This presentation briefly describes the identification methods used by a mobile operator. The main method is SIM-based identification, but it fails in some cases. Several technical-solution interaction scenarios used for identification are described: network-based identification, MT SMS OTP, cookies, certificates… Risks for mobile content payments are mentioned.
1. Optimising and simplifying authentication and authorization services
  Martin Prošek, Telefónica Czech Republic, 06.11.2013
2. About Telefónica Czech Republic
  Fixed and mobile voice and data, IPTV
  Operated under the commercial brand O2
  DISCOVER, DISRUPT, DELIVER
3. Mobile Operator Identification Security
  SIM card: a secure asset giving access to the network, protected by PIN
  No further interactions needed
4. SIM-based Identification
  Simple, convenient
  Fully sufficient for telco payments (voice, SMS, data)
  Fails in cases when:
    the phone is stolen
    the phone is borrowed
    data access is shared over WiFi
    corporate users
5. Technical Solution: Internal Server
  The internal server queries the AAA server to resolve the client IP address to the MSISDN, then performs authorization.
6. Technical Solution: Internal + External Server
  Typical example: WAP gateway
  The gateway queries the AAA server to resolve the IP address to the MSISDN and performs header enrichment (X-Nokia-msisdn: 420602607977); the external server performs authorization.
7. Technical Solution: Internal + External Server (captured request and response)
  GET / HTTP/1.1
  Host: m.o2.cz
  User-Agent: Mozilla/5.0 (SymbianOS/9.3; Series60/3.2 NokiaE72-1/031.023; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 4 BrowserNG/7.2.3.1
  x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE72-1r100.xml"
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en,cs;q=0.5
  Accept-Encoding: gzip, deflate
  Connection: keep-alive
  Cache-Control: max-age=0
  X-Nokia-msisdn: 420602607977

  HTTP/1.0 200 OK
  Server: Apache-Coyote/1.1, Apache-Coyote/1.1
  Cache-Control: no-cache
  x-cocoon-version: 2.0.3
  Expires: Fri, 31 Dec 1999 23:59:59 GMT
  Date: Wed, 06 Nov 2013 07:19:46 GMT
  Vary: Accept-Encoding
  Pragma: no-cache
  Content-Type: text/html;charset=UTF-8
  Content-Encoding: gzip
  X-Cache: MISS from proxy1, MISS from Proxy1R
  Connection: close
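The enrichment step on slides 6 and 7 only works as an identification method if the content server trusts the X-Nokia-msisdn header solely when it was set by the operator gateway, not when a client on the open internet or on WiFi supplies it itself. The following Python example is added here and is not code from the slides or from Telefónica: it models the gateway side (strip any inbound MSISDN header, resolve the radio IP through a constructed AAA table, add the header) and the content-server side (accept the header only from the gateway's address). The AAA table, gateway address and all IPs other than the MSISDN quoted on the slides are constructed.

```python
"""
Added example (not part of the original slides): header enrichment on an
operator gateway and the trust check a content server should apply before
using the enriched header. Addresses and the AAA table are constructed.
"""
import ipaddress
from typing import Dict, Optional

MSISDN_HEADER = "X-Nokia-msisdn"

# Constructed AAA session table: radio-side client IP -> MSISDN of the active session.
AAA_SESSIONS: Dict[str, str] = {
    "10.20.30.40": "420602607977",   # MSISDN shown on the slides
    "10.20.30.41": "420602000001",   # constructed
}

# Only TCP peers in this set are the operator gateway; anyone else is untrusted.
GATEWAY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}  # constructed


def resolve_msisdn(client_ip: str) -> Optional[str]:
    """AAA lookup: map the client's radio IP to the MSISDN, or None if unknown."""
    return AAA_SESSIONS.get(client_ip)


def enrich(headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """Gateway side: remove any client-supplied MSISDN header (whatever its
    letter case), then add the header resolved from the AAA session table."""
    out = {k: v for k, v in headers.items() if k.lower() != MSISDN_HEADER.lower()}
    msisdn = resolve_msisdn(client_ip)
    if msisdn is not None:
        out[MSISDN_HEADER] = msisdn
    return out


def trusted_msisdn(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Content-server side: return the MSISDN from the header only when the
    request arrived from the gateway; a direct (WiFi/internet) request yields None."""
    if ipaddress.ip_address(peer_ip) not in GATEWAY_ADDRESSES:
        return None
    for k, v in headers.items():
        if k.lower() == MSISDN_HEADER.lower():
            return v
    return None


if __name__ == "__main__":
    # A handset on the radio network that tries to carry its own header.
    inbound = {"Host": "m.o2.cz", "x-nokia-msisdn": "420999999999"}
    enriched = enrich(inbound, "10.20.30.40")
    print("gateway adds:", enriched[MSISDN_HEADER])          # 420602607977
    print("via gateway:", trusted_msisdn(enriched, "10.0.0.5"))
    print("direct:", trusted_msisdn({MSISDN_HEADER: "420602607977"}, "203.0.113.7"))
```

The same check applies to any enrichment header, not just the Nokia one: the header is an assertion by the gateway, so its value is only as good as the path the request took to reach the server.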
8. Technical Solution: Smartphone Application
  The application calls an API; the API queries the AAA server to resolve the IP address to the MSISDN (420602607977).
9. Technical Solution: WiFi
  MSISDN is available only if the operator's WLAN is used
  Otherwise: login by username and password, or MT SMS One-Time Password
  Tricks: cookies, certificates
10. Technical Solution: WiFi with MT SMS OTP
  The server generates an OTP for the MSISDN and sends it as an MT SMS through the SMSC API; the OTP returned by the user is checked and the server performs authorization.
11. Technical Solution: App on WiFi with MO SMS
  The app obtains a token from the server and sends an SMS with the token to the operator (MO SMS); the operator relays the token together with the originating MSISDN to the server, which performs authorization.
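Slides 9 to 11 describe two ways of binding an MSISDN to a session when the device is on WiFi and the network cannot resolve it: a one-time password delivered by MT SMS (slide 10), and a token that the app sends as an MO SMS so the operator can report the originating number (slide 11). The Python example below is added here and is not the slides' or Telefónica's code; it implements both flows in one small in-memory server with the details a practitioner would expect (OTP stored only as a hash, expiry, attempt limit, single use, constant-time comparison, token replay rejection). The SMSC is a stub that just records outgoing messages; the short code, time limits and the second MSISDN are constructed.

```python
"""
Added example (not from the slides): MT SMS OTP (slide 10) and MO SMS with a
token (slide 11) as one in-memory authentication server. SMSC is a stub;
limits, short code and all numbers except 420602607977 are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300       # constructed limit
OTP_MAX_ATTEMPTS = 3        # constructed limit
TOKEN_TTL_SECONDS = 300     # constructed limit
SHORT_CODE = "12345"        # constructed MO SMS destination


@dataclass
class OtpRecord:
    digest: bytes        # hash of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0


@dataclass
class TokenRecord:
    session_id: str
    expires_at: float


class SmscStub:
    """Stands in for the SMSC API: records MT messages instead of sending them."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def send_mt(self, msisdn: str, text: str) -> None:
        self.sent.append((msisdn, text))


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class AuthServer:
    def __init__(self, smsc: SmscStub, now: Callable[[], float] = time.time) -> None:
        self.smsc = smsc
        self.now = now
        self.otps: Dict[str, OtpRecord] = {}        # MSISDN -> pending OTP
        self.tokens: Dict[str, TokenRecord] = {}    # token -> waiting session
        self.sessions: Dict[str, str] = {}          # session_id -> MSISDN once bound

    # ---- MT SMS OTP (slide 10) ----
    def issue_otp(self, msisdn: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[msisdn] = OtpRecord(_digest(code), self.now() + OTP_TTL_SECONDS)
        self.smsc.send_mt(msisdn, f"Your login code is {code}")

    def verify_otp(self, msisdn: str, code: str, session_id: str) -> bool:
        rec = self.otps.get(msisdn)
        if rec is None or self.now() > rec.expires_at:
            self.otps.pop(msisdn, None)
            return False
        rec.attempts += 1
        if rec.attempts > OTP_MAX_ATTEMPTS:
            del self.otps[msisdn]          # too many guesses: force a fresh OTP
            return False
        if not hmac.compare_digest(rec.digest, _digest(code)):
            return False
        del self.otps[msisdn]              # single use
        self.sessions[session_id] = msisdn
        return True

    # ---- MO SMS with token (slide 11) ----
    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(16)  # the app sends this as an MO SMS to SHORT_CODE
        self.tokens[token] = TokenRecord(session_id, self.now() + TOKEN_TTL_SECONDS)
        return token

    def on_mo_sms(self, from_msisdn: str, text: str) -> bool:
        """Called with the originating MSISDN the operator saw on the MO SMS."""
        rec = self.tokens.pop(text.strip(), None)  # pop: a token binds at most once
        if rec is None or self.now() > rec.expires_at:
            return False
        self.sessions[rec.session_id] = from_msisdn
        return True

    def authorized_msisdn(self, session_id: str) -> Optional[str]:
        return self.sessions.get(session_id)
```

The MSISDN in the MO flow comes from the operator's view of the sending number rather than from anything the app claims, which is the property that makes the flow an identification method and not just a possession check of a shared secret.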
12. Mobile Content Payments
  Natural extension of payments for telco services
  Mobile payments with 3rd parties are the next step
  Issues: authentication is not only for the operator, the merchant is included; intangible goods
13. Mobile Content Payments Risks
  Communication is not direct anymore (Operator, Provider)
  Man-in-the-middle (M-I-M) attacks are possible
  Even the app itself can compromise the payment security: App-in-the-middle (A-I-M)* (App, Operator, Provider)
  * Known examples: fraudulent Premium SMS sending
14. Mobile Content Payments Risks
  Typical example: OAuth (App, Operator, Server)
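Slides 13 and 14 make the point that once the payment path runs App, Operator, Provider rather than directly between user and operator, an intermediary (a proxy, or the app itself) can alter what the provider receives. The Python example below is added here and is not the slides' or Telefónica's design: it shows one mitigation, an operator-signed payment authorization that binds MSISDN, merchant, amount and a fresh nonce with a key shared between operator and provider, so the provider detects a changed amount or merchant, a replayed authorization, or a stale one. The shared key, merchant id, amounts and time limit are constructed; a real deployment would provision the key out of band or use an asymmetric signature.

```python
"""
Added example (not from the slides): operator-signed payment authorization,
verified by the content provider, as an integrity check on the indirect
App -> Operator -> Provider path. Key, merchant, amounts and TTL are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

SHARED_KEY = b"constructed-operator-provider-key"   # constructed; provisioned out of band in practice
AUTH_TTL_SECONDS = 120                               # constructed limit


def _canonical(fields: Dict) -> bytes:
    """Deterministic serialization so both sides sign exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _sign(fields: Dict) -> str:
    return hmac.new(SHARED_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def operator_authorize(msisdn: str, merchant: str, amount_czk: int,
                       now: Optional[float] = None) -> Dict:
    """Operator side: bind identity, merchant, amount and a fresh nonce, then sign.
    The result is what travels through the app to the provider."""
    fields = {
        "msisdn": msisdn,
        "merchant": merchant,
        "amount_czk": amount_czk,
        "nonce": secrets.token_hex(8),
        "issued_at": int(now if now is not None else time.time()),
    }
    return {**fields, "sig": _sign(fields)}


class Provider:
    """Content-provider side: checks signature, expected merchant/amount,
    freshness, and that the nonce has not been presented before."""
    def __init__(self) -> None:
        self.seen_nonces: Set[str] = set()

    def verify(self, auth: Dict, expected_merchant: str, expected_amount: int,
               now: Optional[float] = None) -> bool:
        fields = {k: v for k, v in auth.items() if k != "sig"}
        if not hmac.compare_digest(_sign(fields), str(auth.get("sig", ""))):
            return False                              # altered in transit or forged
        if fields.get("merchant") != expected_merchant:
            return False                              # redirected to another recipient
        if fields.get("amount_czk") != expected_amount:
            return False                              # amount changed by an intermediary
        t = now if now is not None else time.time()
        if t - fields.get("issued_at", 0) > AUTH_TTL_SECONDS:
            return False                              # stale authorization
        if fields["nonce"] in self.seen_nonces:
            return False                              # replay of a valid authorization
        self.seen_nonces.add(fields["nonce"])
        return True


if __name__ == "__main__":
    provider = Provider()
    auth = operator_authorize("420602607977", "shop-1", 50, now=1000)
    print("genuine:", provider.verify(auth, "shop-1", 50, now=1010))        # True
    tampered = {**auth, "amount_czk": 5}
    print("tampered:", provider.verify(tampered, "shop-1", 5, now=1010))    # False
    print("replay:", provider.verify(auth, "shop-1", 50, now=1020))         # False
```

Because the app only carries the signed structure, an app-in-the-middle that edits the amount or the merchant breaks the signature, and an app that re-submits an old authorization is stopped by the nonce record; the same pattern is what an OAuth-style flow relies on when it binds the grant to a specific client and redirect target.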
15. Summary
  Mobile operators are still in the best position to assure reliable identification of users.
  NETWORK-BASED IDENTIFICATION: using the SIM card; using other data (location, terminal information)
  PASSWORD-BASED IDENTIFICATION: combined with the above, it creates reliable multifactor authentication
  IDENTITY FEDERATION: evolves from the walled garden to the modern web environment