Optimising and simplifying authentication and authorization services_ Martin Prošek Telefónica Czech Republic 06.11.2013

Mobile Identity 2013 - Optimising and simplifying authentication and authorization services


DESCRIPTION

This presentation briefly describes the identification methods used by a mobile operator. The main method is SIM-based identification, but it fails in some cases. The presentation describes several technical solutions and interaction scenarios used for identification: network-based identification, MT SMS OTP, cookies, certificates. Risks for mobile content payments are also covered.


  • 1. Optimising and simplifying authentication and authorization services_ Martin Prošek, Telefónica Czech Republic, 06.11.2013
  • 2. About Telefónica Czech Republic: fixed and mobile voice and data, IPTV. Operated under the commercial brand O2. DISCOVER, DISRUPT, DELIVER
  • 3. Mobile Operator Identification Security: the SIM card is a secure asset giving access to the network, protected by a PIN. No further interactions are needed.
  • 4. SIM-based Identification: simple, convenient, and fully sufficient for telco payments (voice, SMS, data). It fails in cases when the phone is stolen, the phone is borrowed, data access is shared over WiFi, or for corporate users.
  • 5. Technical Solution, Internal Server: the AAA server resolves the IP address to the MSISDN, which is then used for authorization.
  • 6. Technical Solution, Internal + External Server. Typical example: WAP Gateway. The AAA server resolves the IP address to the MSISDN and the gateway performs header enrichment (X-Nokia-msisdn: 420602607977) before the request is authorized.
  • 7. Technical Solution, Internal + External Server: a header-enriched request as seen by the external server, and its response.

      GET / HTTP/1.1
      Host: m.o2.cz
      User-Agent: Mozilla/5.0 (SymbianOS/9.3; Series60/3.2 NokiaE72-1/031.023; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 4 BrowserNG/7.2.3.1
      x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE72-1r100.xml"
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en,cs;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: keep-alive
      Cache-Control: max-age=0
      X-Nokia-msisdn: 420602607977

      HTTP/1.0 200 OK
      Server: Apache-Coyote/1.1, Apache-Coyote/1.1
      Cache-Control: no-cache
      x-cocoon-version: 2.0.3
      Expires: Fri, 31 Dec 1999 23:59:59 GMT
      Date: Wed, 06 Nov 2013 07:19:46 GMT
      Vary: Accept-Encoding
      Pragma: no-cache
      Content-Type: text/html;charset=UTF-8
      Content-Encoding: gzip
      X-Cache: MISS from proxy1, MISS from Proxy1R
      Connection: close
  • 8. Technical Solution, Smartphone Application: the app calls the API; the AAA server resolves the IP address to the MSISDN (420602607977).
  • 9. Technical Solution, WiFi: the MSISDN is available if the operator's WLAN is used; otherwise login by username and password, MT SMS One-Time Password, or tricks such as cookies and certificates.
  • 10. Technical Solution, WiFi with MT SMS OTP: the server sends an OTP for the user's MSISDN through the SMSC API as an MT SMS; the user enters the OTP and the server authorizes the request.
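The two scenarios above (the enriched X-Nokia-msisdn header of slides 6 and 7, and the MT SMS OTP fallback of slide 10) share one server-side decision: the header is only evidence of identity when the operator gateway put it there, and any other path must fall back to the OTP exchange. The following is an added example, not code from the presentation or from Telefónica; the gateway address, the MSISDNs and the SMSC hand-off callback are constructed placeholders.

```python
import hmac
import ipaddress
import secrets
import time

# Constructed address of the operator's WAP gateway (the only peer that sets the header).
TRUSTED_GATEWAYS = {ipaddress.ip_address("10.20.0.5")}
MSISDN_HEADER = "x-nokia-msisdn"  # header name shown on the slides


def msisdn_from_request(peer_ip, headers):
    """Return the network-resolved MSISDN, or None when it cannot be trusted.

    The enriched header only proves anything when the operator gateway added it;
    a request arriving over any other path (e.g. WiFi) may carry an arbitrary,
    client-supplied value in the same header, so it is ignored there.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_GATEWAYS:
        return None
    value = {k.lower(): v for k, v in headers.items()}.get(MSISDN_HEADER, "")
    return value if value.isdigit() and 9 <= len(value) <= 15 else None


class OtpStore:
    """MT SMS OTP fallback: a short-lived code per MSISDN, single use,
    bounded attempts, constant-time comparison."""

    def __init__(self, ttl=300, max_attempts=3, now=time.time):
        self.ttl, self.max_attempts, self.now = ttl, max_attempts, now
        self._pending = {}  # msisdn -> (otp, expiry, attempts_left)

    def issue(self, msisdn, send_sms):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[msisdn] = (otp, self.now() + self.ttl, self.max_attempts)
        send_sms(msisdn, otp)  # hand-off to the SMSC; the caller supplies the transport

    def verify(self, msisdn, candidate):
        entry = self._pending.get(msisdn)
        if entry is None:
            return False
        otp, expiry, attempts_left = entry
        if self.now() > expiry or attempts_left <= 0:
            del self._pending[msisdn]  # expired or exhausted: require a fresh OTP
            return False
        if hmac.compare_digest(otp.encode(), candidate.encode()):
            del self._pending[msisdn]  # one-time: consumed on success
            return True
        self._pending[msisdn] = (otp, expiry, attempts_left - 1)
        return False
```

In a real deployment the trusted-peer check belongs at the reverse proxy or WAF in front of the application, and the proxy should strip any inbound X-Nokia-msisdn header before adding its own.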
  • 11. Technical Solution, App on WiFi with MO SMS: the app sends an MO SMS carrying a token to the operator; the server matches the token and authorizes the request.
  • 12. Mobile Content Payments: a natural extension of payments for telco services; mobile payments with 3rd parties are the next step. Issues: authentication is no longer only for the operator, the merchant is included; the goods are intangible.
  • 13. Mobile Content Payments Risks: communication between the app, the operator and the provider is not direct anymore, so man-in-the-middle (M-I-M) attacks are possible. Even the app itself can compromise the payment security: app-in-the-middle (A-I-M)*. * Known examples: fraudulent Premium SMS sending.
  • 14. Mobile Content Payments Risks. Typical example: OAuth between the app, the operator and the server.
  • 15. Summary: mobile operators are still in the best position to assure reliable identification of users. NETWORK BASED IDENTIFICATION: using the SIM card; using other data (location, terminal information). PASSWORD BASED IDENTIFICATION: combined with the network, it creates reliable multifactor authentication. IDENTITY FEDERATION: evolves from the walled garden to the modern web environment.