This document discusses mobile-based authentication and payment using near field communication (NFC) technology. It provides an overview of NFC, including how it works using RFID at 13.56 MHz, typical operating distances of 10 cm, and compatibility with existing RFID standards. Examples of potential NFC uses discussed include mobile payment and ticketing applications.
1. NISnet Winterschool, April 2008
Mobile based authentication and payment
Josef Noll
Prof. stip.
University Graduate Center/
University of Oslo
josef@unik.no
2. Research and Education at Kjeller
Close relation to FFI, IFE, NILU, ...
Professors from the Universities of Trondheim and Oslo
Mobile Payment and Access April 2008, Josef Noll
3. Outline
Admittance, service access and payment
– Mobile extensions
– Introduction of RFID and NFC
Message: “Using the phone for payment and access”
– Interfaces and standardisation
– Phone implementations
– Activities worldwide
Snapshots, Standardisation
– “Who owns the SIM?”
My security infrastructure
– Ownership versus management
4. Service development
Figure: service generations on a 1970 to 2010 timeline
– 1G: Mobile telephony
– 2G: Mobile telephony, SMS, FAX, Data
– 3G (around 2000): Multimedia communication
– B3G: Personalised broadband wireless services
Josef Noll, 26.4.2005 RFID - NFC tutorial
5. The Service Challenge
Mobile and Proximity Services (figure)
Mobile services
– services in the mobile network (mobile network services, certificate)
Internet services
– signed certificates
Proximity services
– mobile initiated NFC service access
– Payment
– Access, Admittance
6. Current Access & Authentication mechanisms
Login/password
Admission card
Payment card
Biometrics
7. My phone collects all my security
SIM with NFC & PKI
8. Mobile Services, incl. NFC
• NFC needs next generation phones (S60, UIQ, ...)
• Focus in 2008 on mobile web
• Push content upcoming
• Common application development
• Integrated development
Figure: expected customer usage [%] (“have tried”) of mobile services in the Nordic market, 2006 to 2010, y axis 0 to 60 %, for the series SMS authentication, Mobile Web, Push content and NFC payment [“Mobile Phone Evolution”, Movation White paper, May 2007]
Josef Noll, “Who owns the SIM?”, 5 June 2007
9. Mobile Phone supported access
SMS one-time password
MMS, barcode
eCommerce (SMS exchange)
Network authentication
WAP auto access
Applets: PIN code generation (BankID)
Future SIM
10. WAP gateway
Seamless authentication (figure): the handset's HTTP request passes through the operator's WAP gateway, which hashes a number identifying the subscriber (94815894 in the figure) into a session id (sID: cTHG8aseJPIjog==) and forwards the HTTP request carrying that id to the web service, so the user is logged in without entering anything. The service page in the figure reads “Pictures for ’rzso’. Password:1234 sID: cTHG8aseJPIjog==”. Security point: the service is trusting a value the gateway injects, so it must only honour that value when the request really arrived via the gateway, and the sID is a bearer credential that should not be exposed in page content or URLs.
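The gateway-injected session id is the whole authentication here, so the two things that matter are how the id is derived and where the service accepts it from. The following is an added example, not code from the slides or from any operator's gateway; the header name, the gateway address, the shared secret and the HMAC truncation are assumptions (the slide gives the mapping 94815894 to cTHG8aseJPIjog== but not the hash behind it):

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Added example; not code from the slides or from any operator's gateway.
# Assumed layout: handset -> operator WAP gateway -> web service. The gateway
# knows which subscriber a request belongs to, turns that identifier into a
# session id with a keyed hash and adds it as a request header. The service
# must accept the header only when the request really came from the gateway,
# because anything a client can send in a header a client can also forge.

GATEWAY_SECRET = b"gateway-to-service key (constructed)"  # assumed shared secret
GATEWAY_ADDRESSES = {"10.0.0.5"}                           # assumed gateway address
SID_HEADER = "X-WAP-Subscriber-SID"                        # assumed header name

# Constructed subscriber table: identifier -> account name (values from the slide)
SUBSCRIBERS: Dict[str, str] = {"94815894": "rzso"}


def make_sid(subscriber_id: str, secret: bytes = GATEWAY_SECRET) -> str:
    """Gateway side: keyed hash of the subscriber identifier, base64 encoded.
    HMAC-SHA256 truncated to 12 bytes is assumed; a plain unkeyed hash would let
    anyone who knows a phone number compute that subscriber's sid."""
    mac = hmac.new(secret, subscriber_id.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac[:12]).decode()


@dataclass
class Request:
    source_ip: str
    headers: Dict[str, str]


def gateway_forward(subscriber_id: str, client_headers: Dict[str, str]) -> Request:
    """Gateway side: drop any SID header the handset sent itself, then insert
    the gateway's own value before forwarding the HTTP request."""
    headers = {k: v for k, v in client_headers.items() if k.lower() != SID_HEADER.lower()}
    headers[SID_HEADER] = make_sid(subscriber_id)
    return Request(source_ip=next(iter(GATEWAY_ADDRESSES)), headers=headers)


# Service side: precomputed sid -> account lookup table
_SID_TABLE = {make_sid(sub): name for sub, name in SUBSCRIBERS.items()}


def authenticate(req: Request) -> Optional[str]:
    """Service side: return the account name for a gateway-authenticated
    request, or None. Two checks are needed: the request must arrive from the
    gateway (not from an arbitrary Internet client) and the sid must be known."""
    if req.source_ip not in GATEWAY_ADDRESSES:
        return None
    sid = req.headers.get(SID_HEADER)
    if not sid:
        return None
    return _SID_TABLE.get(sid)


if __name__ == "__main__":
    good = gateway_forward("94815894", {"User-Agent": "Nokia6131/2.0"})
    print("via gateway:", authenticate(good))                  # rzso
    forged = Request("203.0.113.9", {SID_HEADER: make_sid("94815894")})
    print("direct with copied header:", authenticate(forged))  # None
```

The source-address check stands in for whatever binds the service to the gateway in a real deployment (a private link or mutual TLS); without such a binding, and without the gateway stripping client-supplied copies of the header, any Internet client that learns a sid can impersonate that subscriber.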
11. Banking from the mobile phone
Security considerations
– Equally secure as SMS (get your account status)
– Easy to use
– Advanced functionality through PIN (if required)
– Seamless phone (SIM) authentication, no customer input
– Advanced security when required: BankID or PIN
Figure: “Welcome Josef: SIM authentication”; “Information: Account status”; “Advanced functionality: Transfer, payments, using SIM, BankID or PIN (double security)”; phone with NFC communication unit, NFC2SIM and SIM; smartcard interfaces ISO/IEC 7816.
12. MyBank example: Banking from the mobile phone
User incentive:
– “My account is just one click away”
– “enhanced security for transactions”
Phone (SIM) authentication
Level 2 security through PKI/BankID/PIN?
13. Authentication provider
Figure: seamless authentication through an authentication provider that mediates service access (VPN access), physical access and content (.mp3, .jpg).
14. Outline
Admittance, service access and payment
– Mobile extensions
– Introduction of RFID and NFC
Message: “Using the phone for payment and access”
– Interfaces and standardisation
– Phone implementations
– Activities worldwide
Snapshots, Standardisation
– “Who owns the SIM?”
My security infrastructure
– Ownership versus management
15. ID, trust and personalisation provider
Who provides?
– Remote services: ID provider, certificate
– Proximity services
Where to store?
– Network
– Phone
How to store/backup?
– long term, short term
16. RFID Technology: Principle
RFID reader sends an RF signal
TAG receives it
TAG returns a predefined signal
RFID TAG doesn’t need its own power supply
TAG gets the power to operate from the RF pulse of the reader
No need for line of sight or contact between reader and TAG
Each product can have its own id number
Source: Eurescom P1346 D2, January 2004
17. Passive RFID: Main frequencies
Figure: application bands on a frequency axis from 10 kHz to 2.45 GHz: Animal ID at 125/133 kHz; Access Control and I.C. Cards at 13.56 MHz; Item Management at ~900 MHz and 2.45 GHz; Toll Roads also shown.
Frequency division:
– Low: 100-500 kHz
– Medium: 6-15 MHz
– High: 850-950 MHz and 2.45 GHz
Active responses
– AutoPass 5.8 GHz
Source: Eurescom P1346 D2, January 2004
18. Current Services and Applications
Typical services made using RFID today
Sports Timing
Access Control
Animal Tracking
Asset Management
Baggage Handling
Product Authentication, Security
Supply Chain Management
Transportation, user information
Wireless Commerce, Payments, Toll Collection
Source: Eurescom P1346 D2, January 2004
19. Registration example: Birkebeiner
Online information to mobile phone
Could be used for photo, video, etc.
20. Ticketing
Figure: RFID ticketing zone served by a MobileCommerce server; terminal incl. RFID tag; ticketing terminal with RFID reader. Use cases: Cinema/Concerts, Football/Sport, Bus/Subway.
Source: Eurescom P1346 D2, January 2004
21. Supply chain
Figure: supplier A and supplier 2, processing, wholesaler, retailer and customers; each hand-over passes an RFID reader/gate that feeds a product information database and a presentation layer.
RFID reader/gate can be placed along manufacturing lines (company internal) and along the distribution chain (company external/between the actors)
Source: Eurescom P1346 D2, January 2004
22. Visitor Density, two functions
Figure: tagged visitors pass readers (Reader X at the roller-coaster queue, Reader Y elsewhere) which report to a system database.
Example 1, InfoSpot customer service: “Where is my kid?”; the system looks up the child's tag id and answers “At the roller-coaster queue” (last seen by Reader X).
Example 2, Resort owner services: “What ride has most users?”; datamining over the same database answers “Bumper cars; 200 users/day; 50 cent/ride”.
Source: Eurescom P1346 D2, January 2004
23. Technology: Range
From millimeters to tens of meters
Depends on antennas, power of reader, characteristics of TAG and operation principle
Range decided when application developed
ISO standards:
– proximity cards: 10 cm
– vicinity cards: 1.5 m
Source: Eurescom P1346 D2, January 2004
24. NFC is ...
Passive operation: RFID at 13.56 MHz
1) Phone = reader: has the RF (modem) and protocols and generates a static magnetic field
2) Tag acts as a resonator and “takes energy” from that field; the coupled power falls off as ~1/r^6
Figure: power decrease of the static (magnetic near) field, ~1/r^6, compared with an electromagnetic (radiated) field, ~1/r^2, plotted against distance (x axis 0 to 9.6, relative power 0 to 1).
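The 1/r^6 figure follows from near-field coupling; the derivation below is an added worked example, not part of the original slides, and the numeric step assumes a tag that just powers up at 10 cm:

```latex
% Wavelength at 13.56 MHz: a tag at 10 cm sits deep inside the near field
\lambda = \frac{c}{f} = \frac{3.0\times 10^{8}\,\mathrm{m\,s^{-1}}}{13.56\times 10^{6}\,\mathrm{s^{-1}}} \approx 22\,\mathrm{m},
\qquad r_{\text{near/far}} \approx \frac{\lambda}{2\pi} \approx 3.5\,\mathrm{m}

% On-axis magnetic field of the reader loop (radius a, N turns, current I)
H(r) = \frac{N I a^{2}}{2\,(a^{2}+r^{2})^{3/2}}
\;\Longrightarrow\; H(r) \propto \frac{1}{r^{3}} \quad (a \ll r \ll \lambda)

% Power picked up by the resonant tag scales with H^2; radiated power with 1/r^2
P_{\text{tag}}(r) \propto H(r)^{2} \propto \frac{1}{r^{6}},
\qquad P_{\text{radiated}}(r) \propto \frac{1}{r^{2}}

% Doubling the distance from 10 cm to 20 cm
\frac{P_{\text{tag}}(20\,\mathrm{cm})}{P_{\text{tag}}(10\,\mathrm{cm})} = 2^{-6} = \frac{1}{64} \approx -18\,\mathrm{dB},
\qquad
\frac{P_{\text{radiated}}(20\,\mathrm{cm})}{P_{\text{radiated}}(10\,\mathrm{cm})} = 2^{-2} = \frac{1}{4} = -6\,\mathrm{dB}
```

The steep 1/r^6 law is what pins the operating distance to about 10 cm, but it bounds how far a passive tag can be powered, not how far the reader's modulated field can be detected: a receiver with its own power and a large loop antenna is not subject to the same limit, so the 10 cm figure should not be read as an eavesdropping limit for the reader-to-tag direction.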
25. Technology: Security considerations
In the past there was no need for security in RFID systems
– logistic data collection: the information has no relevance or value anywhere else except the originally designed purpose
If TAGs are in consumer goods there is a need for security and privacy
Security protocols:
– Bilateral authentication
– Key agreement
– Encrypted communication
Secure communications needs computing resources
Personal items: Passport, Payment cards, mobile phone
Source: Eurescom P1346 D2, January 2004
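The three protocol bullets (bilateral authentication, key agreement, encrypted communication) fit into one exchange. The code below is an added example, not code from the slides or from the Eurescom report: a symmetric challenge-response between reader and tag that authenticates both sides and derives a session key, plus the two failure cases a practitioner checks first (replay of a recorded response and a cloned tag without the key). Message labels, the tag id and the pre-shared long-term key are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Added example; not code from the slides or the Eurescom report. Symmetric
# bilateral authentication with key agreement between a reader and a tag.
# The message layout, labels and the tag id are assumptions; the tag's
# long-term key is shared with the reader's backend ahead of time.


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass
class Tag:
    tag_id: bytes
    key: bytes                                      # long-term secret
    seen: Set[bytes] = field(default_factory=set)   # reader nonces already answered

    def respond(self, reader_nonce: bytes) -> Tuple[bytes, bytes]:
        """Step 2: answer the reader's challenge and issue the tag's own nonce."""
        if reader_nonce in self.seen:
            raise ValueError("replayed reader challenge")
        self.seen.add(reader_nonce)
        tag_nonce = os.urandom(16)
        proof = prf(self.key, b"tag-auth", self.tag_id, reader_nonce, tag_nonce)
        return tag_nonce, proof

    def verify_reader(self, reader_nonce: bytes, tag_nonce: bytes, reader_proof: bytes) -> bytes:
        """Step 4: check the reader's proof, then derive the session key."""
        expected = prf(self.key, b"reader-auth", self.tag_id, reader_nonce, tag_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            raise ValueError("reader authentication failed")
        return prf(self.key, b"session", reader_nonce, tag_nonce)


@dataclass
class Reader:
    keys: Dict[bytes, bytes]                        # tag_id -> long-term key (backend)

    def challenge(self) -> bytes:
        """Step 1: fresh random challenge per session."""
        return os.urandom(16)

    def verify_tag(self, tag_id: bytes, reader_nonce: bytes, tag_nonce: bytes,
                   proof: bytes) -> Tuple[bytes, bytes]:
        """Step 3: check the tag's proof, answer with the reader's proof, derive K_s."""
        key = self.keys[tag_id]
        expected = prf(key, b"tag-auth", tag_id, reader_nonce, tag_nonce)
        if not hmac.compare_digest(expected, proof):
            raise ValueError("tag authentication failed")
        reader_proof = prf(key, b"reader-auth", tag_id, reader_nonce, tag_nonce)
        session_key = prf(key, b"session", reader_nonce, tag_nonce)
        return reader_proof, session_key


def run_protocol(reader: Reader, tag: Tag) -> bool:
    """Full exchange; True when both ends hold the same session key."""
    rn = reader.challenge()                                   # 1. reader -> tag
    tn, proof = tag.respond(rn)                               # 2. tag -> reader
    rproof, ks_reader = reader.verify_tag(tag.tag_id, rn, tn, proof)  # 3. reader -> tag
    ks_tag = tag.verify_reader(rn, tn, rproof)                # 4. tag checks reader
    return hmac.compare_digest(ks_reader, ks_tag)


def replay_is_rejected(reader: Reader, tag: Tag) -> bool:
    """A recorded (tag_nonce, proof) pair is useless in a later session,
    because the reader's nonce in that session is different."""
    tn, proof = tag.respond(reader.challenge())
    try:
        reader.verify_tag(tag.tag_id, reader.challenge(), tn, proof)
    except ValueError:
        return True
    return False


def wrong_key_is_rejected(reader: Reader, tag_id: bytes) -> bool:
    """A cloned tag that does not hold the real key fails at step 3."""
    try:
        run_protocol(reader, Tag(tag_id=tag_id, key=b"\x00" * 16))
    except ValueError:
        return True
    return False
```

The derived K_s is what the third bullet would key: an authenticated cipher such as AES-GCM for the rest of the session (left out here because the standard library has none). Two points the slide's "computing resources" remark hides: a real tag cannot keep an unbounded set of seen nonces, so replay protection on the tag side usually comes from the tag's own fresh nonce rather than from memory, and every step above costs one or two MAC computations on a device powered by the reader's field.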
27. NFC technology and use case
Based on RFID technology at 13.56 MHz
Typical operating distance 10 cm
Compatible with RFID
ECMA-340, ISO/IEC 18092 & ECMA-352, … standards
Powered and non-self-powered devices
Data rate today up to 424 kbit/s
Philips, Sony and Nokia
28. NFC use cases
Payment and access
– include Master-/Visacard in the phone
– have small amounts of money electronically
– admittance to work
Service Discovery
– easy access to mobile services: Web page, SMS, call, ...
– local information and proximity services (get a game)
Ticketing
– Mobile tickets for plane, train, bus
– Parents can order and distribute, ...
Source: Nokia 6131 NFC Technical Product Description
29. NFC standardisation
ECMA-340
• Specifies the RF signal interface
• Initialisation, anti-collision and protocols
ECMA-352 (v1, Dec 2003)
• Communication mode selection mechanism
• Selects communication modes: NFC, PCD, and VCD
• Enables communication in that mode
30. NFCIP-2 Interface and protocol (ISO/IEC 21481)
Interface standards selected by NFCIP-2:
– ECMA-340: NFC mode
– ISO/IEC 14443: PCD mode (MIFARE; FeliCa is listed here on the slide, but strictly it is the Type F technology carried by ISO/IEC 18092, not an ISO/IEC 14443 card)
– ISO/IEC 15693: VCD mode (facility access)
31. NFCIP-2 Interface and protocol (ISO/IEC 21481)
Figure: NFC device facing a Proximity Card reader: YES (ECMA-340 okay).
32. NFCIP-2 Interface and protocol (ISO/IEC 21481)
Figure: NFC device facing a Vicinity Card reader: NO (only ISO/IEC 15693 okay).
33. Nokia 6131 Firmware
Figure: firmware architecture of the Nokia 6131 NFC; of the diagram only the ISO 14443 label survives extraction.
Source: Nokia 6131 NFC Technical Product Description
34. NFC phone status (April 2008)
Nokia 3320, 5340, 6131, xx
Philips/Samsung X700
LG
Sagem
BenQ T80
Missing specifications: Motorola, HTC
35. Time to market based on phone evolution
News snapshots:
DnB Nor and Telenor to form mobile payments unit (Posted April 21, 2008): Norwegian banking group DnB Nor and local telco Telenor have revealed plans to establish a new mobile payments program. The new mobile payments system, called Trusted Service Manager (TSM) Nordic, will be a subsidiary of Doorstep.
Orange delays NFC launch (Posted April 16, 2008): Mobile operator Orange is postponing its commercial NFC launch by several months, according to CardLine Global.
Operators to Launch NFC-Based Mobile Payment Services (13th November 2007, Macau): 12 mobile operators will run trials of contactless mobile payment services in Australia, France, Ireland, Korea, Malaysia, Norway, The Philippines, Singapore, Taiwan, Turkey and the U.S. as a precursor to commercial launches.
Near Field Communications News and Insight:
– BBC names NFC a top technology for 2008 (Posted January 16, 2008)
– Survey shows that US consumers want simple payment features for NFC phones (Posted January 10, 2008)
– Report: Majority of phones will support NFC once standards are finalized (Posted January 03, 2008)
Source: NFCnews.com
36. UNIK work
Key-exchange for admittance and content protection
Analysis and implementation of Easy Pairing
Easy Pairing
– Use NFC to establish Bluetooth contact with Media Center
– analyse phones: Nokia 3320, Nokia 6131
Experiences from Implementations
– Phones and NFC tags
– Linux pairing
– Windows pairing
37. Prototype: SMS key access
Figure: 1) the user sends an SMS to the Service Centre application; 2) the Service Centre sends info to the recipient; 3) the service (key) is sent to the phone; 4) the user enters the house with NFC access. Phone side: NFC communication unit, NFC2SIM, SIM; smartcard interfaces ISO/IEC 7816.
38. Implementation
(1) Register the user
(2) Send mobile key (mKey) to user
(3) Receive info message
(4) Saving the NFC key
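The four steps form one procedure, shown below as an added example; it is not the UNIK prototype's code, which the slides do not reproduce. The service centre registers the user and issues a mobile key bound to one lock, one subscriber and a validity window; the phone stores it (the "info message" of step 3) and presents it over NFC; the door unit verifies the MAC, the lock id, the time window and a revocation list. The token format, claim names and per-lock secrets are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Added example; not the UNIK prototype's code. Token format, field names
# and the per-lock secrets are assumptions; timestamps are integer seconds.

# Constructed: each lock shares a secret with the service centre
LOCK_SECRETS: Dict[str, bytes] = {
    "lock-42": b"secret of lock 42 (constructed)",
    "lock-43": b"secret of lock 43 (constructed)",
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ServiceCentre:
    def __init__(self) -> None:
        self.users: Dict[str, str] = {}   # msisdn -> name
        self.serial = 0                   # unique id per issued key

    def register(self, msisdn: str, name: str) -> None:
        """Step 1."""
        self.users[msisdn] = name

    def issue_mkey(self, msisdn: str, lock_id: str, valid_for_s: int,
                   now: Optional[int] = None) -> str:
        """Step 2: mKey = b64(claims) '.' b64(HMAC-SHA256(lock secret, claims)).
        The claims bind the key to one lock, one subscriber and a validity window."""
        if msisdn not in self.users:
            raise PermissionError("unknown user")
        now = int(time.time()) if now is None else now
        self.serial += 1
        claims = {"lock": lock_id, "sub": msisdn, "nbf": now,
                  "exp": now + valid_for_s, "jti": self.serial}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        mac = hmac.new(LOCK_SECRETS[lock_id], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)


class Phone:
    def __init__(self) -> None:
        self.keys: Dict[str, str] = {}    # lock id -> mKey (step 4)

    def receive_sms(self, mkey: str) -> None:
        """Step 3: the info message carries the mKey; index it by lock."""
        lock_id = json.loads(_unb64(mkey.split(".")[0]))["lock"]
        self.keys[lock_id] = mkey

    def present(self, lock_id: str) -> Optional[str]:
        """What the phone's NFC unit hands to the door."""
        return self.keys.get(lock_id)


class DoorLock:
    def __init__(self, lock_id: str) -> None:
        self.lock_id = lock_id
        self.secret = LOCK_SECRETS[lock_id]
        self.revoked: Set[int] = set()

    def revoke(self, jti: int) -> None:
        """Revocation pushed from the service centre (e.g. lost phone)."""
        self.revoked.add(jti)

    def verify(self, mkey: Optional[str], now: Optional[int] = None) -> bool:
        """Door side: MAC first (constant time), then lock id, validity window
        and revocation. Anything malformed is refused without further parsing."""
        if not mkey:
            return False
        now = int(time.time()) if now is None else now
        try:
            payload, mac = (_unb64(part) for part in mkey.split("."))
            claims = json.loads(payload)
        except ValueError:                # bad base64, bad JSON or wrong part count
            return False
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac) or not isinstance(claims, dict):
            return False
        if claims.get("lock") != self.lock_id:
            return False
        if not (claims["nbf"] <= now < claims["exp"]):
            return False
        return claims["jti"] not in self.revoked
```

The mKey is a bearer value: whoever copies it off the phone, or relays the NFC exchange, can open the door until it expires or is revoked. That limitation is the reason the later slides move the credential into the SIM as secure element and the reason slide 25 lists bilateral authentication rather than a static key.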
39. ITEA WellCom: Interworking Set-top box and mobile
1) Easy device set-up and communication
2) Authentication and Service Access
Source: AlcatelLucent, WellCom Meeting
40. Easy Pairing Scenario
Using NFC for reading connectivity data of phone
Set-top box initiates process
NFC phones can pair through vicinity
– phone in range
– start Bluetooth scanning
– request for pairing
No NFC phone
– use tag with Bluetooth information
Comment: Similar procedure for Wifi pairing
– security in handling activities
Sequence: 1. search for Bluetooth device; 2. identify phone (tag info); 3. service discovery on phone; 4. pairing
41. Example EnCap
Easy authentication
Challenge: Find your BankID to sign in for Internet banking
– Could be triggered through login: www.encap.mobi/demobank
– Using NFC for starting secure authentication
Tag starts application on phone
– One time password created
Application areas
– all kinds of authentication
– local payment
– BankID (while waiting for secure SIM)
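The slide does not say how EnCap derives its one-time password, so the following added example, which is not EnCap's code, uses the standard HMAC-based construction (HOTP, RFC 4226) to show the flow: a tag launches the phone application with a login URL, the application produces the next code, and the bank checks it with a look-ahead window and moves its counter past any accepted code so it cannot be replayed. The shared secret (the RFC 4226 test key), the trusted host list and the window size are assumptions.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

# Added example; not EnCap's code. HOTP (RFC 4226) as the one-time password
# a tag-launched phone application could produce. The shared secret, the
# trusted host list and the look-ahead window are assumptions; the demo
# secret is the RFC 4226 test vector key.

RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced modulo 10^digits, zero padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PhoneApp:
    def __init__(self, secret: bytes, trusted_hosts) -> None:
        self.secret = secret
        self.counter = 0                      # moving factor kept on the phone
        self.trusted_hosts = set(trusted_hosts)

    def on_tag_tap(self, tag_url: str) -> str:
        """The NFC tag's record starts the application with a URL. Only a URL
        for a known bank host may trigger code generation; a stranger's tag
        must not turn the phone into an OTP dispenser."""
        host = urlsplit(tag_url).hostname
        if host not in self.trusted_hosts:
            raise ValueError("tag points at an unknown host: %r" % host)
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class BankServer:
    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret = secret
        self.counter = 0                      # next counter value expected
        self.window = window                  # tolerated phone/server drift

    def verify(self, code: str) -> bool:
        """Accept the code for the expected counter or a few values ahead (the
        user may have generated codes that never reached the server); on success
        move the counter past the used value so the same code is never valid again."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False
```

The code itself proves possession of the phone's secret but not the identity of the site the user is typing it into; that is the gap BankID-style signing closes and the reason the slide still lists BankID as the end state once a secure SIM is available.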
42. Interworking between NFC components
Easy programming through Java MIDlet
– software development environment available
– Interface to Java Card and Mifare environment
Tricky:
– Interworking Java Card, Mifare and Java
Ongoing
– secure element = SIM
Source: Nokia 6131 NFC Technical Product Description
43. Ongoing technical work
Interaction SIM-Mifare-Mobile Phone = “Single-wire protocol”
Interaction Phone - Devices
– Power-on/power-off
Roadmap for secure authentication
44. New visions: GlobalPlatform
From current SIM to Future SIM
– GlobalPlatform’s visions for mobile / UICC: “Real Estate”, 3rd party security domains
To comply with 3G networking requirements: UICC (USIM)
– Security features (algorithms and protocols), longer key lengths
– GSM uses EAP SIM: client authentication
– UMTS uses EAP AKA: Mutual authentication
3rd party identities
– ISIM application (IMS)
– private user identity, one or more public user identities
Current Telenor SIM (UICC) card (from 2001): on-board WEB server!, multi-thread, Plus ETSI SCP, long term secret
3 new physical interfaces: 12 Mb/s USB, SUN (Java), NFC (SWP); 2009?
Source: Judith Rossebø, Telenor
45. New UICC Architecture / SIM advances
UICC architecture, UICC elements (figure):
– SIM / USIM: ID = IMSI & MSISDN; SIM Application Toolkit / CAT; Phonebook; Common Storage
– UICC: ID = ICCID
– New: eHealth, Payment (EMV, Electronic Purse), Multimedia (DRM ?), PKI / eID, Ticketing (DRM !)
Interfaces: GSM allocated (2G/3G) IFs (5 connectors); NFC (or other) IF; 12 Mb/s USB full speed IF (1 connector)
Source: Judith Rossebø, Telenor
46. UICC for multiple ID providers
Compartmentalisation of the UICC
3rd party on-board applications featuring
• Internal and segregated Security domains
• Private entrances for SP to applications (own keys and key management)
• Use of NFC, USB IF or other common resources
– MNO as house-keeper (Real Estate Manager)
Source: Judith Rossebø, Telenor
47. Third party business model
Content provider: • Media, • Banks, Service providers
Service aggregator: • Telecom, Corporate, Home; • Service aggregator; • Convenient interfaces; • Ease of use
Payment provider
Identity and personalisation provider: • Identity and personalisation
Authentication and Access provider
Customer care: • Convenience; • Trust
48. The secure element: SIM card
Figure: the Identity and personalisation provider sends key and credentials, the Authentication and Access provider / Service aggregator sends info to the recipient, and the service is sent to the phone (NFC communication unit, NFC2SIM, SIM; smartcard interfaces ISO/IEC 7816).
• SIM is secure element
• controlled environment
• over-the-air update
• open for applications
• SIM will be owned by user
• managed by trusted third party
49. Challenges and Benefits
Figure: bar chart for 2006, 2008 and 2010 (y axis 0 to 200), series “Telco favourite” and “Third party favourite”.
Convenience of usage
How insecure is the Internet?
Will the phone be the only secure element?
Visa and Mastercard enable convenient small amount purchases
Are Google, facebook and flickr more trusted than telecom operators?
Dynamic service environment?
On-the-fly creation of services?
50. Conclusions on Near Field Communications
Standardisation well under way
– NFC with three modes
– SIM interworking
– power on (payment) versus power off (ticket)
Commercial kick-off visible
– Pre-commercial trials “everywhere”
– Critical hand-set status (only low-range phones)
Unclear business models
– variety of application areas
– co-operation and revenue sharing
“Sufficient Security”?
Teaching the customer
– easy to use
– “always available”