MobAuth Inc.
A Mobile Phone based Authentication and Banking System. A Business Plan
Mobile Computing Systems and Applications
Carnegie-Mellon University
December 7th, 2004.

Executive Summary

The product and services this business plan aims to provide are authentication and banking using a mobile phone (or "cell phone"). The product is the modification to the cell phone that incorporates these services, namely authentication and banking. Mobile phones are an ideal platform for incorporating these features for the following reasons:

They are already carried by the vast majority of those needing the technology.
They have both long-range (phone) and short-range (Bluetooth) radio frequency capabilities.
They have number/text entering functionality as well as a display.
They have a battery for normal functionality.

The current market situation is ripe for MobAuth. The number of mobile phones is growing rapidly and, according to some studies, almost two-thirds (62 percent) of American adults own a cell phone. A sharp rise is predicted in the number of people using Internet banking in the near future. Thus the time is ideal for the introduction of banking via cell phone, as these people will easily adapt to the new technology.

The two primary functions, namely computer login authentication and ATM banking access, can be merged into a mobile phone initially. Other functions such as credit card style payment and password management, which are extensions of the primary functionality, can be incorporated at a later stage. Hence this business plan primarily focuses on providing the authentication and on-line banking features.

This entrepreneurship opportunity provides a service to users subscribed to a particular cell phone service provider.
From the perspective of the cell phone manufacturing company, the cell phone they provide to their customers only needs to be tweaked a bit (which would essentially be the product). The cell phone service provider should then be able to provide the service to their customers and charge them a monthly fee to increase their revenues. This should not be a problem because a lot of people upgrade their cell phones regularly and several companies offer free upgrades as well.

Service Description

We believe that users will desire the advantage of being able to authenticate for various computer services involving 'login.' Primarily, a user can come to work in the morning and enter their password on the phone's keypad. Then the computer can easily verify that the user remains near the desk throughout the day. If the user temporarily leaves the area, appropriate action can be taken, such as locking the screen. The key advantage in this situation is that the computer being used never has access to the actual password; it is only available temporarily to the phone itself.

A mobile phone can also be used to access ATMs for banking while ensuring that passwords or access mechanisms cannot be extracted or replicated by any adversary. Since the PIN number or password is entered on the phone, a much longer one-time password is generated and sent to the ATM for authentication.

Authentication using Mobile Phones

Initial Setup

The user buys a mobile phone from the company and enters his password on the keyboard of the computer. Using the device detection application built into Bluetooth, the user selects his mobile phone to register it with the computer. The computer and the Bluetooth-enabled mobile phone establish two secret values, namely g (generator) and p (large prime number). These are unique for every unique device. Thus each computer and mobile phone has a list of devices with which it shares this secret.
Authentication

When the user comes into contact with "his" computer for the first time in a day, he needs to enter the password on the keypad of his mobile phone. The mobile phone and the computer calculate a shared session key using the Diffie-Hellman key exchange protocol (based on the initial secrets they share, which are g and p). This key is then used to encrypt all the messages between the computer and the mobile phone. The mobile phone checks whether the password the user entered is correct and, if so, authenticates the user and sends an encrypted message to the computer using random nonces (to eliminate replay attacks). The user can then use the computer just as he would normally. The computer and the mobile phone keep exchanging messages at regular intervals (say every 30 seconds) to ensure that the user is in the vicinity of the computer. (Note: The user needs to keep the mobile with him. If he leaves it and goes somewhere, it is as unsafe as him leaving the computer unlocked.)

User Movement

When the computer no longer detects the mobile phone in the vicinity, it locks the screen. Once the computer detects the mobile again, it unlocks the screen. The shared session key could have a validity ranging from a couple of hours to a day.

Banking with the Mobile Phone

Initial Setup

The user buys a mobile phone from the company and takes it to his bank. The bank computer detects the phone using the device detection application built into Bluetooth and registers it with the bank. The user is asked to enter his PIN number on the computer in the bank. This ensures that the bank employee does not know the PIN of the user. The computer and the Bluetooth-enabled mobile phone establish secret values for g (generator) and p (large prime number) if the PIN number is correct. These are unique for every unique device. Thus the bank computer and the mobile phone now each have a list of devices with which they share this secret.
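The login handshake and the periodic presence check described under Authentication and User Movement, as an added Python example (not code from the original plan). The demo group P and G, the class and function names, the PBKDF2 password check and the use of HMAC-SHA256 for the heartbeat instead of encryption are assumptions made for the illustration.

```python
import hashlib, hmac, secrets

# Constructed demo group (127-bit Mersenne prime); the plan calls for keys > 1400 bits.
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    if not 1 < peer_pub < P - 1:                 # reject 0, 1 and P-1
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(key, nonce):
    return hmac.new(key, b"phone-present" + nonce, hashlib.sha256).digest()

class Phone:
    def __init__(self, key, password):
        self.key, self.salt, self.unlocked = key, secrets.token_bytes(16), False
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000)

    def enter_password(self, attempt):           # checked on the phone only
        h = hashlib.pbkdf2_hmac("sha256", attempt, self.salt, 100_000)
        self.unlocked = hmac.compare_digest(h, self.pw_hash)
        return self.unlocked

    def respond(self, nonce):                    # silent until the user has authenticated
        return tag(self.key, nonce) if self.unlocked else None

class Computer:
    def __init__(self, key):
        self.key, self.locked, self.pending = key, True, None

    def challenge(self):
        self.pending = secrets.token_bytes(16)   # fresh nonce for each heartbeat
        return self.pending

    def heartbeat(self, response):               # response is None when the phone is out of range
        nonce, self.pending = self.pending, None # each nonce is accepted once only
        ok = (nonce is not None and response is not None
              and hmac.compare_digest(response, tag(self.key, nonce)))
        self.locked = not ok
        return ok

def pair():
    (a, A), (b, B) = dh_keypair(), dh_keypair()
    return session_key(a, B), session_key(b, A)  # phone's key, computer's key
```

A response captured during one heartbeat fails the next one because the computer issues a new nonce each time, and a missing response locks the screen.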
Banking

When the user goes to an ATM, he enters his password on the keypad. Since the mobile and the bank share the secrets g and p, they generate session keys of 1400 bits. All transaction details are encrypted using this session key. Here the session key is valid per transaction. The user is logged out after every transaction and must enter his PIN on the keypad every time he wishes to make a transaction.

Changing the Password

Changing the user's password is not difficult. All that is required is the old password and the new password. The password is stored encrypted in the phone's memory and only decrypted during comparison, ensuring that no attacker can get it. The password is stored encrypted with a master key which is unique to each phone; even the phone company cannot get the master key and, in turn, the user password. However, the mobile phone company can reset the user password to a pre-decided default value in case the user loses his phone or password.

Loss of Phone & Password

In case the user loses the cell phone, nothing is lost, as the person who finds the phone does not know the user's password. However, if the user loses both the password and the cell phone, he must inform the cell phone company so that they can reset the password in the phone to the user's default password. He must also inform the bank so that they can deregister the phone.

Target Audience

This business plan is targeted towards CDMA technology based mobile phone service providers as well as manufacturers of such handsets. We hope to convince one of these large phone manufacturers to help us develop a prototype using their phones.

Market

The current market situation is ripe for MobAuth. The number of mobile phones is growing rapidly and there are approximately 86 million subscribers to mobile phones in the US (which is about 32% of the population).
The latest study from Scarborough Research, the nation's leader in local, regional and national consumer information, shows a 29 percent growth rate for cell phone ownership over the past two years, with almost two-thirds (62 percent) of American adults owning a cell phone. A sharp rise is predicted in the number of people using Internet banking in the near future: in fact, it is predicted that over 40% of transactions will occur on-line by 2008. Thus the time is ideal for the introduction of banking via cell phone, as these people will easily adapt to the new technology.

Person Power Projection

The team would consist of 4 engineers, 1 manager and 2 salesmen. The manager will be responsible for leading the team, ensuring milestones are met, finding potential business partners, keeping track of the competitive environment and, in collaboration with the salesmen, "marketing" the idea to the cell phone manufacturer as well as the service provider.

The development team would consist of 4 engineers with a background in Computer Science, Network Security and Embedded Systems Programming. They would have previous experience in creating and modifying the operating systems as well as other software required by the cell phone. These positions require them to be trained in hardware as well. They will be responsible for developing the prototype and testing it thoroughly.

MobAuth Cost/Resources

Initial setup

The initial step is to convince a mobile phone company to allow our group of engineers to experiment with their phones to develop a prototype. This would benefit the company, as it would be the first to provide such a facility once the prototype is ready.

To develop prototype

The estimated cost to develop the prototype would be:

Computer Hardware Cost – 6 Computers (4 PCs + 1 build machine + 1 backup)    $ 3000
Software Cost                                                                $ 2000
Stipend to 4 Engineers @ $2000 p.m. for 3 months                             $24000
Stipend to Manager @ $3000 p.m. for 3 months                                 $ 9000
Stipend to 2 Salesmen @ $1000 p.m. for 3 months                              $ 6000
Misc. Costs                                                                  $ 6000
A few phones donated by the cell phone manufacturer
Total                                                                        $50000

Deployment of Prototype

In order to be successful, the business plan will initially target one major bank for ATM access. No capital would be required in this case; however, the bank should be willing to bear a few expenses and make the necessary changes to their ATMs. Basic computer login/authentication functionality will be provided with the phone.

Post Prototype

We believe that the prototype would be so successful that there would not be any need to convince the service providers to offer this service. The company along with the engineers could provide both the product (addition of the functionality to the phones) and the service (depending on the agreement with the service provider) thereafter.

Returns

We believe that with an initial cost of approx. $50000, the returns would be at least 250 times. Depending on the negotiations with the cell phone manufacturer, we could either set up a facility to add the feature to their cell phones or sell them our product for a one-time agreed-upon sum of money. The cost to set up the facility would be substantial and is beyond the scope of this business plan. We believe that once we are able to convince one mobile phone manufacturer, it would be possible to easily get the other companies to fund us to develop prototypes for their phones and technologies.

As regards the service, we could either handle the server-based infrastructure required to provide the services on behalf of the service provider (and thus get a share of the service fee they charge their customers every month) or negotiate for a one-time sum of money. The revenue model is basically a one-time product (phone) cost and a recurring service cost, which we suggest could be approx. $6.99 p.m., as this is very competitive with the other products available in the market today.
Depending on the negotiations with the service provider, we could either get a chunk of money from the service fee every month or get a lump sum amount once and for all.

We would also make our product compatible with some existing infrastructure for ActivCard/Smart Card/one-time pad systems. Working within one of the existing authentication systems and building an extension to it would be preferable for quick market penetration.

Comparison with Other Products

There are several devices of varying sizes and capabilities available today that can be used to authenticate users to computers using cryptographic techniques. Some of these devices authenticate all the way to the user (by requiring user input), while others authenticate to the physical device and can be used by anyone as long as deactivation has not occurred. Examples of such devices include ActivCard, Smart Cards, and tokens that display one-time pads. These devices provide some combination of strong multi-factor authentication, password management, and trusted digital identities.

The devices available at this time generally target a specific application, and they have numerous disadvantages when it comes to supporting a range of operations. Both the potential of cell phones and the market scenario suggest that MobAuth is the next big thing.

Competition

RSA SecurID Solution

An RSA SecurID Authenticator functions like an ATM card. Network and desktop users must identify themselves with two unique factors (something they know, and something they have) before they are granted access. It can be used by employees, business partners and customers, whether local, remote or mobile. RSA SecurID's two-factor authentication ensures that only authorized users are allowed entry to your network and protected desktops, whether they require access to VPNs, remote access applications, wireless access points, network operating systems, intranets and extranets or web servers.
Java-Powered iButton Authentication Device

The iButton, along with its accompanying 2-in-1 Fob, is both a physical key for touch-and-go access to buildings and a computer key for secure network logon and trusted e-signatures for the Internet. The iButton is designed to keep all credentials both cryptographically and physically secure, spanning personal, corporate, financial, and government applications. It uses Java Applets.

ActivCard

The ActivCard Keychain Token Lite provides banks and their customers an easy-to-use device to combat Internet fraud. Its small size, one-touch, one-time password generation and long life combine to give banks an affordable authentication solution. When combined with ActivCard Authentication SDK or ActivCard Authentication Server, banks can deploy a comprehensive, high performance, highly scalable, two-factor authentication solution for secure on-line banking across the world.

The main advantage of MobAuth over the competition is the fact that it is integrated into the cell phone.

Assumptions

This business plan makes the following assumptions:

The phones being used will be equipped with short-range wireless communication functionality (e.g. Bluetooth) so that data can be exchanged bi-directionally. All ATM machines are equipped with the same technology as well.
The phones have secure storage, which cannot be compromised. The phone also has some additional memory for processing.
The phones will be capable of quickly signing (and possibly encrypting) data using sufficiently long keys (>1400 bits for security through 2010) without drastically affecting battery life. This can be accomplished by using hashes or MACs (Message Authentication Codes).
Each user has a primary password, which is used to access some of the new features of the mobile phone.
No accidental charges will be possible, as all transactions will require some (minimal) user interaction.
Future Enhancements

A mobile phone can also act like a set of a user's credit cards, which prevents them from having to carry around extra cards. This type of feature is currently being tested by mobile phone manufacturers and credit card companies. Also, having a secure mechanism on the phone for doing authentication provides you with an almost 'free' way to store extra-protected information such as password lists. These are some enhancements which could easily be made once the MobAuth system is in place. Other enhancements could include using the cell phone as electronic cash, digital certificates for public key cryptography, loyalty systems (like frequent flyer points), government identification, etc.