2012 Accumulate Mobile Everywhere - Standard Product Description
Mobile Everywhere
Standard product description – light version
Accumulate 2011
Copyright 2011 Accumulate AB
ME Standard Product Description
Revision history
Date Version Status Description Author
2011-01-31 1.0 Final First Edition
Approved by
Name Role Date
Magnus Westling CTO 2011-02-01
Table of Contents
1 Introduction to document ... 2
1.1 About Accumulate ... 2
1.2 Secure Mobile transactions ... 2
1.3 Mobile Banking ... 3
1.4 Mobile Payment ... 3
1.5 Mobile security ... 4
2 Mobile Everywhere ... 5
2.1 Overview ... 5
2.1.1 PDI and OTT processes ... 6
2.1.2 Secure transaction system ... 6
2.1.3 Transaction system ... 7
2.1.4 Multi-tier system ... 7
2.1.5 Ecosystem ... 7
2.2 ME Services ... 7
2.2.1 Service overview ... 7
2.2.2 Mobile banking ... 7
2.2.3 Secure credit card ... 8
2.2.4 Mobile Payments ... 9
2.2.5 Mobile security ... 11
2.2.6 E-ID ... 11
2.3 ME client ... 12
2.4 ME core server ... 13
2.5 ME ecosystem server ... 13
3 ME system description ... 14
3.1 Logical view ... 14
3.2 Function description ... 14
3.2.1 Enrolment ... 15
3.2.2 Mobile banking ... 16
3.2.3 Secure credit card ... 17
3.2.4 Point of sale ... 19
3.2.5 Online ... 21
3.2.6 Person-to-person ... 23
3.2.7 Man-to-machine ... 26
3.2.8 Remittance ... 28
3.2.9 Secure login ... 30
3.2.10 Secure signature ... 32
3.2.11 e-ID ... 34
3.2.12 3 factor authentication ... 38
4 Security ... 40
4.1 Threat and mitigation ... 41
4.2 Mobile client security ... 41
5 Scalability ... 43
1 Introduction to document
The purpose of this documentation is to give a complete overview of the company
Accumulate, its solution Mobile Everywhere and the services that can be launched
using Mobile Everywhere as the platform. This documentation begins with a
presentation of the company. Thereafter follows an overview of the different mobile
payment/banking services that exist in the marketplace today and a description of
the services that can be launched using Accumulate’s solution for secure mobile
transactions. The different functions and processes that make Accumulate’s solution
unique will be described in detail. The last chapters of this documentation contain
thorough descriptions of the architecture, the components and the system of
Accumulate’s solution as a whole.
1.1 About Accumulate
Accumulate’s core business is the development of online security solutions for mobile
devices. The mission is to be a technology leader in secure mobile authentication
and mobile financial services using a mobile device. All development within
Accumulate is performed with focus on the highest security, ease of use, flexibility and
the lowest TCO for the customer. Accumulate currently holds 8 patents in securing
mobile transactions.
Milestones
• Start 2004
• First mobile transaction platform (Flexion) commercial launch, 2004
• Consolidated to Accumulate 2005
• First pilot 2005
• Opening of UK office 2005
• Reaches 100 000 unique installations 2006
• Second mobile security platform (ME) commercial launch, 2007
• Reaches 1 000 000 unique installations 2007
• First in the world to go live with a 360 degree mobile payment service (June
2009)
• Reaches 10 000 000 unique installations 2009
• Reaches 20 000 000 unique installations 2010
Accumulate is headquartered in Stockholm, Sweden, from where most of the
operations and business development are run. Furthermore, Accumulate has offices in
London and Beijing.
1.2 Secure Mobile transactions
Accumulate’s solution is a multi-factor public key infrastructure (PKI) authentication
platform where a thin smart security client application is installed on a verified client’s
mobile device. The security client application communicates securely over TCP/IP with
a transaction server that in turn communicates with external systems through
standard APIs. When a user starts the application, a connection to the transaction
server is established and the user’s identity is verified. Once verified, the user can
perform various kinds of secure authentications.
1.3 Mobile Banking
The term mobile banking is widely interpreted, as there is no universal standard for
what is included within the terminology. However, mobile banking is often
synonymous with informational services (mobile banking 1.0).
Accumulate sees mobile banking as an additional access channel to the traditional
banking services, whether they are informational or transactional (mobile banking
2.0).
Accumulate’s solution enables an optimized security allowing the implementation of
transactional services. With Accumulate’s Mobile Banking solution, banks can
provide a more secure, flexible and feature-rich communication/transaction channel,
thereby providing their customers with offers like:
• Informational services
• Money transfer (inter/intra bank)
• Invoice payment
• Additional services (notifications, branch/ATM locator, etc.)
The authentication method and the very high security features of Accumulate’s
solution make it a perfect companion for people on the move, providing the same
functionalities as the bank’s Internet channel but without the need for a computer or
hardware token.
1.4 Mobile Payment
Mobile payment has commonly been known as SMS payments or different person-to-
person solutions generally covering only one payment situation (mobile payment
1.0).
Accumulate’s solution moves mobile payment to a complete 360 degree mobile
payment service, meaning that it covers all payment situations, and this using one
platform with the highest security foundation (mobile payment 2.0).
• Contactless mobile payment - using RFID, Accumulate OTT, NFC stickers
or NFC integrated phones
• Person to person money transfers - a secure, fast and easy way to perform
money transfer transactions
• Money remittance
• Online payments
• Vending machine payment
• Payment information services - get info directly on the mobile: balance,
transaction history and even receipts of purchases
• Other services - mobile ticketing, coupons and mobile loyalty card are
examples of new and future services that can be enabled using Accumulate’s
solution
The illustration (not reproduced here) specifies the different components that Accumulate can provide to a
mobile payment ecosystem.
1.5 Mobile security
Accumulate’s solution is based on the industry security standard PKI. Adding unique
and patented technology and processes and multi-factor authentication in
combination with dual line communication gives Accumulate’s solution unparalleled
security. By using Accumulate’s solution, banks can avoid many of the security
issues in today’s transaction environment such as data integrity online, man-in-the-
middle issues and phishing.
2 Mobile Everywhere
2.1 Overview
Mobile Everywhere (hereafter ME) is the name of Accumulate’s solution and is a
complete platform for secure mobile transactions. ME is a multi-tier solution for
multiple services built upon a generic secure transaction and security foundation.
The basic concept is a connected mobile client that holds a secure and identified
connection to a transaction server. The client (an application downloaded over the
air, OTA) with its secure channels to the server becomes a Safe Frame in which
secure transactions can be executed. The flexibility of ME makes it possible for the
service provider at the server side to add and revoke services. The client is an
important security entity but, regarding services and the graphical user interface (GUI), it is
just a thin client displaying server-side services and GUI.
Services can be of two generic types: local services or ecosystem services. Local
services are directly integrated in the ME core and global ecosystem services are
integrated via an ecosystem component. ME is composed of a client application, local
server-side components and global server-side ecosystem components.
ME has several advantages:
• Security – ME has many security advantages over other solutions, such as
dual line communication and the “sign what you see” functionality. ME also
abolishes many of the security issues in today’s transaction environment such as
data integrity online, man-in-the-middle issues and phishing of id & password.
• User friendliness – All services are focused on being easy to use and
minimizing the procedure for the end user to execute transactions and other
actions.
• Independency – ME works independently of operator, SIM card, network
type, subscription type or make and model of handset.
• Cost efficiency – Cost savings in hardware and distribution compared to
current solutions. Furthermore there is no transaction cost (for example,
compared with OTP via SMS or scratch cards). Using ME, costs associated with
fraud attacks can be decreased.
• Speed – ME qualifies for a transaction environment where speed is of the
essence, for instance in a point of sale environment.
• Flexibility – Within the ME platform many services in mobile payment, mobile
banking and other mobile security transactions can be enabled.
ME supports virtually all mobile phones released since 2004; the minimum
requirement is a Java MIDP2 phone, since the application always connects to the
Internet using a socket. The terminal database currently holds more than 4500
different mobile phone models and is continuously being updated as new models are
released.
Supported platforms are:
• iPhone
• Android
• BlackBerry
• Symbian
• Windows Mobile
• Java ME
2.1.1 PDI and OTT processes
Accumulate uses two different patented processes for authentication: One-Time-
Ticket (OTT) and a process defined as Predefined Identity (PDI).
In the OTT process, the server sends an OTT to the mobile security application. Authentication is
executed by communicating the one-time ticket to the authentication party. An
authentication party could be a web service, a point of sale terminal or a login page.
The authentication party is connected back-end to the transaction server, which
matches the OTT from the authentication party with the stock of valid OTTs at that
time. When the transaction server finds a match, it sends the details of the
transaction to the mobile device for confirmation. An OTT is only valid for a short
period of time.
The other process is the PDI, where the authentication is executed by the user
entering a pre-defined identity at the authentication party. The identity is already
predefined at the server. The authentication party is connected back-end to the
transaction server, which matches the PDI with the PDIs defined at the server. When
a valid PDI is matched, a confirmation request is sent to the user’s mobile device with
the details of the transaction.
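The OTT matching and confirmation steps described above (and the same sequence the POS, online and login flows in section 3.2 walk through), modelled as an added Python example; this is not Accumulate's code and the page gives no implementation. Everything beyond the roles named on the page is an assumption: an 8-digit ticket, a 60-second validity window, single use enforced by the server, a PIN-attempt lockout, and all class and field names.

```python
"""Constructed simulation of the One-Time-Ticket (OTT) process (added example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OTT_TTL_SECONDS = 60    # assumption: the page only says a ticket is valid "for a short period of time"
MAX_PIN_ATTEMPTS = 3    # assumption: lock the client after repeated wrong PINs


@dataclass
class MobileClient:
    """The thin security client on the user's handset (the 'safe frame')."""
    msisdn: str
    pin: str
    pending: List[dict] = field(default_factory=list)  # confirmation requests pushed by the server
    pin_failures: int = 0

    def confirm(self, request: dict, entered_pin: str) -> bool:
        """The user sees the details the server pushed ('sign what you see') and verifies with the PIN."""
        if self.pin_failures >= MAX_PIN_ATTEMPTS or entered_pin != self.pin:
            self.pin_failures += 1
            request["status"] = "rejected"
            return False
        self.pin_failures = 0
        request["status"] = "confirmed"
        return True


@dataclass
class TransactionServer:
    """Issues OTTs, matches them for authentication parties and pushes confirmation requests."""
    clients: Dict[str, MobileClient]                  # msisdn -> enrolled client
    clock: Callable[[], float] = time.time            # injectable so expiry can be tested offline
    valid_otts: Dict[str, tuple] = field(default_factory=dict)  # ott -> (msisdn, issued_at)

    def issue_ott(self, msisdn: str) -> str:
        """Send a fresh ticket to the identified client; the handset shows it to the user."""
        ott = f"{secrets.randbelow(10**8):08d}"       # assumption: 8-digit ticket
        self.valid_otts[ott] = (msisdn, self.clock())
        return ott

    def match_ott(self, ott: str, party: str, details: dict) -> Optional[dict]:
        """Back-end call from the authentication party (web shop, POS terminal or login page).

        Returns the confirmation request pushed to the handset, or None when the ticket is
        unknown, already used or expired. The ticket is consumed on first lookup whatever
        the outcome, so a captured ticket cannot be presented a second time.
        """
        entry = self.valid_otts.pop(ott, None)
        if entry is None:
            return None
        msisdn, issued_at = entry
        if self.clock() - issued_at > OTT_TTL_SECONDS:
            return None
        request = {"party": party, "details": dict(details), "status": "pending"}
        self.clients[msisdn].pending.append(request)
        return request


def ott_transaction(server: TransactionServer, client: MobileClient,
                    party: str, details: dict, entered_pin: str) -> str:
    """End to end: the handset shows an OTT, the user hands it to the party, the party's
    back-end matches it, the server pushes merchant/item/price to the handset, and the
    user verifies with the PIN. Returns the outcome as the party would see it."""
    ott = server.issue_ott(client.msisdn)
    request = server.match_ott(ott, party, details)
    if request is None:
        return "ticket rejected"
    return "approved" if client.confirm(request, entered_pin) else "declined"


if __name__ == "__main__":
    # Constructed sample enrolment and a POS purchase.
    handset = MobileClient("+46700000000", "1234")
    server = TransactionServer({handset.msisdn: handset})
    print(ott_transaction(server, handset, "POS-17", {"merchant": "Kiosk", "amount": "25 SEK"}, "1234"))
```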
2.1.2 Secure transaction system
ME is specially designed to handle secure transactions; the high security level is
accomplished through the ME client, which communicates in a secure way with the ME
Transaction Server. By having a secure and identified enrolment process, where the
user is identified, and two-factor authentication (2FA) in the authentication
process, the integrity of the user is kept. Several layers of secure methods help to
retain this integrity and further ensure that only the
person that is registered to the service and is the owner of the mobile device can
access and use the functionality of the service.
2.1.3 Transaction system
ME is, apart from being a secure transaction system, also a high-capacity transaction
system. This is accomplished by having a layered and multi-threaded architecture
with maximum possibilities to scale. The high-performance transaction system means
that it is built for large-scale expansion and scaling without limitations, while at the
same time maintaining transaction integrity.
2.1.4 Multi-tier system
ME is designed to allow interaction between multiple instances. This
facilitates the creation of an ecosystem consisting of different services and service
providers. This means that ME is prepared as a multi-tier system where more
instances can be added. This makes ME extremely scalable and flexible in its
design.
2.1.5 Ecosystem
The ME solution is prepared with an Inter Transaction Router (ITSR) that can route
transactions between different issuers and acquirers, an Other Service Router (OSR)
that routes transactions to different service providers and an e-ID router to direct
signatures and authentications. This means that all mobile payment services, other
services and the e-ID service can be used both as proprietary services and as
ecosystem services.
2.2 ME Services
ME Services cover all the different services that can be performed within the ME
platform. Furthermore, ME Services describe the client and different types of servers
along with the security features.
2.2.1 Service overview
• Mobile banking
• Secure credit card
• Point of sale (POS)
• Person-to-person money transfer
• Online payments
• Man-to-machine
• Remittance
• Other services
• Login
• Signature
• e-ID
2.2.2 Mobile banking
Using ME, banks can provide their customers with a more secure, flexible and feature-
rich mobile banking service that can be used as a communication/transaction
channel. Due to the security features of the security client application it is possible to
securely provide traditional mobile banking services (informational services), but the
provision of transactional services that require a higher security level is also possible.
Accumulate’s mobile banking solution empowers financial institutions to provide all
Internet banking services in the mobile channel.
2.2.2.1 Informational services
Informational services are divided into account information, which is information
regarding the account holder’s specific account, and general information, which is
universal information regarding the bank. All these informational services are today
widely regarded as mobile banking.
2.2.2.1.1 Account information
• Balance statement
• Transaction history
• Payment notifications
• Online purchase notifications
• Abroad purchase notifications
• Withdrawals notifications
• Transactions notifications
• Fraud alerts
• Bonus/loyalty points
• Access to loan statements
• Access to card statements
• Real-time stock quotes
• PIN provision, change of PIN
• Blocking of (lost, stolen) card
2.2.2.1.2 General information
• Offers
• Current bank related news
• ATM locator
• Branch locator
2.2.2.2 Transactional services
Transactional services are services that allow the user to execute monetary
transactions within the mobile banking solution. Examples of transactional services
are:
• Inter/intra bank transfers
• Bill payment
• Stock/fund trading
2.2.3 Secure credit card
The services within Secure Credit Card aim to increase the security of online
card purchases while simplifying the procedure for the end user.
2.2.3.1 3-D Secure
By verifying the online purchase on the mobile phone, the 3-D Secure service
eliminates the need for a 3-D Secure hardware token. Not only does this service
reduce cost in hardware and distribution, it also simplifies the purchase procedure for
the end user since the verification device is the mobile phone: a device that is always
available to the user.
2.2.3.2 One time credit card (OTCC)
The OTCC is a service that generates a one-time card number for online purchases.
This service drastically decreases fraud as the card number becomes obsolete after
the purchase. The OTCC number is generated in the mobile application and consists of
the issuer identifying number along with a one-time ticket. When the purchase is
being processed, the verification of the purchase is executed in the mobile application,
so the user only needs the phone as the device for the online purchase.
2.2.3.3 One time ticket – credit card
The OTT service is a service that completely eliminates the need for sensitive
information being entered at the online merchant site. The only information being
given to the online merchant is the one-time ticket generated in the application. When
the purchase is being processed, the verification of the purchase is also executed in
the application. In order to be able to introduce the OTT service, merchants need to
make minor modifications to their checkout page to be able to accept OTT
payments, and a credit card or account needs to be linked to the application.
2.2.4 Mobile Payments
Using ME as the platform, a 360° mobile payment service can be provided. This
means that all the different payment situations including point of sale purchases,
online payments, person-to-person transfers and man-to-machine payments are
supported. Additionally, ME’s mobile payment solution supports a great variety of
other services ranging from ticketing to purchase codes etc. In other words, ME can
be used to provide three different areas within the scope of mobile payments:
proximity payments, remote payments and other services.
2.2.4.1 Proximity payments
Proximity payments are transactions executed in proximity to the payee and
with an interaction between the payer and the payee.
2.2.4.1.1 Point of sale
A point of sale transaction can be executed either via integrated NFC, NFC sticker (1)
or via one-time ticket. Since ME supports the OTT process, it can serve as
a bridging solution for NFC point of sale purchases until the roll-out of NFC handsets
and point of sale terminals has been completed.
(1) Integrated NFC and NFC stickers are different forms of predefined identity
authentication. Please see section 2.1.1.
2.2.4.1.2 Online
The online payment service enables the end user to pay at online merchants. This
transaction is based on the OTT process. Today, online purchases are often done by
providing the payment receiver with sensitive credit card information. By using OTT,
this information sharing and the associated risks are eliminated.
2.2.4.1.3 Person-to-person transfer
The P2P service enables end users to execute monetary transfers between accounts
using only the telephone number or an OTT as the identifier. The sender as well as
the recipient needs to be in an active state (initiated payment) in order to execute the
transfer; this eliminates transfers to the wrong recipient.
2.2.4.1.4 Man-to-machine
The man-to-machine service allows end users to execute payments to different types
of machines, e.g. vending machines, parking meters, charging poles etc. The OTT
process is used to complete the payment. The machine only needs to be equipped
with embedded connected software to be able to receive online transactions.
2.2.4.2 Remote payments
2.2.4.2.1 Remittance
The remittance service gives end users the opportunity to send monetary
transfers. The service can be applied for internal as well as cross-border remittance.
This service is very similar to the person-to-person service, with the difference being
that the sender and the receiver are at different locations and that the receiver does
not need to be in an active state.
2.2.4.3 Other services
The other services area is composed of non-traditional payment services along with
additional features. The other services ecosystems that a service provider (SP) can
enter are presented below.
2.2.4.3.1 Ticketing
The ticketing service is an in-application (2) payment method where the end user buys
and receives the ticket within the application. This not only simplifies the
purchase procedure for the end user but also enhances the validation possibilities for
the seller due to the possible incorporation of barcode and OTT verification.
Examples of tickets can be public transportation, events and more.
2.2.4.3.2 Voting
Voting is an in-application payment method where the end user can purchase votes
for TV shows such as Idol (or other similar shows where voting from the audience
and the viewers is common). The service also has the possibility to use dimension
voting, where the voter can grade its vote, i.e. on a scale of 1-5, which generates more
votes and therefore also revenue streams.
(2) In-application is defined as an application that is downloaded to the user’s phone
with all the functionalities embedded.
2.2.4.3.3 Loyalty
The loyalty feature is an in-application feature that the end user can connect their different
loyalty programs to, in order to earn points on purchases. It is also possible to use
points to complete purchases.
2.2.4.3.4 Purchase codes
The purchase code payment method allows the user to, within an in-application,
purchase merchandise that has been promoted with a certain purchase code in, for
example, magazines, billboards, TV commercials etc. The end user simply enters the
purchase code in the application and the merchandise will be sent to the registered
address.
2.2.4.3.5 Coupons
The coupon feature enables the user to consume the digital coupons received through
different loyalty programs or special hand-out offers.
2.2.5 Mobile security
2.2.5.1 Secure login
The secure login service replaces security solutions such as security tokens, one-
time pass codes and digital certificates, and gives banks a secure and cost-efficient
authentication solution. The secure login service enables the end user to use their
mobile phone as the security device: since the mobile phone is a device that the end
user carries with him/her at all times, using the mobile phone as a security device will
increase the accessibility of the Internet bank and also eliminate costs associated
with manufacturing and distribution of hardware.
2.2.5.2 Secure signature
The signature service allows the end user to sign different actions taken within the
mobile application. Actions that can be signed are different types of
transactions, increasing/decreasing credit limits, loan applications etc. The service
provides a complete “Sign what you see” experience and is compliant with EU
Directive 1999/93/EC on advanced electronic signatures, giving the end user a
complete overview of the exact data he/she is signing.
2.2.6 E-ID
The e-ID solution basically consists of secure login and secure signature, but with the
addition of ecosystem components in order to be able to function in a global
ecosystem.
2.3 ME client
The ME client is a thin application (previously in this documentation defined as the
security client application, but from now on defined as the “safe frame”) consisting of
different security features that create a safe frame: a connected security
application that is installed on the end user’s mobile device. The client safe frame is a
thin client with sophisticated security features which connects to the ME core server.
The safe frame enables the user to perform transactions in a secure way.
Key features
• Security application installed over the air
• True PKI secure client
• Thin client
• Advanced security features
• Pin code protected
• Connects to transaction server when started
• Instant provisioning
• GUI controlled from server
• Flexibility in terms of branding
• Supports most handsets
The Safe Frame can also be implemented as a library onto existing mobile banking
applications. By doing so, a security layer is attached to the existing mobile banking
solution, allowing for the execution of transactional services.
2.4 ME core server
The ME core server manages the integrity of each user and each client safe frame. It
is an integral part of the security and the services enabled through the ME client. The core
transaction server is flexible in terms of configuration and new services.
Key features
• Advanced security features
• Flexibility in terms of configuration
• Flexibility in terms of branding
• Instant provisioning of new services
• Scalability
2.5 ME ecosystem server
The ecosystem server components enable routing of transactions in a multi-instance
system with several independent service providers in one common ecosystem. There
are several components within the ecosystem server:
• Inter transaction router (ITSR) is the component that enables routing of
authentication transactions in a multi-instance system and handles integrations to
banks for account integration and enrolment.
• Other service router (OSR) connects different service providers as well as
routing components that enable routing of other-services transactions such as
ticketing and loyalty programs.
• The electronic ID router is a routing component for signatures and
authentications in an electronic ID ecosystem.
3 ME system description
3.1 Logical view
The logical view below explains the structure of the services offered within the ME
platform. The services can be of two generic types: local services or eco system
services. Local services are directly integrated in the transaction server and global
eco system services are integrated to an eco system component.
3.2 Function description
The functional description defines the user experience of the different services and
other functionalities like enrolment and 3-factor authentication. All services
need integration towards external systems in order to be operational.
3.2.1 Enrolment
This section defines the user experience for enrolment through a website.
1. The user enrols to the mobile solution through the bank’s website by entering
his/her MSISDN (mobile telephone number)
2. The bank’s site displays an activation code for the mobile application
3. The user downloads the application
4. The user enters the activation code and chooses his/her PIN
*Note that the enrolment process might differ for different operating systems.
3.2.2 Mobile banking
This section describes the user experience for an informational mobile banking
service.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses account balance
3. The application displays the current account balance
3.2.3 Secure credit card
This section describes the user experience of a 3-D Secure purchase.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses secure credit card
3. The card is activated for purchases
4. The user chooses the item to buy and enters the credit card information at the
merchant site
5. The merchant site requests the user to verify the purchase in the mobile
application
6. Information regarding merchant, item and price is displayed in the mobile
application and the user verifies the purchase by entering his/her PIN
7. The status of the purchase is displayed in the mobile application
8. The status of the purchase is displayed at the merchant’s site
3.2.4 Point of sale
This section describes the user experience for a POS purchase.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses Payment
3. The mobile application informs the user to either use NFC or the OTT process in
order to initiate the purchase
4. The user either swipes the phone over the point of sale terminal or gives the
merchant the OTT
5. Information regarding merchant, item and price is displayed in the mobile
application and the user verifies the purchase by entering his/her PIN
6. The status of the purchase is displayed in the mobile application
7. The point of sale terminal prints the receipt of the purchase
3.2.5 Online
This section defines the user experience for an online purchase using an OTT.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses Payment
3. The mobile application displays an OTT valid for the transaction
4. The user chooses the item to buy and enters the OTT at the merchant site
5. The merchant site requests the user to verify the purchase in the mobile
application
6. Information regarding merchant, item and price is displayed in the mobile
application and the user verifies the purchase by entering his/her PIN
7. The status of the purchase is displayed in the mobile application
8. The status of the purchase is displayed at the merchant’s site
3.2.6 Person-to-person
This section defines the user experience for a person-to-person transfer.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The sender and the receiver choose person-to-person transfer
3. The sender chooses send money
4. The receiver chooses receive money
5. The sender enters the amount of the transfer
6. The receiver communicates his/her MSISDN or the OTT to the sender
7. The sender enters the MSISDN or the OTT
8. The sender’s mobile application displays the information regarding the transfer
and asks the sender to verify it with his/her PIN
9. The status of the transfer is displayed in the sender’s mobile application
10. The status of the transfer is displayed in the receiver’s mobile application
3.2.7 Man-to-machine
This section defines the user experience for a man-to-machine purchase, in this case
a vending machine.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses vending machine purchase
3. The user enters the serial number of the machine in the mobile application
4. The mobile application returns with the information about the location of the
machine and asks for the amount to transfer along with verification with the PIN
5. The status of the transfer is displayed in the mobile application
6. The user can now, depending on the service of the machine, choose which
product/service to collect
3.2.8 Remittance
This section defines the user experience for a remittance.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses remittance
3. The sender enters the amount
4. The sender enters the recipient’s MSISDN
5. If the receiver isn’t in an active state (initiated application), the sender receives
information about it
6. The sender’s mobile application displays the information regarding the transfer
and asks the sender to verify it with his/her PIN
7. The status of the transfer is displayed in the sender’s mobile application
3.2.9 Secure login
This section defines the user experience for login.
1. The user initiates the application; RSA key and IMEI verification is executed and
the user enters his/her PIN.
2. The user chooses Login
3. The mobile application displays an OTT valid for the login
4. The user enters the OTT at the website
5. The site requests the user to verify the login in the mobile application
6. Information regarding which website the user attempts to log in to is displayed
in the mobile application and the user verifies the login by entering his/her PIN
7. The mobile application confirms the login.
8. The user is now logged in at the website
3.2.10 Secure signature
This section defines the user experience for a secure signature.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses signature.
3. Signature mode is activated.
4. On the website the user confirms to go ahead and sign an action.
5. The site requests the user to verify the action in the mobile application.
6. The user receives the information regarding the action he/she wants to sign, and is asked to verify it with his/her PIN.
7. The status of the signature is displayed in the mobile application.
8. The status of the signature is displayed at the website.
3.2.11 e-ID
3.2.11.1 Authentication
This section defines the user experience for a login with an e-ID.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses Login.
3. The mobile application displays an OTT valid for the login.
4. The user enters the OTT at the website.
5. The site requests the user to verify the login in the mobile application.
6. Information regarding which website the user attempts to log in to is displayed in the mobile application, and the user verifies the login by entering his/her PIN.
7. The mobile application confirms the login.
8. The user is now logged in at the website.
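The website login in 3.2.9 and the e-ID authentication above follow the same OTT flow: the app shows a ticket, the user types it into the site, the site asks the ME server for verification, the app names the requesting site, and the user confirms with the PIN. The Go model below is an added example, not code from this document or from Accumulate. It assumes the OTT is a server-issued one-time ticket (8 digits and a two-minute lifetime are placeholders), that the server binds the ticket to the first website that presents it, and that the PIN is validated by the server's own check, injected here as a function. The names OTTServer, Issue, Present, Pending, Confirm and Complete are assumed, not the product's API.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed OTT semantics: the page does not define the ticket's format or lifetime,
// so an 8-digit numeric ticket valid for two minutes is used as a placeholder.
const ottLifetime = 2 * time.Minute

type ottState int

const (
	issued    ottState = iota // shown in the app (step 3), not yet typed into a site
	presented                 // a website submitted it (step 4); the app must confirm that site
	confirmed                 // the user verified the named site with the PIN (step 6)
	consumed                  // the site completed the login (step 8); replay is refused
)

type ticket struct {
	client  string
	site    string // bound to the first website that presents the ticket
	state   ottState
	expires time.Time
}

// OTTServer models the ME server's part of the flow. The PIN check is injected:
// the real server validates PINs itself (section 4), so this is only a stand-in.
type OTTServer struct {
	tickets   map[string]*ticket
	verifyPIN func(client, pin string) bool
}

func NewOTTServer(verifyPIN func(client, pin string) bool) *OTTServer {
	return &OTTServer{tickets: map[string]*ticket{}, verifyPIN: verifyPIN}
}

// Issue (step 3) creates the ticket the mobile application displays.
func (s *OTTServer) Issue(client string, now time.Time) (string, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	ott := fmt.Sprintf("%08d", binary.BigEndian.Uint32(b[:])%100000000)
	s.tickets[ott] = &ticket{client: client, state: issued, expires: now.Add(ottLifetime)}
	return ott, nil
}

// Present (steps 4-5): the website submits the OTT the user typed in; the ticket is
// bound to that site so no other site can later complete the login with it.
func (s *OTTServer) Present(ott, site string, now time.Time) error {
	t, ok := s.tickets[ott]
	if !ok || t.state != issued || now.After(t.expires) {
		return errors.New("unknown, expired or already presented ticket")
	}
	t.site, t.state = site, presented
	return nil
}

// Pending (step 6) is what the app shows before asking for the PIN: which site is
// trying to log in with this client's ticket.
func (s *OTTServer) Pending(client string) (ott, site string, ok bool) {
	for id, t := range s.tickets {
		if t.client == client && t.state == presented {
			return id, t.site, true
		}
	}
	return "", "", false
}

// Confirm (steps 6-7): the user has seen the site name and enters the PIN. A wrong
// PIN discards the ticket instead of leaving it open for another try.
func (s *OTTServer) Confirm(ott, client, pin string, now time.Time) error {
	t, ok := s.tickets[ott]
	if !ok || t.client != client || t.state != presented || now.After(t.expires) {
		return errors.New("nothing to confirm")
	}
	if !s.verifyPIN(client, pin) {
		delete(s.tickets, ott)
		return errors.New("wrong PIN")
	}
	t.state = confirmed
	return nil
}

// Complete (step 8): the website asks whether its login may proceed. Only the site
// the ticket was presented at succeeds, and only once.
func (s *OTTServer) Complete(ott, site string, now time.Time) (client string, err error) {
	t, ok := s.tickets[ott]
	if !ok || t.state != confirmed || t.site != site || now.After(t.expires) {
		return "", errors.New("login not authorised")
	}
	t.state = consumed
	return t.client, nil
}
```

The property to notice is in Present and Complete together: the ticket is tied to whichever site first submits it, and that site's name is exactly what the app shows in step 6, so a ticket that ends up at the wrong site is visible to the user before the PIN is entered and is useless to any other site afterwards.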
3.2.11.2 Signature
This section defines the user experience for a signature with an e-ID.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses signature.
3. Signature mode is activated.
4. On the website the user confirms to go ahead and sign an action.
5. The site requests the user to verify the action in the mobile application.
6. The user receives the information regarding the action he/she wants to sign, and is asked to verify it with his/her PIN.
7. The status of the signature is displayed in the mobile application.
8. The status of the signature is displayed at the website.
3.2.12 3 factor authentication
This section defines the user experience of the 3 factor authentication solution, which can be applied for application login, site login or signature.
1. The user initiates the application; RSA key and IMEI verification is executed and the user enters his/her PIN.
2. The user chooses verify voice.
3. The user presses the start recording button.
4. The user verifies his/her voice by recording the text being displayed in the mobile application.
5. The mobile application displays the result of the voice verification.
*Note that an enrolment of the voice is necessary prior to being able to execute voice verification.
4 Security
The basic idea behind the ME solution is to use a secure connection to a mobile phone to authenticate a user. To obtain a high security level it is crucial to first create a secure and safe origin authentication and then, in a very secure manner, contain and reuse that origin authentication. The ME system uses, in its current version, 2FA (2 Factor Authentication) to obtain the secure link to the origin authentication. The two factors used are:
• Something you have. In this case the identity of the application installed in a specific phone, with a specific MSISDN, where a specific set of asymmetric keys is stored. The asymmetric keys are a common RSA key set. The private part is stored on the mobile device and the public key is stored on the server (as in standard PKI).
• Something you know. A PIN code/pass phrase of any length and any combination of digits and characters. The PIN/pass phrase is always validated on the server side to avoid brute forcing. Any business logic and rules for PIN/pass phrase use and reuse can be implemented.
The ME solution is built with a true secure connection between the server (TS) and the client. Within that secure channel different services can be offered to the user. This concept is called Safe Frame and is a key foundation of the security in ME.
The asymmetric keys stored in the client are kept in the common memory space integrated with the client SW. In the ME solution the unique client SW with its asymmetric keys is bound to the mobile phone, the operator and the MSISDN. This ensures that the application and the keys cannot be moved or copied for use in other devices, so the right device must be used, which prevents mass fraud.
The ME solution is built to be able to use multiple asymmetric keys and multiple certificates. This means that every single service can have its own keys and certificates.
ME has an advanced security architecture, and its security level is achieved by its technical design, by its technical components and by its processes. ME is a 2-factor solution using a private key infrastructure for the communication between the application and the server. ME stores the private keys in the application. The private keys are protected by a number of checks that are processed when a client connects to the server side, to ascertain the integrity of the application and the user. Another important security component is that ME uses two simultaneous communication lines to execute an authorization. A third factor using biometric properties, such as voice or face recognition, can be added to the solution.
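The two factors above, and the "RSA key and IMEI verification" that opens every flow in section 3.2, can be modelled in a few dozen lines. The following Go code is an added example, not Accumulate's code and not the ME wire protocol: it assumes a nonce challenge signed with RSA-PSS over SHA-256, a device binding expressed as SHA-256 of IMEI and MSISDN, a PIN hash keyed by client id (a slow KDF would be used in a real server), and a revoke-after-three-failures rule standing in for whatever PIN policy the server enforces. All type and function names (Server, Enrolment, Challenge, SignChallenge, VerifyDevice, VerifyPIN) are assumed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const maxPINFailures = 3 // assumed lockout policy; the page lists Revoke but names no threshold

// Enrolment is the server-side record for one client application (layout assumed).
type Enrolment struct {
	PubKey     *rsa.PublicKey // public half of the client's RSA key pair
	DeviceHash [32]byte       // SHA-256(IMEI|MSISDN): "something you have"
	PINHash    [32]byte       // SHA-256(id|PIN): "something you know"; use a slow KDF in production
	Failures   int
	Revoked    bool
}

type Server struct {
	clients  map[string]*Enrolment
	pending  map[string][]byte // single-use nonce per client id
	deviceOK map[string]bool   // key/IMEI check passed, PIN still outstanding
}

func NewServer() *Server {
	return &Server{map[string]*Enrolment{}, map[string][]byte{}, map[string]bool{}}
}

// NewClientKey generates the key pair whose private half stays on the handset.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func deviceHash(imei, msisdn string) [32]byte { return sha256.Sum256([]byte(imei + "|" + msisdn)) }
func pinHash(id, pin string) [32]byte          { return sha256.Sum256([]byte(id + "|" + pin)) }

// Enrol binds the public key, the handset (IMEI + MSISDN) and the PIN hash to id.
func (s *Server) Enrol(id string, pub *rsa.PublicKey, imei, msisdn, pin string) {
	s.clients[id] = &Enrolment{PubKey: pub, DeviceHash: deviceHash(imei, msisdn), PINHash: pinHash(id, pin)}
}

// Challenge (step 1) issues a fresh nonce so a captured answer cannot be replayed.
func (s *Server) Challenge(id string) ([]byte, error) {
	e, ok := s.clients[id]
	if !ok || e.Revoked {
		return nil, errors.New("unknown or revoked client")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[id] = nonce
	return nonce, nil
}

// SignChallenge (step 2, client side) signs nonce||deviceHash and reports the handset binding.
func SignChallenge(priv *rsa.PrivateKey, imei, msisdn string, nonce []byte) ([32]byte, []byte, error) {
	dev := deviceHash(imei, msisdn)
	digest := sha256.Sum256(append(nonce, dev[:]...))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return dev, sig, err
}

// VerifyDevice (step 2, server side) is the "RSA key and IMEI verification": the signature
// must verify under the enrolled key and the binding must match, so the right key on the wrong phone is refused.
func (s *Server) VerifyDevice(id string, dev [32]byte, sig []byte) error {
	e, ok := s.clients[id]
	nonce, pending := s.pending[id]
	if !ok || !pending || e.Revoked {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, id) // each nonce is answered at most once
	digest := sha256.Sum256(append(nonce, dev[:]...))
	if rsa.VerifyPSS(e.PubKey, crypto.SHA256, digest[:], sig, nil) != nil {
		return errors.New("RSA key verification failed")
	}
	if subtle.ConstantTimeCompare(dev[:], e.DeviceHash[:]) != 1 {
		return errors.New("IMEI/MSISDN binding mismatch")
	}
	s.deviceOK[id] = true
	return nil
}

// VerifyPIN (step 3) runs only on the server, as the page requires, so the PIN cannot be
// brute-forced offline against the client; repeated failures revoke the enrolment.
func (s *Server) VerifyPIN(id, pin string) error {
	e, ok := s.clients[id]
	if !ok || e.Revoked || !s.deviceOK[id] {
		return errors.New("device not verified or client revoked")
	}
	delete(s.deviceOK, id) // one PIN attempt per answered challenge
	want := pinHash(id, pin)
	if subtle.ConstantTimeCompare(want[:], e.PINHash[:]) == 1 {
		e.Failures = 0
		return nil
	}
	if e.Failures++; e.Failures >= maxPINFailures {
		e.Revoked = true
		return errors.New("too many wrong PINs: enrolment revoked")
	}
	return errors.New("wrong PIN")
}
```

A login is Challenge, SignChallenge, VerifyDevice, VerifyPIN in that order. Two things the model makes visible that the prose only states: the same private key on a handset with a different IMEI passes the signature check and still fails, because the binding is part of what is signed and compared; and the PIN is never checked anywhere the client can drive the loop, so the only way to guess it is against the server, which counts and revokes.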
4.1 Threat and mitigation
Threat                                                  Possibility     Mitigation
Stolen phone + security application                     Possible        PIN Control, Revoke
Stolen phone + security application + PIN               Unlikely        Revoke
Stolen security application                             Very unlikely   PIN Control, IMEI, SIM validation
Stolen security application + PIN                       Very unlikely   PIN Control, IMEI, SIM validation
Stolen security application + PIN + IMEI                Very unlikely   PIN Control, IMEI, SIM validation
Stolen client application + PIN + IMEI + Proxy install  Very unlikely   Prefix OTT
Stolen client application + PIN + IMEI + Proxy install  Very unlikely   3 factor authentication
4.2 Mobile client security
Each client application is uniquely distributed and contains a unique identity combined with a private RSA key; the size of the key varies from 512 bit to 2048 bit depending on the speed of the target handset. The key in combination with the identity of the application is used to establish a secure 256-bit AES encrypted connection with the server.
The server controls which key size to use, depending on the phone model. The connection with the server is socket based, not HTTP, in order to avoid the risk of “session hijacking”. The client application can be seen as a tiny browser with built-in client certificate authentication, locked with a PIN code.
The clients are also linked to the phone's serial number and implement processes to verify the SIM, to prevent future attacks like Trojans and key loggers on mobile devices. This makes the software-based certificate in the client “hard”, preventing use on another device.
An Accumulate-developed TCP server handles the connections with the clients using only asynchronous IO, to allow many connections without using a lot of application threads. Any number of TCP servers can be deployed (using a load balancer), and the TCP server communicates with the core components using EJB.
The core components can communicate back with the TCP server to push a confirmation to a user directly on the socket channel.
5 Scalability
ME is, both from an application and an infrastructure point of view, fully scalable. It is possible to add any number of ME server instances, and each server can have an unlimited number of users connecting. There are no bottlenecks when it comes to transactions.
Vertical scaling is normally not applicable; the only time it might be the best scaling method is when more memory for database storage is required without an actual need for more CPU capacity. In this situation, a simple upgrade of RAM is the most efficient upgrade. Normally, horizontal scaling is used to improve capacity, even though the most common method to improve performance is code or configuration improvements.
Load balancing is done through Linux Virtual Server using direct routing (DR), with keep-alive as the heartbeat between the master and the slave. This allows the addition of virtually any number of real servers without the load balancer becoming a bottleneck.