One seldom-discussed method involves using SMS messages in a secure environment.
A View From Abroad
Recently, a wireless messaging and content-distribution company known as MobileWay teamed with MasterCard to develop and market an authentication method to verify cardholders and substantiate mobile transactions for MasterCard's more than 20,000 member banks. For carriers, the authentication system could be a chance to earn additional profits.
MobileWay's system uses 2-way SMS to send messages between subscribers and financial institutions. For instance, if the subscriber buys an airline ticket, the travel agency would notify the credit-issuing bank of the purchase attempt. The bank would then send a message to the cardholder's mobile phone, asking for a PIN code to verify that the cardholder is about to make the purchase.
This method uses what banks refer to as 2-factor authentication, Peyret said. In other words, authentication depends on the combination of something the cardholder owns -- the mobile phone -- and something he knows -- the PIN.
Because SMS is not a secure system, MobileWay and MasterCard are developing a security application that will live inside SIM cards of GSM phones. To validate a transaction, MasterCard would encrypt a message and send it through the SMS channel, said Greg Pinter, MobileWay general manager & vice president of the Americas. Once the message reaches the handset, it would be routed automatically to a program in the SIM card that would decrypt the message and ask for user authorization of the transaction and a PIN code. After the PIN has been entered, the message would be re-encrypted and returned to the financial institution.
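As an added illustration (not MobileWay's or MasterCard's code), a Python model of the exchange just described: the issuer seals the transaction details, the SIM-resident applet unseals them, collects the user's approval and PIN, and seals the reply for the return trip. The per-card shared key, the JSON message layout and the HMAC-based stand-in cipher are all assumptions, not the real SIM scheme; the model goes one step beyond the text by binding each reply to a one-time transaction id, so a reply captured from the SMS channel and resent later is rejected.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, n):  # HMAC-SHA256 counter mode, a stand-in cipher (assumption)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, plaintext):  # encrypt-then-MAC: 12-byte nonce || ciphertext || 16-byte tag
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("SMS payload altered or wrong card key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Issuer:  # bank side: one-time transaction challenges, PIN check on the reply
    def __init__(self, card_key, pin):
        self.key, self.pending = card_key, {}
        self.pin_tag = hmac.new(card_key, pin.encode(), hashlib.sha256).digest()
    def challenge(self, merchant, amount):
        txid = secrets.token_hex(8)  # fresh id ties the reply to this purchase only
        self.pending[txid] = (merchant, amount)
        return seal(self.key, json.dumps({"tx": txid, "merchant": merchant, "amount": amount}).encode())
    def verify(self, blob):
        reply = json.loads(unseal(self.key, blob))
        if self.pending.pop(reply["tx"], None) is None:
            return False  # unknown or already-consumed id: a replayed SMS fails here
        got = hmac.new(self.key, reply["pin"].encode(), hashlib.sha256).digest()
        return reply["approve"] and hmac.compare_digest(got, self.pin_tag)

def sim_applet_reply(card_key, blob, ask_user):
    """SIM side: decrypt, show merchant and amount, collect approval + PIN, re-encrypt."""
    req = json.loads(unseal(card_key, blob))
    approve, pin = ask_user(req["merchant"], req["amount"])
    return seal(card_key, json.dumps({"tx": req["tx"], "approve": approve, "pin": pin}).encode())

def demo(entered_pin="4321"):
    key = secrets.token_bytes(32)  # constructed per-card key shared by issuer and SIM
    bank = Issuer(key, "4321")
    sms_out = bank.challenge("Acme Air", "450.00 EUR")  # bank -> SMS -> handset
    sms_back = sim_applet_reply(key, sms_out, lambda m, a: (True, entered_pin))  # SIM -> SMS -> bank
    return bank.verify(sms_back), bank.verify(sms_back), b"4321" in sms_back
```

The three values returned by demo() are: the first verification, the same reply resent (rejected), and whether the PIN is visible in the SMS payload.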
Currently, MobileWay is deploying this authentication system exclusively in the GSM world outside of North America. Although MobileWay has been discussing the system with handset manufacturers and CDMA and TDMA carriers in North America, no agreements have been reached at this time. Pinter doubts that U.S. carriers will use this authentication method any time soon, although in other parts of the world roll-outs are scheduled for early next year or sooner.
According to Pinter, consumers abroad are more interested in validation services than U.S. consumers because of liability laws.
"For example, in Germany, if you make a transaction and you dispute it, you are liable up to $25,000. So, it becomes a significant issue to validate that transaction," Pinter said. "Here in the United States, I believe we're liable up to $25."
So, for consumers, there is less incentive; however, according to Pinter, North American financial institutions and credit-card companies are interested because they're liable for fraudulent purchases. Pinter said the banks are telling MobileWay that North American consumers just don't see a need for the authentication services, which means the banks' customers likely would not use the services if they were available.
Nevertheless, North American carriers would benefit from reduced churn if these services were adopted, MobileWay's Peyret said. Also, MobileWay pays carriers to shuttle messages via their data gateways through an agreed-upon interface.
"Carriers are paid proportionally to the number of messages transferred," he said. "Payment mechanisms can be based on mobile-terminated traffic or on mobile-originated traffic or both."
Although MobileWay performs the integration with the networks, carriers must tell the company which application programming interfaces, access-control measures and protocols to use to interface with their data gateways.
One Way or Two?
Because SMS has no built-in security, ASP Air2Web combines wireless voice with SMS in its authentication services. For example, a user would give his phone number at the time of signup, and if that user called into the bank to check his balance, Air2Web's system would begin authentication by capturing data from the user's phone. Then the customer would be asked to enter a PIN or would be authenticated using voiceprint biometrics, which measure voice-wave patterns against a previously saved sample of the user's voice.
In another scenario, the bank could initiate contact with the customer via 1-way SMS; the customer would return the call and be validated on a voice service. According to Fred Tanzella, Air2Web CEO, 2-way SMS typically is used to initiate authentication in Europe. With 2-way SMS, the bank might send the subscriber a message containing an embedded phone number, saying, "Check your balance today. Press talk." Upon pressing "talk," the customer automatically would be connected with the bank and asked to enter a PIN code for authentication.
Air2Web authenticates the SMS transactions by sending the data to Verisign for a real-time check to see whether the digital certificate is valid.
"If you want to get a higher level of authentication, you need to go to public key infrastructure (PKI)," Tanzella said, explaining that PKI only can be used if the handset supports it.