The development of electronic signatures on mobile devices is essential to the advance and expansion of mobile electronic commerce, since it provides security and trust in the system. E-signatures secure transactions with authenticity and integrity characteristics that make non-repudiation of the transactions possible. In many countries, such as Estonia, Germany, Singapore and Hong Kong, it has become a key element of e-government through its “utilization of wireless and mobile technology, services, applications and devices for improving benefits to citizens, businesses and government units”. Driven by the growing surge in mobile interactions, mobile commerce and online digital purchasing, carriers worldwide are investing in mobile identity infrastructure as an economically efficient solution to fraud detection/prevention and identity theft issues.
Many different technologies and infrastructures have been developed with the aim of implementing mobile signature processes. Some are based on the SIM card. Others work over the middleware of the mobile device and cryptographic providers. Finally, there are already some frameworks which are independent of specific mobile device technologies and make mobile signatures available to application providers. Mobile signature solutions can only work on compatible SIM cards that match the WPKI specifications in terms of security and capacity and contain a SIM Toolkit application capable of performing signatures. The PKI system associates the public key counterpart of the secret key held at the secure device with a set of attributes contained in a structure called a digital certificate. The choice of registration procedure details when defining the attributes included in this digital certificate can be used to produce different levels of identity assurance.
A solution must also be implemented on the operator side to manage signature requests. If the access control secret was entered correctly, the device is granted access to secret data containing, for example, an RSA private key. Security is guaranteed by cryptographic systems (e.g. SHA1) and on-board key generation. The service is only made available on EAL4+ certified SIM cards, which provide a high level of security. Legal compliance is ensured by a country-specific Electronic Signature Law that gives electronic signatures the same authentication level as a wet signature as long as they rely on a “qualified certificate”. Qualified certificates are defined by the ETSI Standards and a directive by the EU Commission as certificates that are issued by an authorised Certificate Authority following face-to-face verification of both the user and government-issued photographic identification.
According to GSMA, Turkey and Turkcell were the global first in launching a mobile signature service. The idea behind Turkcell MobilImza was to offer a remote way to complete transactions equivalent to an “original” signature on a hard copy, making it possible to sign documents and authenticate oneself via a mobile phone in a way that is legally approved, secure, easy and convenient. Their mobile signature services are easy to use, since they don’t require any software installation. The certificate is activated Over-The-Air once the user has subscribed to the service. Signature requests then automatically pop up on the user’s phone each time he requests access to secure services. Once the user has entered his PIN, the signature is sent to the service provider, who checks its validity and grants access to the service.
Turkcell Mobile Signature can be used in all transactions that require a signature, such as private affairs, public affairs, and banking affairs, except for the ones that require a ceremony and the witnessing of a third party, such as marriage or buying a deed. For example, EFTs can be carried out over internet banking with mobile signatures. Turkcell has imported e-signature technology to the mobile realm, and it contributes to the e-Turkey transformation by carrying all transactions that require a signature to the virtual realm, where you will not need new readers or smart cards.
It is often the case that service providers are reticent about adopting mobile signature solutions if there is not a large installed base of users, and users are not enthusiastic about services that are not backed by multiple service providers. This leads to a stand-off that can often threaten the commercial success of mobile signature services. Initially, Turkcell’s project was supported by the five main Turkish banks, which together pushed for the government to adapt the electronic signature law. This collaboration helped drive adoption since banks offered customers pre-registration at their branches, and then sent the forms to Turkcell. The banks also promoted the use of mobile signature through marketing campaigns.
The initial business model for Turkcell MobilImza was a pay-per-use model. The service was free to subscribe to, and users had to pay a fee each time they used the signature service. The idea was that the cost of the certificate would be covered after a certain number of transactions, and then profit would be generated by extra usage. But this model relied on consistent levels of usage from subscribers. However, a significant proportion of non-active users made this model unsustainable. Therefore, this business model was replaced by two complementary models:
■ Monthly subscription: subscribers pay 5 Turkish Liras for an unlimited number of signatures
■ Price per signature: service providers pay a small fee per transaction. Public enterprises and educational institutions are not required to pay this fee, because of their public service orientation. It is anticipated that service providers who actively promote mobile digital signature will also enjoy a waiver of this fee.
In Europe, the Mobile ID program in Moldova is a government-led project that is being deployed in partnership with mobile network operators. It is designed to offer citizens the speed, privacy, convenience and transparency of digital access to numerous government services and information, including online applications and copies of official documents. Their selected UICC-based solution is compatible with all types of mobile telephones, whether feature phones or smartphones. The application allows citizens to confirm their identity and sign documents directly from their mobile phone by entering a unique user-selectable PIN code. A Mobile ID solution is responsible for the entire life cycle management, from user registration to verification of mobile digital signatures, and connection to the Certificate Authority body and e-government portals.
Lattelecom offers the Mobile ID service platform to Latvian service providers and mobile operators. Mobile ID users are able to securely sign in to online services and sign documents and transactions simply by using their mobile phone. As mobile phones are typically always at hand, a legally binding digital signature can be made regardless of time or place. Lattelecom launched the service with nine service providers, including Latvijas Krājbanka bank, Riga city council, Lattelecom’s and Latvijas Mobilais Telefons’ (LMT) online customer service, along with local enterprises and universities. Lattelecom handles user and transaction validation, making it easier for other service providers to join in. Lattelecom offers the Mobile ID service to third-party service providers in a variety of industries, including other Latvian mobile operators.
The ability to leverage network assets, such as the Subscriber Database Management (SDM) system, and the potential for incremental revenue from third parties such as credit bureaus, banks, and credit card companies make mobile identity a high-priority service for carriers worldwide. Mind Commerce thus expects that the mobile identity infrastructure market will grow at a CAGR of nearly 17% over the next five years, eventually accounting for nearly USD 12 Billion in revenues by the end of 2019.
Sadiq Malik (Telco Strategist)