Secure Wireless Aggregation Across PDAs and Web-enabled …



Secure Wireless Aggregation

, Inc.

3600 Bridge Parkway, Suite 200

Redwood Shores, CA 94065

Abstract

In this paper, we describe the concept of a highly secure wireless aggregation service. A wireless aggregation service is a service that allows a user to view all of his or her personal information (bank balances, credit card balances, brokerage account balances, travel reservations, and email) from any mobile device without requiring the user to “browse.” This personal information is gathered and kept up to date from all the web sites that a user already uses, including online banking, credit card, and brokerage web sites, such as Citibank Direct Access, American Express Cards Online, and Merrill Lynch Direct. Yodlee’s wireless aggregation service gathers information from over 1,400 such web sites today, securely stores all of a user’s login names, passwords, and personal data in one place, and allows the user to securely access this information from a variety of mobile devices including PDAs and web-enabled phones through wireless access and synchronization.

Introduction

The convergence of wireless data technology and the Internet, in its existing form, leaves much to be desired in the way of content and services. The lack of content and services in the wireless environment stems from the need for content and service providers to re-develop existing web applications to suit the wireless environment. Often, this results in browsing-based applications that do not answer a user’s needs conveniently. This presents a new business opportunity for services that aggregate information and package it in a way that meets a user’s needs.

A wireless aggregation service allows one to access all the personal information that one is used to being able to access on the web on a mobile or wireless device. No effort is required by the web sites from which the personal information is aggregated. Such a service brings together the most important pieces of a user’s online life into one place. The typical types of personal information that a wireless aggregation service brings together are bank balances, credit card balances, travel reservations, brokerage account balances, bills, shopping order status, and email. To provide this capability, a wireless aggregation service allows a user to pre-enter all of his or her usernames and passwords via a highly secure web site, and choose a single, master user name and password that can be used to access the wireless aggregation service on a mobile device.

Security is of core importance to a wireless aggregation service, and is the single most critical factor to the success of the service. The service must be technologically secure, and must also communicate the perception of security to the user if she is to provide the service with her user names and passwords. The service needs to be an “information vault” that can securely house user names, passwords, and personal information (including sensitive, personal financial data) for a large number of users, just as banks are vaults for many people’s money. In this paper, we will 1) explain the need for wireless aggregation services, and 2) describe the specific set of security technologies that must be brought together to provide a secure wireless aggregation service.

In exchange for providing a wireless aggregation service with the necessary user names and passwords, the service provides the following benefits for a user:

1) Access to personal data. Access to general personalized data (news, weather, etc.) isn't enough. Access to a user's own personal data (your bank balances, your travel reservations, your stock portfolio balances, etc.) from all the web services that you usually use (Citibank, Travelocity, Merrill Lynch, etc.), on whatever mobile device you happen to have with you, is a killer application for mobile devices.

2) Integrated Experience. Users take advantage of many existing applications on mobile devices such as date books, memo pads, address books, travel management applications, etc. A wireless aggregation service should be able to integrate with these applications such that if a user views travel reservations as web clippings, the user should be given the ability to click a button to automatically insert his or her travel plans into the date book on the device.

3) Ease-of-use. Data entry and the number of clicks that a user needs to go through to carry out any particular task should be minimized whenever possible. The need to enter user names and passwords for each of the services that a user wants to access on a mobile device is eliminated by a wireless aggregation service.

4) Transaction Capability. Users may conduct online transactions on the Internet, and expect to be able to carry out transactions on their wireless devices. A wireless aggregation service provides the hub from which a user can launch a wireless transaction.

5) Extensibility. As new online services become available on the web, these services should also become available on wireless devices. A wireless aggregation service provides the capability to scale and extend itself to aggregate data from an unlimited number of sources.

The Need for Wireless Aggregation

There are several impediments that make existing wireless services hard to use. In the following, we will detail the specific issues that highlight the need for a secure wireless aggregation service:

1) Availability of highly personal information. Wireless web users would like to be able to access the same information that they can access on the wire-line Internet. Unfortunately, content providers need to create WAP/WML, HDML, or web clipping versions of their sites, and, as a result, there are many fewer wireless services available than web services. In addition, in many wireless environments it is difficult for users to access those services that do exist unless the content provider has a relationship in place with a carrier or has an “in-the-box” relationship with a device manufacturer.

2) Access to the most “important” personal information. In bringing wireless services to market, many content providers have attempted to replicate the web desktop experience on wireless devices, which requires users to “browse.” However, in a mobile environment, users typically have specific questions they want answered, such as “what flight am I on?” and “when are my bills due?” Today, these pieces of personal information are scattered among many sites on the Internet. For example, a user might not remember his or her flight number for a flight that was booked with an online travel agency, or a user might want to check the available credit on a credit card before attempting to pay a bill at a restaurant. A wireless aggregation service pulls all this pertinent, personal information together and provides secure, one-click access to mobile users.

3) Data entry on mobile devices is hard for users. Users of Palm-type devices typically need to learn Graffiti or use the software keyboard built into the operating system. Neither approach allows users to enter data at the rate at which they may do using a keyboard in front of a desktop. For users of Web-enabled phones, the situation is much worse. They must enter letters through a numeric keypad. For example, to enter a “V,” a user must press the “8” button three times. In usability tests that we have conducted at Yodlee, very few users are able to successfully enter a URL into the phone without assistance.

For wireless internet access from mobile devices to succeed, users need to be able to reach a maximum amount of information with a minimal amount of data entry. Users will access internet information on wireless devices in ways that are fundamentally different from (and more efficient than) the way in which they access internet information from their desktop PCs.

4) User names and passwords are inconvenient. While user names and passwords provide security for sensitive data on the internet, they are inconvenient to users for two reasons: 1) Users have trouble remembering user names and passwords for each of the online services that they use, and 2) Even if a user can remember the user name and password for a particular online service, entering it into a mobile device is frustrating for all the reasons mentioned above.

5) Browsing is not the right model for information access on mobile devices. When a mobile user is proceeding about her daily business, she has specific questions that she would like answered such as:

a. Do I have enough available credit on my credit card to pay for the restaurant bill?

b. What is the airline and flight number for my flight to Chicago?

c. Did John respond to my email about the latest proposal?

These are the types of questions that are not answered efficiently by “browsing.” Browsing is best suited for resource discovery or search activities. The questions above can be answered quickly through “pointed” access to the most important information from all of a user’s personal online accounts.

What is needed to solve these problems is a secure wireless aggregation service that is capable of browsing on behalf of the user, and carrying out whatever “surgical strikes” are necessary to gather the appropriate pieces of information from the internet to answer a mobile user’s daily questions.

How Wireless Aggregation Works

This section steps through the user experience of a wireless aggregation service, and then describes the high-level architecture of how the service works.

User Experience

Since signing up and configuring any type of service involves multiple steps, and since data entry on a mobile device is difficult, the sign up process for our wireless aggregation service usually takes place on a web site. To sign up for the service, the user first chooses a secure, master user name and password. The user name must be at least three characters in length, and the password must be at least six characters with at least one digit or symbol.

The user may then peruse any of the 1400+ sites that the service supports, and is prompted to provide the credentials needed to log into his or her account at particular sites. These credentials usually consist of a user name and password, but can also include social security numbers or personal identification numbers. Once the user has entered the credentials for each site, the service dispatches a software robot to the target sites. The robot uses the credentials to log into the site on behalf of the user, gathers the most important pieces of personal information from the site, and stores the information in an encrypted database. The information is then displayed for the user on one consolidated web page that has a summary of all of the user’s personal information from all of the sites that the user has added to the service. An illustration of this web page can be found in Figure 1.

[Figure 1 image omitted; see the Figure 1 caption below]

Once a user has signed up for the service, and added one or more sites to his or her account, the user may then access summarized personal information from any of the mobile devices that the service supports. Yodlee supports Web-enabled phones, as well as Palm and PocketPC devices through wireless access and synchronization.

On web-enabled phones (HDML or WML), a user may bookmark the URL for the service (in our case, ) and log in to the service by entering the master user name and password[1]. At that point, the user may access personal information from any of the sites that he or she added to the account. The service presents the user with a menu of the relevant sites, and allows the user to choose any of them with one touch of a button. Upon choosing a site, the service will respond with personal account information and allow the user to click through the information with virtually no data entry.

On the web-enabled phone service, once the user has drilled down to a particular site, the user is given the option of clicking into a menu that allows the user to:

1) Check when his or her personal account information was last updated,

2) Refresh the information in real-time, or

3) Place a one-touch call to the customer service department. For example, if the user notices that her available credit is lower than expected, she may click “Call Citibank” to automatically place a call to her credit card company.

On Palm or Pocket PC devices that are capable of synchronization with a user’s desktop, but not necessarily capable of wireless access, users may access this information on their devices via synchronization applications that are provided by Yodlee. The synchronization applications take advantage of the user’s desktop as a gateway to the web, and connect to the aggregation service every time that the user synchronizes her device with her PC. A user’s personal account information is synchronized into an application on the PDA, as well as disseminated into PIM applications. Our service synchronizes all of the user’s personal information into a “Yodlee” application on the device, as well as into the Date Book / Address Book applications on the Palm or into Pocket Outlook on Pocket PCs. For example, if the user has a travel reservation at Travelocity, the airline, flight number, confirmation number, etc. are synchronized into the Yodlee application, and appropriate entries are automatically made in the user’s date book for the departing and arriving flights.

High-Level Architecture

Behind our wireless aggregation service is a sophisticated distributed system that consists of three key parts: a content aggregation platform, an application platform, and a dissemination platform. The architecture is shown below in Figure 5.

Content Aggregation Platform

This part of the architecture is responsible for aggregating personal information from a variety of data sources, whether those data sources are web/HTML pages, XML or OFX data feeds, QIF files, or other custom data sources. The aggregation platform has been built to allow new sites to be added to the service very quickly; the actual technical effort required to add a new site to the service is only one to three hours, depending upon the complexity of the site. The aggregation engine is provided user authentication information by the application platform, and uses these credentials to access personal data on behalf of a user. This personal data is then encrypted and stored, in a semantically normalized, XML-based format, in the databases housed in the application platform.
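The following is an added example, not Yodlee's code: it shows what "semantically normalized, XML-based" storage means in practice by taking records from two of the source kinds named above, a QIF file and a record a web robot pulled out of an HTML balance page, and emitting both in one XML schema. The element and attribute names are made up for this example, both inputs are constructed samples, and dates are assumed to be US-style MM/DD/YYYY and normalized to ISO 8601.

```python
"""Added example, not Yodlee's code: turning records from two kinds of
data source, a QIF file and a record a web robot extracted from an HTML
balance page, into one normalized XML format that the application
platform could store for every source alike.

Assumptions not taken from the paper: the element and attribute names
below are made up for this example; both inputs are constructed samples;
dates are US-style MM/DD/YYYY and are normalized to ISO 8601.
"""
import xml.etree.ElementTree as ET
from datetime import date
from decimal import Decimal
from typing import Dict, List

# Constructed QIF sample. QIF is line-oriented: the first character of a
# line is the field code (D date, T amount, P payee) and '^' ends a record.
SAMPLE_QIF = """!Type:Bank
D03/14/2001
T-42.17
PSPRINT PCS
^
D03/15/2001
T1,500.00
PPAYROLL DEPOSIT
^
"""

# Constructed record as a robot might extract it from a bank's HTML page;
# the keys follow that page's layout rather than any standard.
SAMPLE_HTML_RECORD = {
    "institution": "Example Bank (constructed)",
    "acct": "Checking ...1234",
    "bal": "$1,457.83",
    "asof": "03/15/2001",
}


def parse_qif(text: str) -> List[Dict[str, str]]:
    """Parse QIF transactions into dicts keyed by single-letter field code."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or a header such as !Type:Bank
        if line == "^":
            if current:
                records.append(current)
            current = {}
            continue
        current[line[0]] = line[1:]
    if current:  # tolerate a final record without the closing '^'
        records.append(current)
    return records


def iso_date(us_date: str) -> str:
    month, day, year = us_date.split("/")
    return date(int(year), int(month), int(day)).isoformat()


def canonical_amount(text: str) -> str:
    """'$1,457.83' or '-42.17' -> exact decimal string with two places."""
    cleaned = text.replace("$", "").replace(",", "").strip()
    return str(Decimal(cleaned).quantize(Decimal("0.01")))


def normalize(source_type: str, institution: str, account: str, payload) -> ET.Element:
    """Build one <account> element; every source ends up in the same schema."""
    acct = ET.Element("account", source=source_type,
                      institution=institution, name=account)
    if source_type == "qif":
        for rec in parse_qif(payload):
            ET.SubElement(acct, "transaction", date=iso_date(rec["D"]),
                          amount=canonical_amount(rec["T"]), payee=rec.get("P", ""))
    elif source_type == "html":
        ET.SubElement(acct, "balance", date=iso_date(payload["asof"]),
                      amount=canonical_amount(payload["bal"]))
    else:
        raise ValueError(f"unsupported source type: {source_type}")
    return acct


def aggregate() -> str:
    """Return the normalized XML for both constructed sources as one document."""
    vault = ET.Element("user_data")
    vault.append(normalize("qif", "Example Bank (constructed)", "Checking", SAMPLE_QIF))
    vault.append(normalize("html", SAMPLE_HTML_RECORD["institution"],
                           SAMPLE_HTML_RECORD["acct"], SAMPLE_HTML_RECORD))
    return ET.tostring(vault, encoding="unicode")
```

Amounts are carried as exact decimals rather than floats, and a source-specific parser is the only part that changes when a new site or feed type is added; the `<account>`/`<transaction>`/`<balance>` shape that the rest of the service sees stays fixed.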

Application Platform

The application platform stores all user data, and also handles requests to refresh user data. The data accessed from the data sources in the content aggregation platform is gathered in a “pull” fashion. Request routing services determine when data should be aggregated, and also route real-time requests from users to have data refreshed. Currently, the application platform requests the aggregation platform to gather data on behalf of a user on a once-a-day basis, and allows users to refresh data upon request. Going forward, the application platform will be enhanced with more flexibility. For example, a bank may only update balances on its web site once a day for each user, and hence it only makes sense to aggregate shortly after those balances have been updated. For more generic types of content, such as news, headlines may be updated frequently throughout the day, and the same information can be used across users. The application platform will be enhanced to handle the gathering of data at different times, and to allow gathered data to be shared across users when this makes sense.

Dissemination Platform

The dissemination platform allows the service to render data to multiple platforms including the web, wireless and synchronized handheld devices, and web-enabled phones. The dissemination platform interfaces with wireless gateways and proxy servers, and renders data in several mark-up languages including HDML, WML, and HTML. The dissemination engine is architected such that new rendering agents can be written quickly. In addition, the dissemination platform contains a set of security services that allows users to authenticate themselves from various platforms, and also handles all of the necessary synchronization logic to deal with those devices that support synchronized access.

Security in a Wireless Aggregation Service

Security is required at multiple levels in a wireless aggregation service. Physical security is required to protect the databases in the data center where the servers running the service reside. Network layer security is required to protect data as it travels from one node on the network to another. Database security is required to protect data while it is stored in our databases. Application layer security provides end-to-end security and is required to protect data from being viewed by third-party nodes on the network. In this section, we will expand on the security layers that have been built and integrated into our wireless aggregation service to protect user data 24 hours a day, 7 days a week.

Physical Security

The servers that store user names, passwords, and other personal data about users of the service are housed at a third-party data center in a vault. The vault is constructed with double aluminum walls and high-impact resistant glass. Access to the vault requires biometric authentication by hand print scan, and is under 24 x 7 video surveillance. The floor tiles in the vault are locked down. The vault has dedicated power, lighting, fire suppression, and has dedicated shielded connections to the network. Access to the vault is limited to a very small number of administrators, and access to the vault must be signed off by two specific high-level technical managers at Yodlee.

Network Layer Security

• Firewalls. All access to the application network must go through doubly-redundant firewalls. Additional firewalls are used to secure access to the Yodlee database from the application servers.

• Intrusion Detection. The entire production network is monitored and policed for intrusion attempts 24x7.

• Private Addressing. The application network uses private IP addressing, which protects servers that do not require access to the Internet.

• Sanitized Systems. The machines on the Yodlee network run only the minimum set of services required to operate the Yodlee application. Yodlee installs all machines inside its network by cloning from a single master server, to eliminate security flaws that may occur due to improper configuration.

Database Security

All usernames and passwords in the databases for the aggregation service are stored encrypted using Triple-DES (3DES) with a 192-bit key.

Application Security

Data that is exchanged by application servers is encrypted in transit over the privately addressed application network.

Security on Desktop PC Platforms

• SSL. All communication between a web browser and the service takes place over SSL, which creates a server-side authenticated, encrypted connection between a user's browser and the application’s web servers.

Security on Web-enabled Phones

• WTLS/Encrypted HDTP. All access to the service from wireless web-enabled phones through proxies requires the use of WTLS (Wireless Transport Layer Security) or Encrypted HDTP between the mobile phone and the proxy.

Security on Palm and PocketPC Devices

• Certicom ECC. All access to the service from wireless PDAs such as the Palm (either via Palm VII or the OmniSky/Minstrel wireless modem) is encrypted using Certicom’s ECC toolkit.

• Secure Logout Functionality. On wireless Palm devices, the Web Clipping browser keeps a cache of previously accessed pages. After using the wireless aggregation service, a user may have cached pages that contain bank balances, credit card balances, account numbers, and other sensitive information. If the user’s Palm is stolen, an adversary may be able to read this sensitive information simply by opening pages in the cache, without ever being asked for a password. Although neither the browser nor the Palm OS provides a native API for this, we built functionality that allows a user to click a “Logout” button that clears the cache of any sensitive data. Additionally, this functionality sends a network message to the server to terminate and invalidate the user’s session.

• Synchronization Security. The synchronization applications connect to the aggregation service each time that the user synchronizes her PDA with her PC and accesses new personal information that may be available at the server. Of course, the user must be authenticated each time this synchronization takes place, but it would be inconvenient for the user to enter her password each time that she wants to synchronize.

To address this trade-off between security and convenience, our synchronization applications prompt the user for her password the first time she synchronizes with the service, authenticate the user, and store on the user’s PDA an authentication token that is known only to the server. On subsequent synchronizations, the authentication token is sent to the server, and the user is authenticated based on the token.

If the user’s PDA is stolen, it is of critical importance that the adversary cannot compromise the user’s password. Since the password itself is never stored on the PDA, the adversary cannot compromise the user’s password.
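The following is an added example, not Yodlee's code, that puts three pieces of this section into one server-side model: the master-credential policy from the sign-up description (user name of at least three characters, password of at least six with a digit or symbol), the server half of the Palm “Logout” button (invalidating the session so a cached session id is useless if replayed), and the synchronization tokens just described (password entered once, a token rather than the password kept on the PDA, and the token revocable if the device is stolen). Everything beyond those points is an assumption: an in-memory dictionary stands in for the service database, the master password is verified against a salted PBKDF2 hash, sessions and sync tokens are random 128-bit values of which the server keeps only a SHA-256 digest, and a device label identifies each enrolled PDA.

```python
"""Added example, not Yodlee's code: the master-credential policy stated
in the paper, server-side session invalidation behind the Palm "Logout"
button, and password-free PDA synchronization tokens.

Assumptions not taken from the paper: an in-memory dictionary stands in
for the service database; the master password is verified against a
salted PBKDF2 hash (the paper gives only the policy, not the storage);
sessions and sync tokens are random 128-bit values of which the server
keeps only a SHA-256 digest; a device label identifies each enrolled PDA
so a stolen device's token can be revoked without touching the others.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def validate_master_credentials(username: str, password: str) -> List[str]:
    """Policy from the paper: user name >= 3 characters, password >= 6
    characters with at least one digit or symbol. Returns the violations."""
    problems = []
    if len(username) < 3:
        problems.append("user name must be at least three characters")
    if len(password) < 6:
        problems.append("password must be at least six characters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("password must contain at least one digit or symbol")
    return problems


def password_hash(password: str, salt: bytes) -> bytes:
    # Slow hash: a leaked table of hashes is still expensive to guess against.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def digest(secret: str) -> bytes:
    # The server stores only this, so a database copy yields no usable tokens.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    sessions: Set[bytes] = field(default_factory=set)            # live phone/web sessions
    sync_tokens: Dict[bytes, str] = field(default_factory=dict)  # token digest -> device


class AuthServer:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def signup(self, username: str, password: str) -> None:
        problems = validate_master_credentials(username, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, password_hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            password_hash(password, user.salt), user.pw_hash)

    # Interactive sessions (web-enabled phone, Palm web clipping).
    def login(self, username: str, password: str) -> Optional[str]:
        if not self.check_password(username, password):
            return None
        session = secrets.token_hex(16)
        self.users[username].sessions.add(digest(session))
        return session

    def session_valid(self, username: str, session: str) -> bool:
        user = self.users.get(username)
        return user is not None and digest(session) in user.sessions

    def logout(self, username: str, session: str) -> None:
        """Server half of the Logout button: the device clears its cache,
        the server forgets the session so the id is useless if replayed."""
        self.users[username].sessions.discard(digest(session))

    # PDA synchronization: password once, then a token lives on the device.
    def enroll_device(self, username: str, password: str, device: str) -> Optional[str]:
        if not self.check_password(username, password):
            return None
        token = secrets.token_hex(16)
        self.users[username].sync_tokens[digest(token)] = device
        return token  # stored on the PDA in place of the password

    def sync_authorized(self, username: str, token: str) -> bool:
        user = self.users.get(username)
        return user is not None and digest(token) in user.sync_tokens

    def revoke_device(self, username: str, device: str) -> int:
        """Stolen PDA: the thief cannot learn the password from the token,
        but the token itself must be revoked. Returns how many were dropped."""
        tokens = self.users[username].sync_tokens
        doomed = [h for h, d in tokens.items() if d == device]
        for h in doomed:
            del tokens[h]
        return len(doomed)
```

The design point the paper makes is that the PDA never holds the password; the model above adds the server-side complement, which is that a sync token is only as good as the server's willingness to honour it, so revocation per device is what limits the window after a theft, and hashing tokens at rest means a copy of the server table does not hand out working tokens either.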

Conclusion & Future Work

A secure wireless aggregation service addresses the key barriers that users have today when trying to access a large breadth of personal information on mobile devices. The secure wireless aggregation service discussed in this paper provides a solid foundation upon which more significant value-added services can be built by other companies as well as Yodlee itself. For example, since the service’s information vault stores all of a user’s information in a single place in a normalized fashion, a user’s credit card balances can be reconciled against bank account balances, and the user can be sent an alert if there are not enough funds to pay the credit card bills. The value of a wireless aggregation service is that it provides a platform upon which many other companies can build, bringing to market a wave of advanced advisory and transactional services for mobile devices specifically designed to meet the unique needs of the mobile user community.

-----------------------

[1] The first time that the user uses the service, he or she will have to enter the user name, but once the user successfully logs in, the user name is pre-populated to minimize data entry.

-----------------------

[Figure 4 content: supported-site categories with example sites; the screenshot images themselves are not included]

Banking

• Chase Manhattan Bank

• Citibank

• Wells Fargo

• Bank of America

Credit Cards

• American Express

• Citibank

• FirstUSA Visa

• Discover Card

Investments

• Fidelity

• E*Trade

• Charles Schwab

• TD Waterhouse

Bills

• Service

• Sprint PCS

• MCI WorldCom

• AT&T Wireless

Email

• AOL NetMail

• Hotmail

• Yahoo! Mail

• Excite Mail

Travel

• Travelocity

• Expedia

• CheapTickets

• Preview Travel

Figure 2(a): A user may sign up for a wireless aggregation account by choosing a master user name and password.

Figure 2(b): After creating the account, the user may enter user names and passwords for all of the web sites that he or she uses on the web.

Figure 2(c): A user can see all of the personal information from all of the web sites that he or she typically uses on the web.

Figure 2(d): By clicking on any of the links in Figure 2(c), the user may get more detail about a particular account. The Palm VII aggregation application also integrates with the PIM functionality of the device, and allows the user to save this information to the memo pad.

Figure 4: A sampling of just a few of the 1400 sites that the wireless aggregation service supports is shown above. The sites that are supported on the service are chosen through a combination of research on the most popular sites on the Internet conducted by Yodlee’s product marketing group, as well as through user suggestions.

Figure 3(a): After a user logs into the aggregation service on a web-enabled phone, she can access any of the web sites she uses with one touch of the numeric keypad.

Figure 3(b): By pressing “1” on the menu, the user accesses travel reservation information from Expedia without having to enter another user name and password.

Figure 3(c): By pressing “5” on the menu, the user accesses credit card information from Citibank without having to enter another user name and password.

Figure 5: High-Level Architecture of the Yodlee Wireless Aggregation Service.

The user typically goes about the process of signing up for the service and adding sites on the web, but the service also allows the user to sign-up on some mobile devices, such as the Palm VII, if the form factor permits. While users in the domestic US are most likely to take advantage of the web as the preferred medium by which to sign up and add sites to the account, this may not hold true as the service is deployed internationally, where mobile devices may be the primary mode of access to the Internet.

Yodlee’s aggregation service supports over 1400 sites, and sites are continuously being added to the service. These sites are organized into approximately 25 categories, and users take advantage of the category classifications to help them search for the sites that they commonly use on the Internet. Alternatively, users may search for supported sites by entering a search keyword. Examples of the sign up process, and of the process by which a user may add sites to the service on a Palm VII, are shown in Figure 2. Examples of some of the categories and sites that the service supports are shown in Figure 4.

Figure 1: An illustration of a user’s information aggregated on a web page after the appropriate user names and passwords have been entered.

[Figure 5 diagram labels, recovered from the image text: Content Aggregation Platform (YRobot; inputs HTML, XML, OFX, QIF, Custom; “From Content Partners”); Application Platform (Database, Web Application Services, Request Routing Services); Yodlee Dissemination Platform (Customizable Cobrand Interface, Summarization, Yodlee Email, Desktop Software / Mobile & Wireless Interface; “To Distribution Partners”)]
