2012 Accumulate Mobile Everywhere - Standard Product Description

Basic product description for the Accumulate ME mobile payment authentication platform.


Mobile Everywhere
Standard product description – light version
Accumulate 2011
Copyright 2011 Accumulate AB

ME Standard Product Description
Revision history

Date        Version  Status  Description    Author
2011-01-31  1.0      Final   First Edition

Approved by

Name             Role  Date
Magnus Westling  CTO   2011-02-01
Table of contents

1 Introduction to document
  1.1 About Accumulate
  1.2 Secure Mobile transactions
  1.3 Mobile Banking
  1.4 Mobile Payment
  1.5 Mobile security
2 Mobile Everywhere
  2.1 Overview
    2.1.1 PDI and OTT processes
    2.1.2 Secure transaction system
    2.1.3 Transaction system
    2.1.4 Multi-tier system
    2.1.5 Ecosystem
  2.2 ME Services
    2.2.1 Service overview
    2.2.2 Mobile banking
    2.2.3 Secure credit card
    2.2.4 Mobile Payments
    2.2.5 Mobile security
    2.2.6 E-ID
  2.3 ME client
  2.4 ME core server
  2.5 ME ecosystem server
3 ME system description
  3.1 Logical view
  3.2 Function description
    3.2.1 Enrolment
    3.2.2 Mobile banking
    3.2.3 Secure credit card
    3.2.4 Point of sale
    3.2.5 Online
    3.2.6 Person-to-person
    3.2.7 Man-to-machine
    3.2.8 Remittance
    3.2.9 Secure login
    3.2.10 Secure signature
    3.2.11 e-ID
    3.2.12 3 factor authentication
4 Security
  4.1 Threat and mitigation
  4.2 Mobile client security
5 Scalability
1 Introduction to document

The purpose of this documentation is to give a complete overview of the company Accumulate, its solution Mobile Everywhere and the services that can be launched using Mobile Everywhere as the platform. This documentation begins with a presentation of the company. Thereafter follows an overview of the different mobile payment/banking services that exist in the marketplace today and a description of the services that can be launched using Accumulate's solution for secure mobile transactions. The different functions and processes that make Accumulate's solution unique will be described in detail. The last chapters of this documentation contain thorough descriptions of the architecture, the components and the system of Accumulate's solution as a whole.

1.1 About Accumulate

Accumulate's core business is the development of online security solutions for mobile devices. The mission is to be a technology leader in secure mobile authentication and mobile financial services by using a mobile device. All development within Accumulate is performed with focus on highest security, ease-of-use, flexibility and lowest TCO for the customer. Accumulate currently holds 8 patents in securing mobile transactions.

Milestones
• Start 2004
• First mobile transaction platform (Flexion) commercial launch, 2004
• Consolidated to Accumulate 2005
• First pilot 2005
• Opening of UK office 2005
• Reaches 100 000 unique installations 2006
• Second mobile security platform (ME) commercial launch, 2007
• Reaches 1 000 000 unique installations 2007
• First in the world to go live with a 360 degree mobile payment service (June 2009)
• Reaches 10 000 000 unique installations 2009
• Reaches 20 000 000 unique installations 2010

Accumulate is headquartered in Stockholm, Sweden, from where most of the operations and business development is run.
Furthermore, Accumulate has offices in London and Beijing.

1.2 Secure Mobile transactions

Accumulate's solution is a multi-factor public key infrastructure (PKI) authentication platform where a thin smart security client application is installed on a verified client's mobile device. The security client application communicates securely over TCP/IP with
a transaction server that in turn communicates with external systems through standard APIs. When a user starts the application, a connection to the transaction server is established and the user's identity is verified. Once verified, the user can perform various kinds of secure authentications.

1.3 Mobile Banking

The term mobile banking is widely interpreted, as there is no universal standard for what is included within the terminology. However, mobile banking is often synonymous with informational services (mobile banking 1.0).

Accumulate sees mobile banking as an additional access channel to the traditional banking services, whether they are informational or transactional (mobile banking 2.0).

Accumulate's solution enables optimized security, allowing the implementation of transactional services. With Accumulate's Mobile Banking solution, banks can provide a more secure, flexible and feature-rich communication/transaction channel and by that provide their customers with offers like:
• Informational services
• Money transfer (inter/intra bank)
• Invoice payment
• Additional services (notifications, branch/ATM locator, etc.)

The authentication method and the very high security features of Accumulate's solution make it a perfect companion for people on the move, providing the same functionalities as the bank's Internet channel but without the need of a computer or hardware token.

1.4 Mobile Payment

Mobile payment has commonly been known as SMS payments or different person-to-person solutions, generally covering only one payment situation (mobile payment 1.0).

Accumulate's solution moves mobile payment to a complete 360 degree mobile payment service, meaning that it covers all payment situations, using one platform with the highest security foundation (mobile payment 2.0).
• Contactless mobile payment - using RFID, Accumulate OTT, NFC stickers or NFC integrated phones
• Person to person money transfers - a secure, fast and easy way to perform money transfer transactions
• Money remittance
• Online payments
• Vending machine payment
• Payment information services - get info directly on the mobile: balance, transaction history and even receipts of purchases
• Other services - mobile ticketing, coupons and mobile loyalty card are examples of new and future services that can be enabled using Accumulate's solution

This illustration specifies the different components that Accumulate can provide to a mobile payment ecosystem.

1.5 Mobile security

Accumulate's solution is based on the industry security standard PKI. Adding unique and patented technology and processes and multi-factor authentication, in combination with dual line communication, gives Accumulate's solution unparalleled security. By using Accumulate's solution, banks can avoid many of the security issues in today's transaction environment such as data integrity online, man-in-the-middle issues and phishing.
2 Mobile Everywhere

2.1 Overview

Mobile Everywhere (hereafter ME) is the name of Accumulate's solution and is a complete platform for secure mobile transactions. ME is a multi-tier solution for multiple services built upon a generic secure transaction and security basis.

The basic concept is a connected mobile client that holds a secure and identified connection to a transaction server. The client (an application downloaded over the air, OTA) with its secure channels to the server becomes a Safe Frame in which secure transactions can be executed. The flexibility of ME makes it possible for the service provider at the server side to add and revoke services. The client is an important security entity, but regarding services and graphical user interface (GUI) it is just a thin client displaying server side services and GUI.

Services can be of two generic types: local services or ecosystem services. Local services are directly integrated in the ME core and global ecosystem services are integrated to an ecosystem component. ME is composed of a client application, local server side components and global server side ecosystem components.

ME has several advantages:
• Security – ME has many security advantages over other solutions, such as dual line communication and the "sign what you see" functionality. ME also abolishes many of the security issues in today's transaction environment such as data integrity online, man-in-the-middle issues and phishing of id & password.
• User friendliness – All services are focused on being easy to use and minimizing the procedure for the end user to execute transactions and other actions.
• Independence – ME works independently of operator, SIM card, network type, subscription type or make and model of handset.
• Cost efficiency – Cost savings in hardware and distribution compared to current solutions. Furthermore there is no transaction cost (for example compared with OTP via SMS or scratch card).
Using ME, costs associated with fraud attacks can be decreased.
• Speed – ME qualifies for a transaction environment where speed is of the essence, for instance in a point of sale environment.
• Flexibility – Within the ME platform many services in mobile payment, mobile banking and other mobile security transactions can be enabled.

ME supports virtually all mobile phones released since 2004; the minimum requirement is Java MIDP2 phones, since the application always connects to the Internet using a socket. The terminal database currently holds more than 4500
different mobile phone models and is continuously being updated as new models are released.

Supported platforms are:
• iPhone
• Android
• BlackBerry
• Symbian
• Windows Mobile
• Java ME

2.1.1 PDI and OTT processes

Accumulate uses two different patented processes for authentication: One-Time-Ticket (OTT), or a process defined as Predefined Identity (PDI).

The server sends an OTT to the mobile security application. Authentication is executed by communicating the one time ticket to the authentication party. An authentication party could be a web service, a point of sale terminal or a login page. The authentication party is connected back-end to the transaction server, which matches the OTT from the authentication party with the stock of valid OTTs at that time. When the transaction server finds a match, it sends the details of the transaction to the mobile device for confirmation. An OTT is only valid for a short period of time.

The other process is the PDI, where the authentication is executed by the user entering a pre-defined identity at the authentication party. The identity is already predefined at the server. The authentication party is connected back-end to the transaction server, which matches the PDI with the PDIs defined at the server. When a valid PDI is matched, a confirmation request is sent to the user's mobile device with the details of the transaction.

2.1.2 Secure transaction system

ME is specially designed to handle secure transactions; the high security level is accomplished through the ME client that communicates in a secure way with the ME Transaction Server. By having a secure and identified enrolment process where the user is identified, and two-factor authentication (2FA) in the authentication process, the integrity of the user is kept.
Several layers of secure methods help to retain this integrity and further strengthen the system's guarantee that only the person that is registered to the service and the owner of the mobile device can access and use the functionality of the service.
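The OTT and PDI processes of section 2.1.1 and the confirmation step of 2.1.2, modelled as a small transaction-server component. This is an added example, not Accumulate's code: the 8-digit ticket format, the 60 second lifetime, the `ManualClock` test clock and the `nfc-sticker-0001` predefined identity are assumptions made for the illustration.

```python
# Model of the OTT and PDI authentication processes (2.1.1) and the
# "sign what you see" confirmation step (2.1.2). Added illustration,
# not Accumulate's code; format, lifetime and clock are assumptions.
import secrets
from dataclasses import dataclass

OTT_TTL_SECONDS = 60   # assumed "short period of time"; the page gives no figure


class ManualClock:
    """Deterministic clock so ticket expiry can be exercised in a test.
    A production server would use time.time instead."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Ticket:
    user_id: str
    issued_at: float


@dataclass
class PendingConfirmation:
    user_id: str
    party: str        # web service, point of sale terminal or login page
    details: dict     # what the mobile device shows and the user must confirm
    confirmed: bool = False


class TransactionServer:
    """Server side: issue OTTs, match OTT/PDI from the authentication
    party, push transaction details to the device, accept confirmation."""

    def __init__(self, clock=None) -> None:
        self.clock = clock or ManualClock()
        self.tickets: dict[str, Ticket] = {}    # stock of currently valid OTTs
        self.pdis: dict[str, str] = {}          # predefined identity -> user id
        self.pending: dict[str, PendingConfirmation] = {}

    # ---- OTT process -----------------------------------------------------
    def issue_ott(self, user_id: str) -> str:
        """Ticket sent to the identified mobile client (8-digit form assumed)."""
        ott = f"{secrets.randbelow(10**8):08d}"
        self.tickets[ott] = Ticket(user_id, self.clock())
        return ott

    def _purge_expired(self) -> None:
        now = self.clock()
        for ott, t in list(self.tickets.items()):
            if now - t.issued_at > OTT_TTL_SECONDS:
                del self.tickets[ott]

    def match_ott(self, ott: str, party: str, details: dict):
        """Authentication party submits the OTT it received, back-end.
        pop() consumes the ticket, so a replayed OTT never matches twice."""
        self._purge_expired()
        t = self.tickets.pop(ott, None)
        if t is None:
            return None
        return self._push_confirmation(t.user_id, party, details)

    # ---- PDI process -----------------------------------------------------
    def register_pdi(self, pdi: str, user_id: str) -> None:
        """Identity defined at the server in advance (e.g. an NFC sticker)."""
        self.pdis[pdi] = user_id

    def match_pdi(self, pdi: str, party: str, details: dict):
        """A PDI is long-lived and reusable; each transaction is still
        authorised only by the PIN confirmation on the device."""
        user_id = self.pdis.get(pdi)
        if user_id is None:
            return None
        return self._push_confirmation(user_id, party, details)

    # ---- confirmation on the mobile device -------------------------------
    def _push_confirmation(self, user_id: str, party: str, details: dict) -> str:
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = PendingConfirmation(user_id, party, details)
        return txn_id

    def confirm(self, txn_id: str, user_id: str, pin_ok: bool, shown: dict) -> bool:
        """Client reports what it displayed and whether the PIN was correct.
        The shown details must equal the server's record ("sign what you see"),
        the confirming user must own the ticket, and a confirmation is final."""
        p = self.pending.get(txn_id)
        if p is None or p.confirmed or p.user_id != user_id or not pin_ok:
            return False
        if shown != p.details:
            return False
        p.confirmed = True
        return True
```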
2.1.3 Transaction system

ME is, apart from a secure transaction system, also a high capacity transaction system. This is accomplished by having a layered and multi-threaded architecture with maximum possibilities to scale. The high performance transaction system means that it is built for large scale expansion and scaling without limitations, while at the same time preserving transaction integrity.

2.1.4 Multi-tier system

ME is designed to allow interaction between multiple instances. This facilitates the creation of an ecosystem consisting of different services and service providers. This means that ME is prepared as a multi-tier system where more instances can be added. This makes ME extremely scalable and flexible in its design.

2.1.5 Ecosystem

The ME solution is prepared with an Inter Transaction Router (ITSR) that can route transactions between different issuers and acquirers, an Other Service Router (OSR) that routes transactions to different service providers and an e-ID router to direct signatures and authentications. This means that all mobile payment services, other services and the e-ID service can be used both as proprietary services and as ecosystem services.

2.2 ME Services

ME Services cover all the different services that can be performed within the ME platform. Furthermore, ME Services describe the client and different types of servers along with the security features.

2.2.1 Service overview

• Mobile banking
• Secure credit card
• Point of sale (POS)
• Person-to-person money transfer
• Online payments
• Man-to-machine
• Remittance
• Other services
• Login
• Signature
• e-ID

2.2.2 Mobile banking

Using ME, banks can provide their customers with a more secure, flexible and feature
rich mobile banking service that can be used as a communication/transaction channel. Due to the security features of the security client application it is possible to securely provide traditional mobile banking services (informational services), but the provision of transactional services that require higher security is also possible. Accumulate's mobile banking solution empowers financial institutions to provide all Internet banking services in the mobile channel.

2.2.2.1 Informational services

Informational services are divided into account information, which is information regarding the account holder's specific account, and general information, which is universal information regarding the bank. All these informational services are today widely regarded as mobile banking.

2.2.2.1.1 Account information
• Balance statement
• Transaction history
• Payment notifications
• Online purchase notifications
• Abroad purchase notifications
• Withdrawal notifications
• Transaction notifications
• Fraud alerts
• Bonus/loyalty points
• Access to loan statements
• Access to card statements
• Real-time stock quotes
• PIN provision, change of PIN
• Blocking of (lost, stolen) card

2.2.2.1.2 General information
• Offers
• Current bank related news
• ATM locator
• Branch locator

2.2.2.2 Transactional services

Transactional services are services that allow the user to execute monetary transactions within the mobile banking solution. Examples of transactional services are:
• Inter/intra bank transfers
• Bill payment
• Stock/fund trading

2.2.3 Secure credit card

The services within Secure Credit Card aim to increase the security of online
card purchases while simplifying the procedure for the end user.

2.2.3.1 3-D secure

With verification of the online purchase in the mobile phone, the 3-D secure service eliminates the need of a 3-D secure hardware token. Not only does this service reduce cost in hardware and distribution, it also simplifies the purchase procedure for the end user, since the verification device is the mobile phone: a device that is always available to the user.

2.2.3.2 One time credit card (OTCC)

The OTCC is a service that generates a one time card number for online purchases. This service drastically decreases fraud, as the card number becomes obsolete after the purchase. The OTCC number is generated in the mobile application and consists of the issuer identifying number along with a one-time ticket. When the purchase is being processed, the verification of the purchase is executed in the mobile application, allowing the user to have only the phone as a device for the online purchase.

2.2.3.3 One time ticket - credit card

The OTT service is a service that completely eliminates the need for sensitive information being entered at the online merchant site. The only information given at the online merchant is the one time ticket generated in the application. When the purchase is being processed, the verification of the purchase is also executed in the application. In order to introduce the OTT service, merchants need to complete minor modifications to their checkout page to be able to accept OTT payments, and a credit card or account needs to be linked to the application.

2.2.4 Mobile Payments

Using ME as the platform, a 360° mobile payment service can be provided. This means that all the different payment situations, including point of sale purchases, online payments, person-to-person transfers and man-to-machine payments, are supported. Additionally, ME's mobile payment solution supports a great variety of other services ranging from ticketing to purchase codes etc.
In other words, ME can be used to provide three different areas within the scope of mobile payments: proximity payments, remote payments and other services.

2.2.4.1 Proximity payments

Proximity payments are transactions executed in the vicinity of the payee and with an interaction between the payer and the payee.

2.2.4.1.1 Point of sale

A point of sale transaction can be executed either via integrated NFC, NFC sticker¹ or via one-time-ticket. Since ME supports the OTT process, it can serve as a bridging solution for NFC point of sale purchases until the roll out of NFC handsets and point of sale terminals has been completed.

¹ Integrated NFC and NFC stickers are different forms of predefined identity authentication. Please see section 2.1.1.
2.2.4.1.2 Online

The online payment service enables the end user to pay at online merchants. This transaction is based on the OTT process. Today, online purchases are often done by providing the payment receiver with sensitive credit card information. By using OTT, this information sharing and the associated risks are eliminated.

2.2.4.1.3 Person-to-person transfer

The P2P service enables end users to execute monetary transfers between accounts using only the telephone number or an OTT as the identifier. The sender as well as the recipient needs to be in active state (initiated payment) in order to execute the transfer; this is to eliminate transfers to the wrong recipient.

2.2.4.1.4 Man-to-machine

The man-to-machine service allows end users to execute payments to different types of machines, i.e. vending machines, parking meters, charging poles etc. The OTT process is used to complete the payment. The machine only needs to be equipped with embedded connected software to be able to receive online transactions.

2.2.4.2 Remote Payments

2.2.4.2.1 Remittance

The remittance service gives end users the opportunity to send monetary transfers. The service can be applied for internal as well as cross border remittance. This service is very similar to the person-to-person service, with the difference being that the sender and the receiver are at different locations and that the receiver does not need to be in an active state.

2.2.4.3 Other services

The area other services is composed of non-traditional payment services along with additional features. Other services ecosystems where a service provider (SP) can enter are presented below.

2.2.4.3.1 Ticketing

The ticketing service is an in-application² payment method where the end user buys and receives the ticket within the application.
This does not only simplify the purchase procedure for the end user but also enhances the validation possibilities for the seller due to the possible incorporation of barcode and OTT verification. Examples of tickets can be public transportation, events and more.

2.2.4.3.2 Voting

Voting is an in-application payment method where the end user can purchase votes for TV shows such as Idol (or other similar shows where voting from the audience and the viewers is common). The service also has the possibility to use dimension voting, where the voter can grade their vote, i.e. on a scale 1-5, which generates more votes and therefore also revenue streams.

² In-application is defined as an application that is downloaded to the user's phone with all the functionalities embedded.
2.2.4.3.3 Loyalty

The loyalty feature is an in-application feature that the end user can connect their different loyalty programs to, in order to earn points on purchases. It is also possible to use points to complete purchases.

2.2.4.3.4 Purchase codes

The purchase code payment method allows the user to, within an in-application, purchase merchandise that has been promoted with a certain purchase code in for example magazines, billboards, TV commercials etc. The end user simply enters the purchase code in the application and the merchandise will be sent to the registered address.

2.2.4.3.5 Coupons

The coupon feature enables the user to consume their digital coupons received through different loyalty programs or special hand-out offers.

2.2.5 Mobile security

2.2.5.1 Secure login

The secure login service replaces security solutions such as security tokens, one-time pass codes and digital certificates, and gives banks a secure and cost efficient authentication solution. The secure login service enables the end user to use their mobile phone as the security device. Since the mobile phone is a device that the end user carries with him/her at all times, using the mobile phone as a security device will increase the accessibility to the internet bank and also eliminate costs associated with manufacturing and distribution of hardware.

2.2.5.2 Secure signature

The signature service allows the end user to sign different actions taken within the mobile application. Actions that can be used for signing are different types of transactions, increasing/decreasing credit limits, loan applications etc.
The service provides a complete "Sign what you see" experience and is compliant with EU Directive 1999/93/EC on advanced electronic signatures, giving the end user a complete overview of the exact data he/she is signing.

2.2.6 E-ID

The e-ID solution basically consists of secure login and secure signature but with the addition of ecosystem components in order to be able to function in a global ecosystem.
2.3 ME client

The ME client is a thin application (previously in this documentation defined as a security client application but from now on defined as the "safe frame") consisting of different security features that create a safe frame, which is a connected security application that is installed on the end user's mobile device. The client safe frame is a thin client with sophisticated security features which connects to the ME core server. The safe frame enables the user to perform transactions in a secure way.

Key features
• Security application installed over the air
• True PKI secure client
• Thin client
• Advanced security features
• PIN code protected
• Connects to transaction server when started
• Instant provisioning
• GUI controlled from server
• Flexibility in terms of branding
• Supports most handsets

The Safe Frame can also be implemented as a library on to existing mobile banking applications. By doing so, a security layer is attached to the existing mobile banking solution, allowing for the execution of transactional services.
2.4 ME core server

The ME core server manages the integrity of each user and each client safe frame. It is an integral part of the security and service enabled through the ME client; the core transaction server is flexible in terms of configurations and new services.

Key features
• Advanced security features
• Flexibility in terms of configuration
• Flexibility in terms of branding
• Instant provisioning of new services
• Scalability

2.5 ME ecosystem server

The ecosystem server components enable routing of transactions in a multiple system with several independent service providers in one common ecosystem. There are several components within the ecosystem server:
• Inter transaction router (ITSR) is the component that enables routing of authentication transactions in a multiple system and handles integrations to banks for account integration and enrolment.
• Other service router (OSR) connects different service providers, as well as routing components that enable routing of other service transactions such as ticketing and loyalty programs.
• The electronic ID router is a routing component for signatures and authentications in an electronic ID ecosystem.
3 ME system description

3.1 Logical view

The logical view below explains the structure of the services offered within the ME platform. The services can be of two generic types: local services or ecosystem services. Local services are directly integrated in the transaction server and global ecosystem services are integrated to an ecosystem component.

3.2 Function description

The functional description defines the user experience of the different services and other functionalities like enrolment and 3-factor authentication. All the services need integration towards external systems in order to be operational.
3.2.1 Enrolment

This section defines the user experience for enrolment through a website.
1. The user enrols to the mobile solution through the bank's website by entering his/her MSISDN (mobile telephone number)
2. The bank's site displays an activation code for the mobile application
3. The user downloads the application
4. The user enters the activation code and chooses his/her PIN

* Note that the enrolment process might differ for different operating systems.
3.2.2 Mobile banking

This section describes the user experience for an informational mobile banking service.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses account balance
3. The application displays the current account balance
3.2.3 Secure credit card

This section describes the user experience of a 3-D secure purchase.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses secure credit card
3. The card is activated for purchases
4. The user chooses the item to buy and enters the credit card information at the merchant site
5. The merchant site requests the user to verify the purchase in the mobile application
6. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN
7. The status of the purchase is displayed in the mobile application
8. The status of the purchase is displayed at the merchant's site
3.2.4 Point of sale

This section describes the user experience for a POS purchase.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses Payment
3. The mobile application informs the user to either use NFC or the OTT process in order to initiate the purchase
4. The user either swipes the phone over the point of sale terminal or gives the merchant the OTT
5. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN
6. The status of the purchase is displayed in the mobile application
7. The point of sale terminal prints the receipt of the purchase
3.2.5 Online

This section defines the user experience for an online purchase using an OTT.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses Payment
3. The mobile application displays an OTT valid for the transaction
4. The user chooses the item to buy and enters the OTT at the merchant site
5. The merchant site requests the user to verify the purchase in the mobile application
6. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN
7. The status of the purchase is displayed in the mobile application
8. The status of the purchase is displayed at the merchant's site
3.2.6 Person-to-person

This section defines the user experience for a person-to-person transfer.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The sender and the receiver choose person-to-person transfer
3. The sender chooses send money
4. The receiver chooses receive money
5. The sender enters the amount of the transfer
6. The receiver communicates his/her MSISDN or the OTT to the sender
7. The sender enters the MSISDN or the OTT
8. The sender's mobile application displays the information regarding the transfer and asks the sender to verify it with his/her PIN
9. The status of the transfer is displayed in the sender's mobile application
10. The status of the transfer is displayed in the receiver's mobile application
3.2.7 Man-to-machine

This section defines the user experience for a man-to-machine purchase, in this case a vending machine.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses vending machine purchase
3. The user enters the serial number of the machine in the mobile application
4. The mobile application returns with the information about the location of the machine, asking for the amount to transfer along with verification with the PIN
5. The status of the transfer is displayed in the mobile application
6. The user can now, depending on the service of the machine, choose which product/service to collect
3.2.8 Remittance

This section defines the user experience for a remittance.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses remittance
3. The sender enters the amount
4. The sender enters the recipient's MSISDN
5. If the receiver isn't in active state (initiated application) the sender receives information about it
6. The sender's mobile application displays the information regarding the transfer and asks the sender to verify it with his/her PIN
7. The status of the transfer is displayed in the sender's mobile application
3.2.9 Secure login

This section defines the user experience for login.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses Login
3. The mobile application displays an OTT valid for the login
4. The user enters the OTT at the website
5. The site requests the user to verify the login in the mobile application
6. Information regarding which website the user attempts to log in to is displayed in the mobile application and the user verifies the login by entering his/her PIN
7. The mobile application confirms the login.
8. The user is now logged in at the website
3.2.10 Secure signature

This section defines the user experience for a secure signature.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses signature
3. Signature mode is activated
4. On the website the user confirms to go ahead and sign an action
  35. 35. 5. The site requests the user to verify the 6. The user receives the informationaction in the mobile application regarding the action he/she want to sign, and is asked to verify it with its PIN7. The status of the signature is 8. The status of the signature isdisplayed in the mobile application displayed at the websiteME Standard Product Description 33(44)
3.2.11 e-ID
3.2.11.1 Authentication
This section defines the user experience for a login with an e-ID.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses Login.
3. The mobile application displays an OTT valid for the login.
4. The user enters the OTT at the website.
5. The site requests the user to verify the login in the mobile application.
6. Information regarding which website the user attempts to log in to is displayed in the mobile application and the user verifies the login by entering his/her PIN.
7. The mobile application confirms the login.
8. The user is now logged in at the website.
3.2.11.2 Signature
This section defines the user experience for a signature with an e-ID.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses signature.
3. Signature mode is activated.
4. On the website the user confirms to go ahead and sign an action.
5. The site requests the user to verify the action in the mobile application.
6. The user receives the information regarding the action he/she wants to sign, and is asked to verify it with his/her PIN.
7. The status of the signature is displayed in the mobile application.
8. The status of the signature is displayed at the website.
3.2.12 3 factor authentication
This section defines the user experience of the 3 factor authentication solution that can be applied for application login, site login or signature.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses verify voice.
3. The user presses the start recording button.
4. The user verifies his/her voice by recording the text being displayed in the mobile application.
5. The mobile application displays the result of the voice verification.
* Note that an enrolment of the voice is necessary prior to being able to execute voice verification.
4 Security
The basic idea behind the ME solution is to use a secure connection to a mobile phone to authenticate a user. To obtain a high security level it is crucial to first create a secure and safe origin authentication and then, in a very secure manner, contain and reuse that origin authentication. The ME system uses, in its current version, 2FA (2 Factor Authentication) to obtain the secure link to the origin authentication. The two factors used are:
• Something you have. In this case the identity of the application installed in a specific phone, with a specific MSISDN, where a specific set of asymmetric keys is stored. The asymmetric keys are a common RSA key set. The private part is stored on the mobile device and the public key is stored on the server (as in standard PKI).
• Something you know. A PIN code/pass phrase of any length and any mix of digits and characters. The PIN/pass phrase is always validated on the server side to avoid brute forcing. It is possible to implement any business logic and rules for PIN/pass phrase use and reuse.
The ME solution is built with a true secure connection between the server (TS) and the client. Within that secure channel different services can be offered to the user. This concept is called Safe Frame and is a key foundation of the security in ME.
The asymmetric keys stored in the client are stored in the common memory space integrated with the client SW. In the ME solution the unique client SW with its asymmetric keys is bound to the mobile phone, the operator and the MSISDN. By doing that it is ensured that the application and the keys cannot be moved or copied for use in other devices. This ensures that the right device must be used and prevents mass fraud.
The ME solution is built to be able to use multiple asymmetric keys and multiple certificates. This means that every single service can have its own keys and certificates.
ME has an advanced security architecture and the security level is achieved by its technical design, by the technical components and also by its processes. ME is a 2-factor solution using a private key infrastructure for the communication between the application and the server. ME stores the private keys in the application. The private keys are protected by a number of checks that are processed when a client connects to the server side to ascertain the integrity of the application and the user. Another important security component is that ME uses two simultaneous communication lines to execute an authorization. A third factor using biometric properties, such as voice or face recognition, can be added to the solution.
4.1 Threat and mitigation
Threat                                                   Possibility    Mitigation
Stolen phone + security application                      Possible       PIN Control, Revoke
Stolen phone + security application + PIN                Unlikely       Revoke
Stolen security application                              Very unlikely  PIN Control, IMEI, SIM validation
Stolen security application + PIN                        Very unlikely  PIN Control, IMEI, SIM validation
Stolen security application + PIN + IMEI                 Very unlikely  PIN Control, IMEI, SIM validation
Stolen client application + PIN + IMEI + proxy install   Very unlikely  Prefix OTT
Stolen client application + PIN + IMEI + proxy install   Very unlikely  3 factor authentication
4.2 Mobile client security
Each client application is uniquely distributed and contains a unique identity combined with a private RSA key; the size of the key varies from 512 bit to 2048 bit depending on the speed of the target handset. The key in combination with the identity of the application is used to establish a secure 256-bit AES encrypted connection with the server.
The server controls which key size to use, depending on the phone model. The connection with the server is socket based, not HTTP, in order to avoid the risk of "session hijacking". The client application can be seen as a tiny browser with built-in client certificate authentication, locked with a PIN code.
The clients are also linked to the phone's serial number and implement processes to verify the SIM to prevent future attacks like Trojans and key loggers on mobile devices. This makes the software based certificate in the client "hard", preventing use on another device.
An Accumulate developed TCP server handles the connection with the clients using only asynchronous IO to allow many connections without using a lot of application threads. Any number of TCP servers can be deployed (using a load balancer) and the TCP server communicates with the core components using EJB. The core components can communicate back with the TCP server to push a confirmation to a user directly on the socket channel.
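As an added example (not Accumulate's code) of the device binding described in 4.2 and the PIN Control and Revoke mitigations in the table in 4.1: a Python model of the server-side check in which the client identity, MSISDN, IMEI and SIM must match the enrolment record, the PIN is validated on the server, and a record can be revoked for a stolen phone. The three-attempt limit, the field names and the sample identifiers are assumptions; the RSA key verification itself is left out of the model.

```python
import hmac
from dataclasses import dataclass

MAX_PIN_FAILURES = 3  # assumed policy; the page leaves the PIN rules to business logic


@dataclass
class Enrolment:
    """Server-side record for one distributed client (field names assumed)."""
    app_id: str        # identity of the unique client software
    msisdn: str        # subscriber number the client is bound to
    imei: str          # phone serial number the client is linked to
    iccid: str         # SIM identifier used for SIM validation
    pin: str           # PIN is validated here, never inside the client
    failures: int = 0
    revoked: bool = False


class ClientRegistry:
    def __init__(self):
        self.records = {}

    def enrol(self, record):
        self.records[record.app_id] = record

    def revoke(self, app_id):
        """Stolen phone mitigation from the table: the client identity is revoked."""
        if app_id in self.records:
            self.records[app_id].revoked = True

    def authenticate(self, app_id, msisdn, imei, iccid, pin):
        """Return (ok, reason); the device checks run before the PIN is looked at."""
        rec = self.records.get(app_id)
        if rec is None or rec.revoked:
            return False, "unknown or revoked client"
        # "Something you have": client, MSISDN, IMEI and SIM must all match.
        bound = (
            hmac.compare_digest(rec.msisdn, msisdn)
            and hmac.compare_digest(rec.imei, imei)
            and hmac.compare_digest(rec.iccid, iccid)
        )
        if not bound:
            return False, "device binding mismatch"
        if rec.failures >= MAX_PIN_FAILURES:
            return False, "pin locked"
        # "Something you know": compared on the server, so every guess is counted.
        if not hmac.compare_digest(rec.pin, pin):
            rec.failures += 1
            return False, "wrong pin"
        rec.failures = 0
        return True, "ok"
```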
5 Scalability
ME is, both from an application and an infrastructure point of view, fully scalable. It is possible to add any number of ME server instances, and each server can have an unlimited number of users connecting. There are no bottlenecks when it comes to transactions.
Vertical scaling is normally not applicable; the only time it might be the best scaling method is when more in-memory database storage is required without an actual need for more CPU capacity. In this situation, a simple upgrade of RAM is the most efficient upgrade. Normally, horizontal scaling is used to improve capacity, even though the most common method to improve performance is code or configuration improvements.
Load balancing is done through Linux Virtual Server using direct routing (DR) and using keepalive as heartbeat between the master and the slave. This allows the addition of virtually any number of real servers without the load balancer being a bottleneck.