
Mobile Signature in Turkey

A case study of Turkcell: MobilImza

Co-authored: GSMA Mobile Identity team & Turkcell

GSMA: Mobile Identity — Turkcell

I. Executive Summary

In 2007, Turkey was the first country to launch a mobile signature solution – Turkcell’s “MobilImza” service. Since then, the solution has evolved, the number of available services has increased, and usage per subscriber has multiplied by five. Turkcell is now a reference for other operators that have launched similar mobile signature solutions (e.g. , ) or are planning launches (e.g. ).

With a limited but growing number of users, Turkcell continues to identify and overcome barriers to adoption. This represents a good opportunity to study the requirements and key success factors of mobile signature solutions.

This case study begins with a summary of the Turkish ecosystem, highlighting the favourable conditions that have contributed to the creation of the Turkcell mobile signature solution. It then describes the different aspects of the solution: technical architecture, partnerships, user adoption and usage, and the business model. Finally, it examines key success factors identified by Turkcell and the GSMA Mobile Identity team; factors such as the lean subscription process, favourable local legislation and necessary partnerships with service providers that drive adoption and usage.

II. Introduction to the Turkish environment and to Turkcell

A. The Turkish environment

1. The importance of signature in administrative processes

The launch of mobile signature services in Turkey was a global first. To understand why this technology emerged in Turkey in the first place, it is important to understand the role of signature in Turkey. As in all other countries, signatures are required to finalise contracts. For example, opening a bank account, even with a branchless (online) bank, requires a contract with a traditional “wet signature”. Despite its simplicity, it is the most universal way to authenticate documents.

In Turkey, a signature is required for many processes, which would not require proof of acceptance in other countries. For example, it is compulsory for all companies in Turkey to collect employees’ signatures when monthly payslips are distributed. This is a legal necessity specified by the country’s labour laws. The same is true for holiday requests, corporate flight reservations, annual leave and a number of other daily processes.

The extensive use of signatures explains why Turkey adopted an electronic signature law early in 2004 in order to give digital signatures the same legal value as wet signatures. At that time, four Certificate Authorities were designated by the State to issue digital certificates to companies and individuals. Turkcell was able to rely on this pre-existing ecosystem for electronic signatures to launch mobile signature in 2007, even though the law needed to be adapted slightly to include mobile use cases.

2. Mobile phone penetration

Mobile phone penetration in Turkey is approximately 88%¹ which, whilst high is still lower than the regional average (99.8% in the Middle East¹). Mobile internet has a larger reach than the regional average (43% of 3G connections), however smartphone penetration is relatively low (11% according to the latest figures²).

These figures suggest that the emergence of mobile signature is not due to an unusual success of mobile. It indicates that for a solution to be pervasive, it needs to be compatible with all kinds of phone, including basic devices.

3. ID cards in Turkey

ID cards are mandatory for every citizen in Turkey from birth, and are widely accepted as a secure proof of ID. This was a favourable condition for the launch of mobile signature since Certificate Authorities can refer to a single database to check the identity of individuals. But unlike many countries that have launched mobile signature (e.g. Estonia, Finland), Turkish ID cards are not electronic, and thus do not include electronic certificates.

This represented both an opportunity and a risk for the development of mobile signature. On the one hand, it meant there was room for operators to play the role of an “electronic ID” provider. But on the other hand, it meant that service providers did not see the acceptance of electronic forms of Identity as a priority.

An electronic ID card that includes an electronic certificate has been piloted since 2008 in some areas of Turkey with a national roll-out planned.

4. High popularity of internet services

Another reason to explain why Turkey was first to launch mobile signature is the sophisticated and demanding nature of Turkish customers. E-banking platforms are for example very advanced in Turkey. “Despite being a less-developed country than the UK, the level of expectations for services from banks and mobile operators is much higher in Turkey” explains a former member of the MobilImza team, now living in London. The launch of mobile signature was supported by the banks which were ready to improve customers’ experiences.

Positive factors for emergence of mobile signature in Turkey:

■ Importance of signature in administrative processes
■ High mobile phone penetration
■ Mandatory ID cards
■ High popularity of internet services

1. Turkey penetration: operators’ announcements as of 2Q12; ME penetration: Wireless Intelligence Q411
2. TomiAhonen Consulting Analysis December 2011, based on raw data from Google/Ipsos, the Netsize Guide/Informa, and TomiAhonen Almanac 2011 reported data

B. Turkcell specificities

1. Market share

Turkcell is the market leader in Turkey with a market share of 53%³, which has been a crucial element for the launch of MobilImza, because Turkcell alone had sufficient market share and therefore customer reach to convince service providers to adopt its mobile signature service.

In most other countries where mobile signature has been launched, the State has led the project and promoted interoperability between the different operators. Very few operators have the market position to independently lead the launch of a mobile signature service.

2. Relation to service providers

Turkcell runs a partner programme and since 2002 Turkcell has been developing new products and services with its partners and the programme now includes over 200 business partners. Turkcell also launched a programme called Turkcell LAB, targeting universities and developers. These programmes make it possible for the mobile operator to be in contact with companies and individuals with specific expertise or capabilities in order to identify new business opportunities.

Turkcell developed and maintained close relationships with the main Turkish banks. In 2003, Turkcell initiated Mobile Payment in cooperation with Yapi Kredi Bank, one of Turkey’s leading banks. In 2007, an SMS-based mobile advertising programme for consumer loans was launched with . In 2008 Turkcell and Garanti Bank worked together on an NFC pilot. These pre-existing partnerships helped Turkcell gain bank support when they first launched mobile signature.

3. Focus on innovation

Innovation is one of Turkcell’s corporate values. A separate entity called Turkcell Teknoloji was created in 2007 to work on the research and development of new mobile technologies, which since launch has facilitated three million hours of R&D by its 360 engineers.

In addition to programmes tailored for individual end-users, Turkcell provides products and services designed to boost productivity of its corporate subscribers. Turkcell’s willingness to offer innovative services and test new technologies also helps to explain why Turkcell MobilImza was the first mobile signature solution.

3. Wireless Intelligence, Q4 2011

III. Turkcell’s mobile signature service: MobilImza

A. Concept description

1. Vision and principle

The idea behind Turkcell MobilImza is to offer a remote way to complete transactions equivalent to an “original” signature on a hard copy - making it possible to sign documents and authenticate oneself via a mobile phone, in a way that is legally approved, secure, easy and convenient.

Legal compliance is ensured by the 5070 Electronic Signature Law that was passed by the Turkish government in 2007. This law gives electronic signatures the same authentication level as wet signature as long as they rely on a “qualified certificate”. Qualified certificates are defined by the ETSI Standards⁴ and a directive by the EU Commission⁵ as certificates that are issued by an authorised Certificate Authority following face-to-face verification of both the user and government issued photographic identification.

Mobile signature services are easy to use, since they don’t require any software installation. The certificate is activated Over-The-Air once the user has subscribed to the service. Signature requests then automatically pop-up on the user’s phone each time he requests access to secure services. Once the user has entered his PIN, the signature is sent to the service provider, who checks its validity and grants access to the service.

Making electronic signature mobile also made it more convenient for users. The smartcard alternative existed when Turkcell launched MobilImza, but Turkcell desired “to spare subscribers the hassle of buying and setting up a smart card reader and carrying an extra smartcard to perform secure online transactions with qualified digital signatures”⁶.

Security is guaranteed by cryptographic systems (e.g. SHA1) and on-board key generation. The service is only made available on EAL4+ certified SIM cards which provide a high level of security.

4. ETSI TS 101.456 and ETSI TS 101.862
5. Directive 1999/93/EC
6. Original launch press release (http://www.gemalto.com/php/pr_view.php?id=164)

2. How it works

The following chart explains how MobilImza works:

[Figure: MobilImza signing flow between the User, Service Provider, Mobile Operator and Certificate Authority. Labelled steps: 1 Web, Wap, SMS, IVR, Mobile Application; 2 Signing Request; 3 Signing Request + Info; 4 Signed Data; 5 Signed Data; 6 Signature Verification; 7 Verification Result; 8 Authentication]

Mobile signature relies on the Wireless Public Key Infrastructure (WPKI) technology. A couple of “keys” are generated for each certificate. One is a private key, and the other is a public key. The private key is unique and stored on the SIM card. It is used to encrypt the documents sent by the user. The public key is made public by being published in a directory and can only decipher documents that have been encrypted by the associated private key. Qualified digital certificates are a means of unambiguously binding one person to a public key.

Turkcell is working with eGuven (one of the four authorised Certificate Authorities in Turkey) which is responsible for issuing and revoking the certificates.

From the user’s point of view, there is a three step process:

1. Click on the “Sign” button on the application/website where you want to authenticate yourself or sign a document
2. An explanation text of the transaction and a unique fingerprint pops up on the screen of your handset
3. To sign the transaction, enter your private PIN (password)

Once approved the application is completed.

[Figure: three handset screens, each with Ok and Back buttons. Screen 1: “Do you accept to send 100 YTL to ACME Bank account 12345 John Smith”. Screen 2: “Fingerprint of the transaction 6F74 A37D D0B4 E37A 5F48 8087 BF29 40CD”. Screen 3: “Please enter your pin xxxxxx”]
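The signing flow described above, as an added Go example that is not part of the original case study or of Turkcell's implementation: a PIN-gated key on the SIM signs the transaction, and the service provider verifies the result against the transaction it requested and the certificate the Certificate Authority currently publishes. The `SIM` and `Directory` types, the three-attempt PIN limit, the use of ECDSA P-256 with SHA-256 (in place of the SHA1 the page mentions), the truncated-digest fingerprint and the sample transaction text are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrBadPIN = errors.New("wrong PIN")
	ErrLocked = errors.New("PIN blocked")
	ErrNoCert = errors.New("no valid certificate for subscriber")
	ErrBadSig = errors.New("signature does not match requested transaction")
)

// SIM is a hypothetical model of the signing applet; the key never leaves it.
type SIM struct {
	key   *ecdsa.PrivateKey
	pin   string
	tries int // remaining PIN attempts; the limit of 3 is an assumption
}

func NewSIM(pin string) (*SIM, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SIM{key: k, pin: pin, tries: 3}, nil
}

// Sign releases a signature over the transaction text only after the PIN check.
func (s *SIM) Sign(tx, pin string) ([]byte, error) {
	if s.tries == 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		s.tries--
		return nil, ErrBadPIN
	}
	s.tries = 3
	d := sha256.Sum256([]byte(tx))
	return ecdsa.SignASN1(rand.Reader, s.key, d[:])
}

// Fingerprint renders 16 digest bytes as the 4-hex-digit groups shown to the user.
func Fingerprint(tx string) string {
	d := sha256.Sum256([]byte(tx))
	var groups []string
	for i := 0; i < 16; i += 2 {
		groups = append(groups, fmt.Sprintf("%X", d[i:i+2]))
	}
	return strings.Join(groups, " ")
}

// Directory stands in for the CA's published certificates; revoking deletes the entry.
type Directory map[string]*ecdsa.PublicKey

// Verify checks the signature against the transaction the provider itself requested.
func (d Directory) Verify(sub, requestedTx string, sig []byte) error {
	k, ok := d[sub]
	if !ok {
		return ErrNoCert
	}
	dg := sha256.Sum256([]byte(requestedTx))
	if !ecdsa.VerifyASN1(k, dg[:], sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	tx := "Send 100 YTL to ACME Bank account 12345" // constructed sample
	sim, _ := NewSIM("123456")
	dir := Directory{"john.smith": &sim.key.PublicKey}
	sig, _ := sim.Sign(tx, "123456")
	fmt.Println("fingerprint:", Fingerprint(tx))
	fmt.Println("as requested:", dir.Verify("john.smith", tx, sig))
	fmt.Println("amount altered:", dir.Verify("john.smith", strings.Replace(tx, "100", "900", 1), sig))
}
```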

B. Technical solution

1. Original solution chosen

Mobile signature solutions only work on compatible SIM cards, that match the WPKI specifications in terms of security and capacity, and contain a SIM Toolkit application capable of performing signatures. A solution must also be implemented on the operator side to manage signature requests.

A few companies (called Mobile Signature Service Providers or MSSPs), such as Methics and Valimo offer this suite of services for operators to deliver mobile signature. For the first few years, Turkcell chose Valimo as their MSSP. Valimo is now a part of the SIM vendor . There are many advantages to choosing a turnkey solution like Valimo mobile ID, including reduced time-to-market and technical support.

2. Development of Turkcell’s own technology

In 2010, Turkcell Technology developed its own MSSP solution. The main driver for this decision was that mobile signature solutions have to be regularly adapted when legislation changes, or when a service provider requires a customisation of the system. By developing their own MSSP solution, Turkcell has greater flexibility to update their own technology to match changing requirements. In addition, there were also a number of operational cost and performance benefits.

The MSSP developed by Turkcell Technology is called mSign and is now commercialised to other operators.

The choice between developing a solution or choosing a vendor’s solution depends on the specificities of the market, namely:

■ The time available to launch the solution
■ The ability for the operator to develop a solution internally
■ The ability of the turnkey solution to match local regulations
■ The compatibility of the solution with standards chosen at a national level to ensure interoperability

3. Subscription process

The mobile signature subscription process needs to be very secure since the whole service relies on the trust that service providers put in the initial user identification. However, this process can also be a barrier to adoption if it becomes too long and complicated.

Turkcell’s registration process for MobilImza includes three identity checks:

1. A physical check of the person and his/her ID at a Turkcell store or bank branch
2. A comparison of the captured ID with the national ID database
3. A call to the user to ask further questions to confirm the identity

This process requires the user to visit a Turkcell shop or Bank branch to show his or her ID, sign the contract and upgrade to a compatible, 128K SIM card. Originally, the registration process took up to five days, mainly because of postal delays as completed forms needed to be sent to the certificate authority.

Turkcell improved this process by introducing a “pre-registration” process. If the user performs this pre-registration, the subscription process is much faster. During the pre-application process, the subscriber’s details are captured (national ID number, name, date of birth…) together with the MSISDN number (phone number) for which the mobile signature service is to be activated. This can be done on partner banks’ websites, via the customer care centre or via an SMS message. But the subscriber still needs to visit a point of sale, and the process typically lasts 3-4 days.

The service then needs to be activated by the user:

■ A mobile signature pop-up menu appears on the subscriber’s mobile phone. The menu prompts the subscriber for the activation code.
■ The subscriber defines his/her 6 digit signature and approves it by re-entering.
■ The mobile signature becomes active. The subscriber is informed via SMS once his mobile signature becomes usable (his certificate has been published by the Certificate Authority).

C. Service provider adoption

1. Initial support of service providers

It is often the case that service providers are reticent about adopting mobile signature solutions if there is not a large installed base of users, and users are not enthusiastic about services that are not backed by multiple service providers. This leads to a stand-off that can often threaten the commercial success of mobile signature services.

Initially, Turkcell’s project was supported by the five main Turkish banks, which together pushed for the government to adapt the electronic signature law. This collaboration helped drive adoption since banks offered customers pre-registration at their branches, and then sent the forms to Turkcell. The banks also promoted the use of mobile signature through marketing campaigns.

The service was launched in February 2007 with the 5 main banks. Ten months later, 23 services were available including enhanced e-banking services by 12 different banks.

In 2008, banks declared that mobile signature was the best and most secure authentication method. Other companies started to use it in their workflows.

Financial services remained the real key driver for adoption. In 2007, 84% of all mobile signatures were used for financial purposes⁷, however further use cases include:

■ Online application for loans
■ Online opening of a bank account
■ Stock trading on Stock Exchange
■ PDF and email signing
■ E-procurement
■ Online bidding

[Figure: services built on the Digital Certificate in SIM Card (MSign). Mobile Digital Identity: convenient and secure way to identify yourself via mobile handset. Mobile Payment: simple and smart way to pay via mobile with peace of mind. Mobile Signature: digitally sign content to your mobile SIM with non-repudiation]

2. Additional service providers joining at a later stage

In 2009, the government started to use m-signature in its login process to an eGovernment services portal. Other public services were added in the following months.

More services were gradually added to the initial list. The number of available services has grown to 66. New services have been added such as secure access to medical records by doctors, secure VPN remote access for businesses, and local tax declaration. A list of use cases is available in the appendix section of this document.

The mobile signature value proposition varies between different user segments:

■ Banking & financial institutions: to access and to perform transactions securely
■ Public sector including government organisations, municipalities: to minimise loss of time, to reduce the number of physical documents, and serve citizens remotely and more efficiently
■ Merchants, Dealers, Sellers, Resellers: to use e-payments, e-commerce, m-commerce, mobile payment, mobile money transfer
■ Large companies: for their internal workflows or document management

7. Source: Turkcell

Mobile signature is not restricted to online services, and can also be used in the physical world. For example MobilImza makes it possible to withdraw money from ATMs without a bank card.

3. Signature as a platform for innovative services

As mobile signature has become more popular, some businesses have started to develop solutions to make the most of this new technology as an enabler for consumer services.

For example, a Turkish door lock manufacturer has developed a new kind of SIM-embedded lock that can be locked or unlocked with a mobile phone⁸. Another example is a parking meter system: individuals can now pay parking fees via mobile thanks to mobile signature.

D. User adoption

1. Initial take-up

The number of transactions conducted quickly increased in the months following the launch. This increase was encouraging, particularly since under the initial pricing model, each signature cost as much as an SMS.

Over the years, the number of subscribers kept increasing, as well as the average number of signatures sent by users.

Nonetheless the mobile signature service remained a “niche” product when compared to the number of Turkcell subscribers.

2. Take-up limitation

The take-up of mobile has remained low compared to the total user base so far, and lower than in smaller countries like .

Turkcell believes two primary factors explain this limitation: the lack of compatible services and the subscription process.

■ Due to the limited number of subscribers, service providers are not always eager to integrate mobile signature in their processes. And because of the limited number of available services, people hesitate to subscribe to Mobile Signature.
■ The current subscription process represents a barrier to adoption: it requires customers to physically be at the point of sale to prove their identity and sign many documents. Also people are reluctant to change their SIM cards.

Additionally, pricing could be a barrier to wider adoption. The monthly cost of MobilImza is US$2.74 (5 Turkish Liras) which represents more than a quarter of the estimated average revenue per user in Turkey (US$10.84⁹). As such, this proposition is of greater appeal to a specific sub-segment of the customer base - high-value customers. It would be difficult to lower this price as the unit cost for the operator is high. Issuing a digital certificate is a costly process. The price paid by Turkcell remains confidential, but the public price for a certificate on a smart card is currently around $89¹⁰ in Turkey, which gives an idea of the cost range.

3. Usage

Although subscriber numbers remain comparatively low in absolute terms, annual growth is encouragingly high, running at over 80% per annum. Users are steadily realising the benefits of the mobile digital signature service, and once subscribed to it, appear to be very satisfied.

8. KaleKilit press release: http://www.kalekilit.com.tr/kapinizi-cep-telefonunuzdan-acip-kitleyin_3_68
9. Wireless Intelligence Q4 2011
10. $47 for the certificate + $20 for the smartcard + $22 for the identity checks; source: eGuven

E. Economics

Business model

The initial business model for Turkcell MobilImza was a pay-per-use model. The service was free to subscribe to, and users had to pay a fee each time they used the signature service. The idea was that the cost of the certificate would be covered after a certain number of transactions, and then profit would be generated by extra usage. But this model relied on consistent levels of usage from subscribers. However a significant proportion of non-active users made this model unsustainable.

Therefore this business model was replaced by two complementary approaches:

■ Monthly subscription: subscribers pay 5 Turkish Liras for an unlimited number of signatures
■ Price per signature: service providers pay a small fee per transaction. Public enterprises and educational institutions are not required to pay this fee, because of their public service orientation. It is anticipated that service providers who actively promote mobile digital signature will also enjoy a waiver of this fee.

Turkcell suggests that because the fixed costs are high, profitability is relatively low, but expects an improvement in its operating margin due to improving scale economies as the user base grows.

IV. Key Success Factors

A. Identified success factors

1. Partnerships at launch

Due to the double-sided nature of the market, it was important for Turkcell to have strong partners at launch, especially because the government was not initially a participant in the programme.

Receiving early support from leading banks helped drive initial adoption of the service and has had a sustained impact on mobile signature.

2. Business model

As the attractiveness of the mobile signature service can be modest in the period immediately following launch - due to limited service provider participation - it can be accordingly difficult to persuade consumers to pay for the service. Clearly, to be sustainable, revenues need to be sufficient to cover development costs, investment in digital certificates, customer acquisition costs and any other attributable opex. The approach adopted by Turkcell helped to minimise these issues, by employing both a flat monthly fee for subscribers and a per-transaction fee for service providers.

3. Distribution / subscription process

According to Turkcell, the service subscription process represents 93% of customer complaints related to mobile signature and this process has been identified as a key barrier to adoption. As such, improvements to the subscription process became a priority for Turkcell.

A new subscription process is currently being tested, which would allow customers to subscribe without having to go to a point of sale (provided he is equipped with a compatible SIM card), and would only take a few hours to be completed. It would use the credentials already captured by the bank. Turkcell is partnering with Garanti Bank on this, and believes this improvement will be key to driving adoption rates.

B. Potential additional success factors according to Turkcell

1. SIM dissemination

One of the barriers to adoption is the replacement of the SIM, for two reasons:

■ It makes it necessary for customers to go to a point of sale
■ It may contain information that users don’t want to lose (e.g. address book)

In some countries where mobile signature has been launched (like Finland) operators made the WPKI 128K SIM a standard a few years before the service was launched. It made adoption much easier, but represented a high cost.

128K SIM cards are distributed de facto to all of Turkcell’s business customers but this does not address the whole consumer base.

Key Success factors:

■ Key partnerships at launch
■ Pricing to stimulate usage
■ Simple subscription process
■ WPKI SIM card pre-dissemination
■ Interoperability with other operators
■ B-to-B-to-C business model
■ Cooperation with the state on signature regulation

2. Interoperability

Another element that could lead to further penetration is interoperability with other mobile signature solutions. It is quite clear to every operator that mobile signatures would be more successful if all operators agreed on interoperability at a national level: service providers would be incentivised to use the service, and customer awareness would be higher. Turkcell welcomes the launch of mobile signature services by Avea, one of their competitors in the Turkish market.

In Finland and Moldova, the solutions offered by the different operators are interoperable, and higher adoption rates are expected.

3. B2B Business model

Turkcell is working on an additional business model for 2013. The idea is to make mobile signature free for individuals, and have the price paid by service providers who benefit from the service. Banks for example benefit from mobile signatures as their customers can apply for financial products more easily. They also don’t have to distribute and manage authentication tokens. Garanti Bank already offers MobilImza to its most valuable customers, and is currently negotiating with Turkcell to extend this to more customers.

4. State regulation

The Electronic Signature Law #5070 which defines the principle of electronic signature in Turkey made it possible for Turkcell to launch MobilImza very early. Now new regulation is likely to benefit mobile signature: “E-Tebligat” and the “New Turkish Code of Commerce” encourage people to use electronic signature solutions and companies to move to “paperless offices” starting from mid-2012. This law even makes use of electronic signature obligatory in some cases: agreements that require an attached signature under the Law of Obligations will require an e-signature if they are made in electronic format.

Appendix:

List of MobilImza use cases available today:

■ Sign documents such as PDF files and email (live)
■ Secure online log-in and transactions (live)
■ Secure e-Commerce purchases
■ Sign corporate transactions (live)
■ ATM withdrawals without an ATM card (live)
■ Remotely access health records (live)
■ Conveniently access corporate networks (VPN) (live)
■ Secure mobile contactless (NFC) payment account registration
■ Top-up mobile wallets and other mobile applications
■ E-Government: For usage on the e-government portal following are the use cases:
  Entrance to the e-government portal (live)
  Information query: (live)
  Payment
  Application for licenses/examinations/permissions etc.: military, birth certificate, change of address, application for a state job (live)
■ E-Municipality: The mobile signature is used in the municipalities’ web sites for other means such as housing/environmental tax payments, applications for opening a trading entity (such as a restaurant, doctor’s office, etc.), application for marriage (live).
■ Tax payment and declarations: Motor vehicle, corporate, income taxes can also be declared/queried and paid using the mobile signature as a means of authentication to the “Revenue Administration” (live).

www.gsma.com/mobileidentity/

©GSMA September 2012