Paul Crocker & Vasco Nicolau - | DI
The 2nd National eID & ePassport Conference, 2010
Topics
• Current and New Payment Environments
• Pilots about Mobile Authentication/Payment
• Security and Usage Concerns in Mobile Environments
• Challenges in the Mobile Environment
• Examples of Mobile Pilots in Portugal
• A new Proposal for Secure Authentication for Payments in Mobile Environment
Traditional Payment Environment
Client
Bank
Merchant
Evolution to Mobile Centralization
The mobile phone: an essential and irreplaceable part of everyday life.
New and Future Mobile Services
New Payment Environment
Views on Using Mobile For Payment
Operators
Banks
Payment Agents
The Banks and the mobile network operators create different projects instead of converging to a generic solution for all.
Reference: Mobile Payments, Portio Research, 2008
New Mobile Authentication/Payment
NFC
QR-Code
SIM-PKI
Mobile Devices carrying Identity in constant Mobility
Mobile Projects for Authentication
Transport Tickets
Loyalty & Couponing
Coupon
Access to the Event
Projects using Mobile for Payment
M-Pesa
MB Phone
Visa NFC Payments
SMS Payments
Method   | OTP via SMS  | SIM-PKI          | Token OTP      | PIN Card
Hardware | Mobile phone | Mobile + SIM-PKI | Mobile + Token | Mobile + PIN card
Different Solutions for Secure Mobile Authentication/Payment
Many solutions for secure authentication and payment
• However, one always needs to balance: Security vs Price vs Ease of use
• No single perfect solution
Mobile Security Concerns
Mobile Theft/Loss
Mobile Vulnerabilities
Mobile CyberCrime
Highly unlikely that your national id will be in your mobile (ENISA, 2008) ??
Mobile Usage Concerns
Digital Wallet
• Fear the use of mobile with bank credentials
• Memorize another PIN
• Understand the new mobile concept & usage
• Theft of personal information
• Do not trust merchants
• Fake clients
• Insecure payments
• Cybercrimes
• Vulnerabilities
• Technology problems
• New attacks
Challenges
Processing speed
Innovative and desirable applications
Investments in infrastructures/technologies
Universality of the system
Ease of use
Security
Cooperation with all players in the environment
Simplify the mobile environment
Use the best available security authentication methods
Ideal Solution
Gains: Clients' Confidence, New Services, Partners, Increased Revenues
Example of Mobile Projects .pt
Complex use of mobile to pay for services (vending machine):
- Identify the machine.
- Send SMS with serial Nº (cost to client).
- To complete the transaction an Internet connection is required (cost to client).
- Long time waiting for the transaction to complete (GSM modem on vending machine).
- Necessary to memorize "one more" PIN.
- Associating a bank account with a mobile encounters some resistance.
- Limited Nº/value of operations per day.
Banking operations on a mobile phone application (SIBS):
- Multiple steps needed to activate.
- It is not accepted by all banks.
- Difficult to use: there is a list of codes for each operation.
- Difficult to use: keyboard, screen size.
- Operators (Vodafone, Optimus, TMN) supply the application.
- High cost, 20, 30, ++ cents for each transaction, on your phone bill.
Security Concerns Remain
• What are the best answers for Vulnerabilities / Theft / Cybercrimes / Social Engineering Attacks etc.?
• The General Public has difficulty in understanding the security methods.
• The new concept of mobile payment environment needs to be simplified in order for people to have confidence/trust and be made similar to current procedures/habits.
Mobile NFC
Payments: The future? Perhaps, but concerns about payment:
- Untrustworthy interface / browser vulnerabilities / Phishing / Trojans
- Skimming (speaking with an unauthorized device)
- Eavesdropping
- PIN discovery (snooping, mobile browser caches etc.)
Authentication:
- Theft/loss of the device (a mobile could somehow be used to verify an individual's identity)
- Authentication of valid purchased tickets on a mobile device that grant access to goods and services
Summary
Associate e-ID to e-Ticket.
Ticket-ID is a new solution for online ticketing incorporating NFC technologies for seamless communication between all the main players – the client, the payment agent and the merchant.
The National e-ID card is used to provide security capabilities, thus enabling greater security for all the players involved and increasing the trust in the overall system.
Ticket-ID
Proposed Idea
• Use Mobile Technology: Transporter/Validator
• Use the Best New Technologies: QR-Code, NFC
• Use the potential of the Portuguese citizen (e-ID) card to grant security
Secure Authentication for Payment – Ticket-ID General Overview
[Diagram: Web Reservation; 1 SMS (Ref. Product); 2 Payment Agent; 3; 4 Ticket (NFC/QR-Code); Merchant Validation]
1. Buy anything on the Internet and receive on your mobile phone one SMS with the product reference. Existing example: www.ticketline.pt
2. Go to the payment agent. Send the product reference via NFC to the payment agent terminal. Next the Citizen Card is read by the payment agent in order to build the electronic ticket with the citizen's credentials.
Existing examples – Physical: Payshop (utilities, prepaid cards, internet shopping). Web: PayPal.
Web Reservation
• Payment Agent = Travel Agent: buy, pay, receive your travel ticket on mobile
• Payment Agent = Transport Systems Vending Machines: buy, pay, receive metro tickets or monthly pass on mobile
Payment Agent
Direct Purchase
3. The agent sends (NFC/MMS) to the client's mobile phone a QR-Code that contains an electronic representation of the ticket.
4. The client goes to the merchant and sends via NFC/QR-Code Reader the ticket on his mobile phone to the merchant receiver. In order to pick up goods/services from the Merchant, three possible authentication methods are available – weak (not using the e-ID card) or strong/very strong (using the e-ID card with or without biometrics).
[Diagram: steps 3 and 4 – Payment Agent → Ticket (NFC/QR-Code) → Merchant Validation]
(Secure) Validation/Authentication – Client:
• Simple
• Strong
• Extra Strong
Examples
(1) Purchase a Football Ticket:
Payment Agent: PayShop, Club Ticket Offices, Online site of Club.
Weak Validation – in normal game situations.
Strong Validation – on high risk games (Internationals, Derbies, World Cup).
Flexibility – U2 Concert in Portugal.
(2) Public Transport Tickets:
Payment Agent: Ticketing Shop, Transport Company, Vending Machines.
Weak Validation – Always.
(3) Picking up a Medical Prescription:
Payment Agent and Merchant: Pharmacy.
Strong Validation – Always.
(4) Purchase an Airplane Ticket or a Travel Package:
Payment Agent: Travel Agency, Transport Company.
Merchant: Airport Security, Hotel.
Strong Validation – Always. Extra Strong Validation – Always.
Details – Quick Sketch
1. Create e-Ticket
2. Create Ticket-Control (sign e-Ticket)
3. QR-encode Ticket-Control
4. Deliver to citizen's mobile
Important!
• Information is sent to the trusted service provider (back-office) for the merchant.
• Information is written to the notepad of the CC (1kb of free space).
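The four-step flow above (buy, pay at the agent, receive the QR-coded ticket, present it to the merchant) together with the three validation levels, as an added example in Go that is not part of the Ticket-ID project's own code. It assumes an Ed25519 key as a stand-in for whatever key signs the e-Ticket (the slides name no algorithm), a base64-encoded JSON record as a stand-in for the QR-code content, and hypothetical field names (product_ref, holder_id) and constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ETicket is what the payment agent builds from the product reference (the SMS)
// and the credentials read from the citizen card. Fields are constructed for this example.
type ETicket struct {
	ProductRef string `json:"product_ref"`
	HolderID   string `json:"holder_id"` // hypothetical citizen-card identifier
	Merchant   string `json:"merchant"`
	IssuedAt   int64  `json:"issued_at"`
	ExpiresAt  int64  `json:"expires_at"`
}

// TicketControl is the signed e-Ticket: payload plus signature over its JSON form.
type TicketControl struct {
	Ticket    ETicket `json:"ticket"`
	Signature []byte  `json:"sig"`
}

// Validation levels from the slides: weak (ticket only), strong (ticket + e-ID card),
// extra strong (ticket + e-ID card + biometrics).
type Level int

const (
	Weak Level = iota
	Strong
	ExtraStrong
)

var (
	ErrBadSignature   = errors.New("ticket-control signature invalid")
	ErrExpired        = errors.New("ticket expired")
	ErrHolderMismatch = errors.New("presented e-ID does not match ticket holder")
	ErrBiometric      = errors.New("biometric verification failed")
)

// CreateTicketControl signs the e-Ticket (Ed25519 is an assumed stand-in for the real
// signing key) and returns the QR-code content: base64 of the JSON Ticket-Control.
func CreateTicketControl(t ETicket, priv ed25519.PrivateKey) string {
	payload, _ := json.Marshal(t) // cannot fail for this struct
	tc := TicketControl{Ticket: t, Signature: ed25519.Sign(priv, payload)}
	raw, _ := json.Marshal(tc)
	return base64.StdEncoding.EncodeToString(raw)
}

// Validate is the merchant-side check. presentedID is read from the citizen card at
// the gate (empty for weak validation); biometricMatch is the card's biometric result,
// consulted only for extra strong validation.
func Validate(encoded string, pub ed25519.PublicKey, level Level,
	presentedID string, biometricMatch bool, now time.Time) (ETicket, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return ETicket{}, err
	}
	var tc TicketControl
	if err := json.Unmarshal(raw, &tc); err != nil {
		return ETicket{}, err
	}
	// Re-serialise exactly as signed: struct field order keeps json.Marshal deterministic.
	payload, _ := json.Marshal(tc.Ticket)
	if !ed25519.Verify(pub, payload, tc.Signature) {
		return ETicket{}, ErrBadSignature // tampered payload or unknown issuer
	}
	if now.Unix() > tc.Ticket.ExpiresAt {
		return ETicket{}, ErrExpired
	}
	if level >= Strong && presentedID != tc.Ticket.HolderID {
		return ETicket{}, ErrHolderMismatch
	}
	if level == ExtraStrong && !biometricMatch {
		return ETicket{}, ErrBiometric
	}
	return tc.Ticket, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stand-in for the signing key
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed sample: a football ticket checked with strong validation at the gate.
	tk := ETicket{ProductRef: "REF-0001", HolderID: "CC-000001", Merchant: "stadium-gate-3",
		IssuedAt: now.Unix(), ExpiresAt: now.Add(2 * time.Hour).Unix()}
	qr := CreateTicketControl(tk, priv)
	fmt.Println("QR payload:", qr)
	_, err = Validate(qr, pub, Strong, "CC-000001", false, now)
	fmt.Println("strong validation, holder's own card:", err)
}
```

The weak level only checks that the Ticket-Control was signed by a known key and has not expired, which is what a transport validator needs; the strong level binds the ticket to the card presented at the gate, and the extra strong level additionally requires the card's biometric check, matching the examples given for high-risk games and travel.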
Ticket-ID Advantages
• Use mobile to store/transport the ticket – a common use.
• Use CC to create a secure authentication for payments and validation. CC is a trusted, secure and credible document, used the same way as a credit card chip & PIN.
• Use the best of current technologies (NFC/QR-Code) in the mobile environment – a response to many challenges such as quick/secure validations.
• Innovative – ID is associated with an object; gives more value to the possession of an e-ID.
• Payment Agent resolves the problem about money and the concerns about security and usage for people.
Thoughts about Mobile PKI
• Ticket-ID familiarizes the public with the concept of signing a digital entity and associating it with a personal identification.
• Increases trust and knowledge about PKI – first steps towards a Mobile PKI.
• The future of PKI in Mobile is also dependent on the best solutions for Mobile Security.
Conclusion
• Ticket-ID provides a mechanism for flexible, secure authentication and validation of tickets.
• Ticket-ID provides a simplified view of the mobile payment authentication and validation environment and does not change the common habits of people.
Questions ?
Thanks to : Companies supporting Research and Development in electronic certification, communication and security.
Dr. Paul Crocker Bsc [email protected]
http://cc.di.ubi.pt/ticketid