banking and mobile identity

Vertical Solutions & Mobile Identity

David Andrzejek VP Vertical Solutions, Apigee

©2015 Apigee Corp. All Rights Reserved.

Not all your APIs have equal business impact

2

©2015 Apigee Corp. All Rights Reserved. 3

Accelerate your adoption of high business impact APIs

High business impact APIs

4

Unlock the most

critical data

Deliver high value use cases

Drive ecosystem adoption

Apigee API Accelerators

5

Open Banking Identity Health

Banking and Mobile Identity

Improving fraud detection & multi-factor authentication

David Pollington GSMA

Secure Authentication & Identification services delivered by the Mobile Network Operators

David Pollington, GSMA @ the Open Banking & PSD2 Summit, London, 19th May 2016

Copyright © 2016 GSMA. The Mobile Connect logo is a trade mark registered and owned by the GSMA.

About the GSMA

The GSMA represents the interests of mobile operators worldwide Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators, as well as more than 230 companies in the broader mobile ecosystem.


Online privacy and security is the biggest threat to sustainable digital growth

Personal Data – Mobile Connect 9

The Challenge

Digital services rely on username + password or social login to identify users

However •  Hard to remember for users •  Security and personal data breaches •  Difficult to prove identity digitally Leads to abandoned log-ins and shopping carts and online fraud


Hardware tokens tip the balance too far

1. Costly to deploy

2. Inconvenient for the user

•  Poor user experience (copying the code across from the token)

•  Necessity of carrying a different token per service



Getting the balance right between convenience vs security is of paramount importance


Convenience

Security


Solution: Authenticators intrinsic to the mobile phone & network


Something I Know

Something I Have

Something I Have +

Something I Know

Something I Have +

Something I Am

or or

Locally-verified

+

Adaptive authentication

Something I Have +

Something I Know +

Something I Am


Mobile Connect: convenient alternative to passwords and protects consumers’ privacy


The key which unlocks access to online services

•  Authentication and Identity from a Regulated Industry with strong KYC and privacy rules

•  Backed by verified customer data

•  Decades of experience in the secure management of their networks and their subscribers’ information

•  Convenient and in your customer’s pocket


The global growth of Mobile Connect


Apr May Jun Jul Sep Oct Nov Dec Jan Feb Mar Aug 42m Australia

70m Bangladesh

85m Spain

178m

Peru Turkey Argentina

Mexico

622m

Indonesia Spain

China France

Italy

2Billion

Malaysia Bangladesh

Indonesia

Myanmar

Switzerland

Thailand

Philippines

Finland

China

Morocco

Egypt

Mexico

Pakistan

2.5Billion

Thailand

India

Sri Lanka

26m

Mobile Connect has grown at an exceptionally rapid pace, and is available today to more than

2.5bn mobile users


Mobile Connect enables Operators to support a portfolio of services


Mobile Connect Authenticate

(LoA2)

Higher security authentication

(LoA3) Authorisation Identity Attributes

Authentication: authentication of an individual Authorisation: authorisation of an action Identity: verification of customer identity Attributes: provision of customer information

Provides a solution for PSD2

requirements around Strong Authentication

Mobile Connect Identity & Attribute products support KYC validation

and mitigate fraud


Mitigating account takeover attacks

Problem statement:

•  Verify that a user request to their bank to update MSISDN details is genuine

Solution:

•  API call from Bank to Mobile Operator to verify a number of customer details

•  Operator can also provide contextual information for Bank to use in spotting fraudulent behaviour


Copyright © 2016 GSMA. The Mobile Connect logo is a trade mark registered and owned by the GSMA. Personal Data – Mobile Connect 17

Mitigating account takeover attacks

Contextual information for use in spotting fraudulent behaviour

Set of signals that can be used by a Bank to catch a multitude of fraud attack vectors thereby mitigating against bank account takeover attacks

•  Stolen/lost phone

•  SIM swap

•  Device change

•  Unconditional call divert set

•  Account activity


Mobile network operators are ideal partners to provide flexible, secure authentication & identity services


•  Regulated Industry: Mobile Operators adhere to strong KYC and privacy rules

•  Possess verified customer data

•  Decades of experience in the secure management of their networks and their subscribers’ information


API documentation & sandbox: https://developer.mobileconnect.io


Copyright © 2016 GSMA. The Mobile Connect logo is a trade mark registered and owned by the GSMA

If you would like more information, please contact GSMA via [email protected] GSMA London Office T +44 (0) 20 7356 0600 www.gsma.com/personaldata Follow the GSMA on Twitter: @GSMA



Decoupled architecture; consistency towards SP (single API); utilisation of open standards (OpenID Connect)


MNO

Tablet/desktop

Serviceaccessrequest

Service Provider

Authenticationrequest

IdentityGW

SIMappletprotocol (CPAS8)

AuthNserver

SIMapplet

Consistent user

experience

Consistent SP experience

SIM applet Smartphone

appSMS+URL USSD

Builds on Web standard OAuth 2.0

ETSITS102204

Thank You

banking and mobile identity

Technology