Loading ...
Sorry, an error occurred while loading the content.
 

Authorization/Authentication in Mobile Portals

Expand Messages
  • Tito Ocampos
    Hi guys, I m working in a project in which we need to integrate a third-party Content Download Store (music, videos, wallpapers, etc) with the Payment
    Message 1 of 4 , Jun 6, 2010
      Hi guys,

      I'm working in a project in which we need to integrate a third-party Content Download Store (music, videos, wallpapers, etc) with the "Payment"  Platform owned from the Operator. The flow designed for a "purchase" will have a workflow like below:

      1- End User will browse in the WAP Portal from a content provider
      2- End User will select a content and check the details for the content
      3- End User will click on "Buy" button in the Content Provider WAP portal (HTTPS - SSL Class 3 based))
      4- The Content provider will "Redirect" the user to a WAP Page from the "Payment" Platform (or provide a link, for not using automatic "redirect" mechanism)
      5- The Payment Platform will receive information about the Content the user wants to buy
      6- The Payment Platform will authenticate the end-user authenticity based on information provided from Wap Gateway HTTP Headers and IP (IP based - AAA integration)
      7- The Payment Platform will show end user a page with details on the content and price and ask the user to confirm
      8- The User will click on "confirm" button
      9- The Payment Platform will confirm the purchase and redirect to the WAP Portal content Provider.
      10- The WAP portal from content provider will display a page confirming successfull operation.


      Notice that:
      - The flow only will be allowed when the user is navigating using operator network.
      - The operator considers the third-party WAP Portal as "non-trusted" therefore confirmation  from the user is needed before proceed to charging (in some way, similar to when buying with Credit Card on the internet)
      - For some steps, specially in the redirection process - from third-party portal to payment platform and vice-versa, some aditional mechanism of authorization are being considered like: using TOKEN exchange, RSA encription, MD5 signature based on secret key-phrases.

      My question are:
      1- What can be done in order to enhance security of the whole process without impacting so much in usability aspects?

      Examples:
                  - OAUTH Based mechanism can be considered, but at least it should be adapted to mobile scenery.
                  - In this flow, in step 6 or 7 a password/pin authentication can be added, but is it really necessary?
                  - There's a risk of "man-in-the-middle" attacks in step 9 to 10.  (some malicious user can retrieve the information when being redirected to third party WAP Portal and login/access unauthorized information).

      2- Is there any standard in mobile word for these kinds of operations?


      Any comment is greatly preciated

      Regards,

      Tito Ocampos



    • Fanis Hatzidakis
      Hi, inline ... Something similar that I did included tokens passed on from the payment platform to the content provider after the user s action, who would then
      Message 2 of 4 , Jun 7, 2010
        Hi, inline

        On Mon, Jun 7, 2010 at 06:13, Tito Ocampos <tito.ocampos@...> wrote:
        >
        >
        > Hi guys,
        >
        > I'm working in a project in which we need to integrate a third-party Content Download Store (music, videos, wallpapers, etc) with the "Payment"  Platform owned from the Operator. The flow designed for a "purchase" will have a workflow like below:
        >
        > 1- End User will browse in the WAP Portal from a content provider
        > 2- End User will select a content and check the details for the content
        > 3- End User will click on "Buy" button in the Content Provider WAP portal (HTTPS - SSL Class 3 based))
        > 4- The Content provider will "Redirect" the user to a WAP Page from the "Payment" Platform (or provide a link, for not using automatic "redirect" mechanism)
        > 5- The Payment Platform will receive information about the Content the user wants to buy
        > 6- The Payment Platform will authenticate the end-user authenticity based on information provided from Wap Gateway HTTP Headers and IP (IP based - AAA integration)
        > 7- The Payment Platform will show end user a page with details on the content and price and ask the user to confirm
        > 8- The User will click on "confirm" button
        > 9- The Payment Platform will confirm the purchase and redirect to the WAP Portal content Provider.
        > 10- The WAP portal from content provider will display a page confirming successfull operation.
        >
        >
        > Notice that:
        > - The flow only will be allowed when the user is navigating using operator network.
        > - The operator considers the third-party WAP Portal as "non-trusted" therefore confirmation  from the user is needed before proceed to charging (in some way, similar to when buying with Credit Card on the internet)
        > - For some steps, specially in the redirection process - from third-party portal to payment platform and vice-versa, some aditional mechanism of authorization are being considered like: using TOKEN exchange, RSA encription, MD5 signature based on secret key-phrases.
        >
        > My question are:
        > 1- What can be done in order to enhance security of the whole process without impacting so much in usability aspects?
        >
        > Examples:
        >             - OAUTH Based mechanism can be considered, but at least it should be adapted to mobile scenery.
        >             - In this flow, in step 6 or 7 a password/pin authentication can be added, but is it really necessary?
        >             - There's a risk of "man-in-the-middle" attacks in step 9 to 10.  (some malicious user can retrieve the information when being redirected to third party WAP Portal and login/access unauthorized information).
        >

        Something similar that I did included tokens passed on from the
        payment platform to the content provider after the user's action, who
        would then verify those over ssl with the payment platform.

        The payment platform provided a unique user id for each user so that
        the content provider could customize the experience and avoid any sort
        of user input for authentication, which is the biggest annoyance for
        mobile users on tiny multitap or full keyboards.

        To avoid MITM I would pass along with every communication between
        content provider and payment platform an HMAC or similar of the data
        in the request, to verify it, using some pre-shared key.

        >
        > 2- Is there any standard in mobile word for these kinds of operations?
        >
        >
        > Any comment is greatly preciated
        >
        > Regards,
        >
        > Tito Ocampos
        >
        >
        >
        >
        >

        Cheers,
        Fanis
      • Tito Ocampos
        Thanks for the feedback Fanis. Ok, and what do you think about redirect method in order to transfer between both portal sites? In the current state-of-the-art
        Message 3 of 4 , Jun 8, 2010
          Thanks for the feedback Fanis.

          Ok, and what do you think about redirect method in order to transfer between both portal sites? In the current state-of-the-art technology, is it safe to make use of URL redirect or HTTP redirect in mobile world?

          Another question,  does anyone have experience with Mobile Open ID or any other similar?

          Regards,

          Tito Ocampos

          2010/6/7 Fanis Hatzidakis <wurfl@...>
           

          Hi, inline



          On Mon, Jun 7, 2010 at 06:13, Tito Ocampos <tito.ocampos@...> wrote:
          >
          >
          > Hi guys,
          >
          > I'm working in a project in which we need to integrate a third-party Content Download Store (music, videos, wallpapers, etc) with the "Payment"  Platform owned from the Operator. The flow designed for a "purchase" will have a workflow like below:
          >
          > 1- End User will browse in the WAP Portal from a content provider
          > 2- End User will select a content and check the details for the content
          > 3- End User will click on "Buy" button in the Content Provider WAP portal (HTTPS - SSL Class 3 based))
          > 4- The Content provider will "Redirect" the user to a WAP Page from the "Payment" Platform (or provide a link, for not using automatic "redirect" mechanism)
          > 5- The Payment Platform will receive information about the Content the user wants to buy
          > 6- The Payment Platform will authenticate the end-user authenticity based on information provided from Wap Gateway HTTP Headers and IP (IP based - AAA integration)
          > 7- The Payment Platform will show end user a page with details on the content and price and ask the user to confirm
          > 8- The User will click on "confirm" button
          > 9- The Payment Platform will confirm the purchase and redirect to the WAP Portal content Provider.
          > 10- The WAP portal from content provider will display a page confirming successfull operation.
          >
          >
          > Notice that:
          > - The flow only will be allowed when the user is navigating using operator network.
          > - The operator considers the third-party WAP Portal as "non-trusted" therefore confirmation  from the user is needed before proceed to charging (in some way, similar to when buying with Credit Card on the internet)
          > - For some steps, specially in the redirection process - from third-party portal to payment platform and vice-versa, some aditional mechanism of authorization are being considered like: using TOKEN exchange, RSA encription, MD5 signature based on secret key-phrases.
          >
          > My question are:
          > 1- What can be done in order to enhance security of the whole process without impacting so much in usability aspects?
          >
          > Examples:
          >             - OAUTH Based mechanism can be considered, but at least it should be adapted to mobile scenery.
          >             - In this flow, in step 6 or 7 a password/pin authentication can be added, but is it really necessary?
          >             - There's a risk of "man-in-the-middle" attacks in step 9 to 10.  (some malicious user can retrieve the information when being redirected to third party WAP Portal and login/access unauthorized information).
          >

          Something similar that I did included tokens passed on from the
          payment platform to the content provider after the user's action, who
          would then verify those over ssl with the payment platform.

          The payment platform provided a unique user id for each user so that
          the content provider could customize the experience and avoid any sort
          of user input for authentication, which is the biggest annoyance for
          mobile users on tiny multitap or full keyboards.

          To avoid MITM I would pass along with every communication between
          content provider and payment platform an HMAC or similar of the data
          in the request, to verify it, using some pre-shared key.


          >
          > 2- Is there any standard in mobile word for these kinds of operations?
          >
          >
          > Any comment is greatly preciated
          >
          > Regards,
          >
          > Tito Ocampos
          >
          >
          >
          >
          >

          Cheers,
          Fanis

        • Fanis Hatzidakis
          I don t see why not, regarding redirects, as long as they re coupled with tokens passed around and verified properly. Fanis
          Message 4 of 4 , Jun 9, 2010
            I don't see why not, regarding redirects, as long as they're coupled
            with tokens passed around and verified properly.

            Fanis


            On Wed, Jun 9, 2010 at 06:15, Tito Ocampos <tito.ocampos@...> wrote:
            >
            >
            > Thanks for the feedback Fanis.
            >
            > Ok, and what do you think about redirect method in order to transfer between both portal sites? In the current state-of-the-art technology, is it safe to make use of URL redirect or HTTP redirect in mobile world?
            >
            > Another question,  does anyone have experience with Mobile Open ID or any other similar?
            >
            > Regards,
            >
            > Tito Ocampos
            >
            > 2010/6/7 Fanis Hatzidakis <wurfl@...>
            >>
            >>
            >>
            >> Hi, inline
            >>
            >> On Mon, Jun 7, 2010 at 06:13, Tito Ocampos <tito.ocampos@...> wrote:
            >> >
            >> >
            >> > Hi guys,
            >> >
            >> > I'm working in a project in which we need to integrate a third-party Content Download Store (music, videos, wallpapers, etc) with the "Payment"  Platform owned from the Operator. The flow designed for a "purchase" will have a workflow like below:
            >> >
            >> > 1- End User will browse in the WAP Portal from a content provider
            >> > 2- End User will select a content and check the details for the content
            >> > 3- End User will click on "Buy" button in the Content Provider WAP portal (HTTPS - SSL Class 3 based))
            >> > 4- The Content provider will "Redirect" the user to a WAP Page from the "Payment" Platform (or provide a link, for not using automatic "redirect" mechanism)
            >> > 5- The Payment Platform will receive information about the Content the user wants to buy
            >> > 6- The Payment Platform will authenticate the end-user authenticity based on information provided from Wap Gateway HTTP Headers and IP (IP based - AAA integration)
            >> > 7- The Payment Platform will show end user a page with details on the content and price and ask the user to confirm
            >> > 8- The User will click on "confirm" button
            >> > 9- The Payment Platform will confirm the purchase and redirect to the WAP Portal content Provider.
            >> > 10- The WAP portal from content provider will display a page confirming successfull operation.
            >> >
            >> >
            >> > Notice that:
            >> > - The flow only will be allowed when the user is navigating using operator network.
            >> > - The operator considers the third-party WAP Portal as "non-trusted" therefore confirmation  from the user is needed before proceed to charging (in some way, similar to when buying with Credit Card on the internet)
            >> > - For some steps, specially in the redirection process - from third-party portal to payment platform and vice-versa, some aditional mechanism of authorization are being considered like: using TOKEN exchange, RSA encription, MD5 signature based on secret key-phrases.
            >> >
            >> > My question are:
            >> > 1- What can be done in order to enhance security of the whole process without impacting so much in usability aspects?
            >> >
            >> > Examples:
            >> >             - OAUTH Based mechanism can be considered, but at least it should be adapted to mobile scenery.
            >> >             - In this flow, in step 6 or 7 a password/pin authentication can be added, but is it really necessary?
            >> >             - There's a risk of "man-in-the-middle" attacks in step 9 to 10.  (some malicious user can retrieve the information when being redirected to third party WAP Portal and login/access unauthorized information).
            >> >
            >>
            >> Something similar that I did included tokens passed on from the
            >> payment platform to the content provider after the user's action, who
            >> would then verify those over ssl with the payment platform.
            >>
            >> The payment platform provided a unique user id for each user so that
            >> the content provider could customize the experience and avoid any sort
            >> of user input for authentication, which is the biggest annoyance for
            >> mobile users on tiny multitap or full keyboards.
            >>
            >> To avoid MITM I would pass along with every communication between
            >> content provider and payment platform an HMAC or similar of the data
            >> in the request, to verify it, using some pre-shared key.
            >>
            >> >
            >> > 2- Is there any standard in mobile word for these kinds of operations?
            >> >
            >> >
            >> > Any comment is greatly preciated
            >> >
            >> > Regards,
            >> >
            >> > Tito Ocampos
            >> >
            >> >
            >> >
            >> >
            >> >
            >>
            >> Cheers,
            >> Fanis
            >
            >
            >
            >
          Your message has been successfully submitted and would be delivered to recipients shortly.