From E-Transactions to M-Transactions: Enabling mobile transactions with information assurance
Return to Message Application Products1Copyright Bond Wireless 2010
From E-Transactions to M-Transactions: Enabling mobile transactions with information
assurance
Clarence N W Tan, PhD, FACS, F Fin
Founder and CEO, Bond Wireless
Entrepreneur in Residence Fellow, Bond University/Gold Coast Innovation Centre
Adjunct Professor, Bond University/Griffith University
About Bond Wireless
• Founded in 2002 with a business presence in Australia, Singapore,
Malaysia, Thailand, Kenya, UAE and USA.
• Developer of Patented IP and award winning innovative SMS
application solutions
• Winner of the Asia Pacific ICT Awards 2002 in Best
Communication Applications Award.
• Listed in Top 30 ICT companies in Australia 2003/2004 and in the
Q400 2005, 2007, 2008 and 2009 – Top 400 Companies in
Queensland
• Finalist in AIIA 2006 Communications Applications Award
• Winner Gold Coast Business Excellence Award 2006 in IT.
Our Business
• Enable enterprises of all sizes to communicate via SMS and
VoIP easily, instantly, cost-effectively and confidently with
authentication and verification.
• Provide innovative software solutions.
• Operate our own global text messaging infrastructure and
wholesale international connectivity and access to major
VoIP network.
• Provide messaging and VoIP gateways for system
integrators, application developers, and multinationals.
Application Specific SMS Products
• Marketing
– SMS Auction, Trivia & Competition
– VoIP and SMS Loyalty Portal
– Campaign Messenger Professional with VOIP
– Greetings2fone
• Messaging
– Campaign Messenger - demo
– Web Messenger
– SMS Print (pat. pend.) - demo
– SMS to Web
• Email Integration - demo
– SMS to Email
– Email to SMS
– SMS to SMS
• SMS Information Messenger
• SMS Callback for VoIP
• Text to Speech VoIP
• Authorization - demo
– SMS AV (pat. pend.)
• Transaction/Payment systems
• SMS Banking/Ticketing
• M-Prescription
• Verification/Authentication
• SMS Workforce
– SMS Job Dispatch
– SMS Appointment Book
– SMS Alerts
• Profile Matching
• Remote monitoring of web sites/servers
• SMS Stock Alerts
• SMS Transit
– Trans-Messenger
• Developer's SDK
• Case Studies
M-Transactions
• Mobile applications on handsets utilizing internet
connection
– Java Apps, iPhone Apps, Android Apps
– SimTool Kit
– WAP Apps
• Problem:
– not ubiquitous
– require internet connection, minimum of GPRS, WiFi
– security issue when accessing via public WiFi networks
– requires Smartphones
M-Transactions Market
• The value of digital and physical goods that people buy with
their mobiles will reach $200 billion globally by 2012,
compared to just less than $100 billion this year.
(Juniper Research 2010)
• Majority of mobile handsets sold globally are sub-$50
phones that only carry voice and SMS e.g. China has over
850 million mobile subscribers but is projected to have only
7%-10% 3G subscribers at the end of 2012. (Source:
Ministry of Industry and Information Technology, the
operators' website)
• Many global digital brands have tried and failed in China, e
– Facebook: <5% share, blocked in 2009, no access in China
– Yahoo: entered 1999, site 3721 acquired in 2003 (40%
market share), now 0.5% share
Why SMS?
• SMS is a stable platform that has been around for over 17 years
• Extending the capabilities of mobile messaging to the
enterprise market by overcoming the limitations of
traditional SMS.
– Input
– No end-user proof of receipt or information assurance to
support high value applications
• Global SMS Market Trend
– Peer-Peer to Business-Peer
– US Telcos opening up to SMS
– SMS is the most cost effective method to reach large numbers
of customers in most markets
– Bridging the Digital Divide e.g. in Asia, where SMS is much
more accessible than the email
Bond Wireless solves non-repudiation of mobile consumers
Bond Wireless has developed a patent for verifying and authenticating consumers using SMS and its associated technologies text2speech.
Problems solved:
1. Has the correct person received the information?
2. Has the correct person read the information?
Successfully being deployed by mobile operators and application developers across the Asia-Pacific region.
SMS Authenticate & Verify (SAV)
• Authenticated and Verifiable SMS Messages
• Server-based patented technology that permits
certified SMS transmission that is encrypted
• SIM card independent solution
• Ensures only intended recipients can read
message
• Solves non-repudiation problem by confirming
recipient has successfully retrieved message
Benefits of the Bond Wireless approach to non-repudiation and verification of message reception
• The *patented SMS Authenticate and Verify (SAV) technology used in our SecureTrans™ product is designed for enterprise applications providing additional business process security with SMS messages, without expensive modifications to SIM cards, customized phones, or phone-based applications.
• The SecureTrans™ process ensures the identity of the message recipient before any sensitive data is delivered. In addition to ensuring only the intended recipient reads the message, the sender is also given proof that the recipient received the message.
* SMS AV (SMS Authenticate and Verify) has been granted a patent in the following territories: China - ZL 03810299.4, Hong Kong - HK1078708, USA - US 2006/0098678 A1, Australia - 2003225327 and Europe - 03720017.7
The SecureTrans™ Platform
• No need for SIM Toolkit development and the issuing of
application specific toolkits.
• Will work across multiple Mobile technology platforms
(GSM, CDMA, and 3G)
• Operates with MMS as well as SMS
• Guarantees that the correct recipient is receiving the
information being broadcast
• Value added mobile service
• Privacy/Duty of care/Security
• Enables operators to establish a cost effective user
validation process
• Customers are able to self-activate and auto activate users
SMS SecureTrans™ Information flows
How it works
Verification Module
• Enables senders of SMS to verify the correct user is in control of
the receiving device.
• The verification module uses the CLI and a shared password as
the validation criteria.
• The application enables a sender to manage the length of the
maximum response time.
• The verification process can be used to commence or complete a
transaction, and can be initiated from the network or the mobile
device.
Securing the handshake
Authentication Module
• Using 128-bit encryption, sensitive data is sent encrypted with the request for verification.
• The message is only decrypted upon receipt of correct password/verification keys.
• When in use, no content of the outgoing SMS message is stored on the encryption server; the whole message is sent with the request for validation.
• Allows future migration of a Java-based mobile application or SIM Toolkit solution to provide seamless encryption/decryption at the phone.
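The verification and authentication modules described above, as an added Python example that is not Bond Wireless's code: the server encrypts the message, keeps no copy, and releases the plaintext only when the token comes back from the registered CLI with the correct passcode inside the response window. Assumptions: the token layout, the names `seal` and `open_reply`, the 300-second window, the sample numbers and passcodes, and the HMAC-SHA256 keystream with encrypt-then-MAC, which stands in for the unspecified 128-bit cipher so the block runs on the standard library alone (a deployment would use a vetted AEAD such as AES-GCM).

```python
import hashlib
import hmac
import os
import struct

SERVER_KEY = os.urandom(16)   # 128-bit secret held only by the security server
MAX_RESPONSE_SECS = 300       # sender-managed maximum response time (assumed value)
AUDIT_LOG = []                # (time, cli, outcome) entries kept for later audit
USERS = {}                    # cli -> (salt, passcode hash)


def _pw_hash(passcode, salt):
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


def register(cli, passcode):
    """Store a salted hash of the shared passcode against the caller's number."""
    salt = os.urandom(16)
    USERS[cli] = (salt, _pw_hash(passcode, salt))


register("+61400000001", "4821")   # constructed sample registrations
register("+61400000002", "7788")


def _subkey(label):
    return hmac.new(SERVER_KEY, label, hashlib.sha256).digest()


def _keystream(nonce, length):
    # Stand-in cipher (assumption): HMAC-SHA256 run in counter mode.
    key = _subkey(b"enc")
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _tag(cli, body):
    # The MAC covers the recipient's CLI, so a token is bound to one number.
    return hmac.new(_subkey(b"mac"), cli.encode() + body, hashlib.sha256).digest()[:16]


def seal(cli, message, now):
    """Encrypt message for cli; the token travels to the handset and back."""
    nonce, data = os.urandom(12), message.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    body = nonce + struct.pack(">Q", int(now)) + ct
    return body + _tag(cli, body)


def _check(cli, token, passcode, now):
    if cli not in USERS:
        return "unknown_cli", None
    body, tag = token[:-16], token[-16:]
    if len(token) < 36 or not hmac.compare_digest(tag, _tag(cli, body)):
        return "bad_token", None      # altered, or issued to another number
    if now - struct.unpack(">Q", body[12:20])[0] > MAX_RESPONSE_SECS:
        return "expired", None
    salt, stored = USERS[cli]
    if not hmac.compare_digest(_pw_hash(passcode, salt), stored):
        return "bad_passcode", None
    ct = body[20:]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(body[:12], len(ct))))
    return "delivered", plain.decode()


def open_reply(cli, token, passcode, now):
    """Handle the handset's reply (token plus passcode) and record the outcome."""
    outcome, text = _check(cli, token, passcode, now)
    AUDIT_LOG.append((int(now), cli, outcome))
    return outcome, text
```

Because the server keeps no state, a delivered token stays valid until the response window closes; enforcing single use would require the server to remember which tokens it has already opened.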
The SMS SecureTrans™
Benefit for Security
Enables organisations with confidential or sensitive information to use the distribution capabilities and coverage of SMS.
Ensures only the intended recipient can read message
Permit sensitive information to be sent via SMS
Enable mobile/e-commerce in a secure fashion
Solve problems of non-repudiation
Applications of SMS AV in Security and
Government
• Ubiquitous private communication via SMS from mobile to mobile or PC to mobile with authentication and verification of sender and recipient globally.
– Government or security personnel can utilize any existing mobile handsets with the service as long as they have registered their existing mobile numbers and pass-code with the system.
• Verification of permission or order via SMS with an audit trail and proof of receipt that recipient has retrieved the message.
• As a digital signature to verify recipient has approved an order or a transaction.
Example of SMS AV usage
• Permits sensitive information to be sent to recipient with
confirmation of information being sent to recipient thus
providing an audit trail.
• Enables transactions to be conducted using a mobile phone
without modification of SIM cards.
• No sensitive information that is encrypted is stored on
third-party servers.
• Ensures only intended recipient can read message
• Applications include SMS Banking, SMS Transact, SMS
Billing, SMS Payments/Ticketing
SMS Banking Applications
• Alerts/notifications, CRM
• Marketing, advertising & promotion
• Account admin (balance enquiry, cheque book
request, etc.)
• Funds management (fund transfers)
• M-commerce (mobile payments)
SMS mobile banking business model
Revenue models
Reduce cost of servicing customers
Increase revenue stream with SMS Banking
as a value-add service to customers
Create a mobile commerce platform
Independence from carriers and networks
Potential mobile payment solution with global
footprint
Current Implementations
Implemented with a Telco in SE Asia who are using it
in the consumer market
Implemented in the Health Industry providing test
results to patients, see interview with Queensland
Health Director of Sexual Health Clinic:
http://www.youtube.com/watch?v=P8uOLkJFjlc
Implemented in the Education Industry providing
government exam results to students
SecureTrans Application delivered for a Telco
Case Study: Sexual Health Clinic
• Doctors have to show duty of care in contacting patients with communicable diseases.
• 90% of medical test results are negative.
• Currently using certified/registered mail as proof of duty of care. Cost is about US$2 per patient, with ineffective results due to the mobility of patients.
• Trialing SMS AV to have non-repudiated proof of patients' receiving their results via SMS.
• Faster response time, reduces cost of delivery, more effective results in managing patients.
State Health Example
• Reminder sent to patient encrypted.
• Patient enters agreed Passcode.
• Result sent back to patient's mobile phone
decrypted and able to be read.
• Notification sent to doctor/sender that
message has been decrypted successfully.
• Log made of outcome for later audit.
CaraData working with Bond Wireless
CaraData introducing SHIP 7 the Sexual Health Information Program developed in Australia with the help of professionals working with HIV and STDs.
CaraData has been working with Bond Wireless to provide secure SMS text messaging to patients
The solution checks patient records and automatically sends secure SMS text messages directly to mobile phones regarding
– test results
– appointment times
– reminders to take medication
Case Study: Using Bond Wireless SMS SecureTrans to notify
patients of medical results in a Sexual Health Clinic
Doctors have to show duty of care in contacting
patients with communicable diseases in Australia.
90% of medical test results are negative.
Currently using certified/registered mail as proof of
duty of care. Cost is about US$2 per patient, with
ineffective results due to the mobility of patients.
Australian hospital currently using Bond Wireless
SMS SecureTrans to obtain non-repudiated proof
of patients' receiving their results via SMS and
ensuring confidentiality of results.
End result for Hospital: Faster response time,
reduced cost of delivery, more effective results in
managing patients with fewer patients phoning in to
inquire about their medical results.
Fig. 1 Schematic SMS Pathways
• Send Message
• Message stored on Clinic Server (encryption an option)
• Message sent to Bond Wireless
• Message passed to Client
• Receive message
• Client sends PIN to Bond Wireless Server
• Encrypted message unencrypted
• Message sent to Client
• Message status sent to Clinic Server
• Notify Staff
• No message kept on Bond Wireless Server
Legend: SMS message; Secure SMS message
Consent to SMS by age and sex
Conclusion: Advantages of SMS for GCSHC
• Software compatible with and can be delivered through SHIP
• 90% of the negative results resolved via SMS
• Phone traffic for result giving has been significantly reduced
• Staff time & effort targeted more cost–effectively on +ve results
• Appointment waiting times are reduced, meeting public health needs
• Secure SAVSMS provides non-repudiated proof of duty of care
• Cost saving on postage
• Future clinical applications through SMS:
– Drug trials reminders audit process
– Reminders for medication and appointments
– VoIP/SMS marketing for disease awareness programs targeting ethnic and younger demographic population.
SMS Mobility 'Verisign' model
Existing Problems in M-Commerce
• Require SIM Tool Kit (STK) Solution or Smartphones to run
applications for mobile commerce thus limiting number of
users for m-commerce services.
• Inability to distinguish if the Caller ID of the sender of a
text message has been spoofed.
• No proof of receipt or acknowledgment of wilful attempt to
retrieve a message by the recipient for a sender to have
confidence that a message sent has indeed been retrieved
by the correct recipient.
• Prepaid mobile subscribers who are not registered, or who do not
have to go through a stringent identity check, make
conducting m-transactions difficult.
Proposal of a 'Verisign Mobile' Model
• A 'trusted' entity uses Bond Wireless SAV methodology in
sending and receiving of all SMS (text messages) as an
intermediary.
• The entity is responsible for registering and checking that
all users of the SAV are properly identified.
• Any messages sent from the entity's unique reply number
can be trusted by the user. There is little risk of Caller ID
spoofing of the entity as the entity will always only send an
encrypted message that requires a passcode to be sent
back with the message to the entity from the user's phone.
• The entity will be used to send messages for m-
transactions, medical results, exam results, any critical
information that requires proof of receipt e.g. approvals,
notarization, etc.
Benefits of the 'Verisign Mobile' Model
• Enables information assurance for mobile subscribers to
conduct mobile transactions.
• Entity is able to monitor and see all transactions going
through the system.
• Entity can provide this service globally as long as
international mobile subscribers can reply to the unique
entity's mobile number.
SMS SecureTrans™
SMS Banking with Verification via IVR
Balance Inquiry
1. User sends an SMS shortcut to initiate transactions with username (optional). Example: LI CUST1. The SMS is sent to a dedicated Mobile Number.
2. Server verifies user using CLI and username. A menu is sent back to User via SMS. Example:
   1. BI - Balance
   2. FT - Fund Transfer
3. User chooses transaction and sends the appropriate shortcut. Example: BI
4. Server verifies user using CLI and sends the response to the shortcut. Example: Balance Inquiry for which Account:
   1. Savings Account No 888
   2. Checking Account No. 999
5. User chooses response for transaction. Example: 1
6. Server verifies user using CLI. An automated call is generated to the user, announcing the transaction initiated and requesting user to enter his/her Mobile PIN in order to retrieve a dynamic Approval Password.
7. User receives an automated telephone call from the bank requesting user to key in his/her password. User enters his/her Mobile PIN, listens for the Approval Password, and hangs up.
8. User receives an encrypted message requesting the Approval Password. User sends Approval Password. Example: <Approval Password>
9. Server verifies user using CLI, decrypts the message using the Password. Once verified, the requested transaction is sent via SMS. Example: You have <Balance Amount> in <Account No.>
Diagram channel labels: SMS, Voice/IVR
Fund Transfer
1. User sends an SMS shortcut to initiate transactions with username (optional). Example: LI. The SMS is sent to a dedicated SIM.
2. Server verifies user using CLI and username. A menu is sent back to User via SMS. Example:
   1. BI - Balance
   2. FT - Fund Transfer
3. User chooses transaction and sends the appropriate shortcut. Example: FT
4. Server verifies user using CLI and sends the response to the shortcut. Example: Fund Transfer to be done on which Accounts:
   1. Savings Account
   2. Checking Account No. 999
5. User chooses response for transaction by choosing the account to transfer from and the account to transfer to, with the word 'to' as a separator. Example: 1 to 2 <Amount>
6. Server verifies user using CLI. An automated call is generated to the user announcing the transaction initiated if transaction request is confirmed, requesting user to enter his/her Mobile PIN in order to retrieve a dynamic Approval Password.
7. User receives an automated telephone call from the bank requesting user to key in his/her password. User enters Mobile PIN, listens for the Approval Password, and hangs up.
8. User receives an encrypted message requesting the Approval Password. User sends Approval Password. Example: <Approval Password>
9. Server verifies user using CLI and Password. Once verified, confirmation of the requested transaction is sent. Example: You have transferred <Amount> from <Account No 1> to <Account No. 2>
Diagram channel labels: SMS, Voice/IVR
Notes on SMS Banking with IVR Verification
• Once a transaction request is initiated, as a security measure, there
will be an automatic timed logout if the user does not respond within a set time.
• The entire process can be shortened by the user by using the appropriate
shortcuts and correct fields without the server prompting after Log in. For
example:
BI 1 <Password>
FT <A/C to txf from> to <A/C to txf to> <Password>
• Steps 6, 7 and 8 can be reduced to just IVR verification. However, the security
and audit trail requirements may require the additional steps as voice calls can
be forwarded without knowledge of the caller while SMS can never be forwarded
with original sender's CLI from a handset.
• In addition, the encrypted SMS sent back to the bank provides the customer
with a 'copy' of the transaction done, thus providing an audit trail or receipt of
the transaction while IVR alone will not provide a journal of the transaction from
the customer's perspective.
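The nine-step dialogue and the timed logout from the notes above, as an added Python example that is not Bond Wireless's code: a per-CLI session state machine for the balance inquiry case, where the Mobile PIN keyed into the IVR call releases a one-time Approval Password. Assumptions: the function names, reply strings other than the menu and balance texts, the 120-second timeout, the six-digit Approval Password and the sample customer record; the encrypted prompt of step 8 is reduced to a plain reply here.

```python
import hmac
import secrets

SESSION_TIMEOUT = 120  # seconds until the automatic timed logout (assumed value)
MENU = "1. BI - Balance\n2. FT - Fund Transfer"
# Constructed customer record keyed by CLI; PIN and balances are sample data.
CUSTOMERS = {"+61400000001": {"user": "CUST1", "pin": "2468",
                              "accounts": {"1": ("888", 1500), "2": ("999", 320)}}}
SESSIONS = {}          # cli -> {"state", "seen", "account", "approval"}


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


def _session(cli, now):
    """Return the live session for cli, or None once the timed logout has hit."""
    s = SESSIONS.get(cli)
    if s is None:
        return None
    if now - s["seen"] > SESSION_TIMEOUT:
        del SESSIONS[cli]
        return None
    s["seen"] = now
    return s


def on_sms(cli, text, now):
    """Steps 1-5, 8 and 9: each inbound SMS is checked against the CLI first."""
    cust = CUSTOMERS.get(cli)
    if cust is None:
        return "REJECTED"
    words = text.split()
    if words[:1] == ["LI"]:                        # step 1: log in, username optional
        if len(words) > 1 and words[1] != cust["user"]:
            return "REJECTED"
        SESSIONS[cli] = {"state": "menu", "seen": now}
        return MENU                                # step 2
    s = _session(cli, now)
    if s is None:
        return "LOGGED OUT"
    if s["state"] == "menu" and words == ["BI"]:   # steps 3-4
        s["state"] = "account"
        return "Balance Inquiry for which Account:\n" + "\n".join(
            f"{k}. Account No {no}" for k, (no, _) in cust["accounts"].items())
    if s["state"] == "account" and len(words) == 1 and words[0] in cust["accounts"]:
        s.update(state="ivr", account=words[0])    # step 5
        return "CALLING"                           # step 6: server places the IVR call
    if s["state"] == "approval" and len(words) == 1:
        del SESSIONS[cli]                          # step 9: one attempt, then session ends
        if not _same(words[0], s["approval"]):
            return "REJECTED"
        no, balance = cust["accounts"][s["account"]]
        return f"You have {balance} in {no}"
    return "INVALID"


def on_ivr_pin(cli, pin, now):
    """Step 7: the Mobile PIN keyed into the call releases a one-time Approval Password."""
    s = _session(cli, now)
    if s is None or s["state"] != "ivr" or not _same(pin, CUSTOMERS[cli]["pin"]):
        return None
    s.update(state="approval", approval=f"{secrets.randbelow(10**6):06d}")
    return s["approval"]
```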
Why Bond Wireless SMS Banking Solution?
• Patented proprietary technology
• Secure (possible for bank to self-host security server)
• Scalable (RDBMS, encryption engines, etc.)
• Extensible (e.g., add IVR, text-to-speech capabilities, etc.)
• Telco/handset independence
• Cost effective (hard-/software platform agnostic, integrates to
legacy systems readily)
• Cost effective administration (low admin overhead & end user
support cost)
• Possible deployment as micro-transactions platform
• Excellent solution for micro-financing environment
Stockbrokerage example:
a. Client instructs stockbroker over phone call to “Sell X lots of Y”.
b. Stockbroker (Content Server) desires formal order verification & authentication of client (Receiver) before taking action.
c. Stockbroker sends client encrypted SMS “Confirm sell X lots of Y” using software package running on a PC (Security Server).
d. SMS arrives at client's phone with PIN prompt.
SMS applications - Stockbroking
Stockbrokerage example (cont'd):
e. Client replies also using SMS & enters PIN.
f. Software on PC receives reply & authenticates client using CLI & PIN.
g. On success, software sends client decrypted SMS “Confirm sell X lots of Y”.
h. Client can follow up if this instruction is in error.
i. Stockbroker executes order if client has been properly authenticated.
SMS applications
Other Business Process Applications
Sign-off of company purchase orders by remote or
mobile staff
Sign-off of letter or advertising copy by remote or
mobile staff
Alerting senior managers of organisations of KPI metrics
Enabling organisations with remote workforces to
dispatch, track and record appointment details
Interacting with Customers and Suppliers to confirm
receipt, shipment and status of orders
Simple reporting tool for remote staff who may not have
ready access to an internet connection
Questions?
Contact details: