Optimising and simplifying authentication and authorization services
Martin Prošek, Telefónica Czech Republic
06.11.2013
This presentation briefly describes the identification methods used by a mobile operator. The main method is SIM-based identification, but it fails in some cases. The presentation describes several technical interaction scenarios used for identification: network-based identification, MT SMS OTP, cookies, certificates… Risks for mobile content payments are mentioned.

Mobile Identity 2013 - Optimising and simplifying authentication and authorization services

Slide 1: Optimising and simplifying authentication and authorization services
Martin Prošek, Telefónica Czech Republic, 06.11.2013

Slide 2: About Telefónica Czech Republic
• Fixed and mobile voice and data, IPTV
• Operated under the commercial brand O2
(Footer on every slide: DISCOVER, DISRUPT, DELIVER)

Slide 3: Mobile Operator Identification Security
• SIM card – a secure asset giving access to the network, protected by PIN
• No further interactions

Slide 4: SIM-based Identification
• Simple, convenient
• Fully sufficient for telco payments (voice, SMS, data…)
• Fails in cases when:
  • the phone is stolen
  • the phone is borrowed
  • data access is shared over WiFi
  • corporate users

Slide 5: Technical Solution – Internal Server
Diagram: handset → AAA Server → internal server. The AAA server resolves the handset's IP address to its MSISDN; the internal server uses the MSISDN for authorization.

Slide 6: Technical Solution – Internal + External Server
Typical example: WAP
Diagram: handset → Gateway → external server, with the Gateway querying the AAA Server (IP address → MSISDN resolving). The gateway performs header enrichment, adding the resolved MSISDN to the forwarded request (X-Nokia-msisdn: 420602607977); the external server uses that header for authorization.

Slide 7: Technical Solution – Internal + External Server
Captured request as it reaches the external server after header enrichment, followed by the response:

    GET / HTTP/1.1
    Host: m.o2.cz
    User-Agent: Mozilla/5.0 (SymbianOS/9.3; Series60/3.2 NokiaE72-1/031.023; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.3.1
    x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE72-1r100.xml"
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en,cs;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cache-Control: max-age=0
    X-Nokia-msisdn: 420602607977

    HTTP/1.0 200 OK
    Server: Apache-Coyote/1.1, Apache-Coyote/1.1
    Cache-Control: no-cache
    x-cocoon-version: 2.0.3
    Expires: Fri, 31 Dec 1999 23:59:59 GMT
    Date: Wed, 06 Nov 2013 07:19:46 GMT
    Vary: Accept-Encoding
    Pragma: no-cache
    Content-Type: text/html;charset=UTF-8
    Content-Encoding: gzip
    X-Cache: MISS from proxy1, MISS from Proxy1R
    Connection: close
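The enriched X-Nokia-msisdn header on slides 6 and 7 is an identity assertion made by the operator's gateway, not by the handset. For it to be safe, the gateway has to strip any copy of the header the client supplied itself and the external server has to accept it only from the gateway; otherwise any client that can reach the server directly (for example over WiFi) could claim an arbitrary MSISDN. The following is an added example in Python of both halves of that trust boundary; it is not code from the presentation or from Telefónica/O2. The AAA session table, the gateway address range and the client IPs are constructed, and the MSISDN 420602607977 is the one shown on the slides.

```python
import ipaddress

# Constructed AAA session table (IP assigned to the handset's data session -> MSISDN).
# On the slides this lookup is the "IP address / MSISDN resolving" step at the AAA server.
AAA_SESSIONS = {
    "10.64.12.7": "420602607977",   # MSISDN shown on the slides
    "10.64.12.8": "420602000001",   # constructed second subscriber
}

# Constructed: the only network from which the enriched header may legitimately arrive.
GATEWAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
GATEWAY_IP = "192.0.2.10"          # constructed address of the WAP gateway
ENRICH_HEADER = "x-nokia-msisdn"


def _lower(headers):
    """HTTP header names are case-insensitive; compare them in one case."""
    return {k.lower(): v for k, v in headers.items()}


def gateway_enrich(headers, client_ip):
    """Operator-side WAP gateway (slide 6).
    1. Strip any X-Nokia-msisdn the handset itself supplied (a spoof attempt).
    2. Resolve the client's IP to an MSISDN via the AAA session table.
    3. Inject the resolved MSISDN, if any, before forwarding to the content server."""
    forwarded = {k: v for k, v in _lower(headers).items() if k != ENRICH_HEADER}
    msisdn = AAA_SESSIONS.get(client_ip)
    if msisdn is not None:
        forwarded[ENRICH_HEADER] = msisdn
    return forwarded


def content_server_identify(headers, peer_ip):
    """External content server (m.o2.cz on slide 7).
    The header is trusted only when the TCP peer is the operator gateway; a request
    arriving from anywhere else (WiFi, public Internet) carries no identity."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in GATEWAY_NETS):
        return None
    return _lower(headers).get(ENRICH_HEADER)


def run_scenarios():
    """Four requests a practitioner should check; returns the MSISDN the server trusts."""
    base = {"Host": "m.o2.cz", "User-Agent": "Mozilla/5.0 (SymbianOS/9.3; ...)"}
    # 1. Genuine handset on the mobile data network, via the gateway.
    honest = content_server_identify(gateway_enrich(base, "10.64.12.7"), GATEWAY_IP)
    # 2. Handset on the mobile network forges the header to impersonate another subscriber;
    #    the gateway discards it and injects the MSISDN the AAA table actually holds.
    forged = {**base, "X-Nokia-msisdn": "420602000001"}
    via_gw = content_server_identify(gateway_enrich(forged, "10.64.12.7"), GATEWAY_IP)
    # 3. Same forged request sent straight from WiFi/Internet, bypassing the gateway.
    direct = content_server_identify(forged, "198.51.100.23")
    # 4. Handset whose IP has no AAA session (e.g. stale table): no identity at all.
    unknown = content_server_identify(gateway_enrich(base, "10.64.99.1"), GATEWAY_IP)
    return {"honest": honest, "forged_via_gateway": via_gw,
            "forged_direct": direct, "unknown": unknown}


if __name__ == "__main__":
    for name, msisdn in run_scenarios().items():
        print(f"{name:>20}: {msisdn}")
```

The peer-address check stands in for whatever makes the gateway-to-server link private in a real deployment (a dedicated VPN or link, mutual TLS); the point is that the server never takes the header at face value from an arbitrary peer.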
Slide 8: Technical Solution – Smartphone Application
Diagram: app → API → AAA (IP address → MSISDN resolving) → 420602607977. The API resolves the app's source IP address to the MSISDN through the AAA server, exactly as for the browser case.

Slide 9: Technical Solution – WiFi
• MSISDN – if the operator's WLAN is used
• Login by username and password – otherwise
• MT SMS One-Time Password
• Tricks – cookies, certificates

Slide 10: Technical Solution – WiFi with MT SMS OTP
Diagram: Server → API → SMSC → handset. The user supplies the MSISDN; the server generates an OTP and hands it to the SMSC through its API; the SMSC delivers the OTP by MT SMS; the user enters the OTP; the server performs authorization.

Slide 11: Technical Solution – App on WiFi with MO SMS
Diagram: App ↔ Operator Server. The operator server issues a Token to the app; the app sends an SMS with the Token (MO SMS) to the operator; the operator server performs authorization.
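The two WiFi flows above, MT SMS OTP (slide 10) and MO SMS token (slide 11), as one added example in Python; it is not code from the presentation or from Telefónica/O2. The SMSC API is replaced by an assumed `send_mt_sms` callable, and the operator's delivery of an incoming MO SMS is modelled as a call to `receive_mo_sms` that carries the originating MSISDN as the network reports it (never taken from the message body). The six-digit code, the five-minute validity and the three-attempt limit are assumed policy values. The example covers the failure modes a practitioner checks first: replayed code, expired code, guessing lockout, and token reuse.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300       # assumed policy: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 3        # assumed policy: three guesses, then a fresh code is required
TOKEN_TTL_SECONDS = 300     # assumed policy: an MO token is valid for five minutes


class SmsIdentityServer:
    """Operator-side server for the two WiFi flows on slides 10 and 11.
    MT flow: server generates an OTP, pushes it by MT SMS via the SMSC, user types it back.
    MO flow: server hands the app a token, the app sends it by MO SMS, and the operator
    learns the sender's MSISDN from the network when the SMS arrives."""

    def __init__(self, send_mt_sms, now=time.time):
        self._send_mt_sms = send_mt_sms          # stands in for the SMSC API (assumption)
        self._now = now                          # injectable clock, so expiry can be tested
        self._key = secrets.token_bytes(32)      # OTPs are stored as HMACs, never in clear
        self._otps = {}                          # msisdn -> [digest, expires_at, attempts]
        self._tokens = {}                        # token  -> [session_id, expires_at]

    def _digest(self, msisdn, otp):
        return hmac.new(self._key, f"{msisdn}:{otp}".encode(), hashlib.sha256).digest()

    # ---- MT SMS OTP (slide 10) -------------------------------------------
    def start_mt_otp(self, msisdn):
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._otps[msisdn] = [self._digest(msisdn, otp), self._now() + OTP_TTL_SECONDS, 0]
        self._send_mt_sms(msisdn, f"Your login code is {otp}")

    def verify_mt_otp(self, msisdn, otp):
        rec = self._otps.get(msisdn)
        if rec is None:
            return False
        if self._now() > rec[1] or rec[2] >= OTP_MAX_ATTEMPTS:
            del self._otps[msisdn]               # expired or locked: force a new code
            return False
        rec[2] += 1
        ok = hmac.compare_digest(rec[0], self._digest(msisdn, otp))
        if ok:
            del self._otps[msisdn]               # single use: a replay must fail
        return ok

    # ---- MO SMS token (slide 11) -----------------------------------------
    def issue_mo_token(self, session_id):
        token = secrets.token_urlsafe(12)
        self._tokens[token] = [session_id, self._now() + TOKEN_TTL_SECONDS]
        return token

    def receive_mo_sms(self, sender_msisdn, body):
        """Called when an MO SMS reaches the service number. sender_msisdn is the
        originating number reported by the network. Returns (session_id, msisdn) or None."""
        rec = self._tokens.pop(body.strip(), None)   # single use
        if rec is None or self._now() > rec[1]:
            return None
        return rec[0], sender_msisdn


def _other_than(code):
    """A six-digit code guaranteed to differ from the one issued (for the demo)."""
    return "000000" if code != "000000" else "000001"


def demo():
    """Walk both flows with a fake clock and a capturing SMSC; returns the outcomes."""
    sent, clock = [], [1_000_000.0]
    srv = SmsIdentityServer(send_mt_sms=lambda to, text: sent.append((to, text)),
                            now=lambda: clock[0])
    msisdn = "420602607977"                      # MSISDN shown on the slides
    out = {}
    srv.start_mt_otp(msisdn)
    otp = sent[-1][1].split()[-1]                # what the user reads off the handset
    out["wrong_code"] = srv.verify_mt_otp(msisdn, _other_than(otp))
    out["right_code"] = srv.verify_mt_otp(msisdn, otp)
    out["replay"] = srv.verify_mt_otp(msisdn, otp)
    srv.start_mt_otp(msisdn)
    otp = sent[-1][1].split()[-1]
    clock[0] += OTP_TTL_SECONDS + 1               # user waited too long
    out["expired"] = srv.verify_mt_otp(msisdn, otp)
    srv.start_mt_otp(msisdn)
    otp = sent[-1][1].split()[-1]
    for _ in range(OTP_MAX_ATTEMPTS):             # attacker guessing on the web form
        srv.verify_mt_otp(msisdn, _other_than(otp))
    out["locked_out"] = srv.verify_mt_otp(msisdn, otp)
    token = srv.issue_mo_token("sess-42")
    out["mo_bound"] = srv.receive_mo_sms(msisdn, token)          # session <-> MSISDN
    out["mo_replay"] = srv.receive_mo_sms("420602000001", token)  # token already consumed
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result}")
```

In the MO flow the binding is only as strong as the operator's knowledge of the originating number, which is why the token must be sent from the SIM being identified and not forwarded through a third party; in the MT flow the server keeps no plaintext OTP, so a leaked store cannot be replayed against a live session.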
Slide 12: Mobile Content Payments
• Natural extension of payments for telco services
• Mobile payments with 3rd parties are the next step
• Issues:
  • Authentication is no longer only for the operator – the merchant is included
  • Intangible goods

Slide 13: Mobile Content Payments Risks
• Communication is not direct anymore (Operator ↔ Provider)
• Man-in-the-middle (M-I-M) attacks are possible (Operator ↔ attacker ↔ Provider)
• Even the app itself can compromise the payment security – App-in-the-middle (A-I-M)* (Operator ↔ App ↔ Provider)
* Known examples: fraudulent Premium SMS sending…

Slide 14: Mobile Content Payments Risks
Typical example: oAuth
Diagram: App ↔ Operator ↔ Server.

Slide 15: Summary
Mobile operators are still in the best position to assure reliable identification of users.
• NETWORK BASED IDENTIFICATION
  • Using the SIM card
  • Using other data (location, terminal information…)
• PASSWORD BASED IDENTIFICATION
  • Combined with network-based identification, it creates reliable multifactor authentication
• IDENTITY FEDERATION
  • Evolves from the walled garden to the modern web environment