Mobile Financial Services
Evgeny Bondarenko
Deputy General director
Intervale, Russia
Vice–Chairman ITU-D SG2
Vice-Rapporteur Q17-3/2
E-mail: [email protected]
Moldova ICT summit 18-19 May, 2011
March 2011
Prerequisites and factors
Payment and mobile services market volume
Source: Edgar Dunn & Company, 2007-2008, and ITU-D surveys
(Chart: two series, "Payment card users worldwide" and "Mobile services users worldwide". Data points shown: 1.6 billion (2008); 5.3 billion (2010); 3.1 billion (2008); 2.4 billion (2006); 1.3 billion (2003).)
Is there a life without the mobile phone?
• 60%*1 take the mobile phone to bed
• 72%*2 use the mobile phone as an alarm clock
• 73%*2 use the mobile phone instead of a watch
• 33%*2 fear losing the mobile phone more than losing the wallet
*1 BBDO survey, 3,000 users worldwide
*2 5,500 Nokia users
Summary
• The penetration rate of mobile services and NGN networks is very high.
• The only mass-market, non-cash means of retail payment spread worldwide is the bank card, mainly branded by the international payment systems.
• The penetration of existing payment systems is limited by the need for substantial investment in payment infrastructure (bank branches, kiosks, POS terminals, etc.).
• The security level is low because of technological imperfections in the business schemes: there is a lot of low-volume fraud, and its losses are shifted onto the market participants.
The Mobile Phone for Clients
(Diagram: the client's mobile phone connects the Bank with the following services: Information services, Subscription, Account management, Mobile marketing, NFC, MVNO, Money transfer, Authentication, Asset Management.)
Mobile information and financial services
Mobile information and financial services = M-commerce + Mobile banking
Mobile Banking Services
• Most convenient
• Most available
• Most secure
... if powered by Mobile Operator capabilities
Mobile Banking
Mobile banking provides an innovative and secure way of remote access to traditional banking services:
• Personalized information
– Various notifications
– Subscription and service requests
– Channel for personalized or special offers
• Banking services
– Account management
– Transaction policy definition
– Remittances
– Currency conversion
– Transaction requests
• Payments
– Bill payments
– Top-ups
M-commerce
M-commerce = NFC + Mobile payments
Operator-oriented model
(Diagram: Users reach the Merchants through the Mobile Operator and the Mobile Service Provider (MSP); the Issuer Banks and Acquirer Banks settle through the Payment System.)
Bank-oriented model
(Diagram: Users reach the Banks through the MSP and a Payment Gate; the Merchants are served by the Acquirer Bank through the Payment System.)
Example of the Mobile Client Application
Security
The system of user identification and authentication provides the security of Mobile Payment System transactions. The solution consists of software and hardware modules, is based on communication security principles, and combines the secure technologies of wireless communication and of the international payment systems.
Geneva, 30 March 2011
Security
• Confidentiality (encrypted messages between the agency and the client)
• Integrity of data
• Non-repudiation: a transaction cannot be disowned, and its authorship can be attributed
• Multi-factor authentication (establishment of authority): something the user knows and something the user owns
ITU-T X.805 Recommendation. Eight Security Dimensions
ITU-T X.805 Security Architecture for Systems Providing End-to-End Communications
• Access Control: limit and control access to network elements, services and applications. Examples: password, ACL, firewall
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: ensure confidentiality of data. Example: encryption
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: ensure identification and network use are kept private. Examples: NAT, encryption
ITU-T X.805 Recommendation. Secured Platform: Three Security Layers
• Each Security Layer has unique vulnerabilities and threats
• Infrastructure security enables services security, which in turn enables applications security
• Vulnerabilities can exist in each layer; the threats considered are destruction, disclosure, corruption, removal and interruption
1 - Infrastructure Security Layer:
• Fundamental building blocks of network services and applications
• Examples:
– Individual routers, switches, servers
– Point-to-point WAN links
– Ethernet links
2 - Services Security Layer:
• Services provided to end-users
• Examples:
– Basic IP transport
– IP support services (e.g., AAA, DNS, DHCP)
– Value-added services (e.g., VPN, VoIP, QoS)
3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
– Basic applications (e.g., FTP, web access)
– Fundamental applications (e.g., email)
– High-end applications (e.g., e-commerce, e-government, e-learning, e-health, etc.)
ITU-T Y.2740 Recommendation. Four Security Levels of Mobile Payment System
Requirements per security dimension, by security level (Level 1 to Level 4):

Access Control (all levels): The access to every system component shall be granted only as provided by the System personnel or end-user access level.

Authentication:
– Level 1: The authentication in the System is ensured by the NGN data transfer environment.
– Level 2: Single-factor authentication at the System services usage.
– Level 3: Multi-factor authentication at the System services usage.
– Level 4: In-person connection to services where personal data with obligatory identification is used. Multi-factor authentication at the System services usage. Obligatory usage of a Hardware Cryptographic Module.

Non-repudiation (all levels): The impossibility of a transaction initiator or participant to deny his or her actions upon their completion is ensured by legally stated or contractually reserved means and by the accepted authentication mechanisms. All system personnel and end-user actions shall be logged. Event logs shall be change-proof and hold all actions of all users.

Data confidentiality and Data integrity:
– Levels 1 and 2: At data transfer, their confidentiality is ensured by the data transfer environment (communications security); at data storage and processing, by the mechanism of data storage together with the means of system access control.
– Level 3: At message transfer, data confidentiality is ensured by additional message encryption together with data transfer protocols that ensure the security of the data being transferred by the interoperation participants (including data integrity verification); at data storage and processing, confidentiality, integrity and privacy are ensured by additional mechanisms of encryption and masking together with a well-defined distribution of access in concordance with privileges and permissions.
– Level 4: The implementation of the Level 3 requirements with the obligatory usage of hardware cryptographic and data security facilities on the Client's side (Hardware Cryptographic Module).

Privacy (all levels): Privacy is ensured by the absence of sensitive data in the messages being transferred as well as by the implementation of the required mechanisms of data storage and the System access control facilities. The System components must not have latent possibilities of unauthorized data acquisition and transfer.

Communication security (all levels): The delivery of a message to the addressee is ensured, as well as security against unauthorized disclosure at the time of transfer over the communications channels. It is ensured by the NGN communications providers.

Availability (all levels): It ensures that there is no denial of authorized access to the System data and services. Availability is assured by the NGN communications providers as well as the service providers.
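As an added example (not code from the presentation, from Intervale or from the Recommendation itself), the following checker maps the controls of a Mobile Payment System deployment onto the four Y.2740 security levels of the table above, reporting the highest level met and what is missing for the next one. The control names are constructed labels for the table's requirements, not Y.2740 identifiers, and the two sample deployments are constructed.

```python
# Requirements the table states identically for every level (access control,
# non-repudiation, privacy, communication security, availability).
BASELINE = {
    "access granted per personnel/end-user level",
    "change-proof event log of all actions",
    "no sensitive data in transferred messages",
    "message delivery and transfer protection by the NGN provider",
}

# Requirements each level adds on top of the previous one.  Level 1 adds nothing
# beyond the baseline: authentication is left to the NGN transfer environment.
LEVEL_REQUIREMENTS = {
    2: {"single-factor authentication at service usage"},
    3: {"multi-factor authentication at service usage",
        "additional message encryption",
        "integrity verification in the transfer protocol",
        "encryption and masking at storage and processing"},
    4: {"in-person identification before service use",
        "hardware cryptographic module on the client side"},
}

def normalise(controls):
    """Multi-factor authentication also satisfies the single-factor requirement."""
    controls = set(controls)
    if "multi-factor authentication at service usage" in controls:
        controls.add("single-factor authentication at service usage")
    return controls

def y2740_level(controls):
    """Return (highest level met, requirements missing for the next level); 0 = baseline unmet."""
    controls = normalise(controls)
    missing = sorted(BASELINE - controls)
    if missing:
        return 0, missing
    level = 1
    for next_level in sorted(LEVEL_REQUIREMENTS):
        missing = sorted(LEVEL_REQUIREMENTS[next_level] - controls)
        if missing:
            return level, missing
        level = next_level
    return level, []

# Constructed deployments (not real products): SMS banking with a password only and
# no encryption of the messages themselves; an STK applet with PIN plus SIM-resident key.
SMS_BANKING = BASELINE | {"single-factor authentication at service usage"}
STK_WITH_HCM = BASELINE | LEVEL_REQUIREMENTS[3] | LEVEL_REQUIREMENTS[4]

if __name__ == "__main__":
    for name, ctl in (("SMS banking", SMS_BANKING), ("STK applet + HCM", STK_WITH_HCM)):
        print(name, y2740_level(ctl))
```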
ITU-T Y.2740 Security requirements for mobile remote financial transactions
ITU-T Y.2741 Recommendation. Architecture of MPS
(Diagram: Client, Mobile operator, Merchant, Issuer and Acquirer, with the Mobile Service Provider (MSP) acting as security provider, client authentication and service provider; the interfaces are labelled iMAP and aMAP.)
ITU-T Y.2741 Architecture of secure mobile financial transactions
Projects
Successfully implemented main projects
Mobile banking and M-commerce, bank-oriented models:
• Gazprombank (Java, Windows Mobile and iPhone applets, SMS)
• Halyk Bank (STK applet, Java, Windows Mobile and iPhone applets, SMS)
• Raiffeisen Bank Russia (Java and Windows Mobile applets, SMS)
• Rosbank (Java, Windows Mobile and iPhone applets, SMS)
• Sberbank (Java and Windows Mobile applets, SMS)
Operator-oriented models:
• MTS (STK applet, Java, Windows Mobile and iPhone applets, SMS, bank account)
• Megafon (WAP, operator account)
Summary
• Currently, the penetration rate of mobile services and the development of NGN networks make it possible to organize new types of services, not only those directly associated with the main purpose of the networks.
• NGN networks may become a new infrastructure for the convenient and safe conduct of financial transactions.
• Information and financial services based on NGN networks include not only mobile banking and mobile commerce services; in addition, they may become the "infrastructure" basis for providing public services to individual customers.
About the company
About Intervale
Intervale Ltd. – Mobile services solutions developer and mobile financial transaction provider. Head Office: Moscow, Russia
Intervale Kazakhstan Ltd. – Representative office and Mobile Service Provider, Kazakhstan
Intervale Europe Ltd. – Representative office, Czech Republic
Intervale Ukraine Ltd. – Representative office, Ukraine
Year of foundation: 1999
Customers: banks, processing companies and mobile operators in Russia, the CIS and Europe
Subsidiaries
SmartCardLink – Mobile Service Provider, Moscow, Russia
Mobile Payments Ltd. – Mobile Service Provider and mobile financial transaction provider, Belarus
The Intervale solution
The solution is taken as the basis for the standards being developed within ITU (the leading United Nations agency for information and communication technology issues) in collaboration with ISO and UPU.
127083, Moscow, ul. 8 Marta, 10-Б 3
Tel./Fax: +7 (495) 789-8202, +7 (495) 967-6975
E-mail: [email protected]
Thank you!