Transcript of Paul Crocker & Vasco Nicolau - | DI

Page 1: Paul Crocker & Vasco Nicolau - | DI

Paul Crocker & Vasco Nicolau

The 2nd National eID & ePassport Conference, 2010

Page 2: Paul Crocker & Vasco Nicolau - | DI

Topics

• Current and New Payment Environments

• Pilots about Mobile Authentication/Payment

• Security and Usage Concerns in Mobile Environments

• Challenges in Mobile Environment

• Examples of Mobile Pilots in Portugal

• A new Proposal for Secure Authentication for Payments in Mobile Environment

Page 3: Paul Crocker & Vasco Nicolau - | DI

Traditional Payment Environment

(Diagram of the traditional actors: Client, Bank, Merchant)

Page 4: Paul Crocker & Vasco Nicolau - | DI

Evolution to Mobile Centralization

The mobile phone: an essential and irreplaceable part of everyday life.

Page 5: Paul Crocker & Vasco Nicolau - | DI

New and Future Mobile Services

Page 6: Paul Crocker & Vasco Nicolau - | DI

New Payment Environment

Page 7: Paul Crocker & Vasco Nicolau - | DI

Views on Using Mobile For Payment

(Diagram of the players: Operators, Banks, Payment Agents)

The banks and the mobile network operators create different projects instead of converging to a generic solution for all.

Reference: Mobile Payments, Portio Research, 2008

Page 8: Paul Crocker & Vasco Nicolau - | DI

New Mobile Authentication/Payment

NFC

QR‐Code

SimPKI

Mobile devices carrying identity, in constant mobility

Page 9: Paul Crocker & Vasco Nicolau - | DI

Mobile Projects for Authentication

(Figure captions: Transport Tickets; Loyalty & Couponing; Coupon; Access to the Event)

Page 10: Paul Crocker & Vasco Nicolau - | DI

Projects using Mobile for Payment

(Figure captions: M-Pesa; MB Phone; Visa NFC Payments; SMS Payments)

Page 11: Paul Crocker & Vasco Nicolau - | DI

Different Solutions for Secure Mobile Authentication/Payment

Solution:  OTP via SMS   | SIM-PKI          | Token OTP      | PIN Card
Hardware:  Mobile phone  | Mobile + SIM-PKI | Mobile + Token | Mobile + PIN card

Many solutions for secure authentication and payment

• However, one always needs to balance: Security vs Price vs Ease of use

• No single perfect solution

Page 12: Paul Crocker & Vasco Nicolau - | DI

Mobile Security Concerns

• Mobile Theft/Loss

• Mobile Vulnerabilities

• Mobile CyberCrime

Highly unlikely that your national id will be in your mobile (ENISA, 2008) ??

Page 13: Paul Crocker & Vasco Nicolau - | DI

Mobile Usage Concerns

Digital Wallet

• Fear the use of mobile with bank credentials

• Memorize another PIN

• Understand the new mobile concept & usage

• Theft of Personal Information

• Do not Trust Merchants

• Fake clients

• Insecure payments

• Cybercrimes

• Vulnerabilities

• Technology Problems

• New Attacks

Challenges

• Processing Speed

• Innovative and Desirable applications

• Investments in infrastructures/technologies

• Universality of system

• Ease of use

• Security

• Cooperation with all players in the environment

Page 14: Paul Crocker & Vasco Nicolau - | DI

Ideal Solution

• Simplify the mobile environment

• Use the best available security authentication methods

Gains:
- Clients' Confidence
- New Services
- Partners
- Increased Revenues

Page 15: Paul Crocker & Vasco Nicolau - | DI

Example of Mobile Projects .pt

Banking operations on a mobile phone application (SIBS):
- Multiple steps needed to activate
- It is not accepted by all banks
- Difficult to use: there is a list of codes for each operation
- Difficult to use: keyboard, screen size
- Operators (Vodafone, Optimus, TMN) supply the application
- High cost, 20, 30, ++ cents, for each transaction, on your phone bill

Complex use of mobile to pay for services (vending machine):
- Identify the machine
- Send SMS with Serial Nº (cost to client)
- To complete the transaction an Internet connection is required (cost to client)
- Long time waiting for the transaction to complete (GSM modem on vending machine)
- Necessary to memorize "one more" PIN
- Associating a bank account with a mobile encounters some resistance
- Limited Nº/Value of operations per day

Page 16: Paul Crocker & Vasco Nicolau - | DI

Security Concerns Remain

• What are the best answers for Vulnerabilities / Theft / Cybercrimes / Social Engineering Attacks etc.?

• The General Public has difficulty in understanding the security methods.

• The new concept of a mobile payment environment needs to be simplified in order for people to have confidence/trust, and be made similar to current procedures/habits.

Mobile NFC Payments: The future? Perhaps, but concerns remain.

Payment:
- Untrustworthy interface / browser vulnerabilities / Phishing / Trojans
- Skimming (speaking with an unauthorized device)
- Eavesdropping
- PIN discovery (snooping, mobile browser caches etc.)

Authentication:
- Theft/Loss of device (a mobile could somehow be used to verify an individual's identity)
- Authentication of valid purchased tickets on a mobile device that grant access to goods and services

Resume

Page 17: Paul Crocker & Vasco Nicolau - | DI

Ticket-ID

Associate e-ID to e-Ticket.

Ticket-ID is a new solution for online ticketing incorporating NFC technologies for seamless communication between all the main players - the client, the payment agent and the merchant.

The National e-ID card is used to provide security capabilities, thus enabling greater security for all the players involved and increasing the trust in the overall system.

Page 18: Paul Crocker & Vasco Nicolau - | DI

Proposed Idea

• Use Mobile Technology as Transporter/Validator

• Use Best New Technologies: QR-Code, NFC

• Use the potentialities of the Portuguese citizen (e-ID) card to grant security

Page 19: Paul Crocker & Vasco Nicolau - | DI

Secure Authentication for Payment: Ticket-ID General Overview

(Diagram: Web Reservation; (1) SMS with Ref. Product to the client; (2) client to Payment Agent; (3) Payment Agent to client; (4) Ticket (NFC/QR-Code) to Merchant Validation)

Page 20: Paul Crocker & Vasco Nicolau - | DI

1. Buy anything on the Internet and receive on your mobile phone one SMS with the product reference. Existing example: www.ticketline.pt

2. Go to a payment agent. Send the product reference via NFC to the payment agent terminal. Next, the Citizen Card is read by the payment agent in order to build the electronic ticket with the citizen's credentials.

Existing examples: Physical: Payshop (utilities, prepaid cards, internet shopping). Web: PayPal.

(Diagram: Web Reservation; (1) Ref. Product; (2) Payment Agent)

Page 21: Paul Crocker & Vasco Nicolau - | DI

Direct Purchase

• Payment Agent = Travel Agent: buy, pay, receive your travel ticket on mobile

• Payment Agent = Transport System Vending Machines: buy, pay, receive metro tickets or a monthly pass on mobile

Page 22: Paul Crocker & Vasco Nicolau - | DI

3. The agent sends (NFC/MMS) to the client's mobile phone a QR-Code that contains an electronic representation of the ticket.

4. The client goes to the merchant and sends, via NFC/QR-Code reader, the ticket on his mobile phone to the merchant receiver. In order to pick up goods/services from the Merchant, three possible authentication methods are available: weak (not using the e-ID card), or strong/very strong (using the e-ID card with or without biometrics).

(Diagram: Payment Agent; (3) Ticket (NFC/QR-Code); (4) Merchant Validation)

Page 23: Paul Crocker & Vasco Nicolau - | DI

(Secure) Validation/Authentication

(Diagram: Client; validation levels Simple, Strong, Extra Strong)

Page 24: Paul Crocker & Vasco Nicolau - | DI

Examples

(1) Purchase a Football Ticket:
- Payment Agent: PayShop, Clubs' Ticket Offices, Online site of the Club.
- Weak Validation in normal game situations
- Strong Validation on high-risk games (Internationals, Derbies, World Cup)
- Flexibility: U2 Concert in Portugal

(2) Public Transport Tickets:
- Payment Agent: Ticketing Shop, Transport Company, Vending Machines.
- Weak Validation: Always.

(3) Picking up a Medical Prescription:
- Payment Agent and Merchant: Pharmacy
- Strong Validation: Always.

(4) Purchase an Airplane Ticket or a Travel Package:
- Payment Agent: Travel Agency, Transport Company
- Merchant: Airport Security, Hotel
- Strong Validation: Always. Extra Strong Validation: Always.

Page 25: Paul Crocker & Vasco Nicolau - | DI

Details – Quick Sketch

1. Create e-Ticket
2. Create Ticket-Control (sign the e-Ticket)
3. QR-encode the Ticket-Control
4. Deliver to the citizen's mobile

Important!

• Information is sent to the trusted service provider (back-office) for the merchant.

• Information is written to the notepad of the CC (1 kB of free space).

Pages 26-29: Paul Crocker & Vasco Nicolau - | DI (figure-only slides, no text)

Ticket-ID Advantages

• Use mobile to store/transport the ticket - a common use

• Use CC to create a secure authentication for payments and validation: the CC is a trusted, secure and credible document, used the same way as a credit card chip & PIN

• Use the best of current technologies, NFC/QR-Code, in the mobile environment: a response to many challenges such as quick/secure validations

• Innovative - ID is associated with an object: gives more value to the possession of an e-ID

• Payment Agent: resolves the problem about money and concerns about security and usage for people.

Page 30: Paul Crocker & Vasco Nicolau - | DI

Thoughts about MobilePKI

• Ticket-ID familiarizes the public with the concept of signing a digital entity and associating it with a personal identification.

• Increases trust and knowledge about PKI: first steps towards a MobilePKI.

• The future of PKI in Mobile is also dependent on the best solutions for Mobile Security.

Conclusion

• Ticket-ID provides a mechanism for flexible, secure authentication and validation of tickets.

• Ticket-ID provides a simplified view of the mobile payment authentication and validation environment, and doesn't change the common habits of people.

Page 31: Paul Crocker & Vasco Nicolau - | DI

Questions ?

Thanks to: Companies supporting Research and Development in electronic certification, communication and security.

Dr. Paul Crocker Bsc [email protected]

http://cc.di.ubi.pt/ticketid