The challenges of this influx go beyond tracking the millions of individual chip-embedded inserts that were once used simply to identify and authenticate users. They are going to be expensive to implement, and their growing sophistication means that myriad services will have to be accurately assigned to each of those cards.
And though much-heralded as a secure way for users to manage financial transactions, fraud experts have discovered that SIM cards can be easily breached by hackers.
The cards have long been present in the devices of the world's 646.5 million GSM subscribers, but as American carriers such as AT&T move to GSM networks, and others move to implement SIM cards in CDMA phones, it behooves operators here to understand the pitfalls that may mean the difference between success and a lot of angry customers.
Like Miniature PCs
The first important point is that SIM cards no longer just authenticate users or operate phone books. The cards increasingly resemble miniature PCs, complete with operating systems and the ability to download Java applets. They let users transfer money from bank accounts to pay wireless bills in a postpaid environment, or order more minutes in a prepaid environment. They perform location-based tasks such as finding friends who are traveling in parts unknown (see "Growing Sophistication for SIM Cards").
"Now, many of the cards have as much as 15 KB to 32 KB [of memory]," says Richard Findlay, director of product development at Convergys. "That gives operators the possibility to store applications and communicate with end users with secure short messages. When the next-generation card comes out with 64 KB, you can imagine the potential."
New Databases Required
Implementing SIM cards in CDMA networks is going to be expensive. "There are some initial startup costs," says Ed Jacobsen, vice president of mobile communications solutions for North America at SchlumbergerSema. But in the long run, the cards save money. "The SIM card offers opportunities of call savings in customer support and network operational costs, but there is also going to be great difficulty in keeping track of all those SIM cards," he says.
Imagine a SIM subscriber base of 10 million users, roaming, churning, seeking new services or calling customer service to complain about the SIM card's performance or to upgrade to a newer card. Operators are going to have to create new databases to track SIM card ownership, or improve existing customer databases to match the SIM card to the end user, including unique identifiers that work with digital signatures for financial or other business transactions.
Managing All Those Cards
Though most of the provisioning of services in the SIM cards can occur at the manufacturer's site, the operator has a big job in matching each of the authentication numbers within the SIM cards to a database of customers. Roaming capabilities, both national and international, have to be matched with roaming partner systems. The operator must have an accurate view of its SIM card stock (which cards are in service within phones, which are in storage) and other considerations.
"One challenge is managing the inventory aspects," says Findlay. "You have to order the right SIM cards, manage the creation of the SIM card to the day they're ordered. You have to track the stock of SIM cards, keep up with the replenishment of the cards. … All this stuff is a big logistical challenge." Though an operator's IT department most likely would handle the inventory, it is the billing and back-office people who will hear about defective cards and failure to provision the right services, and the CSRs will hear from frustrated end users who can't access accounts.
"While maintaining the card inventory levels, someone has to process more orders back to the manufacturer, and keep track of which support prepaid, which support postpaid, which need to be used for financial transactions," he says. Each SIM card also has a manufacturer identity number that has to be tracked and logged so inventory practices are accurate.
Roaming and Billing Capabilities
SIM cards also track roaming customers and match them with an operator's roaming agreements. "When I go to Europe, I have a GSM phone; you just put the SIM card in and it helps me use my North American account and other functions such as a phone book," says Findlay. "They [SIM manufacturers] can load onto the chip access to the networks with which they have roaming agreements." When roaming in Britain, for instance, the SIM lets the subscriber register on BT's network, which then sets up communication via SS7 from BT to the home network in the United States.
For billing for services, TAP is still the standard format for call records, which BT creates and transfers to the U.S. carrier, which then bills its roaming customer. This is an example of migrating a traditional billing model (roaming agreements) and employing the SIM card to help in capturing and moving the data along. SIM cards also perform other traditional service requirements, such as activating call waiting and call forwarding, and preventing the user from accessing unauthorized data stored in the phone. "It employs a PIN-blocking code; if you log on unsuccessfully, and you get the PIN wrong, you get blocked out," Findlay says.
Operators and the Authentication Systems
American operators will also have to handle more sophisticated functions and the system requirements they will impose. For instance, operators will have to enable the back-office system to handle the use of digital signatures on handsets while a customer performs complicated financial transactions.
Jean-Louis Carrara, director of self-support in North America for Gemplus, explains how services are programmed into the SIM. "We now have virtual machines and operating systems on board. The card is typically pre-provisioned when we provide it to the operators. We provide the unique identifier, and the operator loads the same information into the authentication system on their home location register, where all the subscriptions are stored," he says. "In most of the world, this is the International Mobile Subscriber Identifier (IMSI). Attached to that is an authentication key, which is registered at an authentication center. A client application in the SIM card drives the phone menu and interacts with the end user. It prevents cloning of the subscription."
Manufacturers such as SmartTrust, Gemplus, SchlumbergerSema and a few others provide most of the world's SIM cards. Companies like Telemac, which develops billing software for prepaid and postpaid customers, sign agreements with manufacturers for software that lets subscribers recharge minutes or access accounts via SIM cards. Telemac and Gemplus announced a deal in April that will integrate Telemac's CostControl software to support roaming, adjust spending limits and perform personal account verification via function keys on the wireless device.
Handling Business Agreements
A Gemplus customer based in the Dominican Republic uses SIM cards for banking and other transactions. The operator lets customers access credit card accounts and bank balances and make transactions over the handsets. The SIM provides access and authentication, but it's up to the operator and the bank to handle the agreement.
"The security aspects are managed by the encryption algorithm on the card, but the business agreements between the operator and the banks are difficult. American consumers and businesses aren't sold on the idea of working with operators and convinced of what they'll earn; the benefit is not yet quantifiable," Carrara says. "They also worry about security, especially when they think of wireless application protocol [WAP]. One of the main issues there is they can't authenticate the user. The gateway and the browser aren't ready to do it."
How Secure?
Opinions vary as to the level of security these systems provide. For instance, SIM architecture has strong encryption, but an IBM report states that SIM cards can be breached.
"The SIM card provides the most secure place to keep digital signatures," says SchlumbergerSema's Jacobsen. "It employs strong authentication, and it is far, far more secure than an open architecture. The card is manufactured to be secure from attacks; they have cryptographic microprocessors. Today you want to use PKI to give access to service; that's where you want the digital certificate to reside, in the phone's SIM card. From a billing point of view, you get strong authentication of the end user in a secure environment that moves with the end user."
But IBM announced in May that it had discovered a weakness in SIM card security. Hackers that can learn the keys in a cell phone can "become you and make phone calls and do business transactions on your behalf," the report says. "Scientists have known for some time that by looking at the side channels such as power consumption and the EM [electromagnetic] emanations from a computing device, one can derive some information about its internal workings. SIM cards deployed in many GSM networks use the COMP128 cryptographic algorithms or its derivatives for user identification and for achieving communications and transaction security. The IBM research team discovered a new way to quickly extract the COMP128 algorithms using side channels in spite of existing protections."
According to IBM, SIM cards can leak a lot of sensitive information into the side channels. The attack can be accomplished by making the card perform the algorithm just seven times with the unknown key. "A hacker who has possession of a SIM card for a minute can easily extract the full 128-bit key," the report states.
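The provisioning Carrara describes (an IMSI with an attached key registered at the authentication center) and the reason a leaked key defeats it can be modelled as a small challenge-response exchange. This is an added example, not code from the article or any vendor: the random-challenge exchange is standard GSM behaviour the article does not spell out, HMAC-SHA256 stands in for COMP128, and the class names, IMSI and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    # Stand-in for the card's A3 step: HMAC-SHA256 cut to a 32-bit response.
    # NOT COMP128; it only mirrors the (key, challenge) -> response shape.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class Sim:
    """Card side: the key stays inside; only the response leaves."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3_stand_in(self._ki, rand)

class AuthCenter:
    """Operator side: IMSI -> key records loaded at provisioning."""
    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def authenticate(self, sim: Sim) -> bool:
        ki = self._keys.get(sim.imsi)
        if ki is None:
            return False  # IMSI was never provisioned
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge each time
        return hmac.compare_digest(a3_stand_in(ki, rand), sim.respond(rand))

def demo() -> dict:
    # Constructed sample values, not real subscriber data.
    imsi, ki = "001010000000001", bytes.fromhex("00112233445566778899aabbccddeeff")
    auc = AuthCenter()
    auc.provision(imsi, ki)
    return {
        "genuine": auc.authenticate(Sim(imsi, ki)),
        "right_imsi_wrong_key": auc.authenticate(Sim(imsi, bytes(16))),
        "unprovisioned_imsi": auc.authenticate(Sim("001010000000002", ki)),
        # A second card holding the same key is indistinguishable to the network.
        "second_card_same_key": auc.authenticate(Sim(imsi, ki)),
    }

if __name__ == "__main__":
    print(demo())
```

Knowing the IMSI alone does not authenticate a card; the whole scheme rests on the key never leaving the SIM, which is why side-channel resistance of the card matters to the operator's fraud exposure.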
Intricacies With Enterprise Customers
There's a new SIM card on the block that end users can remove from one wireless device and insert into another, such as a PDA. "With the recent introduction of Removable Subscriber Module Java cards for the North American CDMA market, SIM-based services will reach an even greater portion of the North American subscriber base," Jacobsen says.
But what happens with enterprise customers whose employees may carry cell phones and handheld organizers and want to access email and other electronic messages and bill the employer for it? Perhaps they want to interchange their personal SIM card with the company's SIM card to keep personal charges separate? That adds to the complexity of handling billing accounts.
"When you think of the new type of SIM cards for preauthorizing, for instance, you have to be able to handle the enterprise customer that wants 500 of these cards for its employees," Findlay says. "The IT department can control who in the company can get on the network; determine who can access the VPN for emails and things like that. With the future of the PDA and more phones around, you're going to see more and more of that stuff in the future. The universal SIM [USIM] card is going to be a big part of UMTS services."
With USIM, the operator may have to carry two profiles of the same customer. For instance, the subscriber may carry around a SIM card that he uses on two phones. The profile may depend on what he has set up, when he pops one into the handset and one into the PDA.
Other operators see SIM cards as a great place to store data for affinity or loyalty programs.
How well wireless operators can move to a SIM architecture is anyone's guess. Approaching the new architecture will take a lot of thought. The health of the data on customer databases, the ability to integrate new customer identity information and handling security algorithms and the like won't be easy. But it's working on other continents, and American carriers may want to look closely at how their foreign counterparts are accomplishing it.
Growing Sophistication for SIM Cards
Wireless providers are looking for Subscriber Identification Module (SIM) cards to boost services. Among the functions:
WAP-enabled SMS: Cellular operators discovered that SMS over WAP was not the killer application it was supposed to be. The connection was slow, configuration cumbersome and expensive. By making the SIM card inside the cell phone more powerful, SMS was much easier to achieve without relying on WAP.
SIM cards could enable cell phones to act as debit cards. If carriers offer mobile banking services, for instance, end users could buy an item, then sign the transaction by sending an alpha-numeric digital signature from the phone. The amount would be automatically deducted from the cash value stored on the phone's e-wallet, located on the SIM card.
Jacking up prepaid accounts: Information stored on the SIM card can be used to let subscribers recharge available airtime by transferring money from a user's bank to the operator. When time grows short on the phone card, it can simply be recharged on the phone, which saves the operator the cost of producing, distributing and selling the calling cards.
Finding another caller through SIM location technology: You know your colleague or friend is in the same city you're in. If the operator offers location-based services, the handset will give that person's location through network measurement results and cell data. The function is meaningless, however, if you can simply call your colleague's cell phone and ask him where he is. The application, however, would have value if it can locate the person when their cell phone is off.
Banking: By making agreements with banks and credit card companies, wireless operators can let users access credit card and bank balances, pay phone bills, or move money from one account to another. One hurdle here is that many people, including bank officials, don't trust the security of cell phones.