Accumulate ME_Standard Product Description_light

ME Standard Product Description

Mobile Everywhere Standard product description – light version Accumulate 2011

Copyright 2011 Accumulate AB

Revision history

Date        Version  Status  Description    Author
2011-01-31  1.0      Final   First Edition

Approved by

Name             Role  Date
Magnus Westling  CTO   2011-02-01

Table of contents

1 Introduction to document
1.1 About Accumulate
1.2 Secure Mobile transactions
1.3 Mobile Banking
1.4 Mobile Payment
1.5 Mobile security
2 Mobile Everywhere
2.1 Overview
2.1.1 PDI and OTT processes
2.1.2 Secure transaction system
2.1.3 Transaction system
2.1.4 Multi-tier system
2.1.5 Ecosystem
2.2 ME Services
2.2.1 Service overview
2.2.2 Mobile banking
2.2.3 Secure credit card
2.2.4 Mobile Payments
2.2.5 Mobile security
2.2.6 E-ID
2.3 ME client
2.4 ME core server
2.5 ME ecosystem server
3 ME system description
3.1 Logical view
3.2 Function description
3.2.1 Enrolment
3.2.2 Mobile banking
3.2.3 Secure credit card
3.2.4 Point of sale
3.2.5 Online
3.2.6 Person-to-person
3.2.7 Man-to-machine
3.2.8 Remittance
3.2.9 Secure login
3.2.10 Secure signature
3.2.11 e-ID
3.2.12 3 factor authentication
4 Security
4.1 Threat and mitigation
4.2 Mobile client security
5 Scalability

1 Introduction to document

The purpose of this documentation is to give a complete overview of the company Accumulate, its solution Mobile Everywhere and the services that can be launched using Mobile Everywhere as the platform. This documentation begins with a presentation of the company. Thereafter follows an overview of the different mobile payment/banking services that exist in the marketplace today and a description of the services that can be launched using Accumulate’s solution for secure mobile transactions. The different functions and processes that make Accumulate’s solution unique are described in detail. The last chapters of this documentation contain thorough descriptions of the architecture, the components and the system of Accumulate’s solution as a whole.

1.1 About Accumulate

Accumulate’s core business is the development of online security solutions for mobile devices. The mission is to be a technology leader in secure mobile authentication and mobile financial services using a mobile device. All development within Accumulate is performed with a focus on the highest security, ease of use, flexibility and the lowest TCO for the customer. Accumulate currently holds 8 patents in securing mobile transactions.

Milestones

• Start 2004
• First mobile transaction platform (Flexion) commercial launch, 2004
• Consolidated to Accumulate 2005
• First pilot 2005
• Opening of UK office 2005
• Reaches 100 000 unique installations 2006
• Second mobile security platform (ME) commercial launch, 2007
• Reaches 1 000 000 unique installations 2007
• First in the world to go live with a 360 degree mobile payment service (June 2009)
• Reaches 10 000 000 unique installations 2009
• Reaches 20 000 000 unique installations 2010

Accumulate is headquartered in Stockholm, Sweden, from where most of the operations and business development are run. Furthermore, Accumulate has offices in London and Beijing.

1.2 Secure Mobile transactions

Accumulate’s solution is a multi-factor public key infrastructure (PKI) authentication platform where a thin smart security client application is installed on a verified client’s mobile device. The security client application communicates securely over TCP/IP with a transaction server that in turn communicates with external systems through standard APIs. When a user starts the application, a connection to the transaction server is established and the user’s identity is verified. Once verified, the user can perform various kinds of secure authentications.

1.3 Mobile Banking

The term mobile banking is widely interpreted, as there is no universal standard for what is included within the terminology. However, mobile banking is often synonymous with informational services (mobile banking 1.0).

Accumulate sees mobile banking as an additional access channel to the traditional banking services, whether they are informational or transactional (mobile banking 2.0).

Accumulate’s solution enables an optimized level of security that allows the implementation of transactional services. With Accumulate’s Mobile Banking solution, banks can provide a more secure, flexible and feature-rich communication/transaction channel, thereby providing their customers with offers like:

• Informational services
• Money transfer (inter/intra bank)
• Invoice payment
• Additional services (notifications, branch/ATM locator, etc)

The authentication method and the very high security features of Accumulate’s solution make it a perfect companion for people on the move, providing the same functionality as the bank’s Internet channel but without the need for a computer or hardware token.

1.4 Mobile Payment

Mobile payment has commonly been known as SMS payments or different person-to-person solutions, generally covering only one payment situation (mobile payment 1.0).

Accumulate’s solution moves mobile payment to a complete 360 degree mobile payment service, meaning that it covers all payment situations using one platform with the highest security foundation (mobile payment 2.0).

• Contactless mobile payment - using RFID, Accumulate OTT, NFC stickers or NFC integrated phones

• Person to person money transfers - a secure, fast and easy way to perform money transfer transactions

• Money remittance

• Online payments

• Vending machine payment

• Payment information services - get info direct on the mobile, balance, transaction history and even receipts of purchases

• Other services - mobile ticketing, coupons and mobile loyalty cards are examples of new and future services that can be enabled using Accumulate’s solution

This illustration specifies the different components that Accumulate can provide to a mobile payment ecosystem.

1.5 Mobile security

Accumulate’s solution is based on the industry security standard PKI. Adding unique and patented technology and processes and multi-factor authentication in combination with dual line communication gives Accumulate’s solution unparalleled security. By using Accumulate’s solution, banks can avoid many of the security issues in today’s transaction environment such as data integrity online, man-in-the-middle issues and phishing.

2 Mobile Everywhere

2.1 Overview

Mobile Everywhere (hereafter ME) is the name of Accumulate’s solution and is a complete platform for secure mobile transactions. ME is a multi-tier solution for multiple services built upon a generic secure transaction and security foundation.

The basic concept is a connected mobile client that holds a secure and identified connection to a transaction server. The client (an application downloaded over the air, OTA) with its secure channels to the server becomes a Safe Frame in which secure transactions can be executed. The flexibility of ME makes it possible for the service provider at the server side to add and revoke services. The client is an important security entity but regarding services and graphic user interface (GUI), it is just a thin client displaying server side services and GUI.

Services can be of two generic types: local services or eco system services. Local services are directly integrated in the ME core and global eco system services are integrated to an eco system component. ME is composed of a client application, local server side components and global server side eco system components.

ME has several advantages:

• Security – ME has many security advantages over other solutions, such as dual line communication and the “sign what you see” functionality. ME also abolishes many of the security issues in today’s transaction environment such as data integrity online, man-in-the-middle issues and phishing of id & password.

• User friendliness – All services are focused on being easy to use and minimizing the procedure for the end user to execute transactions and other actions.

• Independence – ME works independently of operator, SIM card, network type, subscription type or make and model of handset.

• Cost efficiency – Cost savings in hardware and distribution compared to current solutions. Furthermore, there is no transaction cost (for example, compared with OTP via SMS or scratch card). Using ME, the cost associated with fraud attacks can be decreased.

• Speed – ME qualifies for a transaction environment where speed is of the essence, for instance in a point of sale environment.

• Flexibility – Within the ME platform many services in mobile payment, mobile banking and other mobile security transactions can be enabled.

ME supports virtually all mobile phones released since 2004; the minimum requirement is a Java MIDP2 phone, since the application always connects to the Internet using a socket. The terminal database currently holds more than 4500 different mobile phone models and is continuously being updated as new models are released.

Supported platforms are:

− iPhone

− Android

− BlackBerry

− Symbian

− Windows Mobile

− Java ME

2.1.1 PDI and OTT processes

Accumulate uses two different patented processes for authentication: One-Time-Ticket (OTT), and a process defined as Predefined Identity (PDI).

The server sends an OTT to the mobile security application. Authentication is executed by communicating the one-time ticket to the authentication party. An authentication party could be a web service, a point of sale terminal or a login page. The authentication party is connected back-end to the transaction server, which matches the OTT from the authentication party with the stock of valid OTTs at that time. When the transaction server finds a match, it sends the details of the transaction to the mobile device for confirmation. An OTT is only valid for a short period of time.

The other process is PDI, where the authentication is executed by the user entering a pre-defined identity at the authentication party. The identity is already predefined at the server. The authentication party is connected back-end to the transaction server, which matches the PDI with the PDIs defined at the server. When a valid PDI is matched, a confirmation request is sent to the user’s mobile device with the details of the transaction.
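The OTT and PDI matching just described, as an added example that is not part of this document and not Accumulate’s code: a small Python model of the transaction server’s stock of valid OTTs, written from the defender’s side. A ticket is matched at most once and only while it is fresh; a matched OTT or a known PDI opens a pending confirmation carrying the transaction details, which the mobile device then confirms with the user’s PIN. This is the same matching that the login and purchase flows of section 3.2 rely on. The 8-digit ticket, the 60-second validity, the PDI value, the user name and the PIN are constructed assumptions; the page says only that an OTT is valid for a short period.

```python
# Added illustration of the OTT / PDI processes of section 2.1.1 (not Accumulate's code).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTT_TTL_SECONDS = 60   # assumption: the page only says "a short period of time"
OTT_DIGITS = 8         # assumption: the page does not give the ticket format


@dataclass
class PendingConfirmation:
    user_id: str
    party: str        # the authentication party: web service, POS terminal or login page
    details: str      # what the mobile device shows the user before he/she confirms
    confirmed: bool = False


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TransactionServer:
    def __init__(self, clock=time.time, ttl: float = OTT_TTL_SECONDS):
        self.clock, self.ttl = clock, ttl
        self.valid_otts = {}   # ticket -> (user_id, issued_at): the stock of valid OTTs
        self.pdis = {}         # predefined identity -> user_id
        self.users = {}        # user_id -> (salt, pin_hash)
        self.pending = {}      # confirmation id -> PendingConfirmation

    def enrol_user(self, user_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _pin_hash(pin, salt))

    def register_pdi(self, identity: str, user_id: str) -> None:
        self.pdis[identity] = user_id

    def issue_ott(self, user_id: str) -> str:
        """The server sends a fresh one-time ticket to the user's mobile security application."""
        ticket = "".join(secrets.choice("0123456789") for _ in range(OTT_DIGITS))
        self.valid_otts[ticket] = (user_id, self.clock())
        return ticket

    def authenticate_ott(self, presented: str, party: str, details: str):
        """Called by the authentication party with the ticket the user handed over.
        Returns a confirmation id, or None if the ticket is unknown, expired or already used."""
        now = self.clock()
        for ticket, (user_id, issued_at) in list(self.valid_otts.items()):
            if now - issued_at > self.ttl:
                del self.valid_otts[ticket]          # expired tickets leave the stock
            elif hmac.compare_digest(ticket, presented):
                del self.valid_otts[ticket]          # a ticket is matched at most once
                return self._open_confirmation(user_id, party, details)
        return None

    def authenticate_pdi(self, presented: str, party: str, details: str):
        """Called by the authentication party with a predefined identity (e.g. an NFC sticker)."""
        user_id = self.pdis.get(presented)
        return None if user_id is None else self._open_confirmation(user_id, party, details)

    def _open_confirmation(self, user_id: str, party: str, details: str) -> str:
        cid = secrets.token_hex(8)
        self.pending[cid] = PendingConfirmation(user_id, party, details)
        return cid

    def confirm(self, cid: str, user_id: str, pin: str) -> bool:
        """The mobile device confirms the displayed details with the user's PIN."""
        p = self.pending.get(cid)
        if p is None or p.user_id != user_id or p.confirmed or user_id not in self.users:
            return False
        salt, stored = self.users[user_id]
        if not hmac.compare_digest(stored, _pin_hash(pin, salt)):
            return False
        p.confirmed = True
        return True


def run_scenario() -> dict:
    """Constructed walk-through: a fresh ticket, a replay, an expired ticket and a PDI."""
    now = [1000.0]
    srv = TransactionServer(clock=lambda: now[0])
    srv.enrol_user("alice", "1234")                      # constructed user and PIN
    srv.register_pdi("nfc-sticker-0001", "alice")        # constructed predefined identity
    ott = srv.issue_ott("alice")
    first = srv.authenticate_ott(ott, "shop.example", "20 SEK to shop.example")
    replay = srv.authenticate_ott(ott, "shop.example", "20 SEK to shop.example")
    stale = srv.issue_ott("alice")
    now[0] += OTT_TTL_SECONDS + 1                        # let the second ticket expire
    expired = srv.authenticate_ott(stale, "login.bank.example", "Login to bank")
    pdi_cid = srv.authenticate_pdi("nfc-sticker-0001", "pos-terminal-7", "35 SEK to cafe")
    return {
        "first_opened": first is not None,
        "replay_rejected": replay is None,
        "expired_rejected": expired is None,
        "pdi_opened": pdi_cid is not None,
        "wrong_pin": srv.confirm(first, "alice", "0000"),
        "right_pin": srv.confirm(first, "alice", "1234"),
        "second_confirm": srv.confirm(first, "alice", "1234"),
        "shown": srv.pending[first].details,
    }
```

Two design points worth noticing: the stock is scanned with a constant-time comparison so that matching does not leak how many ticket digits were right, and the ticket is deleted before the confirmation is opened, so a replayed ticket from the same authentication party never reaches the user’s device. A production server would index the stock rather than scan it, but the single-use and expiry rules stay the same.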

2.1.2 Secure transaction system

ME is specially designed to handle secure transactions; the high security level is accomplished through the ME client communicating in a secure way with the ME Transaction Server. A secure and identified enrolment process, where the user is identified, together with two-factor authentication (2FA) in the authentication process, preserves the integrity of the user. Several layers of secure methods help to retain this integrity and further ensure that only the person registered to the service, who is also the owner of the mobile device, can access and use the functionality of the service.

2.1.3 Transaction system

ME is, apart from a secure transaction system, also a high capacity transaction system. This is accomplished by having a layered and multi-threaded architecture with maximum possibilities to scale. The high performance transaction system means that it is built for large scale expansion and scaling without limitations, while at the same time preserving transaction integrity.

2.1.4 Multi-tier system

ME is designed to allow interaction between multiple instances. This facilitates the creation of an ecosystem consisting of different services and service providers. This means that ME is prepared as a multi-tier system where more instances can be added. This makes ME extremely scalable and flexible in its design.

2.1.5 Ecosystem

The ME solution is prepared with an Inter Transaction Router (ITSR) that can route transactions between different issuers and acquirers, an Other Service Router (OSR) that routes transactions to different service providers and an e-ID router to direct signatures and authentications. This means that all mobile payment services, other services and the e-ID service can be used both as proprietary services and as ecosystem services.

2.2 ME Services

ME Services cover all the different services that can be performed within the ME platform. Furthermore, ME Services describe the client and different types of servers along with the security features.

2.2.1 Service overview

• Mobile banking
• Secure credit card
• Point of sale (POS)
• Person-to-person money transfer
• Online payments
• Man-to-machine
• Remittance
• Other services
• Login
• Signature
• e-ID

2.2.2 Mobile banking

Using ME, banks can provide their customers with a more secure, flexible and feature-rich mobile banking service that can be used as a communication/transaction channel. Due to the security features of the security client application it is possible to securely provide traditional mobile banking services (informational services), but the provision of transactional services that require higher security is also possible. Accumulate’s mobile banking solution empowers financial institutions to provide all Internet banking services in the mobile channel.

2.2.2.1 Information services

Informational services are divided into account information, which is information regarding the account holder’s specific account, and general information, which is universal information regarding the bank. All these informational services are today widely regarded as mobile banking.

2.2.2.1.1 Account information

• Balance statement
• Transaction history
• Payment notifications
• Online purchase notifications
• Abroad purchase notifications
• Withdrawal notifications
• Transaction notifications
• Fraud alerts
• Bonus/loyalty points
• Access to loan statements
• Access to card statements
• Real-time stock quotes
• PIN provision, change of PIN
• Blocking of (lost, stolen) card

2.2.2.1.2 General information

• Offers
• Current bank related news
• ATM locator
• Branch locator

2.2.2.2 Transactional services

Transactional services are services that allow the user to execute monetary transactions within the mobile banking solution. Examples of transactional services are:

• Inter/intra bank transfers
• Bill payment
• Stock/fund trading

2.2.3 Secure credit card

The services within Secure Credit Card aim to increase the security of online card purchases while simplifying the procedure for the end user.

2.2.3.1 3-D Secure

By verifying the online purchase in the mobile phone, the 3-D Secure service eliminates the need for a 3-D Secure hardware token. Not only does this service reduce cost in hardware and distribution, it also simplifies the purchase procedure for the end user since the verification device is the mobile phone: a device that is always available to the user.

2.2.3.2 One time credit card (OTCC)

The OTCC is a service that generates a one-time card number for online purchases. This service drastically decreases fraud as the card number becomes obsolete after the purchase. The OTCC number is generated in the mobile application and consists of the issuer identifying number along with a one-time ticket. When the purchase is being processed, the verification of the purchase is executed in the mobile application, so the user needs only the phone as a device for the online purchase.
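The number composition described above, as an added example that is not from this document and not Accumulate’s code: an issuer identifying number followed by a one-time ticket, with the resulting number accepted for exactly one authorisation and rejected afterwards. The 16-digit length, the 15-minute validity, the issuer number 123456 and the Luhn check digit are assumptions (ordinary card numbers carry one; the page does not say whether OTCC numbers do). The page places generation in the mobile application; issuance and matching are kept in one object here only to keep the example short.

```python
# Added illustration of one-time card numbers (section 2.2.3.2); not Accumulate's code.
import secrets
import time


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test.
    Assumption: OTCC numbers are Luhn-valid like ordinary card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # these digits are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class OneTimeCardIssuer:
    """Keeps the stock of live one-time card numbers for one issuer."""

    def __init__(self, iin: str, ttl_seconds: float = 900, clock=time.time):
        if not (len(iin) == 6 and iin.isdigit()):
            raise ValueError("issuer identifying number must be 6 digits")
        self.iin = iin
        self.ttl = ttl_seconds       # assumption: the page gives no validity period
        self.clock = clock
        self.live = {}               # number -> (user_id, expires_at)

    def generate(self, user_id: str, length: int = 16) -> str:
        """Issuer identifying number + one-time ticket + check digit."""
        ticket_len = length - len(self.iin) - 1
        while True:
            ticket = "".join(secrets.choice("0123456789") for _ in range(ticket_len))
            partial = self.iin + ticket
            number = partial + luhn_check_digit(partial)
            if number not in self.live:         # never hand out a live number twice
                break
        self.live[number] = (user_id, self.clock() + self.ttl)
        return number

    def authorise(self, number: str):
        """Called when the purchase is processed. Returns the user who must confirm
        the purchase in the app, or None. The number is consumed either way."""
        if not luhn_valid(number) or not number.startswith(self.iin):
            return None
        entry = self.live.pop(number, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self.clock() <= expires_at else None


def run_scenario() -> dict:
    """Constructed walk-through with a made-up issuer identifying number."""
    now = [0.0]
    issuer = OneTimeCardIssuer("123456", ttl_seconds=900, clock=lambda: now[0])
    number = issuer.generate("alice")
    first = issuer.authorise(number)
    replay = issuer.authorise(number)
    later = issuer.generate("alice")
    now[0] += 901                                   # let the second number expire
    expired = issuer.authorise(later)
    tampered = number[:-1] + str((int(number[-1]) + 1) % 10)
    return {
        "length": len(number),
        "prefix_ok": number.startswith("123456"),
        "luhn_ok": luhn_valid(number),
        "first": first,
        "replay": replay,
        "expired": expired,
        "bad_check_digit": issuer.authorise(tampered),
    }
```

The fraud-reducing property the page describes comes from `authorise` popping the number out of the live stock before it answers: a number captured at the merchant is worthless a second time, and a number that was never issued, or whose check digit was altered, never reaches the user for confirmation.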

2.2.3.3 One time ticket - credit card

The OTT service completely eliminates the need for sensitive information to be entered at the online merchant site. The only information given to the online merchant is the one-time ticket generated in the application. When the purchase is being processed, the verification of the purchase is also executed in the application. In order to introduce the OTT service, merchants need to make minor modifications to their checkout page to accept OTT payments, and a credit card or account needs to be linked to the application.

2.2.4 Mobile Payments

Using ME as the platform, a 360° mobile payment service can be provided. This means that all the different payment situations, including point of sale purchases, online payments, person-to-person transfers and man-to-machine payments, are supported. Additionally, ME’s mobile payment solution supports a great variety of other services ranging from ticketing to purchase codes. In other words, ME can be used to provide three different areas within the scope of mobile payments: proximity payments, remote payments and other services.

2.2.4.1 Proximity payments

Proximity payments are transactions executed in proximity to the payee and with an interaction between the payer and the payee.

2.2.4.1.1 Point of sale

A point of sale transaction can be executed either via integrated NFC, NFC sticker¹ or via one-time-ticket. Since ME supports the OTT process, it can serve as a bridging solution for NFC point of sale purchases until the roll-out of NFC handsets and point of sale terminals has been completed.

¹ Integrated NFC and NFC stickers are different forms of predefined identity authentication. Please see section 2.1.1

2.2.4.1.2 Online

The online payment service enables the end user to pay at online merchants. This transaction is based on the OTT process. Today, online purchases are often made by providing the payment receiver with sensitive credit card information. By using OTT, this information sharing and the associated risks are eliminated.

2.2.4.1.3 Person-to-person transfer

The P2P service enables end users to execute monetary transfers between accounts using only the telephone number or an OTT as the identifier. The sender as well as the recipient needs to be in an active state (initiated payment) in order to execute the transfer; this eliminates transfers to the wrong recipient.

2.2.4.1.4 Man-to-machine

The man-to-machine service allows end users to execute payments to different types of machines, e.g. vending machines, parking meters, charging poles etc. The OTT process is used to complete the payment. The machine only needs to be equipped with embedded connected software to be able to receive online transactions.

2.2.4.2 Remote Payments

2.2.4.2.1 Remittance

The remittance service gives end users the opportunity to send monetary transfers. The service can be applied for internal as well as cross-border remittance. This service is very similar to the person-to-person service, with the difference being that the sender and the receiver are at different locations and that the receiver does not need to be in an active state.

2.2.4.3 Other services

The other services area consists of non-traditional payment services along with additional features. The other services ecosystems that a service provider (SP) can enter are presented below.

2.2.4.3.1 Ticketing

The ticketing service is an in-application² payment method where the end user buys and receives the ticket within the application. This not only simplifies the purchase procedure for the end user but also enhances the validation possibilities for the seller due to the possible incorporation of barcode and OTT verification. Examples of tickets are public transportation, events and more.

2.2.4.3.2 Voting

Voting is an in-application payment method where the end user can purchase votes for TV shows such as Idol (or other similar shows where voting from the audience and the viewers is common). The service also makes it possible to use dimension voting, where the voter can grade his/her vote, e.g. on a scale of 1-5, which generates more votes and therefore also more revenue streams.

² In-application is defined as an application that is downloaded to the user’s phone with all the functionalities embedded

2.2.4.3.3 Loyalty

The loyalty feature is an in-application feature to which the end user can connect his/her different loyalty programs in order to earn points on purchases. It is also possible to use points to complete purchases.

2.2.4.3.4 Purchase codes

The purchase code payment method allows the user to purchase, within an in-application, merchandise that has been promoted with a certain purchase code in, for example, magazines, billboards, TV commercials etc. The end user simply enters the purchase code in the application and the merchandise will be sent to the registered address.

2.2.4.3.5 Coupons

The coupon feature enables the user to consume the digital coupons received through different loyalty programs or special hand-out offers.

2.2.5 Mobile security

2.2.5.1 Secure login

The secure login service replaces security solutions such as security tokens, one-time pass codes and digital certificates and gives banks a secure and cost efficient authentication solution. The secure login service enables the end user to use his/her mobile phone as the security device. Since the mobile phone is a device that the end user carries with him/her at all times, using the mobile phone as a security device will increase the accessibility of the Internet bank and also eliminate costs associated with manufacturing and distribution of hardware.

2.2.5.2 Secure signature

The signature service allows the end user to sign different actions taken within the mobile application. Actions that can be signed are different types of transactions, increasing/decreasing credit limits, loan applications etc. The service provides a complete “Sign what you see” experience and is compliant with the advanced electronic signature requirements of EU Directive 1999/93/EC, giving the end user a complete overview of the exact data he/she is signing.

2.2.6 E-ID

The e-ID solution basically consists of secure login and secure signature, with the addition of ecosystem components in order to be able to function in a global ecosystem.

2.3 ME client

The ME client is a thin application (previously in this documentation called the security client application, from now on called the “safe frame”) consisting of different security features. The safe frame is a connected security application installed on the end user’s mobile device: a thin client with sophisticated security features that connects to the ME core server and enables the user to perform transactions in a secure way.

Key features

• Security application installed over the air
• True PKI secure client
• Thin client
• Advanced security features
• PIN code protected
• Connects to transaction server when started
• Instant provisioning
• GUI controlled from server
• Flexibility in terms of branding
• Supports most handsets

The Safe Frame can also be implemented as a library onto existing mobile banking applications. By doing so, a security layer is attached to the existing mobile banking solution, allowing for the execution of transactional services.

2.4 ME core server

The ME core server manages the integrity of each user and each client safe frame. It is an integral part of the security and the services enabled through the ME client; the core transaction server is flexible in terms of configuration and new services.

Key features

• Advanced security features
• Flexibility in terms of configuration
• Flexibility in terms of branding
• Instant provisioning of new services
• Scalability

2.5 ME ecosystem server

The ecosystem server components enable routing of transactions in a multiple system with several independent service providers in one common ecosystem. There are several components within the ecosystem server:

• The Inter transaction router (ITSR) is the component that enables routing of authentication transactions in a multiple system and handles integrations to banks for account integration and enrolment.

• The Other service router (OSR) connects different service providers, as well as routing components, and enables routing of other-service transactions such as ticketing and loyalty programs.

• The electronic ID router is a routing component for signatures and authentications in an electronic ID ecosystem.

3 ME system description

3.1 Logical view

The logical view below explains the structure of the services offered within the ME platform. The services can be of two generic types: local services or ecosystem services. Local services are directly integrated in the transaction server and global ecosystem services are integrated to an ecosystem component.

3.2 Function description

The functional description defines the user experience of the different services and other functionalities like enrolment and 3-factor authentication. All services need integration towards external systems in order to be operational.

3.2.1 Enrolment

This section defines the user experience for enrolment through a website.

1. The user enrols to the mobile solution through the bank’s website by entering his/her MSISDN (mobile telephone number)

2. The bank’s site displays an activation code for the mobile application

3. The user downloads the application

4. The user enters the activation code and chooses his/her PIN

Note that the enrolment process might differ for different operating systems.
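The four enrolment steps above as a server-side model, added here as an example that is not part of the document and not Accumulate’s product code: the bank’s site hands the server the MSISDN and receives an activation code to display, and the downloaded application later redeems that code together with the chosen PIN. The 8-digit code, the 15-minute validity, the three-attempt limit, the numeric PIN policy and the MSISDNs are assumptions; the page does not state any of them.

```python
# Added illustration of the enrolment flow of section 3.2.1 (not Accumulate's code).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ACTIVATION_TTL = 15 * 60   # seconds; assumption, the page gives no validity period
MAX_ATTEMPTS = 3           # assumption, the page gives no attempt limit


@dataclass
class PendingEnrolment:
    msisdn: str
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class EnrolledUser:
    msisdn: str
    pin_salt: bytes
    pin_hash: bytes


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class EnrolmentServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # msisdn -> PendingEnrolment
        self.users = {}     # msisdn -> EnrolledUser

    def start(self, msisdn: str) -> str:
        """Steps 1-2: the bank's site passes on the MSISDN and gets an activation code
        to display. A new request replaces any earlier unused code."""
        code = "".join(secrets.choice("0123456789") for _ in range(8))   # length assumed
        self.pending[msisdn] = PendingEnrolment(msisdn, code, self.clock() + ACTIVATION_TTL)
        return code

    def activate(self, msisdn: str, code: str, pin: str) -> str:
        """Step 4: the downloaded application sends the activation code and the chosen PIN."""
        p = self.pending.get(msisdn)
        if p is None:
            return "no-pending-enrolment"
        if self.clock() > p.expires_at:
            del self.pending[msisdn]
            return "expired"
        if not hmac.compare_digest(p.code, code):
            p.attempts_left -= 1
            if p.attempts_left <= 0:
                del self.pending[msisdn]             # the user must restart from the web site
                return "locked"
            return "wrong-code"
        if not (pin.isdigit() and 4 <= len(pin) <= 8):   # PIN policy is an assumption
            return "pin-rejected"
        salt = secrets.token_bytes(16)
        self.users[msisdn] = EnrolledUser(msisdn, salt, _pin_hash(pin, salt))
        del self.pending[msisdn]                      # the activation code is single use
        return "activated"

    def verify_pin(self, msisdn: str, pin: str) -> bool:
        u = self.users.get(msisdn)
        return u is not None and hmac.compare_digest(u.pin_hash, _pin_hash(pin, u.pin_salt))


def run_scenario() -> dict:
    """Constructed walk-through with made-up MSISDNs."""
    now = [0.0]
    srv = EnrolmentServer(clock=lambda: now[0])
    code = srv.start("+46700000001")
    wrong_code = str((int(code[0]) + 1) % 10) + code[1:]   # differs in the first digit
    out = {
        "wrong": srv.activate("+46700000001", wrong_code, "1234"),
        "weak": srv.activate("+46700000001", code, "12"),
        "ok": srv.activate("+46700000001", code, "1234"),
        "reuse": srv.activate("+46700000001", code, "1234"),
    }
    code2 = srv.start("+46700000002")
    bad2 = str((int(code2[0]) + 1) % 10) + code2[1:]
    for _ in range(MAX_ATTEMPTS):
        out["lock"] = srv.activate("+46700000002", bad2, "1234")
    code3 = srv.start("+46700000003")
    now[0] += ACTIVATION_TTL + 1
    out["late"] = srv.activate("+46700000003", code3, "1234")
    out["pin_ok"] = srv.verify_pin("+46700000001", "1234")
    out["pin_bad"] = srv.verify_pin("+46700000001", "9999")
    return out
```

The activation code is the only thing binding the web session (where the MSISDN was entered) to the application that later connects, so it is treated like a credential: short-lived, compared in constant time, consumed on success and withdrawn after repeated failures. The PIN is never stored, only a salted PBKDF2 verifier of it.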

3.2.2 Mobile banking

This section describes the user experience for an informational mobile banking service.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses account balance

3. The application displays the current account balance

3.2.3 Secure credit card

This section describes the user experience of a 3-D Secure purchase.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses secure credit card

3. The card is activated for purchases

4. The user chooses the item to buy and enters the credit card information at the merchant site

5. The merchant site requests the user to verify the purchase in the mobile application

6. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN

7. The status of the purchase is displayed in the mobile application

8. The status of the purchase is displayed at the merchant’s site

3.2.4 Point of sale

This section describes the user experience for a POS purchase.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses Payment

3. The mobile application informs the user to either use NFC or the OTT process in order to initiate the purchase

4. The user either swipes the phone over the point of sale terminal or gives the merchant the OTT

5. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN

6. The status of the purchase is displayed in the mobile application

7. The point of sale terminal prints the receipt of the purchase

3.2.5 Online

This section defines the user experience for an online purchase using an OTT.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses Payment

3. The mobile application displays an OTT valid for the transaction

4. The user chooses the item to buy and enters the OTT at the merchant site

5. The merchant site requests the user to verify the purchase in the mobile application

6. Information regarding merchant, item and price is displayed in the mobile application and the user verifies the purchase by entering his/her PIN

7. The status of the purchase is displayed in the mobile application

8. The status of the purchase is displayed at the merchant’s site

3.2.6 Person-to-person

This section defines the user experience for a person-to-person transfer.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The sender and the receiver choose person-to-person transfer

3. The sender chooses send money

4. The receiver chooses receive money

5. The sender enters the amount of the transfer

6. The receiver communicates his/her MSISDN or the OTT to the sender

7. The sender enters the MSISDN or the OTT

8. The sender’s mobile application displays the information regarding the transfer and asks the sender to verify it with his/her PIN

9. The status of the transfer is displayed in the sender’s mobile application

10. The status of the transfer is displayed in the receiver’s mobile application

3.2.7 Man-to-machine

This section defines the user experience for a man-to-machine purchase, in this case a vending machine.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses vending machine purchase

3. The user enters the serial number of the machine in the mobile application

4. The mobile application returns the information about the location of the machine and asks for the amount to transfer along with verification with the PIN

5. The status of the transfer is displayed in the mobile application

6. The user can now, depending on the service of the machine, choose which product/service to collect

3.2.8 Remittance This section defines the user experience for a remittance.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses remittance

3. The sender enters the amount

4. The sender enters the recipient's MSISDN

5. If the receiver is not in an active state (application initiated), the sender is informed of this

6. The sender's mobile application displays the information regarding the transfer and asks the sender to verify it with his/her PIN

7. The status of the transfer is displayed in the sender's mobile application

3.2.9 Secure login This section defines the user experience for a login.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses Login

3. The mobile application displays an OTT valid for the login

4. The user enters the OTT at the website

5. The site requests the user to verify the login in the mobile application

6. Information regarding which website the user attempts to log in to is displayed in the mobile application, and the user verifies the login by entering his/her PIN

7. The mobile application confirms the login

8. The user is now logged in at the website

3.2.10 Secure signature This section defines the user experience for a secure signature.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses signature

3. Signature mode is activated

4. On the website the user confirms to go ahead and sign an action

5. The site requests the user to verify the action in the mobile application

6. The user receives the information regarding the action he/she wants to sign, and is asked to verify it with his/her PIN

7. The status of the signature is displayed in the mobile application

8. The status of the signature is displayed at the website

3.2.11 e-ID

3.2.11.1 Authentication

This section defines the user experience for a login with an e-ID.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses Login

3. The mobile application displays an OTT valid for the login

4. The user enters the OTT at the website

5. The site requests the user to verify the login in the mobile application

6. Information regarding which website the user attempts to log in to is displayed in the mobile application, and the user verifies the login by entering his/her PIN

7. The mobile application confirms the login

8. The user is now logged in at the website

3.2.11.2 Signature This section defines the user experience for a signature with an e-ID.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses signature

3. Signature mode is activated

4. On the website the user confirms to go ahead and sign an action

5. The site requests the user to verify the action in the mobile application

6. The user receives the information regarding the action he/she wants to sign, and is asked to verify it with his/her PIN

7. The status of the signature is displayed in the mobile application

8. The status of the signature is displayed at the website
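As an added example (not Accumulate's code), the following Python sketch models the server-side state behind the login and signature flows in 3.2.9, 3.2.10 and 3.2.11: the app obtains a single-use OTT, the website hands it in, the app shows the user which site and action are pending, and the user's PIN confirmation is validated on the server. The 60-second token lifetime, the 8-digit token format and the `verify_pin` callback are assumptions.

```python
import secrets
import time

OTT_TTL_SECONDS = 60   # assumed lifetime; the page only says the OTT is "valid for the login"

class MeCoreServer:
    # Constructed model of the OTT flow; not Accumulate code.
    def __init__(self, verify_pin):
        self.verify_pin = verify_pin   # server-side PIN check ("something you know")
        self.otts = {}                 # ott -> (app_id, issued_at)
        self.pending = {}              # app_id -> {"site", "action", "ott"}
        self.results = {}              # ott -> "pending" / "confirmed" / "rejected"

    def issue_ott(self, app_id, now=None):
        # Step 3: the already authenticated app asks for a single-use token
        ott = f"{secrets.randbelow(10**8):08d}"
        self.otts[ott] = (app_id, time.time() if now is None else now)
        return ott

    def website_submits(self, ott, site, action, now=None):
        # Steps 4-5: the website forwards the token; a verification is queued for the app
        entry = self.otts.pop(ott, None)   # consumed on first use, so a replay fails
        if entry is None:
            return "unknown_ott"
        app_id, issued_at = entry
        if (time.time() if now is None else now) - issued_at > OTT_TTL_SECONDS:
            return "expired_ott"
        self.pending[app_id] = {"site": site, "action": action, "ott": ott}
        self.results[ott] = "pending"
        return "pending"

    def pending_for(self, app_id):
        # Step 6: the app shows site and action so the user can spot a request he/she did not make
        return self.pending.get(app_id)

    def confirm(self, app_id, pin, approve=True):
        # Steps 6-7: the user's decision plus PIN, validated on the server, settles the request
        req = self.pending.pop(app_id, None)
        if req is None:
            return "nothing_pending"
        ok = approve and self.verify_pin(app_id, pin)
        self.results[req["ott"]] = "confirmed" if ok else "rejected"
        return self.results[req["ott"]]

    def website_status(self, ott):
        # Step 8: the website reads the outcome and completes the login or signature
        return self.results.get(ott, "unknown_ott")
```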

3.2.12 3 factor authentication This section defines the user experience of the 3 factor authentication solution, which can be applied for application login, site login or signature.

1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.

2. The user chooses verify voice

3. The user presses the start recording button

4. The user verifies his/her voice by recording the text displayed in the mobile application

5. The mobile application displays the result of the voice verification

* Note that enrolment of the voice is necessary before voice verification can be executed

4 Security

The basic idea behind the ME solution is to use a secure connection to a mobile phone to authenticate a user. To obtain a high security level it is crucial to first create a secure and safe origin authentication and then, in a very secure manner, contain and reuse that origin authentication. The ME system uses, in its current version, 2FA (2 Factor Authentication) to obtain the secure link to the origin authentication. The two factors used are:

• Something you have. In this case the identity of the application installed in a specific phone, with a specific MSISDN, where a specific set of asymmetric keys is stored. The asymmetric keys are a common RSA key pair. The private part is stored on the mobile device and the public key is stored on the server (as in standard PKI).

• Something you know. A PIN code/pass phrase of any length, with a possible variation of digits and characters. The PIN/pass phrase is always validated on the server side to avoid brute forcing. It is possible to implement any business logic and rules for PIN/pass phrase use and reuse.

The ME solution is built with a true secure connection between the server (TS) and the client. Within that secure channel different services can be offered to the user. This concept is called Safe Frame and is a key foundation of the security in ME.

The asymmetric keys in the client are stored in the common memory space integrated with the client SW. In the ME solution the unique client SW with its asymmetric keys is bound to the mobile phone, the operator and the MSISDN. By doing that it is ensured that the application and the keys cannot be moved or copied for use in other devices. This ensures that the right device must be used and prevents mass fraud.

The ME solution is built to be able to use multiple asymmetric keys and multiple certificates. This means that every single service can have its own keys and certificates.

ME has an advanced security architecture, and the security level is achieved by its technical design, by its technical components and also by its processes. ME is a 2-factor solution using a private key infrastructure for the communication between the application and the server. ME stores the private keys in the application. The private keys are protected by a number of checks that are processed when a client connects to the server side, to ascertain the integrity of the application and the user. Another important security component is that ME uses two simultaneous communication lines to execute an authorization. A third factor using biometric properties, such as voice or face recognition, can be added to the solution.

4.1 Threat and mitigation

| Threat | Possibility | Mitigation |
|---|---|---|
| Stolen phone + security application | Possible | PIN Control, Revoke |
| Stolen phone + security application + PIN | Unlikely | Revoke |
| Stolen security application | Very unlikely | PIN Control, IMEI, SIM validation |
| Stolen security application + PIN | Very unlikely | PIN Control, IMEI, SIM validation |
| Stolen security application + PIN + IMEI | Very unlikely | PIN Control, IMEI, SIM validation |
| Stolen client application + PIN + IMEI + Proxy install | Very unlikely | Prefix OTT |
| Stolen client application + PIN + IMEI + Proxy install | Very unlikely | 3 factor authentication |
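As an added example (not Accumulate's code), the following Python models the two factors described in section 4 together with the "PIN Control" and "Revoke" mitigations from the table above: the server checks that the app identity is still bound to the enrolled IMEI and MSISDN, verifies proof of the RSA private key over a fresh challenge, and only then validates the PIN. The toy textbook RSA key (p=61, q=53), the three-failure revocation rule and the single-use challenge nonce are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA (p=61, q=53) so the block runs offline; ME uses 512-2048 bit keys.
N, E, D = 3233, 17, 2753     # constructed key pair, not a real ME key
MAX_PIN_FAILURES = 3         # assumed "PIN control" rule; the page leaves this to business logic

def _digest(challenge: bytes) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N
def sign(challenge: bytes, d: int = D) -> int:   # client side: proof of key possession
    return pow(_digest(challenge), d, N)
def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class MeServer:
    def __init__(self):
        self.devices = {}        # app_id -> enrolment record
        self.challenges = set()  # outstanding nonces, each accepted once
    def enrol(self, app_id, imei, msisdn, pin):
        salt = secrets.token_bytes(16)
        self.devices[app_id] = {"imei": imei, "msisdn": msisdn, "pub": (N, E), "salt": salt,
                                "pin": pin_hash(pin, salt), "failures": 0, "revoked": False}
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges.add(nonce)
        return nonce
    def authenticate(self, app_id, imei, msisdn, challenge, sig, pin) -> str:
        if challenge not in self.challenges:       # replayed or never issued
            return "stale_challenge"
        self.challenges.discard(challenge)
        dev = self.devices.get(app_id)
        if dev is None or dev["revoked"]:          # unknown app treated like a revoked one
            return "revoked"
        # Something you have: app identity bound to this IMEI and MSISDN, plus RSA key proof
        if (imei, msisdn) != (dev["imei"], dev["msisdn"]):
            return "binding_mismatch"
        n, e = dev["pub"]
        if pow(sig, e, n) != _digest(challenge):
            return "bad_signature"
        # Something you know: the PIN is validated only here, never in the client
        if not hmac.compare_digest(pin_hash(pin, dev["salt"]), dev["pin"]):
            dev["failures"] += 1
            if dev["failures"] >= MAX_PIN_FAILURES:
                dev["revoked"] = True              # "Revoke" from the threat table
                return "revoked"
            return "bad_pin"
        dev["failures"] = 0
        return "ok"
```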

4.2 Mobile client security Each client application is uniquely distributed and contains a unique identity combined with a private RSA key; the size of the key varies from 512 bit to 2048 bit depending on the speed of the target handset. The key, in combination with the identity of the application, is used to establish a secure 256-bit AES encrypted connection with the server.

The server controls which key size to use, depending on the phone model. The connection with the server is socket based, not HTTP, in order to avoid the risk of "session hijacking". The client application can be seen as a tiny browser with built-in client certificate authentication, locked with a PIN code.

The clients are also linked to the phone's serial number and implement processes to verify the SIM, to prevent future attacks like Trojans and key loggers on mobile devices. This makes the software-based certificate in the client "hard", preventing use on another device.

An Accumulate-developed TCP server handles the connection with the clients using only asynchronous IO, to allow many connections without using a lot of application threads. Any number of TCP servers can be deployed (using a load balancer), and the TCP server communicates with the core components using EJB.

The core components can communicate back with the TCP server to push confirmation to a user directly on the socket channel.

5 Scalability ME is, both from an application and an infrastructure point of view, fully scalable. It is possible to add any number of ME server instances, and each server can have an unlimited number of users connecting. There are no bottlenecks when it comes to transactions.

Vertical scaling is normally not applicable; the only case where it might be the best scaling method is when more in-memory database storage is required without an actual need for more CPU capacity. In this situation, a simple upgrade of RAM is the most efficient upgrade. Normally, horizontal scaling is used to improve capacity, even though the most common method to improve performance is code or configuration improvements.

Load balancing is done through Linux Virtual Server using direct routing (DR), with keep alive as the heartbeat between the master and the slave. This allows the addition of virtually any number of real servers without the load balancer becoming a bottleneck.