Mobile security is a top priority for many businesses that want to offer high-end mobile customer applications. Two-factor security that is convenient and transparent to customers is increasingly seen as the first strategic domino that must fall to conduct mobile business effectively.
Toronto-based Magna Entertainment Corp., a major North American owner and operator of horse racetracks, is a case in point. Mobile betting via cell phone is a huge growth area in Asia, where projected revenues for 2006 are estimated at US $1 billion. But revenues in North America are zero, largely due to the complexity of regulations.
Magna must worry about issues familiar to the banking industry — anti-money laundering and ‘know-your-customer’ regulations that require organizations to identify their customers and track suspicious financial transactions, said Steve Keech, CIO of Magna.
In addition, the firm must address other wagering-specific regulations, such as age verification and geo-fencing regulations, which require that the company know where people are when they bet and what they bet on, so that the right jurisdiction’s rules are applied if the customer is wagering in Nevada or Ontario, Keech said.
To make its foray into the lucrative North American mobile market, Magna must persuade regulators that it has the capability to follow all regulations.
“There are some grey areas there, and we don’t want to be grey,” said Keech. Magna needs strong authentication and a way to support geo-fencing to kick off the process. “We need to make sure regulators understand what we’re doing and are comfortable with the technology,” he said.
Strong security will also allow Magna to enhance the customer’s wagering experience, said Keech. Magna uses Carlsbad, Calif.-based International Lottery and Totalizator Systems (ILTS) terminals, which allow customers betting at the racetrack to do pari-mutuel wagering, meaning “betting among ourselves.”
Instead of betting against the house, as in a casino, this allows customers to place bets on their own choices against those of every other patron.
High-speed Totalizator terminals pool and compute the odds by applying complex mathematical formulae in line with the Racing Commission’s rules, in addition to providing other information such as horses’ past performance and real-time graphs of odds shifts, and allowing the customer to cash a winning ticket.
“The challenge with the Web is that we really don’t know who’s connecting to our system,” said Keech. “Because of that, we don’t open the full functionality of the Totalizator to customers who connect via the Web. What we’re looking to do by being able to authenticate individual devices is to open more of the Totalizator’s functionality so our customers can get all the value they would at the track.”
Magna considered three vendors before settling on Toronto-based Diversinet Corp.’s mobile security wares. The business case was compelling, said Keech: Diversinet offers gadget-free two-factor security based on a one-time password (OTP) that is generated by a program installed on the same device being secured, be it a cell phone, laptop or PDA.
Once initialized, the device and user are uniquely associated, and both are authenticated at logon. If someone tried to enter the system by stealing a customer’s username and password via shoulder-surfing, explained Keech, the system would not allow him to connect: both the customer’s device, which generates the OTP that authenticates the transaction, and his username and password are needed to log on successfully.
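The two-factor logon described above, as an added illustration that is not Diversinet’s code or anything from the article: a device-bound soft token computes a one-time password, and the server accepts a logon only when the password and a fresh OTP from the enrolled device both check out, so a shoulder-surfed password alone fails. The OTP algorithm (HMAC-based, RFC 4226 style), the in-memory user table and all names are assumptions.

```python
import hmac
import hashlib
import secrets
import struct

# Server-side registry: username -> salted password hash, device secret, OTP counter.
# Constructed in-memory store for the example; a real deployment would use a database.
USERS = {}

def provision(username, password, device_secret=None):
    """Initialize a user: store a salted password hash and bind one per-device secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    device_secret = device_secret or secrets.token_bytes(20)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash,
                       "device_secret": device_secret, "counter": 0}
    return device_secret  # this is what the soft token on the phone holds

def hotp(secret, counter, digits=6):
    """HMAC-based OTP (RFC 4226 style; an assumption, the article names no algorithm)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def device_generate_otp(device_secret, counter):
    """What the program installed on the customer's phone computes for one logon."""
    return hotp(device_secret, counter)

def server_login(username, password, otp, window=3):
    """Both factors must pass: knowledge (password) and possession (device OTP)."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(pw_hash, rec["pw_hash"]):
        return False
    # Look ahead a few counter values so a skipped generation does not lock the user out.
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["device_secret"], c), otp):
            rec["counter"] = c + 1  # advance past the used code so it cannot be replayed
            return True
    return False
```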
Equally attractive is Diversinet’s service bureau model for costing its wares and providing third-party security, said Keech. This allows clients like Magna to purchase OTPs, or soft tokens, on an as-needed basis, instead of sinking a lot of investment into infrastructure build-out and software licenses up-front before even knowing the size and composition of their new markets.
The simplicity of a single framework for all customers also had a strong appeal for Keech.
“There is one authentication method for all customers — in person, laptop, cell phone, whatever — in any country. We don’t have to implement something new every time,” he said.
Wally Kowal, vice-president of marketing at Diversinet, pointed out one major cultural advantage of Diversinet’s approach compared with other two-factor security solutions that require a separate gadget to generate randomized passwords: “If you forget your gadget in the morning, you bug tech support for a temporary password. If you forget your phone, you go back and get it.”
Kowal also pointed out that distributing smart cards and hard tokens typically involves inconvenience to clients and their customers. Customers must present themselves in person to pick up the item, or wait impatiently for a mail-out or some other distribution method.
Not so with Diversinet’s soft tokens. “We provision over the air,” he explained. Clients provide Diversinet with their customers’ phone numbers, and Diversinet sends an SMS or e-mail with a link that lets customers click and download the password-generating program to their cell phones.
“We’ve provisioned phones in Turkey from here,” he said.
For Magna’s age verification requirement, Diversinet creates a credential that is sent down when the device is initialized. “We can do what is essentially a credit check that verifies who you say you are and what your age is, and we can access your credit file,” he said. For geo-fencing, the location fix is derived from the device, assuming it is GPS-enabled — and most North American mobile devices will be within two years as older models are replaced with next-generation models.
Minimizing customer inconvenience while boosting customer confidence in banking security is a huge issue in the industry, said Kowal.