Operator-oriented model

(Diagram) Participants: Users; Mobile Operator acting as Mobile Service Provider (MSP); Merchants; Issuer Banks; Acquirer Banks; Payment System

Page 13: Mobile Financial Services


Bank-oriented model

(Diagram) Participants: Users; Banks; MSP; Payment Gate (MSP); Acquirer Bank; Merchants; Payment System

Page 14: Mobile Financial Services


Example of the Mobile Client Application

Page 15: Mobile Financial Services

Security

Page 16: Mobile Financial Services

Security

The system of user identification and authentication provides the security of Mobile Payment System transactions. This solution, consisting of software and hardware modules and based on communication security principles, combines the secure technologies of wireless communication and of international payment systems.

Page 17: Mobile Financial Services

Geneva, 30 March 2011

Security

• Confidentiality (encrypted messages between Agency and Client)

• Integrity of data

• Non-repudiation: impossibility of denying a transaction, and attribution of its authorship

• Multifactor authentication (establishment of authority):

– Knows something

– Owns something

Page 18: Mobile Financial Services

ITU-T X.805 Recommendation. Eight Security Dimensions

• Access Control: limit and control access to network elements, services and applications. Examples: password, ACL, firewall

• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate

• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures

• Data Confidentiality: ensure confidentiality of data. Example: encryption

• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP

• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software

• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR

• Privacy: ensure identification and network use are kept private. Examples: NAT, encryption

ITU-T X.805 Security Architecture for Systems Providing End-to-End Communications

Page 19: Mobile Financial Services

ITU-T X.805 Recommendation. Secured Platform: Three Security Layers

• Each Security Layer has unique vulnerabilities and threats

• Infrastructure security enables services security, which in turn enables applications security

• Vulnerabilities can exist in each Layer (Infrastructure Security, Services Security, Applications Security)

• Threats, vulnerabilities and attacks: Destruction, Disclosure, Corruption, Removal, Interruption

1 - Infrastructure Security Layer:

• Fundamental building blocks of network services and applications

• Examples:

– Individual routers, switches, servers

– Point-to-point WAN links

– Ethernet links

2 - Services Security Layer:

• Services provided to end-users

• Examples:

– Basic IP transport

– IP support services (e.g., AAA, DNS, DHCP)

– Value-added services (e.g. VPN, VoIP, QoS)

3 - Applications Security Layer:

• Network-based applications accessed by end-users

• Examples:

– Basic applications (e.g. FTP, web access)

– Fundamental applications (e.g. email)

– High-end applications (e.g. e-commerce, e-government, e-learning, e-health, etc.)

ITU-T X.805 Security Architecture for Systems Providing End-to-End Communications

Page 20: Mobile Financial Services

ITU-T Y.2740 Recommendation. Four Security Levels of Mobile Payment System

Requirements per security dimension, by security level (Level 1 to Level 4):

Access Control (all levels): The access to every system component shall be granted only as provided by the System personnel or end-user access level.

Authentication:

– Level 1: The authentication in the System is ensured by the NGN data transfer environment.

– Level 2: Single-factor authentication at the System services usage.

– Level 3: Multi-factor authentication at the System services usage.

– Level 4: In-person connection to services where personal data with obligatory identification is used. Multi-factor authentication at the System services usage. Obligatory usage of a Hardware Cryptographic Module.

Non-repudiation (all levels): The impossibility of a transaction initiator or participant denying his or her actions upon their completion is ensured by legally stated means, or means reserved in mutual contracts, and by accepted authentication mechanisms. All system personnel and end-user actions shall be logged. Event logs shall be change-proof and hold all actions of all users.

Data confidentiality and Data integrity:

– Levels 1 and 2: At data transfer, confidentiality is ensured by the data transfer environment (communications security); at data storage and processing, by the mechanism of data storage together with the means of system access control.

– Level 3: At message transfer, data confidentiality is ensured by additional message encryption together with data transfer protocols that ensure the security of the data being transferred by the interoperation participants (including data integrity verification); at data storage and processing, confidentiality, integrity and privacy are ensured by additional mechanisms of encryption and masking together with a well-defined distribution of access in concordance with privileges and permissions.

– Level 4: The implementation of the Level 3 requirements with the obligatory usage of hardware cryptographic and data security facilities on the Client's side (Hardware Cryptographic Module).

Privacy (all levels): Privacy is ensured by the absence of sensitive data in the messages being transferred, as well as by the implementation of the required mechanisms of data storage and the System access control facilities. The System components must not have latent possibilities of unauthorized data acquisition and transfer.

Communication security (all levels): The delivery of a message to the addressee is ensured, as well as security against unauthorized disclosure at the time of transfer over the communications channels. It is ensured by the NGN communications providers.

Availability (all levels): It ensures that there is no denial of authorized access to the System data and services. Availability is assured by the NGN communications providers as well as the service providers.


ITU-T Y.2740 Security requirements for mobile remote financial transactions
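As an added example (not code from the presentation or from Intervale), the following Python scores a hypothetical mobile-payment channel against the four Y.2740 levels summarised above, reporting the level reached per dimension, the overall level (the minimum across dimensions) and the dimensions that keep it below a target; the level number assigned to each requirement, the ChannelProfile fields and the three sample channels are this example's own assumptions.

```python
from dataclasses import dataclass

# Added example (not from the presentation): which requirement maps to which
# Y.2740 level number is this example's own reading of the slide's table.

@dataclass(frozen=True)
class ChannelProfile:
    auth_factors: int            # 1 = "knows something", 2 = also "owns something"
    in_person_enrolment: bool    # identity verified in person before the service is used
    hw_crypto_module: bool       # hardware cryptographic module on the client side
    message_encryption: bool     # extra message encryption on top of the NGN bearer
    integrity_check: bool        # transfer protocol verifies data integrity (MAC/signature)
    tamper_evident_logs: bool    # change-proof event logs covering all users

def authentication_level(p: ChannelProfile) -> int:
    if p.auth_factors >= 2 and p.in_person_enrolment and p.hw_crypto_module:
        return 4
    if p.auth_factors >= 2:
        return 3
    return 2 if p.auth_factors == 1 else 1   # Level 1: bearer network only

def confidentiality_level(p: ChannelProfile) -> int:
    # Levels 1-2 rely on the bearer; Level 3 adds message encryption with
    # integrity verification; Level 4 is Level 3 plus a client-side HW module.
    if p.message_encryption and p.integrity_check:
        return 4 if p.hw_crypto_module else 3
    return 2

def non_repudiation_level(p: ChannelProfile) -> int:
    # Change-proof logging of every action is mandatory at all four levels,
    # so a channel without it reaches no level at all (reported as 0).
    return 4 if p.tamper_evident_logs else 0

def assess(p: ChannelProfile) -> dict:
    per_dim = {
        "authentication": authentication_level(p),
        "data confidentiality/integrity": confidentiality_level(p),
        "non-repudiation": non_repudiation_level(p),
    }
    return {"overall": min(per_dim.values()), "dimensions": per_dim}

def gaps(p: ChannelProfile, target: int) -> list:
    """Dimensions that keep the channel below the target level (sorted)."""
    return sorted(d for d, lvl in assess(p)["dimensions"].items() if lvl < target)

# Constructed sample channels, illustrative only (not any real deployment).
SMS_PASSWORD = ChannelProfile(1, False, False, False, False, True)
JAVA_APPLET = ChannelProfile(2, False, False, True, True, True)
STK_APPLET = ChannelProfile(2, True, True, True, True, True)
```

Calling `assess(JAVA_APPLET)` gives overall Level 3, and `gaps(JAVA_APPLET, 4)` names authentication and confidentiality as the dimensions that would need a hardware cryptographic module (and in-person enrolment) to reach Level 4.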

Page 21: Mobile Financial Services


ITU-T Y.2741 Recommendation. Architecture of MPS

(Diagram) Participants: Client; Mobile operator (security provider, client authentication, service provider (MSP)); Merchant; Issuer; Acquirer. Interfaces: iMAP, aMAP

ITU-T Y.2741 Architecture of secure mobile financial transactions

Page 22: Mobile Financial Services


Projects

Page 23: Mobile Financial Services


Main successfully implemented projects

Mobile banking and M-commerce, bank-oriented models

• Gazprombank (Java, Windows Mobile and iPhone applet, SMS)

• Halyk-bank (STK applet, Java, Windows Mobile and iPhone applet, SMS)

• Raiffeisen Bank Russia (Java and Windows Mobile applet, SMS)

• Rosbank (Java, Windows Mobile and iPhone applet, SMS)

• Sberbank (Java and Windows Mobile applet, SMS)

Operator-oriented models

• MTS (STK applet, Java, Windows Mobile and iPhone applet, SMS, bank account)

• Megafon (WAP, operator account)

Page 24: Mobile Financial Services


Summary

Page 25: Mobile Financial Services


• Currently, the penetration rate of mobile services and the development of NGN networks allow new types of services to be organized, not only those directly associated with the main purpose of the networks.

• NGN networks may become a new infrastructure for the convenient and safe conduct of financial transactions.

• Information and financial services based on NGN networks include not only mobile banking and mobile commerce services; in addition, they may become an "infrastructure" basis for providing public services to individual customers.

Page 26: Mobile Financial Services


About the company

Page 27: Mobile Financial Services

About Intervale

Intervale Ltd. – Mobile services solutions developer and mobile financial transaction provider. Head Office – Moscow, Russia

Intervale Kazakhstan Ltd. – Representative office and Mobile Service Provider, Kazakhstan

Intervale Europe Ltd. – Representative office, Czech Republic

Intervale Ukraine Ltd. – Representative office, Ukraine

Year of foundation – 1999

Customers – banks, processing companies, mobile operators in Russia, CIS and Europe

Subsidiaries

SmartCardLink – Mobile Service Provider, Moscow, Russia

Mobile Payments Ltd. – Mobile Service Provider and mobile financial transaction provider, Belarus

Page 28: Mobile Financial Services


The Intervale solution

The solution is taken as the basis for the standards being developed within ITU (the leading United Nations agency for information and communication technology issues) in collaboration with ISO and UPU.

Page 29: Mobile Financial Services


127083, Moscow, ul. 8 Marta, 10-Б 3

Tel./Fax: +7 (495) 789-8202, +7 (495) 967-6975

E-mail: [email protected]

Thank you!