Mobile Financial Services
Moldova ICT Summit, 18-19 May 2011
March 2011

Evgeny Bondarenko
Deputy General Director, Intervale, Russia
Vice-Chairman ITU-D SG2
Vice-Rapporteur Q17-3/2
E-mail: bondarenko@intervale.ru
Prerequisites and factors

Payment and mobile services market volume

Payment card users worldwide: 1.6 billion (2008)

Mobile services users worldwide:
  1.3 billion (2003)
  2.4 billion (2006)
  3.1 billion (2008)
  5.3 billion (2010)

According to Edgar Dunn & Company, 2007-2008, and ITU-D surveys

Is there a life without the mobile phone?

60%*1  take the mobile phone to bed
72%*2  use the mobile phone as the alarm clock
73%*2  use the mobile phone instead of the watch
33%*2  fear losing the mobile phone more than losing the wallet

*1 BBDO survey, 3,000 users worldwide
*2 5,500 Nokia users

Resume

• The penetration rate of mobile services and NGN networks is very high.

• The only worldwide-spread mass retail non-cash means of payment is the bank card, mainly branded by international payment systems.

• Existing payment systems have a limited penetration rate because they require substantial investment in payment infrastructure (bank branches, kiosks, POS terminals, etc.).

• The security level is low because of the technological imperfection of the business schemes: there is a lot of low-volume fraud, and the losses are shifted onto the market participants.

The Mobile Phone for Clients

Services the bank can deliver through the client's mobile phone (the slide's diagram places them around a "Bank" hub):
• Account management
• Information services
• Mobile marketing
• Subscription
• Asset management
• Authentication
• Money transfer
• MVNO
• NFC

Mobile information and financial services

Mobile information and financial services

Mobile information and financial services = Mobile banking + M-commerce

Mobile Banking Services

Most convenient
Most available
Most secure

If powered by Mobile Operator capabilities

Mobile Banking

Mobile banking provides an innovative and secure way of remote access to traditional banking services:
  • Personalized information
     • Various notifications
     • Subscription and service requests
     • Channel for personalized or special offers
  • Banking services
     • Account management
     • Transaction policies definition
     • Remittances
     • Currency conversion
     • Transaction requests
  • Payments
     • Bill payments
     • Top-ups

M-commerce

M-commerce = Mobile payments + NFC

Operator-oriented model

Participants in the slide's diagram:
• Users
• Mobile Operator
• Mobile Service Provider (MSP), placed between the Mobile Operator and the banks
• Merchants
• Bank Issuers (two shown)
• Bank Acquirers (two shown)
• Payment System

Bank-oriented model

Participants in the slide's diagram:
• Users
• Merchants
• MSP / Bank (the MSP function sits with the bank; the diagram shows two such pairs)
• Payment Gate
• Bank Acquirer
• Payment System

Example of the Mobile Client Application

Security



The system of user identification and authentication provides the security of Mobile Payment System transactions. This solution consists of software and hardware modules, is based on communication security principles, and combines the security technologies of wireless communication with those of the international payment systems.

Security

• Confidentiality (encrypted messages between Agency and Client)
• Integrity of data
• Non-repudiation: impossibility of repudiating a transaction or disputing its authorship
• Multi-factor authentication (establishment of authority)
   – Knows something
   – Owns something

Geneva, 30 March 2011
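The slide names the two factors ("knows something", "owns something") but no mechanism. The following is an added example, not code from the slide deck or from Intervale, showing one way a service side can check both factors: the "knows" factor is a salted PBKDF2 password verifier, and the "owns" factor is an HOTP token (RFC 4226) whose secret is held on the client's device. The account data, password and token secret are constructed for the example; the token secret is the RFC 4226 test-vector key so the one-time codes can be checked against the published values.

```python
"""Two-factor login check: "knows something" (password) plus "owns something" (OTP token).

Added example, not code from the slide deck or from Intervale.  The password factor is
a salted PBKDF2 verifier; the possession factor is an HOTP token (RFC 4226) whose secret
lives on the client's device.  All account data below is constructed.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def make_password_record(password: str) -> dict:
    """Store a salted, stretched verifier rather than the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])       # constant-time compare


class Account:
    """Server-side state for one user: password verifier, token secret, next OTP counter."""

    def __init__(self, password: str, token_secret: bytes):
        self.password_record = make_password_record(password)
        self.token_secret = token_secret
        self.next_counter = 0


def authenticate(account: Account, password: str, otp: str, look_ahead: int = 3) -> bool:
    """Both factors must pass.  The OTP counter advances only on a fully successful login,
    and a counter value that has already been used is never accepted again (no replay)."""
    password_ok = check_password(account.password_record, password)
    matched = None
    for counter in range(account.next_counter, account.next_counter + look_ahead):
        if hmac.compare_digest(hotp(account.token_secret, counter), otp):
            matched = counter
            break
    # Both factors are evaluated before the decision; the result does not say which failed.
    if not (password_ok and matched is not None):
        return False
    account.next_counter = matched + 1
    return True


if __name__ == "__main__":
    acct = Account("correct horse battery", b"12345678901234567890")   # constructed secret
    print(authenticate(acct, "correct horse battery", hotp(acct.token_secret, 0)))  # True
    print(authenticate(acct, "correct horse battery", hotp(acct.token_secret, 0)))  # False: replay
```

The look-ahead window lets a token that was pressed a few times without logging in resynchronise, while still rejecting any code at or below the last accepted counter, so a captured one-time code cannot be replayed.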
ITU-T X.805 Recommendation.
Eight Security Dimensions

• Access Control: limit and control access to network elements, services and applications. Examples: password, ACL, firewall.
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate.
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures.
• Data Confidentiality: ensure confidentiality of data. Example: encryption.
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP.
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software.
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR.
• Privacy: ensure identification and network use are kept private. Examples: NAT, encryption.

ITU-T X.805 Security Architecture for Systems Providing End-to-End Communications
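The Data Integrity dimension lists MD5 among its examples. The following added example (not part of the slide deck or of X.805 itself) shows what an unkeyed digest does and does not give you for "received as sent": it catches a transmission error, but a message protected only by MD5 can be changed by any intermediary who recomputes the digest, whereas a keyed tag (HMAC under a shared secret, the mechanism named in the Authentication examples) cannot be regenerated without the key. The payment message and the shared key are constructed.

```python
"""Data integrity in transit: unkeyed digest versus keyed MAC.

Added example, not from the slide deck.  Shows why an MD5 digest alone only detects
accidental corruption, and why an HMAC under a shared secret is what binds
"received as sent" to the sender.  Message and key below are constructed.
"""
import hashlib
import hmac

# Constructed sample payment message and a constructed shared key (client <-> MSP).
MESSAGE = b"transfer;from=ACC001;to=ACC002;amount=150.00;currency=RUB"
SHARED_KEY = b"example-key-shared-between-client-and-MSP"


def protect_unkeyed(message: bytes) -> tuple[bytes, str]:
    """Message plus its MD5 digest, an unkeyed integrity check."""
    return message, hashlib.md5(message).hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.md5(message).hexdigest(), digest)


def protect_keyed(key: bytes, message: bytes) -> tuple[bytes, str]:
    """Message plus an HMAC-SHA256 tag that only a key holder can produce."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def corrupt_in_transit(message: bytes) -> bytes:
    """Model of a transmission error: one flipped bit."""
    data = bytearray(message)
    data[-1] ^= 0x01
    return bytes(data)


def rewrite_without_key(message: bytes, old: bytes, new: bytes) -> tuple[bytes, str]:
    """What any intermediary can do to a message protected only by an unkeyed digest:
    change the content and recompute the digest, since MD5 needs no secret."""
    changed = message.replace(old, new)
    return changed, hashlib.md5(changed).hexdigest()


def outcomes() -> dict:
    """Run the four cases and report what each check accepts."""
    msg, digest = protect_unkeyed(MESSAGE)
    msg_k, tag = protect_keyed(SHARED_KEY, MESSAGE)
    changed, new_digest = rewrite_without_key(MESSAGE, b"amount=150.00", b"amount=950.00")
    return {
        "unkeyed_detects_bit_flip": not verify_unkeyed(corrupt_in_transit(msg), digest),
        "keyed_detects_bit_flip": not verify_keyed(SHARED_KEY, corrupt_in_transit(msg_k), tag),
        # The weakness: the rewritten message carries a valid digest and is accepted.
        "unkeyed_accepts_rewrite": verify_unkeyed(changed, new_digest),
        # The original tag no longer matches, and a new one cannot be made without the key.
        "keyed_accepts_rewrite": verify_keyed(SHARED_KEY, changed, tag),
    }


if __name__ == "__main__":
    for case, accepted in outcomes().items():
        print(f"{case}: {accepted}")
```

The comparison functions use `hmac.compare_digest` in both cases so that a verifier does not leak, through timing, how many leading bytes of a tag were correct.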
ITU-T X.805 Recommendation.
Secured Platform: Three Security Layers

Diagram: the three layers (Applications Security, Services Security, Infrastructure Security) are stacked; VULNERABILITIES can exist in each layer, and ATTACKS give rise to the THREATS of Destruction, Corruption, Removal, Disclosure and Interruption.

1 - Infrastructure Security Layer:
• Fundamental building blocks of networks, services and applications
• Examples:
   – Individual routers, switches, servers
   – Point-to-point WAN links
   – Ethernet links

2 - Services Security Layer:
• Services provided to end-users
• Examples:
   – Basic IP transport
   – IP support services (e.g., AAA, DNS, DHCP)
   – Value-added services (e.g. VPN, VoIP, QoS)

3 - Applications Security Layer:
• Network-based applications accessed by end-users
• Examples:
   – Basic applications (e.g. FTP, web access)
   – Fundamental applications (e.g. email)
   – High-end applications (e.g. e-commerce, e-government, e-learning, e-health, etc.)

• Each Security Layer has unique vulnerabilities and threats
• Infrastructure security enables services security, which in turn enables applications security

ITU-T X.805 Security Architecture for Systems Providing End-to-End Communications
ITU-T Y.2740 Recommendation.
Four Security Levels of a Mobile Payment System

The slide's table gives, for each security dimension, the requirement at each of the four security levels (Level 1 to Level 4). Reconstructed row by row:

Access Control (all levels):
  The access to every system component shall be granted only as provided by the System personnel or end-user access level.

Authentication:
  Level 1: The authentication in the System is ensured by the NGN data transfer environment.
  Level 2: Single-factor authentication at the System services usage.
  Level 3: Multi-factor authentication at the System services usage.
  Level 4: In-person connection to services where personal data with obligatory identification is used. Multi-factor authentication at the System services usage. Obligatory usage of a Hardware Cryptographic Module.

Non-repudiation (all levels):
  The impossibility of a transaction initiator or participant to deny his or her actions upon their completion is ensured by legally stated or reserved in mutual contracts means and accepted authentication mechanisms. All system personnel and end-user actions shall be logged. Event logs shall be change-proof and hold all actions of all users.

Data confidentiality, Data integrity and Privacy:
  Levels 1 and 2: At data transfer, their confidentiality is ensured by the data transfer environment (communications security), and by the mechanism of data storage together with the means of system access control – at data storage and processing. Privacy is ensured by the absence of sensitive data in the messages being transferred as well as by the implementation of the required mechanisms of data storage and the System access control facilities. The System components must not have latent possibilities of unauthorized data acquisition and transfer.
  Level 3: At message transfer, data confidentiality is ensured by additional message encryption together with data transfer protocols that ensure the security of the data being transferred by the interoperation participants (including data integrity verification); at data storage and processing, their confidentiality, integrity and privacy are ensured by additional mechanisms of encryption and masking together with a well-defined distribution of access in concordance with privileges and permissions.
  Level 4: The implementation of the Level 3 requirements with the obligatory usage of hardware cryptographic and data security facilities on the Client's side (Hardware Cryptographic Module).

Communication security (all levels):
  The delivery of a message to the addressee is ensured, as well as the security against unauthorized disclosure at the time of transfer over the communications channels. It is ensured by the NGN communications providers.

Availability (all levels):
  It ensures that there is no denial of authorized access to the System data and services. Availability is assured by the NGN communications providers as well as the service providers.

ITU-T Y.2740 Security requirements for mobile remote financial transactions
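The Non-repudiation row requires that all personnel and end-user actions be logged and that the event logs be change-proof. The following is an added example, not ITU's or Intervale's code, of one way to make a log change-proof: each record is bound to the previous record's tag (a hash chain) and sealed with an HMAC under a key held only by the log service, so an edited, deleted or reordered record fails verification at that point. Removal of trailing entries is the one change a chain by itself cannot see, so the verifier also accepts the latest tag published elsewhere (for instance returned to the user as a receipt) and checks the chain ends there. The events, actors and key are constructed.

```python
"""Change-proof event log, as required by the Y.2740 Non-repudiation row.

Added example, not ITU's or Intervale's code.  Every record is chained to the one
before it and sealed with an HMAC under the log service's key.  Events are constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS_TAG = "0" * 64          # chain anchor for the first record
RECORD_FIELDS = ("seq", "actor", "action", "details")


def _seal(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC over the previous tag and a canonical JSON form of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, actor: str, action: str, details: dict) -> dict:
    """Append one entry; sequence number and previous tag are fixed by the log itself."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {"seq": len(log), "actor": actor, "action": action, "details": details}
    entry = dict(record, prev=prev_tag, tag=_seal(key, prev_tag, record))
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes, expected_last_tag: Optional[str] = None):
    """Return (True, None) for an intact log, else (False, index of the first bad entry).
    Passing the last tag published elsewhere also catches removal of trailing entries,
    which the chain on its own cannot detect."""
    prev_tag = GENESIS_TAG
    for index, entry in enumerate(log):
        record = {field: entry[field] for field in RECORD_FIELDS}
        if (entry["seq"] != index or entry["prev"] != prev_tag
                or not hmac.compare_digest(_seal(key, prev_tag, record), entry["tag"])):
            return False, index
        prev_tag = entry["tag"]
    if expected_last_tag is not None and prev_tag != expected_last_tag:
        return False, len(log)
    return True, None


def sample_log(key: bytes) -> list:
    """Three constructed events from a mobile payment flow."""
    log = []
    append_event(log, key, "user:7011", "login", {"factors": 2})
    append_event(log, key, "user:7011", "payment", {"amount": "150.00", "to": "MERCHANT-42"})
    append_event(log, key, "operator:ops1", "limit_change", {"user": "7011", "daily": "1000.00"})
    return log


if __name__ == "__main__":
    key = b"constructed-log-service-key"
    log = sample_log(key)
    print(verify_log(log, key))                      # (True, None)
    edited = copy.deepcopy(log)
    edited[1]["details"]["amount"] = "1.00"          # a quiet edit of the payment amount
    print(verify_log(edited, key))                   # (False, 1)
```

Because the seal covers the record's own sequence number and the previous tag, deleting a middle entry or swapping two entries is reported at the first position where the chain no longer lines up, and a log produced under a different key fails at entry 0.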
ITU-T Y.2741 Recommendation.
Architecture of MPS

Participants in the slide's architecture diagram:
• Client
• Mobile operator, acting as:
   – Security provider
   – Client authentication
   – Service provider (MSP)
• Merchant
• Issuer (interface labelled iMAP)
• Acquirer (interface labelled aMAP)

ITU-T Y.2741 Architecture of secure mobile financial transactions
Projects

Main successfully implemented projects

Mobile banking and M-commerce, bank-oriented models:
  • Gazprombank (Java, Windows Mobile and iPhone applet, SMS)
  • Halyk-bank (STK applet, Java, Windows Mobile and iPhone applet, SMS)
  • Raiffeisen Bank Russia (Java and Windows Mobile applet, SMS)
  • Rosbank (Java, Windows Mobile and iPhone applet, SMS)
  • Sberbank (Java and Windows Mobile applet, SMS)

Operator-oriented models:
  • MTS (STK applet, Java, Windows Mobile and iPhone applet, SMS, bank account)
  • Megafon (WAP, operator account)

Summary

Summary

• Currently, the penetration rate of mobile services and the development of NGN networks allow new types of services to be organized, not only those directly associated with the main purpose of the networks.

• NGN networks may become a new infrastructure for the convenient and safe conduct of financial transactions.

• Information and financial services based on NGN networks include not only mobile banking and mobile commerce services; in addition, they may become the "infrastructure" basis for providing public services to individual customers.

About the company

About Intervale

Intervale Ltd.
  Mobile services solutions developer and mobile financial transaction provider
  Head Office – Moscow, Russia

Intervale Kazakhstan Ltd.
  Representative office and Mobile Service Provider
  Kazakhstan

Intervale Europe Ltd.
  Representative office
  Czech Republic

Intervale Ukraine Ltd.
  Representative office
  Ukraine

Subsidiaries:
  SmartCardLink
    Mobile Service Provider
    Moscow, Russia
  Mobile Payments Ltd.
    Mobile Service Provider and mobile financial transaction provider
    Belarus

Year of foundation – 1999

Customers – banks, processing companies, mobile operators in Russia, the CIS and Europe

The Intervale solution

The solution is taken as a basis for the standards being developed within ITU (the leading United Nations agency for information and communication technology issues) in collaboration with ISO and UPU.

Thank you!

127083, Moscow, ul. 8 Marta, 10-Б 3
Tel./Fax: +7 (495) 789-8202, +7 (495) 967-6975
E-mail: intervale@intervale.ru
