Key Issues and Possible Solutions for Creating a Feasible TSM Infrastructure
Riekus Hatzmann
Monaco Grimaldi Forum, WIMA-NFC Conference, April 29th 2008

Agenda
• Introduction
• Role of TSM
• Security and Risk Issues
• Conclusions
Atos Origin: a client-centric company with global operations… powered by people

(Diagram labels: Outsourcing; Change capability; Enabling business goals & achieving business value; Operational excellence; Adaptable systems; Exploit new technologies; Package integration)

Our Vision and Mission in Electronic Payments
“To be the preferred technology partner in retail electronic payments through best-in-class processing, solution development and information management”
Through
• Best-in-class processes
• Next generation technology
• Cost excellence
It is Atos Origin’s ambition to become one of the 3 to 5 large payment providers in Europe.
Mobile Finance Trends

mWeb 1.0 (WAP 1.0, 2000)
• Simple devices
• Limited mobile bandwidth (1G)
• Walled garden
• Applications based on WAP 1.0
• Primitive menu structure
Mobile banking: SMS-based banking services; financial information based on SMS push
Mobile payment: SMS-based payments (e.g. MobiPay, mobile PayPal)

mWeb 2.0 (WAP 2.0, 2002-now)
• Smart devices
• Moderate mobile bandwidth (2G)
• Open mobile internet
• Applications based on WAP 2.0
• Comprehensive menu structure
Mobile banking: WAP-based financial information services; combination of mobile device + plastic card + secure identifier
Mobile payment: SMS-based payments (STK); initial NFC mobile payments

mWeb 3.0 (WICD 1.0, 2008-future)
• Smarter devices
• High-speed mobile networking (3G)
• Applications based on WICD
• Interactive mobile internet
• Rich media mobile applications
Convergence of mobile banking and mobile payment:
• Single mobile banking and mobile payment environment on the mobile device
• Secure and trusted by both financial institutions and consumers
• Flexible and adjustable risk management, tailored down to each financial transaction
Mastering Technical Complexities and Compliancy Challenges
(Figure: positioning between “bank driven” and “telco driven”)
TSM Positioning: overview
(Diagram)
• Forming entities: Transport Providers, Banks, MNOs, Government, Retailers
• TSM Governance: compliancy rules, audit, certification
• TSM Operations: between Service Provider and Customer
Atos Origin’s View on TSM Roles

NXP@MobeyForum, Jan. 2008:
• Provide the single point of contact for the service providers to access their customer base through the MNOs
• Execute the security policy of the Trust Authority: creating the derived keys and certificates for the SE
• Manage the secure download and life-cycle management of the mobile NFC application on behalf of the service provider

LogicaCMG@MobeyForum, Jan. 2008:
• To approve new applications for allowance of the application in the NFC ecosystem
• To specify requirements which application builders should comply with for introduction in the NFC ecosystem
• To maintain an application repository

We concur with these roles:
• Key management
• Application life-cycle management
• Asset management

However, the following issues should be considered:
• Distinctive situation with respect to UICC-based or embedded SE
• Interoperability of multiple TSMs
• Customer satisfaction
• Level playing field
• Memory management of the SE
• Security, trust and regulations (e.g. compliancy authorities)

…trust provisioning & security are essential regardless of SE positioning
TSM Positioning: UICC as Secure Element, assignment of security domains
(Diagram labels: UICC; SIM (MNO); Issuer Security Domain (TSM); Service Provider Security Domain 1 (SP, TSM) with Applications; Service Provider; Service Provider Security Domain n)
TSM Positioning: Interoperability?
• Possible distinction between MNO-TSM and Service Provider-TSM
• MNOs control the assignment of service provider security domains
• Root keys originating from various SE vendors/owners can be distributed over many TSMs
• Service Providers must have {n} contracts with n × TSM
Issues:
• More interfaces between partners in the chain of trust
• Are TSMs still independent?
• Is there still an open and level playing field?
(Diagram labels: SIM Vendor 1; Embedded SE Vendor 1; Embedded SE Vendor (n) / OEM (n); (MNO) TSM 1; (Service Provider) TSM {…}; Service Provider n; UICC1 / SE1; SEn; links marked “Not OK”)
TSM Positioning: Creating Interoperability
• Decrease business complexity
• Ensure interoperability
• TSMs can concentrate on their core business: providing service to Service Providers
• Service providers need only one contract with a preferred TSM
• Root keys managed by an independent and trusted party: the Certification Authority
• The Authority can be governed by an independent consortium of different parties in the NFC ecosystem
(Diagram labels: SIM Vendor 1; Embedded SE Vendor 1; Embedded SE Vendor (n) / OEM (n); Certification Authority; (MNO) TSM 1; (Service Provider) TSM {…}; Service Provider n; UICC1 / SE1; SEn)
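The key hierarchy and security-domain assignment described on the slides above (root keys held by an independent authority, derived keys per SE, one security domain per TSM or service provider), as an added Python model that is not part of the presentation or of Atos Origin's systems. The HMAC-SHA256 derivation, the INSTALL command format and the names UICC1, ISD and SP-SD-1 are assumptions for illustration, not GlobalPlatform's actual key diversification scheme.

```python
import hashlib
import hmac
ROOT_KEY = b"constructed-root-key-for-demo-only"  # constructed; held only by the authority

def kdf(parent: bytes, label: bytes) -> bytes:
    # One derivation step: child = HMAC-SHA256(parent, label). Assumed scheme, for illustration.
    return hmac.new(parent, label, hashlib.sha256).digest()

def se_key(se_id: str) -> bytes:
    # Per-Secure-Element key, derived from the root key and the SE identifier.
    return kdf(ROOT_KEY, b"SE|" + se_id.encode())

def sd_key(se_id: str, sd_name: str) -> bytes:
    # Key of one security domain on one SE; the SE can recompute it from its own SE key.
    return kdf(se_key(se_id), b"SD|" + sd_name.encode())

def command_mac(key: bytes, sd_name: str, app: str) -> bytes:
    # MAC over an INSTALL command aimed at one security domain (assumed command format).
    return hmac.new(key, f"INSTALL|{sd_name}|{app}".encode(), hashlib.sha256).digest()

class SecureElement:
    def __init__(self, se_id: str, domains: list):
        self.se_id = se_id
        self.domains = {d: [] for d in domains}  # SD name -> installed applications
    def install(self, sd_name: str, app: str, mac: bytes) -> bool:
        # Accept the command only if the domain exists and the MAC verifies under its key.
        expected = command_mac(sd_key(self.se_id, sd_name), sd_name, app)
        if sd_name not in self.domains or not hmac.compare_digest(expected, mac):
            return False
        self.domains[sd_name].append(app)
        return True

class TSM:
    def __init__(self, keys: dict):
        self.keys = keys  # only the SD keys the authority assigned to this TSM
    def provision(self, se: SecureElement, sd_name: str, app: str) -> bool:
        key = self.keys.get(sd_name)
        if key is None:  # domain not assigned to this TSM: nothing to sign with
            return False
        return se.install(sd_name, app, command_mac(key, sd_name, app))

def demo() -> tuple:
    # Two TSMs serving one UICC: each can provision only into its own security domain.
    se = SecureElement("UICC1", ["ISD", "SP-SD-1"])
    mno_tsm = TSM({"ISD": sd_key("UICC1", "ISD")})
    sp_tsm = TSM({"SP-SD-1": sd_key("UICC1", "SP-SD-1")})
    sp_ok = sp_tsm.provision(se, "SP-SD-1", "payment-applet")
    mno_cross = mno_tsm.provision(se, "SP-SD-1", "other-applet")  # refused: no SP-SD-1 key
    return sp_ok, mno_cross, se.domains
```

Because every SD key descends from the authority's root key, the SE needs to store only its own SE key and can verify any domain's commands, while each TSM holds nothing that lets it act in another TSM's domain.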
Key Security Aspects of Mobile Financial Services
• OTA Commissioning Security
  • End-to-end secure channel
  • Security domain management
• Device Element Security Management
  • Secure Element security (e.g. prevention of copying information from the SE)
  • Security management of applications (e.g. protecting access to a secure application with a PIN code)
• TSM Server Security
  • Physical security of the server (IFRS compliant data center, 3rd party verification & audit, SOX / BASEL 2)
• Proximity Security Management
  • Security management of information exchange between a mobile device and a terminal (e.g. EMV compliant)
Mobile Financial Services: Risks and Opportunities
(Figure: “Risks?” versus “Opportunity!”)
Conclusions (1/2): Regarding TSM
• The TSM concept is feasible and required: security, trust and compliancy have to be dealt with
• The TSM roles should cover not only the functionalities related to the secure element, but also the functionalities related to other application levels (e.g. MIDlet)
• The role of Certification Authority helps to create a level playing field and should be positioned in a Trust Center
Conclusions (2/2): Regarding Mobile Financial Services
• Flexible security solutions are required to support the dynamics of mobile financial services
• Creative security solutions require an open mind of service providers toward novel security concepts
• Some security solutions supporting high-value online payments might be difficult to implement, but these solutions are available
For more information please contact:
Riekus Hatzmann
m +31 (0)6 51304145
riekus.hatzmann@atosorigin.com
Atos Origin B.V.
3528 BJ, Utrecht, the Netherlands
www.atosorigin.com