The emergence of the Internet has brought dynamism into various activities. Equally, telcos are continuously engaging in R&D to satisfy consumers’ growing appetite. In doing so, the security of consumers’ data is a primary concern for the telcos. In this interview, the General Manager, Products & Innovation, MTN Nigeria, A’isha Umar-Mumuni, explains the telco’s Token service, designed to provide better security than a physical token would.
What informed the introduction of the new MTN Token service?
In line with our vision to deliver a bold new digital world to our customers, we have been looking at solutions that will help our customers transition from accessing and using services physically to doing this digitally. Accessing services digitally saves money, promotes convenience and enhances efficiency. However, the major challenge with accessing and using services digitally is the issue of identity theft and data compromise. People generally believe that any information on the Internet is not safe from hackers. We have therefore introduced our MTN Token service as an alternative authentication solution. MTN Token enables customers to authenticate all their transactions from their mobile phones, provides better security than a physical token and will not compromise our customers’ identity since it does not expose their information to the Internet.
What is the technology behind this innovation?
The technology behind this innovation is a secure applet that has been built onto MTN SIMs. The applet stores our customers’ PINs securely on their SIMs. This applet is connected to the service providers’ servers via an authentication server and validates customers’ PIN whenever they try to access the service providers’ services. MTN Token is actually the first implementation in the world of the Mobile Connect standard as developed by the GSMA, the global body responsible for supporting the standardisation and promotion of GSM mobile telephony. GSMA has invested tremendously in Mobile Connect and it will eventually be deployed and run by mobile network operators across the globe.
It is understood that MTN Token will not allow any vital data of the customer to pass through the Internet protocol. How is that possible?
With MTN Token, validation of the PIN is done on the SIM applet, so personal data are not transmitted during transaction validation. For instance, if a customer wants to access his or her Facebook account, the customer can select the option to log in using MTN Token and enter his/her mobile number. The Facebook server will request authentication from the customer’s SIM. The customer will enter her PIN on a pop-up message that will appear on her phone, and if the PIN the customer entered is correct, the SIM will send an encrypted or coded validation message to the Facebook server. Since the SIM is sending a validation message and not the actual PIN to the server, no system or hacker can intercept the customer’s PIN and gain access to her details.
But some financial institutions already have a token service in place. What is unique about MTN Token?
MTN Token is unique for many reasons. Firstly, MTN Token can be used as a single password (sign-on) to authenticate the customer’s identity on multiple service providers’ mobile and digital platforms. For instance, a customer can use the same password to authenticate all his/her Internet banking, mobile banking, social networking and ecommerce accounts, so there will be no need to remember multiple log-in details. Secondly, MTN Token does not require the customer to transmit any details over the air (Internet, SMS, USSD, etc.), hence eliminating man-in-the-middle fraud. Thirdly, the customer does not need to use any additional device or software for authentication. All that the customer needs is her mobile phone.
At the heart of MTN’s innovation are enterprise solutions, particularly for the SMEs. How will the MTN Token service contribute to this arm of the business?
MTN serving as the aggregator to conveniently and safely authenticate man-to-machine/service interactions will create many enterprise use cases. Some of these use cases will include banking authentication, email authentication, secure login authentication, ATM authentication, e-Commerce, enterprise data authentication, etc.
How does the innovation of the MTN Token fit into the Internet of Things (IoT) platform?
MTN Token was made for IoT because the main challenge to using IoT is guaranteeing secure access to connected devices by their rightful owners. In July, General Motors recalled 1.4 million connected Chrysler cars in America when hackers revealed that they could access the cars remotely. With MTN Token, it is easy to connect any IoT service or server to our platform to manage authentication for IoT services, be it connected cars, connected homes, connected devices etc. and I have already mentioned how secure our service is.
SIM Authentication and customers’ digital identity seem very critical to the viability of this service. Can you expatiate more on what this means?
By using SIM authentication, I mean that authentication happens on the SIM. MTN Token stores customers’ PINs on their SIM cards and nowhere else. When an authentication request comes from a service provider, the SIM validates the PIN that the customer enters on the SIM. The SIM then sends an encrypted/coded authentication message to the service provider. The PIN is not transmitted. So authentication actually starts and ends on the SIM. This way, only the customers know their PINs and this will serve as their digital identity for all manner of digital services.
Despite the claim of stringent security protocol on this service, do you not think there will be an exposure through the Internet at some point due to ever growing dimensions in digital technology?
MTN Token actually reduces the exposure to the Internet compared to other authentication methods. MTN Token does not require any of the customer’s personal information during the authentication process. None of the customer’s personal information is transmitted on the Internet for a third party to intercept.
This service is particular about confidential data management across the board. Does that speak to MTN’s fancy for the cloud computing technology?
MTN understands the importance of data security and continuously researches technology to limit the amount of end-customer data that is exposed in the cloud. By using MTN Token, our customers will not have any fear that their authentication details are stored somewhere in the cloud that may become susceptible to hacking. Even if the customers visit a phishing site in error, the customers will not be able to complete any transaction on the site because the phishing site server will not be connected to the MTN Token servers.
Statistics show that electronic fraud cost the Nigerian economy over N40 billion in 2014; by what percentage do you think adopting the MTN Token service by customers can reduce this figure?
The main share of the electronic fraud comes from phishing, stolen credit card details and relationship fraud. With these types of fraud, customers are usually defrauded before they are aware. By using MTN Token, even if your details have been stolen you will still receive a validation request to your mobile phone when the third party is initiating the fraud. This way, you have the opportunity to terminate a fraudulent activity before it is executed. By combining the lack of personal data transmission on the Internet and the express opportunity to be alerted for PIN validation before every transaction, this will grossly reduce the potential fraud in the economy by at least 50% depending on the adoption of MTN Token.
What options are available to customers who lose the phones with which they registered for this service?
When customers lose their phones, they will not be compromised because no one can access their accounts without knowing their PIN, which is stored on their SIM. As an extra measure, such customers can make a request to MTN customer care to block the line.


