How can cell phones be used to pay bills in a fast and simple way? What features will determine the success or failure of the SmartCard? Will we be using fingerprint ID systems in the future to authorize payments? What's the best way to encrypt an electronic signature? Siemens and Infineon are working on the answers to these questions and many more.
Infineon's FingerTIP sensors are the only microchips designed to be touched; after all, they're there to check your fingerprint.
In the future, we will be able to do many things with our cell phones. But whether downloading a song from the Internet, calling up stock market information, looking at a city map, or just playing a hand of blackjack online, the success of mobile services will greatly depend on how secure, convenient and affordable the method of payment is. Today, the problem is a shortage of fast, economical and secure payment procedures for online transactions. Siemens Information and Communication Mobile (ICM) has therefore joined forces with Stuttgart-based Brokat to develop a system that can debit amounts ranging from thousands of Euros to just a few cents. Known as Pay@Once, the new system works as follows: A payment service provider (a cell phone operator, bank or other financial services company, for example) creates a special account for the user, who can administer and replenish it at any time using the Internet or a cell phone. Users can make online purchases via cell phone, play lotto or even transfer a sum of money to another cell phone. In each case, the transaction is set in motion by the simple push of a button. For reasons of convenience, small amounts can be transferred without a security check, whereas larger sums (the user stipulates the threshold) require a PIN code. A lack of standardization and common interfaces has thus far hindered the development of inexpensive billing procedures that can function among the various systems at different companies.
A team under the direction of Hans-Hermann Wolf, head of Business Development Cooperations at ICM, has therefore been working on an API, a software interface for payment procedures. Siemens has also launched an initial cooperative venture with Hewlett-Packard, which offers a special platform for the development of new electronic services and marketplaces that is freely accessible to all programmers. With Hewlett-Packard's E-Speak application, different types of online services can be linked. This means, for example, that a company providing online games would be able to send a free game voucher in a short text message to the cell phones of loyal customers. The interface to E-Speak is, however, only the beginning. Siemens and Hewlett-Packard have also set up a consortium known as the Payment Group, which will develop a standard interface for mobile payment transactions. "We're holding talks with all the big names in this sector," says Wolf.
Fingerprint identification. SmartCards are still too thick to fit into ATMs, but thinner ones are on the way
But it's not enough to develop mobile applications and payment procedures compatible with various systems. Crucial, too, is to ensure that they are accepted by customers. That's why Rainer Jaschhof and Dr. Axel Findling from Voice Data Integration Projects at ICM are working on a range of scenarios for making Pay@Once as simple and convenient as possible. In the "electronic" world, where an online customer might download, say, an MP3 song, the easiest way to handle identification and payment is on the basis of the customer's cell phone number. In the "real" world, transponders might also be used. Each of these tiny microchips has a globally unique code that can be transmitted to a receiver via radio. They thus provide a simple means of identification for initiating a payment transaction. The devices can be integrated into a chip card, key-ring, wristwatch or cell phone.
Anyone wishing to purchase an item from a vending machine, for example, would simply hold his or her transponder near the machine's reader unit. The amount of the purchase would then be automatically debited from a prepaid account. Of course, the vending machine would have to be connected to Pay@Once via a mobile radio operator. Such a scenario can be varied at will. Moviegoers, for example, could use the system to reserve and pay for tickets in advance. At the entrance to the movie theater, customers would simply point their transponder at the reader unit, and a seat number would be displayed and a ticket automatically printed.
While many private purchases on the Internet are paid for by credit card, payment in the business-to-business (B2B) segment generally still occurs offline. As a rule, bills are printed out on paper and delivered to purchasers. "In Europe, we still don't have uniform e-business procedures in the area of company finances," says Martin Breuer, head of Marketing & Sales at Siemens Financial Services (SFS). Capaxx, a new service and software package developed by SFS, will change all that. It consists of three main components: online credit rating, confirmation of financing, and inexpensive processing. Capaxx checks out the purchaser's creditworthiness just seconds after an online order is made via an electronic marketplace. Here, SFS employs its own database, which uses information on around 300,000 Siemens customers worldwide and receives all the latest online updates from credit inquiry agencies. "The system first decides upon the creditworthiness of the purchaser," Breuer explains, "then, if there are no problems, it issues the seller confirmation that the order will be financed, up to a total of 1.5 mill." Capaxx, the world's first fully automatic online credit-rating system, is now being tested at an electronic marketplace known as "Vertacross." Meanwhile, Breuer is busy developing additional applications. In the future, for example, customers will themselves be able to stipulate the terms of the financing deal and the grace period. Capaxx may also have a future in the areas of leasing and mobile payments. Here, cell phone operators could use the system to check customers' creditworthiness and manage outstanding debts.
As an alternative to the cell phone, chip cards could also be used to make electronic payments. Known as SmartCards, these minicomputers come with a processor, RAM and up to 128 Mbyte of permanent memory. They are so powerful that they will soon be able to support several applications, so that one and the same card might serve as an ATM card, credit card, driver's license, and electronic wallet. "Although the Euro will give us a unified currency throughout much of Europe, the problem is that the various platforms in individual countries remain different," explains Marina Mutapcic, who is in charge of payment systems and e-business applications at the Chipcard ICs business unit at Infineon Technologies AG.
Imagine traveling by train from Munich to Paris with an electronic ticket loaded onto your chip card. To be able to read the card on both sides of the border, rail operators would need to use standardized infrastructure and operating systems. That's why Infineon has joined forces with other industry leaders to support a range of open standards, such as Multos (Multi-Application Operating System for SmartCards) and JavaCard, a kind of Linux for chip cards. A European-wide standard still also has to be established for the Geldkarte (cash card) before it can be used throughout the continent. Crucial to all such standards are the issues of data security and encryption procedures. All confidential data stored on chip cards, including those that function without any contact, must be perfectly secure against forgery, theft etc.
There are a number of pilot projects now under way for testing non-contact chip cards, as electronic tickets in local public transport systems, for example (see NewWorld article "All Aboard!"). There are also plans to use the same contactless technology for cash cards. "Reloading such a card with more money would then take only a fraction of a second," says Mutapcic. Ultimately, chip cards will develop into genuine "systems on a card," capable of independently processing operations such as authentication, identification, and information display. Indeed, there are already initial prototypes capable of displaying the current balance on a Geldkarte. "The next step might be to integrate a scroll button onto a card," says Mutapcic. This could provide access to a record of previous transactions conducted with the card. Somewhere further down the line is the idea of integrating a special sensor that would enable cardholders to voice-activate different functions. Then, for example, the spoken command "Bank" would eliminate the need to scroll down through the card display to the corresponding application.
At the same key length, data-encryption using elliptical curves offers a much higher level of security than the conventional RSA method, which is based on resolving the product of two large prime numbers into its constituent factors. Equivalent protection can thus be achieved with a much shorter key, which means more efficient encryption and faster data transmission
E: y² = x³ + ax + b mod p, with
a = 2
b = 98041560852373919804497702945164778239981033357
p = 1461501637330902700854603783655214859383685196123
consisting of 10146150163733090270085460620150685408864185482153 points
Very much a reality, on the other hand, is a biometric sensor known as FingerTIP, which Infineon already produces. The sensor is used to authorize access to a computer mouse, for example, and the company also plans to integrate it into a chip card. FingerTIP, as the name suggests, is able to identify a person on the basis of his or her fingerprint. All that's needed is for users to place their fingertips on a special chip consisting of 65,000 tiny capacitive sensors. These can measure the exact distance between the surface of the chip and the skin. This information is used to determine the precise pattern of the grooves on the fingertip; the resulting data is compared with reference data encrypted on the card. "We're now working on a project to put a FingerTIP sensor that's 30 µm thick onto a standard-format chip card," Mutapcic explains. The problem with current cards featuring the FingerTIP sensor is that they are still too thick to fit into the slot of a normal card reader.
When fitted in a cell phone, the FingerTIP sensor can also be combined with another biometric technology: voice recognition. According to Dr. Bernhard Kämmerer, head of the Center for Human-Machine Interaction at Siemens Corporate Technology in Munich, the use of "multiple biometry" will not only boost security but also make mobile terminals more user-friendly. With the help of the FingerTIP sensor, for example, authorization to use a cell phone could be regulated quickly and conveniently by means of a fingerprint check. Access to an electronic wallet could also be controlled through an additional method, thereby offering even greater security. "One possibility here would be to have users identify themselves through their voice by repeating numbers generated at random," says Kämmerer. This would protect the system against fraud through tape recordings. Verification would then proceed on the basis of the pattern of sounds produced, with the reference data encrypted on a chip integrated into the cell phone.
Siemens' Virtual Touchscreen is able to recognize the contours of hands and fingers. As such, it offers a new way of authorizing access to public terminals
For ATMs or vending machines in public places, however, such a method is prone to disturbance from background noise. An alternative would be biometric recognition using the contours of the palm and fingers. Kämmerer's method here is based on Siemens' Virtual Touchscreen, a computer fitted with a tiny camera that enables it to recognize hand gestures. This means the user's hand can be positioned at will on the screen. And to ensure that the system can't be outwitted by a wax imprint, users are also required to open and close their hands. "We thus have a groundbreaking approach in the field of dynamic hand-contour recognition technology," says Kämmerer. "But it does demand a lot of processing power, as the system also has to take account of variations in the position of the fingers." To work properly, the ATM would have to be equipped with a computer powerful enough to undertake such an analysis and then compare the result with reference data stored on the user's SmartCard.
Encryption is not only relevant for personal information on SmartCards or biometric data for authorization. To ensure that a payment order, whether by cell phone or SmartCard, is properly and securely processed, an electronic signature must be appended to the data involved. Here, Dr. Heribert Peuckert, head of the Center for Security at Siemens Corporate Technology, has more to offer than the protection provided by the conventional RSA method, which most encryption keys are still based on. Some 20 years old, the RSA method requires the resolution of the product of two very large prime numbers into its constituent factors. "We're working on second generation asymmetrical cryptographic methods," says Peuckert. Such procedures are based on elliptical curves, which offer a much higher level of security at a shorter key length than RSA methods. "We're in a permanent battle with hackers," Peuckert says. "At present, RSA encryption with a 1,024-bit key is regarded as secure, but our method can achieve the same level of protection with just 160 bits." On the Internet, a 512-bit RSA key was recently cracked with the help of parallel computers, and experts are predicting that even 1,024-bit RSA keys will cease to offer sufficient protection in a few years. At that point, 2,048-bit technology will be required.
Developed by Siemens Financial Services (SFS), ePayments is a virtual bank that enables medium-sized, internationally operating companies to process all their payments via the Internet using standards that are uniform worldwide. The system utilizes the UN/EDIFACT data format that is well known to experts. Users don't have to worry about either interfaces or complicated converters. Customers can generate payment orders directly in their Web browsers, append an electronic signature and dispatch it, via a secure data link, to the virtual bank. "The great thing about the system is that with internal company payments, the entire process, from drawing up the payment order to recording that the payment has been processed, is fully automatic, and that's e-business par excellence!" says Willibald Schmeiser, head of Cash Management Solutions at SFS. Siemens has been using the system with great success for a number of years and has likely achieved a unique level of automation in this field. Today, Siemens companies worldwide process internal payments exclusively with the ePayments system, with a volume in excess of 60 billion a year. One major benefit is that the company can avoid expensive foreign transfers. Instead of having to use correspondent banks to make cross-border payments, it can use its own accounts at the virtual bank. Actual processing of the payment occurs in the country where the recipient is based, a procedure that translates into substantial savings. In addition, ePayments also serves as a global liquidity management and payment authorization system as well as an account management system able to calculate accrued interest. Account holders worldwide have access to account information via the intranet or the Internet, where full functionality will be achieved by the end of this year. At that point, Schmeiser would like to market the ePayments system to external customers.
Acting as an application service provider, Siemens would then be able to offer medium-sized companies a range of services such as cash management, management of internal and external payments, and management of internal bank accounts. What's more, such services would be provided with a level of simplicity and functionality that is as yet unavailable on the market.
"Unlike RSA keys, the level of security offered by elliptical curves increases exponentially with bit-length," says Dr. Erwin Hess, an encryption expert on Peuckert's team. For example, an elliptical key 200 bits in length will provide the same security as a 2,048-bit RSA key. Similarly, elliptical keys 256 and 512 bits long would offer the equivalent of a 3,000 or 15,000-bit RSA key. Substantially shorter as they are, such elliptical keys not only require less memory but also lead to much faster ways of encrypting or electronically signing messages. In addition, the size of the electronic signature always corresponds to the bit-length of the key with which it was generated. The result is that transmission of a digital signature based on elliptical curves involves a smaller volume of data. As with the recent technological advances in cell phones, SmartCards and biometric technology, the development of such security procedures indicates that digital money could be in for a bright future, despite today's teething troubles.
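The scaling argument above, worked through as an added example (not part of the original article or of any Siemens code). It assumes the standard textbook cost estimates: the general number field sieve for factoring an RSA modulus and Pollard's rho, about the square root of the group size, for an elliptic-curve key. Both are rough asymptotic figures, so the crossover sizes it computes differ somewhat from the rounded equivalences quoted in the article.

```python
import math

# Leading constant of the general number field sieve (GNFS) cost estimate.
GNFS_C = (64 / 9) ** (1 / 3)

def rsa_security_bits(modulus_bits):
    """log2 of the heuristic GNFS cost of factoring a modulus of this size.

    Asymptotic formula with the o(1) term dropped: a rough guide only.
    """
    ln_n = modulus_bits * math.log(2)
    work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work / math.log(2)

def ec_security_bits(key_bits):
    """log2 of the Pollard rho cost: about sqrt(group order) operations."""
    return key_bits / 2

def rsa_bits_for(security_bits):
    """Smallest RSA modulus size whose GNFS estimate reaches the target."""
    lo, hi = 256, 1 << 20
    while lo < hi:
        mid = (lo + hi) // 2
        if rsa_security_bits(mid) >= security_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo

def comparison_rows(ec_sizes=(160, 200, 256, 512)):
    """(EC key bits, estimated security bits, RSA modulus bits to match it)."""
    rows = []
    for k in ec_sizes:
        level = ec_security_bits(k)
        rows.append((k, level, rsa_bits_for(level)))
    return rows

if __name__ == "__main__":
    print("EC bits  security  matching RSA bits")
    for ec_bits, level, rsa_bits in comparison_rows():
        print(f"{ec_bits:7d}  {level:8.0f}  {rsa_bits:17d}")
    # Doubling the key size: linear gain for EC, far less for RSA.
    print("RSA 1024 -> 2048 gains",
          round(rsa_security_bits(2048) - rsa_security_bits(1024)), "bits")
    print("EC   160 ->  320 gains",
          round(ec_security_bits(320) - ec_security_bits(160)), "bits")
```

The matching RSA size grows much faster than the elliptic-curve size because the attack cost is sub-exponential in the RSA modulus length but exponential in the curve key length.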
Michael Lang