Question 17-3/2: Progress on e-government activities and identification of areas of e-government application for the benefit of developing countries


11 Case study in the Russian Federation

Various mobile payment systems have become very popular in the Russian Federation. Some of them, whose functionality is limited to topping up the balance of a previously registered mobile phone, do not require security and accordingly do not provide it; others (for example, the mobile payment systems "Easy Payment" and "MasterCard Mobile") have wide functionality and meet the highest security level requirements set by ITU standards for secure systems. Importantly, these security measures do not cause any additional inconvenience for users. The whole range of bearers offered by modern mobile communication standards is used as the transport. SMS and USSD have become quite widespread; however, the wide circulation of smartphones and the development of mobile telecommunication standards have increased the use of GPRS, UMTS, WiMAX and LTE.

It is interesting to note that applications which store "sensitive information" on tamper-resistant devices and applications which store the data in the phone's memory are present in the market on equal terms. Nevertheless, the latter have become more popular, although they are potentially less secure. The obvious benefit to the consumer of the latter is that there is no need to replace the SIM/UICC card; the drawback is the risk that confidential data can be read from the phone's memory. It is therefore interesting to compare these two types of application from the security point of view.

According to the statistics, fraud usually occurs not because applications on stolen phones are hacked, but either because of the "human factor" or because of malware that has penetrated clients' phones. These are the least protected elements of the system, and further hardening of the mobile application itself is justified only where the risk of compromise is very high, for example for an official digital signature recognized by state entities. By contrast, the risks of payment systems can be limited by a maximum amount per transaction and/or per time period. Therefore, the most important contribution to the secure use of devices working in open networks is training clients to use these devices and to use anti-virus software. At the same time, the service provider must of course take all the measures to protect confidential information defined by ISO 27001 and similar standards. In particular, it is necessary to minimize the number of employees operating the system who have access to "sensitive data", to assign different access levels within the system, and to provide mandatory authentication and logging of logins.
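The risk-limiting control described above (a cap per transaction plus a cap per time period) is straightforward to enforce on the service provider's side. The following is an added example written for this page; it is not code from the ITU report or from any of the payment systems it names. The policy values, the client identifier and the sequence of transactions are constructed for illustration.

```python
# Added example (not from the ITU report or any named mobile payment system):
# a per-transaction cap plus a rolling-window spending cap, which bounds the
# loss from a compromised phone to at most max_per_window per window.
# Client identifiers, amounts and timestamps below are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitPolicy:
    max_per_transaction: int  # minor currency units (e.g. kopecks)
    max_per_window: int       # total allowed inside any rolling window
    window_seconds: int       # length of the rolling window


class VelocityLimiter:
    """Tracks approved transactions per client and rejects any transaction
    that would exceed the policy. Only approved transactions count against
    the window, so a burst of rejected attempts cannot lock the client out."""

    def __init__(self, policy: LimitPolicy) -> None:
        self.policy = policy
        # client_id -> deque of (timestamp, amount) for approved transactions
        self._history: dict[str, deque] = defaultdict(deque)

    def _prune(self, client_id: str, now: int) -> deque:
        """Drop approved transactions that have aged out of the window."""
        hist = self._history[client_id]
        cutoff = now - self.policy.window_seconds
        while hist and hist[0][0] <= cutoff:
            hist.popleft()
        return hist

    def check(self, client_id: str, amount: int, now: int) -> tuple[bool, str]:
        """Return (approved, reason); records the transaction only if approved."""
        if amount <= 0:
            return False, "invalid amount"
        if amount > self.policy.max_per_transaction:
            return False, "exceeds per-transaction limit"
        hist = self._prune(client_id, now)
        spent = sum(a for _, a in hist)
        if spent + amount > self.policy.max_per_window:
            return False, "exceeds rolling-window limit"
        hist.append((now, amount))
        return True, "ok"


def run_sample() -> list[tuple[bool, str]]:
    """Constructed sequence for one client (hypothetical mID) under a policy
    of 500.00 per transaction and 1000.00 per hour: an attempt to drain the
    account in a burst, then a later payment after the window has moved on."""
    policy = LimitPolicy(max_per_transaction=50_000,
                         max_per_window=100_000,
                         window_seconds=3600)
    limiter = VelocityLimiter(policy)
    client = "mid:example-0001"  # hypothetical mobile identity
    attempts = [  # (seconds since start, amount)
        (0, 30_000),     # approved
        (60, 60_000),    # rejected: over the per-transaction cap
        (120, 50_000),   # approved: 80 000 now spent inside the window
        (180, 30_000),   # rejected: would reach 110 000 inside the window
        (3700, 30_000),  # approved: the first payment has aged out
    ]
    return [limiter.check(client, amount, ts) for ts, amount in attempts]


if __name__ == "__main__":
    for approved, reason in run_sample():
        print("APPROVED" if approved else "REJECTED", reason)
```

The limiter only counts approved transactions, so an attacker cannot exhaust a victim's window by submitting payments that are rejected. The timestamps must come from the server clock, not from the handset, since the handset is exactly the element the text identifies as least protected.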

In Russia, as in other countries, all three MPS models described in Section 4.3 above have become popular, and all the sources of payment described in Section 4.4 are used, namely: clients' bank accounts, international and local payment cards, personal accounts of cellular subscribers, and e-money.

The use of mobile devices to produce a legally recognized digital signature in Russia is complicated by Russian requirements for its cryptographic protection and has not been introduced yet; however, Rostelecom has been working on this issue for a long time and intends to implement it in the near future.

12 Findings

As shown in the implementation cases described in chapters 6-9 above, the development and use of mobile devices for m-Government, m-Health, m-Payment, m-Learning and so on are at different levels in different countries. However, in today's global world the penetration of technological innovations increases drastically, which leads to step-by-step convergence of technological development levels and reduces the digital gap between developed and developing countries. Today the developed countries already have fully functional electronic payment systems and mobile government, while in some developing countries even the simple use of SMS to transfer data between medical offices brings real results, reducing delays in receiving early infant diagnosis (EID) DBS HIV test results, as described for Project MWANA implemented in the Republic of Zambia [17]. This indicates that the technological gap will narrow very soon. The most advanced of today's systems based on mobile devices offer a whole range of services which is continuously extended: besides mobile payments and mobile banking, services based on geo-location have found wide application. Furthermore, as stated in the White Paper "Mobile Payments" [18] issued by the European Payments Council in 2012, the mobile terminal should represent a "digital wallet" that provides authentication and digital signature to replace the multiple passwords, IDs and merchant loyalty cards (Figure 21).

Figure 21: The wallet shall be digital, not leather


Like an ordinary wallet, the "digital" wallet in effect contains identification data of the owner, data on the means of payment available to the owner and, in certain cases, personal data of the owner (images, documents, etc.). It may include ID information, digital signatures and certificates, login information, billing and delivery addresses, and information on payment instruments. It can also include other applications, for example bonus points, tickets or travel documents. After authentication at the Unified Authentication Centre, the user may enter personal merchant accounts or social networks such as Facebook and LinkedIn, which is very convenient and removes the need to remember or securely store numerous passwords for multiple accounts. In the short term, one can expect wide distribution of mobile devices as terminals for e-government and healthcare. Recent initiatives on the use of mobile devices, launched at Telecom-2012 by the ITU and WHO, support this statement.

The rapid development of systems based on mobile devices is due to the security measures applied to the services. Security is a common task for e-government, financial services and e-health (Figure 22) and is provided in accordance with the ITU-T security Recommendations.

Figure 22: Security – touchstone for all e-services

(Figure labels: e-government, financial services, e-health)
Under these Recommendations, cryptography is used for authentication and for encryption of the transferred data instead of the one-time passwords used in earlier systems. This considerably increased the security of mobile devices while also increasing their convenience of use and, as a result, led to the growth in popularity of services based on mobile devices.

13 Recommendations

– Since mobile phones have achieved full market penetration and high service levels, they are ideal payment terminals and secure communication instruments.

– It is important to provide easy-to-use mobile phone interfaces with a consistent user experience across all supported mobile phone implementations, even though the most advanced smartphones boast "great" colour displays and touch-based interfaces. The user experience remains strongly constrained by the necessarily small form factor. For example, the mobile phone form factor effectively limits the amount of information that can be displayed at any given time and the ability of the user to enter complex text.

– The mobile device is a "digital wallet" that stores identification information about the wallet holder, about the payment instruments accessible to the wallet holder, and optional personal information items belonging to the holder (e.g. pictures, documents). This may include information related to ID cards, digital signatures and certificates, logon information, billing and delivery addresses, as well as payment instrument related information. Furthermore, it may also include other applications such as loyalty, transport or ticketing.

– Customers should not be bound to a specific MNO or bank, and should retain their current ability to choose service providers.

– Parties to an electronic dialogue should be authenticated using at least two-factor authentication, and data transfer should be carried out in secure mode using cryptographic means.

– It is advised to use Security Level 4 or 3 according to ITU-T Recommendation Y.2740.

– Customers should be aware of the Security Level of the system, which should be stipulated in the participants' agreement. User authentication may be performed by the Unified Authentication Centre.

– To ensure security, the mobile device must carry a dedicated Mobile Application that provides authentication and encryption.

– The most realistic vision is one of a market where multiple Mobile Applications co-exist, combining services on a single mobile device [19].

– The registration and provisioning of a Mobile Application needs to be executed in a secure environment. Access to a Mobile Application would be easier for customers if they could use the existing trusted relationship between them and their service providers.

– To reach the highest security level, the Mobile Application should be located in a hardware Secure Element.

– The choice of Secure Element has a major impact on the service model and the roles of the various stakeholders. Three types of SE have been used so far: UICC, embedded SE, and removable SE such as a microSD card.

– The Service Enabler provides the technology support and integration of the various access means, and interoperability with service providers and the authentication centre.

– It is recommended to use Mobile Applications composed of several independent blocks, each with its own set of keys.

– A Client may have multiple customer mobile identities (mIDs) bound to the Client's MSISDN. Unified rules for issuing mIDs, registered in the System Central Directory, should be introduced to ensure proper routing of messages to Clients.

– All identification and authentication centres must comply with the same allocation rules and regulations for the mobile identifiers (mIDs) of mobile clients, registered in a central System Directory, to ensure message delivery to customers.

– Mobile systems should, as far as possible, use technologies and infrastructure that have already been widely deployed.

14 Terms and abbreviations

ADS Active Discovery Services

CA Certification Authority

CPU Central Processing Unit

CSD Circuit Switched Data

DNS Domain Name System

DTMF Dual-Tone Multi-Frequency

EDGE Enhanced Data rates for GSM Evolution

EU European Union

G2B Government-to-Business

G2C Government-to-Citizens

G2E Government-to-Employees

G2G Government-to-Government

GLONASS Global Navigation Satellite System

GPRS General Packet Radio Service

GPS Global Positioning System

ICT Information and Communication Technology

IDM Identity Management

IP Internet Protocol

ITU International Telecommunication Union

LTE Long Term Evolution

mID mobile Identifier

MNO Mobile Network Operator

MPS Mobile Payment System

MSISDN Mobile Subscriber Integrated Services Digital Number

MSSP Mobile Signature Service Provider

NCD Non-communicable disease

NFC Near Field Communication

NGN Next Generation Networks

NIST National Institute of Standards and Technology (USA)

NSTIC National Strategy for Trusted Identities in Cyberspace (USA)

OTA Over-The-Air

OTP One Time Password

OTT One Time Ticket

PIN Personal Identification Number

PKI Public Key Infrastructure

PN Payment Network

PSP Payment Service Provider

QoS Quality of Service

RA Registration Authority

ROI Return On Investment

RSA an algorithm for public-key encryption

SIM Subscriber Identity Module

SMS Short Message Service

TEE Trusted Execution Environment

UICC Universal Integrated Circuit Card

UNO United Nations Organisation

USA United States of America

USSD Unstructured Supplementary Service Data

VPN Virtual Private Network

WHO World Health Organisation

WiMAX Worldwide Interoperability for Microwave Access

WPKI Wireless Public Key Infrastructure

15 List of References

1. ITU-T Recommendation Y.2740 (page 3)

2. Joint ITU-WHO initiative on NCD(page 6)

3. eEurope "Blueprint" Smartcard Initiative (page 7)

4. NIST Special Publication 800-57 (page 7)

5. ITU-T Recommendation Y.2741 (page 8)

6. Security in telecommunications and information technologies (page 12)

7. ITU-T Recommendation X.805 "Security Architecture for Systems Providing End-to-End Communications" (page 12)

8. ITU-T Recommendation X.800 "Security architecture for Open Systems Interconnection for CCITT applications" (page 12)

9. ITU Recommendation X.1122 (page 14)

10. Mobile Signatures Whitepaper: Best Practices (page 18)

11. ETSI TR 102 203 "Mobile Commerce (M-COMM); Mobile Signature; Business & Functional Requirements" (page 19)

12. ETSI TS 102 204 "Mobile Commerce (M-COMM); Mobile Signature; Web Service Interface" (page 19)

13. ETSI TR 102 206 "Mobile Commerce (M-COMM); Mobile Signature Service; Security Framework" (page 19)

14. ETSI TS 102 207 "Mobile Commerce (M-COMM); Mobile Signature Service; Specifications for Roaming in Mobile Signature Services" (page 19)

15. Ministry of Internal Affairs and Communications (2012) “Information and communications in Japan, White Paper 2012,” p333 (page 23)

16. Ministry of Internal Affairs and Communications (2012) "Final Report from 'Study Group on Information Security Issues of Smartphone and Cloud Computing'", June 29, 2012, http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/120629_03.html (page 23)

17. Project MWANA, Zambia D10-SG02-C-0215

18. "White paper. Mobile payments", European Payments Council, 2012, http://www.europeanpaymentscouncil.eu/knowledge_bank_detail.cfm?documents_id=564

19. A Series of White Papers on Mobile Wallets

20. http://vanha.mobeyforum.org/Knowledge-Center/Mobey-White-Papers

21. PKO Project brief

22. PKO Bank Polski mobile payment use case

23. http://www.accumulate.se
Mobile network access is available to 90% of the world's population and to 80% of the population living in rural areas, and in the OECD countries the compound annual growth rate of mobile broadband subscribers was 20% over the period 2007-2009 (OECD and ITU, 2011).

From the BDT document.

Presented on 14 September 2010 at the 1st meeting of Study Group 2.

Presented on 11 September 2011 at the 2nd meeting of Study Group 2.

Presented on 11 September 2011 at the 2nd meeting of Study Group 2.

Presented on 11 September 2011 at the 2nd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

Presented on 17 September 2012 at the 3rd meeting of Study Group 2.

This part is a summary of the contribution by Intervale, which is given in full in the Annex.

See document: 2/INF/89-E.

See document: 2/INF/91.

