One-Time Password Service Using Mobile Phone ... - NTT Data

April 18, 2007
One-Time Password Service Using Mobile Phone Applied to Personal
Internet Banking for the First Time in Japan
- Boosts protection against illegal transactions due to spyware, etc. -
NTT DATA Corporation
NTT DATA Corporation will offer from May 2007 a one-time password service, using a
mobile phone application, to customers of its ANSER-WEB (Account Access) ® (Note 1)
personal Internet banking service, as a security measure aimed at enhancing protection
against fraudulent transactions that employ spyware or other means.
Existing personal Internet banking services typically make use of an ID, password,
random numbers or other such information for user authentication. Security can be
improved, however, by employing a one-time password, which changes with every use,
for stronger authentication.
Authentication by one-time password has up to now required equipping users with
dedicated hardware for generating passwords. The newly provided one-time password
service uses mobile phone software developed by NTT DATA to generate the
passwords (Note 2) . Besides eliminating the need for users to carry around dedicated
hardware, this approach saves financial institutions the cost of distributing and
managing specialized hardware, greatly reducing their operating burden.
Already four banks are committed to offering this service when it starts up in May, and
NTT DATA expects to have the service introduced by around thirty financial institutions
over the next three years.
1. Background
As the use of Internet banking services has grown, so have incidents of fraudulent
transactions. The perpetrators make use of tactics such as phishing (Note 3) and
spyware (Note 4) to obtain ID and password information necessary for user
authentication in these services, enabling them to pose as rightful users and withdraw
funds. Financial institutions are faced with the urgent need for protective measures
against such fraud.
The measures currently taken by financial institutions to prevent fraud include use of a
software keyboard for password entry, and employing commercial anti-spyware
programs. In addition to these measures, however, there is a growing need for
authentication methods that are more robust while also being easy to implement.
2. Service Overview

Responding to these needs, NTT DATA starting in May 2007 will provide an
authentication service that makes use of a one-time password in addition to the
conventional ID and password for personal identification. This service is being offered
in conjunction with ANSER-WEB (Account Access) (ANSER-WEB(AA)), an ASP
service for personal Internet banking currently provided by NTT DATA to some 80
financial institutions.
Implementing a one-time password authentication scheme up to now has required that
dedicated hardware for password generation be prepared and sent to each user. This
meant that users have had to wait for arrival of the hardware before using the service,
besides putting up with the inconvenience of always carrying around the hardware.
To overcome these problems, NTT DATA has newly adopted a method that allows use
of a one-time password by downloading special password-generation software to the
user's mobile phone. This approach lets users begin the service immediately, and
without the need to carry round dedicated hardware. For financial institutions, it
eliminates the burden of having to send dedicated hardware to users.
The ANSER-WEB(AA) one-time password authentication service works as follows.
Users download to their mobile phone handset a software program for generating
passwords. When using Internet banking, they perform user authentication by entering a
one-time password displayed by the mobile phone application in addition to their normal
ID and password (see Attachment). The one-time passwords are specific to each user,
and a new password is generated every minute. Even if the password is obtained by a
third party fraudulently or by other means, it cannot be used outside its brief lifetime.
In this way, a high security level is realized by this gtwo-element authentication," in
which users are authenticated by a per-user one-time password in combination with the
ID and password memorized by the user.
3. Benefits of this Service
The service has the following advantages for users and financial institutions.
(1) Benefits for users
By preventing fraud with a combination of an ordinary password and a highly
secure one-time password, the service enables more secure use of Internet
banking.
It eliminates the need to manage dedicated hardware, which was necessary for
conventional one-time password use, bringing the security of a one-time password
to anyone with a mobile phone.
Use of the service can be started quickly, as soon as the procedures for one-time
password use are performed in the Internet banking service.
(2) Benefits for financial institutions
More secure Internet banking service can be provided to users.
So long as the user has a mobile phone, authentication by one-time password can
be provided with much less of a burden than conventionally, since this service
eliminates the trouble of storing and managing dedicated hardware, sending the
hardware to users, or handling cases of hardware loss by the user.
NTT DATA is responsible for the functions for one-time password authentication
and for building and operating the site from which the service software is
downloaded to mobile phones, greatly reducing the development and operating

costs to be borne by financial institutions.
Use of the ASP service provided by NTT DATA makes it possible to start
provision of one-time password service more quickly, taking as little as two months
from the decision to introduce the service to the time it is made available to users.
The enhanced security enables provision of more advanced service, such as
raising the limits on transaction amounts by users.
4. Adoption by Financial Institutions
The banks and other financial institutions that have decided to introduce the one-time
password service or are considering introduction are listed below (in bank code order).
Many other financial institutions are considering adoption of the service in addition to
those listed here.
(1) Banks committed to starting service provision in the first quarter of fiscal 2007:
The Bank of Iwate, Bank of Kyoto, The Kiyo Bank (Internet branch) (Note 5) , Kansai
Urban Banking Corporation, The Kyoto Shinkin Bank
(2) Banks considering the start of service provision during fiscal 2007:
The Shonai Bank, Shizuoka Bank, The Aichi Bank, The Bank of Nagoya, Minato Bank
5. Future Plans
NTT DATA plans to continue working on enhancing security measures in ways that take
advantage of the Internet and mobile banking infrastructure.
Note:
*1 Personal Internet banking service provides individual customers with a range of banking services over
the Internet, allowing them to check their balance, view an itemized list of transactions, transfer funds and
make payments, using a Web browser and email software, or using a mobile phone equipped with a Web
browser. NTT DATA provides the ANSER-WEB (Account Access) ASP service to financial institutions
wishing to implement personal Internet banking services. ANSER-WEB(AA) service is already in use by
around 80 regional banks, shinkin banks, credit cooperatives and other financial institutions.
*2 The service makes use of BizEmotion ® -OTP, a one-time password authentication service implemented
using original technology developed jointly by NTT DATA and RSA Security. Central to the one-time
password authentication service is a mobile phone application geared to consumers. The service is
offered as an ASP authentication service equipped with the application downloading functions,
authentication functions, and management functions necessary for one-time password authentication.
*3 Phishing refers to fraud committed by presenting what pretends to be an official email message or Web
site of a financial institution or the like, in order to deceive the user into entering authentication information
(ID, password, etc.), which can then be used to log onto a service.
*4 Spyware is software that runs on a personal computer for the purpose of secretly monitoring user
actions and gathering personal information. It can be used to detect ID and password information entered
by the user at Internet banking sites and the like, and to send this information to the software creator without
the user's knowledge, for fraudulent purposes.
*5 The function is to be provided not for existing Internet banking service but for a newly established Internet
branch.
*ANSER and ANSER-WEB (Account Access ® ) are registered trademarks of NTT DATA Corporation.
*Other names of products, companies or organizations herein are the trademarks or registered
trademarks of their respective owners.
Attachment : Flow of One-Time Password Authentication

For more information, please contact:
For media inquiries:
Public Relations Office
NTT DATA Corporation
Tel: +81-3-5546-8051
For inquiries about ANSER-WEB (Account Access):
Mr. Motogami, Mr. Kojima
eB Product Planning
eB Business Unit
Payment Solutions Sector
NTT DATA Corporation
Tel: +81-3-5484-4321
For inquiries about the one-time password authentication service:
Mr. Amou, Mr. Endo
Mobile Solutions Planning
Mobile & IC Media Service Unit
Business Solutions Sector
NTT DATA Corporation
Tel: +81-3-5546-8337
News Releases.
The services, prices of products and services, specifications, telephone numbers, etc.
for inquiries and other information included in news releases are the data available on
the day of the release. This information may be changed at any time without notice. In
certain circumstances, due to various risks or unexpected occurrences, actual results
may also be different from the plans or projections in news releases.