MobAuth Inc.
A Mobile Phone based Authentication and Banking System.
A Business Plan
Mobile Computing Systems and Applications
Carnegie-Mellon University
December 7th, 2004.
Executive Summary
The product and services this business plan aims at providing is authentication and banking using a mobile phone (or "cell phone" ) The product provided is the modification to the cell phone to incorporate the services namely authentication and banking. Mobile Phones are an ideal platform for incorporating these features for the following reasons:
· They are already carried by the vast majority of those needing the technology.
· They have both long-range (phone) and short-range (Bluetooth) radio frequency capabilities.
· They have number/text entering functionality as well as a display.
· They have a battery for normal functionality.
The current market situation is ripe for MobAuth. The number of mobile phones is growing rapidly and according to some studies, almost two-thirds (62 percent) of American adults own a cell phone.
There is a sharp rise predicted in the number of people using Internet banking in the near future. Thus the time is ideal for the introduction of banking via cell phone as these people will easily adapt to the new technology.
These two primary functions namely computer login authentication and ATM banking access can be merged into a mobile phone initially. Other functions such as credit card style payment and password management, which are extensions to the above primary functionality, can be incorporated at a later stage. Hence this business plan primarily focuses on providing the authentication and on-line banking features.
This entrepreneurship opportunity provides a service to users subscribed to a particular cell phone service provider. From the perspective of the cell phone manufacturing company, the cell phone they provide to their customers only needs to be tweaked a bit (which would essentially be the product) and then the cell phone service provider should be able to provide the service to their customers and charge them a monthly fee to increase their revenues. This should not be a problem because a lot of people upgrade their cell phones regularly and several companies offer free upgrades as well.
Service Description
We believe that users will desire the advantage of being able to authenticate for various computer services involving 'login.' Primarily, a user can come to work in the morning and enter their password on the phone's keypad. Then, the computer can easily verify that the user remains near the desk throughout the day. If the user temporarily leaves the area, appropriate action can be taken such as locking the screen. The key advantage in this situation is that the computer being used never has access to the actual password; it is only available temporarily to the phone itself.
A mobile phone can also be used to access ATM's for banking while ensuring that passwords or access mechanisms cannot be extracted or replicated by any adversary. Since the PIN number or password is entered on the phone, a much longer one-time password is generated and sent to the ATM for authentication.
Authentication using Mobile Phones
Initial Setup
The user buys a mobile phone from the company and enters his password on the keyboard of the computer. Using the device detection application built into bluetooth, the user selects his mobile phone to register it with the computer. The computer and the bluetooth- enabled mobile phone establish two secret values namely g (generator) and p (large prime number). These are unique for every unique device.
Thus each computer and the mobile phone has a list of devices with which it shares this secret.
Authentication
When the user comes to in contact with “his” computer for the first time in a day, he needs to enter the password on the keypad of his mobile phone. The mobile phone and the computer calculate a shared session key using the Diffie Hellman Key Exchange Protocol (based on the initial secret they share which are g and p). This key is then used to encrypt all the messages between the computer and the mobile phone. The mobile phone checks to see if the password the user entered is correct and if so authenticates the user and sends an encrypted message to the computer using random nonces (to eliminate replay attacks) The user can then use the computer just as he would normally.
The computer and the mobile phone keep exchanging messages at regular intervals (say every 30 seconds) to ensure that the user is in the vicinity of the computer (Note: The user needs to keep the mobile with him. If he leaves it and goes somewhere, its as unsafe as him leaving the computer unlocked)
User Movement
When the computer no longer detects the mobile phone in the vicinity, it locks the screen. Once the computer detects the mobile again, it unlocks the screen.
The shared session key could have a validity ranging from a couple of hours to a day.
Banking with the Mobile Phone
Initial Setup
The user buys a mobile phone from the company and takes it to his bank. The bank computer detects the phone using the device detection application built into bluetooth and register it with the bank. The user is asked to enter his PIN number on the computer in the bank. This ensures that the bank employee does not know the PIN of the user. The computer and the bluetooth-enabled mobile phone establish secret values for g (generator) and p (large prime number) if the PIN number is correct. These are unique for every unique device.
Thus the bank computer and the mobile phone now have a list of devices with which it shares this secret.
Banking
When the user goes to an ATM, he enters his password on the keypad. Since the mobile and the bank share the secrets g and p, they generate session keys of 1400 bits. All transaction details are encrypted using this session key. Here the session key is valid per transaction. The user is logged out after every transaction and must enter his PIN on keypad everytime he wishes to make a transaction.
Changing the Password
Changing the user’s password is not difficult. All that is required is the old password and the new password. The password is stored encrypted in the phone’s memory and only decrypted during comparison ensuring that no attacker can get it. The password is stored encrypted with a master key which is unique to each phone and even the phone company cannot get the master key and in turn the user password. However the mobile phone company can reset the user password to a pre-decided default value in case the user loses his phone or password.
Loss of Phone & Password
Incase the user loses the cell phone, nothing is lost as the person who finds the phone does not know the user’s password. However if the user loses both the password and the cell phone, then he must inform the cell phone company so that they can reset the password in the phone to the user’s default password. Also he must inform the bank so that they can de-register the phone.
Target Audience
This business plan is targeted towards the CDMA technology based mobile phone service providers as well as manufacturers of such handsets. We hope to convince one of these large phone manufacturers to help us develop a prototype using their phones.
Market
The current market situation is ripe for MobAuth. The number of mobile phones is growing rapidly and there are approximately 86 million subscribers to mobile phones in the US (which is about 32% of the population). The latest study from Scarborough Research, the nation's leader in local, regional and national consumer information, shows a 29 percent growth rate for cell phone ownership over the past two years with almost two-thirds (62 percent) of American adults owning a cell phone.
There is a sharp rise predicted in the number of people using Internet banking in the near future: in fact, it is predicted that over 40% of transactions will occur on-line by 2008.
Thus the time is ideal for the introduction of banking via cell phone as these people will easily adapt to the new technology.
Person Power Projection
The team would consist of 4 engineers, 1 Manager and 2 salesmen.
The manager will be responsible to lead the team, ensure milestones are met, find potential business partners, keep track of the competitive environment and in collaboration with the salesmen, “market” the idea to the cell phone manufacturer as well as the service provider.
The development team would consist of 4 Engineers with a background in Computer Science, Network Security and Embedded Systems Programming. They would have previous experience in creating and modifying the Operating Systems as well as other software required by the cell phone. These positions require them to be trained in hardware as well. They will be responsible for developing the prototype and testing it thoroughly.
MobAuth Cost/Resources
Initial setup
To convince a mobile phone company to allow our group of engineers to experiment with their phones to develop a prototype that would benefit them as they would be the first ones to provide such a facility after the prototype would be ready.
To develop prototype
The estimated cost to develop the prototype would be
Computer Hardware Cost – 6 Computers(4 PC’s + 1 build machine + 1 backup) / $ 3000
Software Cost / $ 2000
Stipend to 4 Engineers @ $2000 p.m. for 3 months / $24000
Stipend to Manager @ $3000 p.m. for 3 months / $ 9000
Stipend to 2 Salesmen @ $1000 p.m. for 3 months / $ 6000
Misc. Costs / $ 6000
A few phones donated by the cell phone manufacturer / -
Total / $50000
Deployment of Prototype
In order to be successful, the business plan will be to initially target one major bank for ATM. No capital would be required in this case, however the bank should be willing to bear a few expenses and make the necessary changes to their ATM’s. Basic computer login/authentication functionality will be provided with the phone.
Post Prototype
We believe that the prototype would be so successful, that there would not be any need to convince the service providers to offer this service.
The company along with the engineers could provide both the product (addition of the functionality to the phones) and the service (depending on the agreement with the service provider) thereafter.
Returns
We believe that with an initial cost of approx. $50000, the returns would be atleast 250 times. Depending on the negotiations with the cell phone manufacturer, we could either set up a facility to add the feature to their cell phones or sell them our product for a one time agreed upon sum of money. The cost to set up the facility would be substantial and is beyond the scope of this business plan.
We believe that once we are able to convince one mobile phone manufacturer, it would be possible to easily get the other companies to fund us to develop prototypes for their phones and technologies.
As regard to the service, we could either handle the server-based infrastructure required to provide the services on behalf of the service provider (and thus get a share of the service fee they charge their customers every month) or negotiate for a one-time sum of money.
The revenue model is basically a one time product (phone) and reoccurring service cost which we suggest could be approx. $6.99 p.m. as this is very competitive with the other products available in the market today. Depending on the negotiations with the service provider, we could either get a chunk of money from the service fee every month or get a lump sum amount once and for all.
We would also make our product compatible with some existing infrastructure for ActivCard/Smart Card/one time pad systems. Working within one of the existing authentication systems and building an extension to it would be preferable for quick market penetration.
Comparison with Other Products
There are several devices of varying sizes and capabilities available today that can be used to authenticate users to computers using cryptographic techniques. Some of these devices authenticate all the way to the user (by requiring user input), while others authenticate to the physical device and can be used by anyone as long as deactivation has not occurred. Examples of such devices include ActivCard, Smart Cards, and tokens that display one-time pads. These devices provide some combination of strong multi-factor authentication, password management, and trusted digital identities. The devices available at this time generally target at a specific application and they have numerous disadvantages when it comes to supporting a range of operations. Both the potential of cell phones and the market scenario suggest that MobAuth is the next big thing.
Competition
RSA SecurID Solution
An RSA SecurID Authenticator functions like an ATM card. Network and desktop users must identify themselves with two unique factors—something they know, and something they have—before they are granted access. It can be used by employees, business partners and customers, whether local, remote or mobile. RSA SecurID’s two-factor authentication ensures that only authorized users are allowed entry to your network and protected desktops, whether they require access to VPN’s, remote access applications, wireless access points, network operating systems, intranets and extranets or web servers.
Java-Powered iButton Authentication Device
The iButton, along with its accompanying 2-in-1 Fob, is both a physical key for touch-and-go access to buildings and a computer key for secure network logon and trusted e-signatures for the Internet. The iButton is designed to keep all credentials both cryptographically and physically secure, spanning personal, corporate, financial, and government applications. It uses Java Applets.