"The latest financial news covering the european financial markets..."
New Account

The Magazine

Issue 5

This is a short description of the magazine.

E-magazine
  • Previous Issues

Blog

Where guest writers discuss what they think about the current FSTEU Issues.

Eva Baskova
Jacob Fleming Group

What is the future of retail banking?

Eva Baskova discusses the future of retail banking post-global recession.
07 Jul 2010

Executive Roundtable: Mobile signatures

FST. From a financial risk perspective, how would you summarise the threat of fraud in connection with online banking? How does it affect consumer trust in banks and ecommerce in general?

TV. Online fraud is a clear problem, even among high-profile banks already investing in multi-factor authentication for online banking. According to our customers and partners, providing secure, user-friendly services gives a strong competitive advantage. Consumers are simply more likely to choose financial services that they can trust.

Recent research by Forrester found [Online Banking Holdouts still want security guarantees, June 2007] that 73 percent of consumers in large European countries are not using online banking and that online fraud protection and security guarantees have the strongest appeal in persuading people to use online banking.

Banks reap enormous benefits from improving security. First, they reduce costs directly related to online fraud. Costs from phishing attacks in the past year alone have soared into the billions. Beyond that, greater security inspires greater consumer confidence in the safety of online banking; moving financial services away from physical branches reduces operational costs.

LK. The threat of fraud has increased dramatically during the past three years. It might give perspective for the level of challenge, if you look at the Nordea numbers from this area: over 80 percent of bill payments happen in the electronic channel. There are over 22 million transactions in the netbank every single month. There are around five million active netbank users in the Nordea bank.

DF. Yes, we see that attacks are more organised from criminal groups. We see the risks involved and are thus changing our mindset on how to safeguard our financial transactions. For the moment the trust is not affected and we are committed to do what is necessary to keep it like that. This is absolutely a key priority.

EG. I don’t think that online banking services are very exposed to the threat of fraud. The online banking systems of Latvian banks are well-protected and safe. The banks are continuously improving their security systems and fraud detection procedures. Fraud attacks tend to be targeted to customer PCs in order to obtain ID data needed for the authorisation and authentication of payments.

FST. What are the problems and limitations of current technologies used to secure online banking and e-commerce?

DF. Well, the biggest problem today is probably that there is no 100 percent safe mechanism to prevent clients being misled by criminals into giving away critical information. The illusion that standard technology can offer clients a ‘safe haven’ to operate on the net has then proven wrong. This has led us to take special actions to safeguard the transactions themselves, and not just focus on our clients’ interactions with us.

LK. Static mechanisms such as passwords are weak – if the password becomes vulnerable, the door is open. The next level is to have the password generated per time. This requires hardware support and can take place in the form of symmetric (shared secret) or asymmetric keys (PKI). The main challenge for all of these mechanisms is that if the authentication is used only to open the session, the man in the middle can come into the already opened session. Thus the transaction confirmation is of essential importance in addition to the proper customer authentication at sign-in phase, preferably on another channel.

TV. One-time password generators, card readers and password lists all suffer, to varying degrees, from insufficient security, accessibility and user friendliness. They have limited use in online banking as none can be used for signing and are only intended to be used for accessing account services at one bank.

All of these methods require something extra to be sent to the end user, resulting in more costs for distribution and maintenance. Additionally, none of these technologies work in the mobile environment, at physical point-of-sale or for contactless payments. They also fail to generate undeniable evidence for audit trails and receipts. Besides addressing these flaws, an ideal solution would enable seamless integration between online banking, contactless payments, transaction archiving, user authentication and transaction signing.

FST. How valuable would it be to have legally binding signatures for transactions that are now being processed without a signature (for example online banking transactions)?

LK. For online banking transactions it would increase the security level, help fight phishing and retain consumer trust in the bank. For e-commerce transactions, online and telephone payments, it would not only impact the overall security level, but also the liability rules. Currently these transactions are happening under the card not present (MOTO) rules, which mean that the merchant carries the responsibility for fraudulent card use. If the security level of these transactions can be improved in the form of legally binding signatures or an equivalent sufficient authentication level, it might be possible for credit card organisations to change the rules to accept these transactions at the lower charge level of card present transactions.

EG. Legally binding e-signatures are the next step in security solutions to protect remote banking from unauthorised transactions. A convenient and easy authorisation procedure is an important precondition for the e-signature’s wider acceptance. Looking forward to the SEPA project or, even more, to the so-called enhanced-SEPA project, banks have to consider the interoperability of e-signatures within the EU.

DF. From a risk perspective it doesn’t add much extra value as there are many other ways also to safeguard transactions, but we believe that such solutions can improve and simplify the user experience and give stakeholders more predictability.

TV. Legally binding digital signatures combat fraud by providing indisputable evidence that a correctly identified signer has executed a transaction. In this case, liability is shifted from banks to end users who are accepting responsibility for specific, understood content. This improves the efficiency of online banking and opens the door to tremendous new services for customers, such as remote signing of loan applications. Card-not-present transactions, like online and telephone payments, would have a qualified signature, reducing chargebacks. Compliance with new electronic invoicing requirements can also be satisfied.

FST. One exciting solution is to use your mobile phones to set up a secure digital identity with a mobile signature service provider (MSSP). To authorise a transaction a signature request is sent to the end-user’s mobile phone via the MSSP, and the end-user enters a code to create a legally binding digital signature. Is this a feasible solution, and what benefits could it bring?

DF. Yes it is. And we are already bringing it alive in Norway at the moment. Using the mobile as a signature device is channel independent, and it allows us to split the signing process from the service session. The benefits for all are imminent.

LK. It depends on who the players are – it cannot be assumed that many banks would outsource this function to an external player. Thus if this MSSP is owned by the bank, this might be feasible. Another factor to consider here is the price tag per transaction – if it is high, it is hard to sell such a solution to a leading online bank. If these business challenges are solved, as a solution I believe it would provide great customer convenience and added value for our clients.

EG. The payment industry is usually characterised by network effect – this means that the benefit to an individual participant increases with the increase of the total number of participants using the service. Nearly everybody is a mobile phone user, therefore this population group could effectively serve as the distribution channel for m-signature solutions, and MSSP is a good example.

TV. When you leave home in the morning, you always carry your keys, your wallet and your mobile phone. Mobile signatures meet the standards of an ideal solution by offering the same user-friendly confirmation technology for multiple service channels, without requiring any extra devices. No new software needs to be installed – only a mobile signature-enabled SIM card is required, which is cheap and easy to obtain.

Mobile signatures are suitable for any mobile phone. By empowering end users with the capability to sign with a mobile phone, they can confidently control and extend their identity anytime, anywhere. Through a separate signing channel, the security and flexibility of mobile signatures allows for risk-free, high-value transactions that can be signed by multiple parties. Remote management of financial services and transactions is achieved with a secure SIM card equipped with your own secret key – no PINs or passwords are exposed.

The PIN required to generate a mobile signature cannot be intercepted because it remains inside a sealed security element – the SIM card. Phishing is no longer possible because mobile signatures, which cannot be reused, are sent via a second channel. So, for criminals to successfully commit fraud, they now need to physically steal potential victims’ mobile phones and know their personal signing PINs.

FST. Mobile phones have already been tested as devices for strong authentication and for contactless payments in several European countries. How do you feel about banks and mobile network operators co-operating to provide such services?

DF. I believe it’s the only way to go. In my mind banks should have hardware-based security in the mobile and the SIM-card is the only solution we see today with the potential to address mass-market needs. Being the chair of EPC Standards Support Group, I am personally involved in initiating a cross industry dialogue to see how we together can give governance to further work defining models and standards in the arena of contactless payments and mobile banking. What we need now is cross-industry agreements on models and standards to make it happen in an efficient and secure way.

TV. Valimo’s experience from current markets is that there is no problem with co-operation between banks and mobile network operators. Right now, Turkcell – Turkey’s largest mobile operator – is working together with nine major banks, including HSBC Turkey, to offer mobile signature services to 80 percent of the local financial market.

There are no conflicting business interests either. With a security element in the mobile phone and security keys being granted by the financial sector, there are no overlapping roles. Sharing one unified infrastructure for security in the mobile channel benefits both parties by increasing the potential for new users and new services, as well as new marketing partnerships. An aligned message from these two key players strengthens consumer confidence.

EG. The co-operation is already in place also in Latvia. The mobile phone, in parallel with the PC and payment cards, is one of the access devices to payment services. Mobile phones are used for pre- and post-payment services; for example, individuals can initiate standardised payment instructions using mobile phones and can receive payment advices.

LK. The co-operation climate is constantly developing, enabling real co-operation based on the strengths of each industry. It is important to note that the security solutions need to be controlled by banks. If operators can offer hardware storage for banks’ security solutions, it might enable fruitful co-operation across sectors resulting in consumer benefits and commercial profits on both stakeholders’ sides.

FST. Could you give examples of banking related, real-life applications for mobile signatures? How about using mobile signatures to improve your own internal processes and approvals?

EG. The current authentication and authorisation methods for mobile banking are close to an m-signature solution – like online banking security systems are close to e-signature. The main difference is that e-signature is an authentication instrument for an ample range of applications, therefore the scope of possible services will increase dramatically.

DF. Based on the mobile Bank ID solution, Norwegian banks will soon enable more services such as payments from account. First we will roll it out to our clients, enabling new services, but it will also enable internal cost savings for DnB NOR by making our internal processes more efficient.

LK. I can see many application areas that would benefit from such a solution, both on the service offering and internal processes side.

TV. Applications for mobile signatures are limitless – common examples include secure online bank authentication, transaction signing, document signing, loan application signing, secure multi-channel payments and third-party signing. A supervisor can easily sign (or deny) transactions initiated by an employee, without being in the same place or even in front of a computer. Mobile signatures also provide a safe and easy way to access corporate resources, such as VPN. Simply, anything can be securely signed with any mobile phone.

Tapio Vailahti is CEO of Valimo Wireless and a security application veteran with over 20 years of experience. Starting at Nokia in 1986, Tapio joined Setec, the premier Nordic card vendor in 1990. Tapio became Gemalto’s VP of Identity Product and Solution Management before joining Valimo.

Valimo’s mobile signature solution, which drastically minimises the likelihood of fraud, is already being used in several European and Middle Eastern countries, such as Finland, Turkey, Slovenia, Italy and Spain.

Liisa Kanniainen is the Executive Director of the Mobey Forum and a Vice President at Nordea. At Nordea she is in charge of mobile financial services at a corporate level, while she is responsible for all activities and daily management of the Mobey Forum.

Egons Gailitis is Head of the Payment Systems Department at Latvijas Banka. He is responsible for coordinating and monitoring payment systems, including policy, oversight and system stability. He is a member of the Payment and Settlement Systems Committee of the European System of Central Banks.

Dag-Inge Flatraaker is General Manager and Head of Interbank Infrastructure and Payment System Strategy at DnB NOR. He is an office holder of the European Payments Council and Chair of the EPC Standards Support Group.
