One-Time Password Service Using Mobile Phone ... - NTT Data
April 18, 2007

One-Time Password Service Using Mobile Phone Applied to Personal
Internet Banking for the First Time in Japan
- Boosts protection against illegal transactions due to spyware, etc. -

NTT DATA Corporation

NTT DATA Corporation will offer from May 2007 a one-time password service, using a
mobile phone application, to customers of its ANSER-WEB (Account Access)® (Note 1)
personal Internet banking service, as a security measure aimed at enhancing protection
against fraudulent transactions that employ spyware or other means.

Existing personal Internet banking services typically make use of an ID, password,
random numbers or other such information for user authentication. Security can be
improved, however, by employing a one-time password, which changes with every use,
for stronger authentication.

Authentication by one-time password has up to now required equipping users with
dedicated hardware for generating passwords. The newly provided one-time password
service uses mobile phone software developed by NTT DATA to generate the
passwords (Note 2). Besides eliminating the need for users to carry around dedicated
hardware, this approach saves financial institutions the cost of distributing and
managing specialized hardware, greatly reducing their operating burden.

Already four banks are committed to offering this service when it starts up in May, and
NTT DATA expects to have the service introduced by around thirty financial institutions
over the next three years.

1. Background

As the use of Internet banking services has grown, so have incidents of fraudulent
transactions. The perpetrators make use of tactics such as phishing (Note 3) and
spyware (Note 4) to obtain ID and password information necessary for user
authentication in these services, enabling them to pose as rightful users and withdraw
funds. Financial institutions are faced with the urgent need for protective measures
against such fraud.

The measures currently taken by financial institutions to prevent fraud include use of a
software keyboard for password entry, and employing commercial anti-spyware
programs. In addition to these measures, however, there is a growing need for
authentication methods that are more robust while also being easy to implement.

2. Service Overview

Responding to these needs, NTT DATA starting in May 2007 will provide an
authentication service that makes use of a one-time password in addition to the
conventional ID and password for personal identification. This service is being offered
in conjunction with ANSER-WEB (Account Access) (ANSER-WEB(AA)), an ASP
service for personal Internet banking currently provided by NTT DATA to some 80
financial institutions.

Implementing a one-time password authentication scheme up to now has required that
dedicated hardware for password generation be prepared and sent to each user. This
meant that users have had to wait for arrival of the hardware before using the service,
besides putting up with the inconvenience of always carrying around the hardware.

To overcome these problems, NTT DATA has newly adopted a method that allows use
of a one-time password by downloading special password-generation software to the
user's mobile phone. This approach lets users begin the service immediately, and
without the need to carry around dedicated hardware. For financial institutions, it
eliminates the burden of having to send dedicated hardware to users.

The ANSER-WEB(AA) one-time password authentication service works as follows.
Users download to their mobile phone handset a software program for generating
passwords. When using Internet banking, they perform user authentication by entering a
one-time password displayed by the mobile phone application in addition to their normal
ID and password (see Attachment). The one-time passwords are specific to each user,
and a new password is generated every minute. Even if the password is obtained by a
third party fraudulently or by other means, it cannot be used outside its brief lifetime.
In this way, a high security level is realized by this "two-element authentication," in
which users are authenticated by a per-user one-time password in combination with the
ID and password memorized by the user.
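
The flow described above, seen from the server side, as an added example that is not NTT DATA's code: the release does not disclose the BizEmotion-OTP algorithm, so an RFC 6238-style HMAC construction stands in for it, and the names `otp`, `hash_pw` and `Verifier`, the user records and the secrets are constructed for illustration. It shows the three properties the text names: a per-user code, a one-minute lifetime, and acceptance only together with the ID and password (plus rejection of a replayed code).

```python
import hashlib
import hmac
import struct

# Assumption: an RFC 6238-style HMAC code stands in for the undisclosed algorithm.
STEP = 60  # seconds: the page says a new password is generated every minute


def otp(secret: bytes, t: float, digits: int = 6) -> str:
    """HOTP/TOTP-style code for the 60-second window that contains time t."""
    counter = struct.pack(">Q", int(t) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Verifier:
    """Server side: checks ID + password + OTP, and accepts each code once."""

    def __init__(self, users):
        self.users = users        # id -> (salt, password hash, per-user secret)
        self.used = {}            # id -> last time window already accepted

    def login(self, uid: str, password: str, code: str, now: float) -> bool:
        rec = self.users.get(uid)
        if rec is None:
            return False
        salt, pw_hash, secret = rec
        window = int(now) // STEP
        pw_ok = hmac.compare_digest(pw_hash, hash_pw(password, salt))
        otp_ok = hmac.compare_digest(otp(secret, now).encode(), code.encode())
        if not (pw_ok and otp_ok) or self.used.get(uid) == window:
            return False
        self.used[uid] = window   # a captured code cannot be replayed
        return True


# Constructed sample data (not from the page).
T0 = 1_176_999_960  # start of a 60-second window in April 2007
USERS = {
    "alice": (b"salt-a", hash_pw("pw-alice", b"salt-a"), b"constructed-seed-a"),
    "bob": (b"salt-b", hash_pw("pw-bob", b"salt-b"), b"constructed-seed-b"),
}
```

A production verifier usually also tolerates a small clock drift between handset and server; this sketch accepts only the current window.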

3. Benefits of this Service

The service has the following advantages for users and financial institutions.

(1) Benefits for users
- By preventing fraud with a combination of an ordinary password and a highly
  secure one-time password, the service enables more secure use of Internet
  banking.
- It eliminates the need to manage dedicated hardware, which was necessary for
  conventional one-time password use, bringing the security of a one-time password
  to anyone with a mobile phone.
- Use of the service can be started quickly, as soon as the procedures for one-time
  password use are performed in the Internet banking service.

(2) Benefits for financial institutions
- More secure Internet banking service can be provided to users.
- So long as the user has a mobile phone, authentication by one-time password can
  be provided with much less of a burden than conventionally, since this service
  eliminates the trouble of storing and managing dedicated hardware, sending the
  hardware to users, or handling cases of hardware loss by the user.
- NTT DATA is responsible for the functions for one-time password authentication
  and for building and operating the site from which the service software is
  downloaded to mobile phones, greatly reducing the development and operating
  costs to be borne by financial institutions.
- Use of the ASP service provided by NTT DATA makes it possible to start
  provision of one-time password service more quickly, taking as little as two months
  from the decision to introduce the service to the time it is made available to users.
- The enhanced security enables provision of more advanced service, such as
  raising the limits on transaction amounts by users.

4. Adoption by Financial Institutions

The banks and other financial institutions that have decided to introduce the one-time
password service or are considering introduction are listed below (in bank code order).
Many other financial institutions are considering adoption of the service in addition to
those listed here.

(1) Banks committed to starting service provision in the first quarter of fiscal 2007:
The Bank of Iwate, Bank of Kyoto, The Kiyo Bank (Internet branch) (Note 5), Kansai
Urban Banking Corporation, The Kyoto Shinkin Bank

(2) Banks considering the start of service provision during fiscal 2007:
The Shonai Bank, Shizuoka Bank, The Aichi Bank, The Bank of Nagoya, Minato Bank

5. Future Plans

NTT DATA plans to continue working on enhancing security measures in ways that take
advantage of the Internet and mobile banking infrastructure.

Note:

*1 Personal Internet banking service provides individual customers with a range of banking services over
the Internet, allowing them to check their balance, view an itemized list of transactions, transfer funds and
make payments, using a Web browser and email software, or using a mobile phone equipped with a Web
browser. NTT DATA provides the ANSER-WEB (Account Access) ASP service to financial institutions
wishing to implement personal Internet banking services. ANSER-WEB(AA) service is already in use by
around 80 regional banks, shinkin banks, credit cooperatives and other financial institutions.

*2 The service makes use of BizEmotion®-OTP, a one-time password authentication service implemented
using original technology developed jointly by NTT DATA and RSA Security. Central to the one-time
password authentication service is a mobile phone application geared to consumers. The service is
offered as an ASP authentication service equipped with the application downloading functions,
authentication functions, and management functions necessary for one-time password authentication.

*3 Phishing refers to fraud committed by presenting what pretends to be an official email message or Web
site of a financial institution or the like, in order to deceive the user into entering authentication information
(ID, password, etc.), which can then be used to log onto a service.

*4 Spyware is software that runs on a personal computer for the purpose of secretly monitoring user
actions and gathering personal information. It can be used to detect ID and password information entered
by the user at Internet banking sites and the like, and to send this information to the software creator without
the user's knowledge, for fraudulent purposes.

*5 The function is to be provided not for existing Internet banking service but for a newly established Internet
branch.

*ANSER and ANSER-WEB (Account Access®) are registered trademarks of NTT DATA Corporation.
*Other names of products, companies or organizations herein are the trademarks or registered
trademarks of their respective owners.

Attachment: Flow of One-Time Password Authentication

For more information, please contact:

For media inquiries:
Public Relations Office
NTT DATA Corporation
Tel: +81-3-5546-8051

For inquiries about ANSER-WEB (Account Access):
Mr. Motogami, Mr. Kojima
eB Product Planning
eB Business Unit
Payment Solutions Sector
NTT DATA Corporation
Tel: +81-3-5484-4321

For inquiries about the one-time password authentication service:
Mr. Amou, Mr. Endo
Mobile Solutions Planning
Mobile & IC Media Service Unit
Business Solutions Sector
NTT DATA Corporation
Tel: +81-3-5546-8337

News Releases.<br />
The services, prices of products and services, specifications, telephone numbers, etc.<br />
for inquiries and other information included in news releases are the data available on<br />
the day of the release. This information may be changed at any time without notice. In<br />
certain circumstances, due to various risks or unexpected occurrences, actual results<br />
may also be different from the plans or projections in news releases.