Thursday, October 22, 2009

The SIM-based authentication mechanism in Turkey

Turkcell provides advanced crypto authentication on every SIM card that they ship (Read here). The level of technical security provided in this way can not easily be duplicated in any way as the SIM provides a cost-effective way of distributing crypto keys.

As far as my information goes, at least twelve of the largest banks in Turkey makes use of this solution for secure login in order to gain access to Online banking. Amongst others, the solution is also used in e-Government. (For instance to access and lodge Patents, to get access to government information, during the Customs process and various declarations.) The wide roll-out of this solution places Turkey at the forefront of digital signatures.

The solution has been designed in such a way that it is available on any type of handset (expensive or entry-level, old or new), the interface is simple to understand and use, yet powerful in application. The fact that the same security paradigm is used for many different applications ensure better support and a high level of confidence with the subscriber base.

It would be interesting if some-one could provide us with more information on commercials, the take-up and usage and any technical challenges that Turkcell experienced in deploying this solution. Purely from a technical perspective, every mobile operator should consider deploying similar infrastructure at a marginal increase in cost, but offering significant benefits to all of their subscribers.

Turkcell Mobile Signature is Turkey's first and only ISO/ IEC 27001 Information Security certified GSM service. The service infrastructure and processes are audited by globally accredited audit companies and by Turkish Telecommunications Authority.

No comments: