This presentation shortly describes identification methods used by Mobile Operator. The main method is SIM-based identification. But it fails in some cases. There are some technical solution interaction scenarios used for identificatio described in this presentation. Use of NW-based identification, MT SMS OTP, cookies, certificates… Risks for Mobile Content Payments are mentioned.

1. Optimising and simplifying
authentication and
authorization services_
Martin Prošek
Telefónica Czech Republic
06.11.2013

2. About Telefónica Czech Republic
Fixed and mobile voice and data, IPTV
Operated under commercial brand O2
DISCOVER, DISRUPT, DELIVER

3. Mobile Operator Identification Security
•
SIM card – secure asset giving access to the
network, protected by PIN
•
DISCOVER, DISRUPT, DELIVER
No further interactions

4. SIM-based Identification
•
Simple, convenient
•
Fully sufficient for telco payments (voice, SMS,
data…)
•
Fails in cases when
Phone is stolen
Phone is borrowed
Data access is shared by WiFi
Corporate users
•
•
•
•
DISCOVER, DISRUPT, DELIVER

5. Technical Solution – Internal Server
AAA
AAA
Server
Server
IP address
MSISDN resolving
Authorization
DISCOVER, DISRUPT, DELIVER

6. Technical Solution – Internal + External Server
Typical example: WAP
Gateway
Gateway
AAA
AAA
Server
Server
IP address
MSISDN resolving
Header enrichment
X-Nokia-msisdn: 420602607977
Authorization
DISCOVER, DISRUPT, DELIVER

7. Technical Solution – Internal + External Server
GET / HTTP/1.1
Host: m.o2.cz
User-Agent: Mozilla/5.0 (SymbianOS/9.3; Series60/3.2 NokiaE72-1/031.023;
Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko)
Version/3.0 4 BrowserNG/7.2.3.1
x-wap-profile: "http://nds1.nds.nokia.com/uaprof/NE72-1r100.xml"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,cs;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
X-Nokia-msisdn: 420602607977
HTTP/1.0 200 OK
Server: Apache-Coyote/1.1, Apache-Coyote/1.1
Cache-Control: no-cache
x-cocoon-version: 2.0.3
Expires: Fri, 31 Dec 1999 23:59:59 GMT
Date: Wed, 06 Nov 2013 07:19:46 GMT
Vary: Accept-Encoding
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Encoding: gzip
X-Cache: MISS from proxy1, MISS from Proxy1R
Connection: close
DISCOVER, DISRUPT, DELIVER

8. Technical Solution – Smartphone Application
API
API
AAA
AAA
IP address
MSISDN resolving
420602607977
DISCOVER, DISRUPT, DELIVER

9. Technical Solution – WiFi
•
•
•
•
MSISDN - if operator‘s WLAN used
Login by username password – otherwise
MT SMS One-Time Password
Tricks – cookies, certificates
DISCOVER, DISRUPT, DELIVER

10. Technical Solution – WiFi with MT SMS OTP
SMSC
SMSC
API
API
Server
Server
MSISDN
OTP
OTP
MT SMS
OTP
Authorization
DISCOVER, DISRUPT, DELIVER

11. Technical Solution – App on WiFi with MO SMS
App
App
Operator
Operator
Server
Server
Token
SMS with Token
Authorization
DISCOVER, DISRUPT, DELIVER

12. Mobile Content Payments
•
•
•
Natural extension of payments for telco services
Mobile Payments with 3rd parties are next step
Issues:
Authentication not only for operator – mechant
is included
Intangible goods
•
•
DISCOVER, DISRUPT, DELIVER

13. Mobile Content Payments Risks
•
Communication is not direct anymore
Operator
Operator
•
Man-in-the-middle (M-I-M) attacks are possible
Provider
Provider
•
Even the app itself can compromise the payment
security – App-in-the-middle (A-I-M)*
App
App
•
Operator
Operator
Provider
Provider
Operator
Operator
* Known examples: fraudulent Premium SMS sending…
DISCOVER, DISRUPT, DELIVER

14. Mobile Content Payments Risks
Typical example: oAuth
App
App
DISCOVER, DISRUPT, DELIVER
Operator
Operator
Server
Server

15. Summary
Mobile operators are still in
best position to assure
reliable identification of
Users.
NETWORK BASED IDENTIFICATION
Using SIM card
Using other data (location, terminal
information…)
PASSWORD BASED IDENTIFICATION
It creates reliable multifactor authentication
IDENTITY FEDERATION
Evolves from walled garden to modern web
environment
15
DISCOVER, DISRUPT, DELIVER