2-way iSMS

From Wikipedia, the free encyclopedia
Jump to: navigation, search

iSMS often referred to as intelligent text messaging, is a patented,[1] interactive two-way SMS text message and a trademark, which enables iSMS–powered solutions to perform interactive iSMS-dialogues between sender and receiver, for example between organizations and their customers or employees. Customers reply to iSMS messages by selecting among predefined choices, and replying with a single letter.

In these iSMS powered solutions and applications the iSMS technology establishes a session with the user and manages the flow of SMS messages between the application and users so that right responses are linked to the right application even if several simultaneous sessions are established. The authentication of users is secured so customers do not need to remember user names, passwords or special authentication procedures.

The iSMS powered solutions also work on all mobile phones and all networks without installing software or configurations to the phone because the iSMS messages are delivered as standard SMS messages.

The iSMS technology has been developed and patented by a Finnish high tech company called Bookit (Finnish company). The iSMS has become very popular in BookIT’s home country Finland, where people are using the iSMS for different types of easy to use bookings.

For example, in 2004 Finnair [1] was the first airline in the world to enable passengers to check-in in advance for flights with iSMS text messages.[2] In 2008 more than half of the Finnair’s airline passengers do their check-in with iSMS.[3] The service is very easy to use since the user automatically receives a check-in request from the iSMS service and can then do the check-in simply by one-button-reply with his/her mobile phone. The passengers are extremely satisfied since they avoid queuing and can proceed directly to the gate because the iSMS service completes the dialogue by sending an iSMS boarding pass directly to the screen of a mobile phone. This Finnair's service is called Check-in via text message -service [2].

iSMS Technology versus 2-way SMS[edit]

The iSMS technology is often confused with basic 2-way SMS (or bilateral SMS). Simple two-way SMS is actually managed as a series of one way communications similar to HTTP, with a series of independent requests and responses. Messages are presumed to flow back and forth in an ordered, synchronous fashion similar to the way in which messages flow in a typical web session. For simple, low-value, low-risk transactions and interactions initiated by the end users such as checking bank balances, simple 2 way (bidirectional SMS) has sufficed. Two-way SMS logic depends on keywords typed and/or time of delivery. 2-way SMS sessions usually expire after 5 minutes similar to a web-session for security reasons. The challenge with traditional 2-way SMS has been that in practice SMS messages can be replied to out of order (asynchronously) and that text message origination addresses can be readily spoofed or faked leading to various scams. Where higher security, accuracy, and integrity is concerned, simple 2-way text messaging is considered by most experts to be an insecure channel. iSMS involves message handling logic external to 2-way SMS so that message replies coming out of sequence can be associated back to the correct original inquiry message initiated by enterprise software, while a random signature embedded within each message validates authentication. iSMS is considered a misnomer by certain security experts because the intelligence does not rely within the network itself and the network level protocols and equipment (SMS gateways, etc.) are unaffected and continue to function exactly as per the specifications and GSM standards as put forth originally by Friedhelm Hillebrand. iSMS is a proprietary approach to security whereby logic relies entirely in the cloud, and is based on patented BookIT DDM (Dynamic Dialogue Matrix) -method, which enhances the global standard SMS infrastructure with business transaction capabilities—most notably session management and automatic secure authentication. The stated purpose of the DDM by Bookit Oy is to "enable easy-to-use and secure transactions between applications and mobile phones".[4]

Application-to-person (A2P) dialogues and transactions and asynchronous iSMS sessions are managed by a unique and patented BookIT DDM method. The BookIT DDM technology is implemented on industry standard application server platforms and protocols for internet. This together with the open and universal SMS connectivity enables it’s rapid deployment.

Pioneers of SMS[edit]

Matti Makkonen, a pioneer in the development of SMS text messaging, later became a Board Member and Shareholder in Bookit, which was working extend the capabilities of SMS to interactive business transactions.[5]

Jukka Salonen worked with Matti Makkonen at Telecom Finland, and after leaving Telecom Finland sought means to extend the functionality of SMS without changing the protocol which had already been widely adopted globally. Salonen's innovations are entirely separate from the network protocol stack or infrastructure and instead focus on building intelligence in the cloud that sits on-top of SMS and other messaging channels. Multi-factor authentication, anti-spoofing, and session management are key features available in Salonen's iSMS, but were notably absent from the original SMS standards set in 1985 by the non-voice services committee of the original GSM standards body chaired by Friedhelm Hillebrand, the widely credited inventor of SMS. Bookit’s innovation uses the benefits of an already existing SMS standard but manages SMS transactions intelligently by adding “fingerprints” to each message. The network does not notice these secret fingerprints and as a result the iSMS service can be used by any of the existing 5 billion SMS users internationally and on any phone.

Inventions and Enabling Technologies[edit]

Overcoming the usability problem[edit]

While doing research on commerce over the mobile Internet while at Telecom Finland, Jukka Salonen became convinced that reproducing the “browser” experience on a mobile device was the wrong approach. Salonen noticed that the browser experience, which worked over PC, failed on mobile due to differences in the form factor (e.g. small screen size and small keyboard) as well as differences in consumer behavior when they are mobile (e.g. the need for mobile transactions to be very quick and seamless so as not to interrupt the customer’s activities, and also the need for services to be proactive). Salonen also felt that resubmitting sensitive data such as passwords and credit card information with each new session created high security risk. And most importantly, Salonen had learned from his experience at MicroWarehouse that to achieve high response rates on direct marketing, the customer had to be able to reply within 20 seconds or less, preferably with a single click.

Mediator as Intelligent Personal Assistant[edit]

Salonen’s turn-around idea was that instead of the user re-establishing a session each time he/she uses a service, the session could be made to last indefinitely and be maintained by what he called "the Mediator". The technical breakthroughs required to turn this concept into a reality enabled the Mediator to serve as an Intelligent Personal Assistant that could simultaneously maintain dialogues with millions of users and reliably maintain the state and context of dialogue with each of those users where they last left off. At the technical level, the Mediator enabled sessions to be kept alive (maintained 'statefully') and flow smoothly across multiple service providers (e.g. airline, taxi, credit card processor), multiple channels (e.g. web, email, SMS) and even across interactions separated by weeks or months. The Mediator would be able to proactively engage the consumer with the “right offer at the right time” allowing users to board planes and trains, pay bills, schedule appointments, route parcel deliveries, and conduct other similar business transactions in just a few seconds without interrupting the flow of other daily tasks. Salonen's mediator service is a fore-runner of other intelligent personal assistants for mobile such as Google Now.

The Mediator service eliminated the need for consumers to login with a username and password each time they wanted to establish a mobile dialogue with a service provider. Moreover, the mediator would only need to collect personal information such as credit card information once during initial registration so that subsequent transactions over a mobile device would be very quick and entirely secure.[6]

Data privacy and security – overcoming the risks of storing data[edit]

In Salonen’s preferred embodiment, the mediator itself would not need to store sensitive data, but rather that stored personal data would be distributed across multiple service providers, each with their own trusted relationship with the customer. Hence, no single party would have access to all the customer’s data; the credit card issuer would maintain data on past purchases (e.g. for fraud identification), the airline would maintain flight preference data, and a hotel would maintain room preference information, but no party would have access to all this information. Instead, BookIT would be able to maintain session state information and use that state information to trigger dialogues, processes, and transactions with additional service providers (e.g. when the passenger lands at his destination, he/she may receive an offer for a limo or taxi).

In this preferred embodiment, Salonen envisioned that the mediator would store certain non-sensitive data such as preferences of the user so that it could also function as an effective “broker” of offers, and only communicate very relevant messages and offers to the customer in order to maintain trust and high customer responsiveness.

The Dynamic Dialogue Matrix: session management and authentication[edit]

Salonen realized that he would also need to provide a means of authenticating the end user (i.e. “how does the service provider know that you are really you?). He had learned from previous experiences that static identifiers could easily be stolen or faked. For example, usernames and password pairs could be guessed or phished, and the customer's mobile phone number (while serving as a unique identifier of each end user) could be easily faked using readily available internet tools.

Salonen then envisioned using a dynamically changing session identifier that would be known by the mediator. The problem he encountered many times over in devising a solution is that if you changed the protocol you created a proprietary solution that only worked if you controlled the entire service end-to-end. For example, Nokia had tried to insert a dynamic identifier in the time-stamp field, but this approach worked only over certain networks where the SMS Gateway could be changed because this approach wasn't consistent with the existing SMS protocol and therefore so was not backward compatible with existing infrastructure deployments globally. This solution, while functional, proved impossible to deploy at a large geographic scale. An alternative suggestion by others at the time was to change the SMS protocol itself, but Salonen understood correctly, that it would not be possible to convince everyone to adopt a new protocol and replace existing equipment. To address this hurdle, Salonen decided that he would need to devise a solution that worked with all existing network infrastructure and terminals and with any existing protocol, including the ubiquitous SMS text messaging protocol.

Salonen’s breakthrough solution for authentication was to reverse the problem from conventional thinking. Instead of a traditional solution in which the lock was public and the key was private, he reversed the system to make the key public and the lock private (e.g. you could find a key on the streets of NYC but if you don’t know to what door it belongs it would be useless). The key could be for example, the mobile user’s telephone number (or other fixed personal identifier) but only the owner of the actual device would know which door the key belonged to (e.g. the dynamically changing reply address). Salonen envisioned this lock as a multi-dimensional matrix in which some axes would consist of static elements and at least one axis would consist of a dynamically changing random element. In his preferred embodiments,[7] the dynamic element would be one of the address fields and/or reply options contained in the message body. The advantage of the matrix is that you would have a nearly infinite supply of secret session identifiers (fingerprints). For example, if you relied only on using the reply address to authenticate the user, then you would not be able to provide enough real addresses capable of receiving the customer replies. And if you used artificial addresses, you could create an infinite supply, but you would not receive back the customer responses. However, by using a combination of the user address and sender address (and optionally the reply choice) the mediator could create a nearly infinite supply of session identifiers (e.g. 20 reply addresses and 1 million customer phone numbers, could create a pool of 20 million unique session identifiers (20 million unique locks with a pool of just 20 provisioned sender numbers).

Solving the "man-in-the-middle" problem[edit]

Because Salonen’s solution does not rely on transmitting sensitive data back and forth between the end user and the server, there is very little security risk. A “man-in-the-middle” would only see random, single-letter replies to unknown service providers, which are meaningless to anyone other than the true mediator.

Only the mediator understands the various customer replies and to which of multiple service providers these messages pertain. There are zero security risks of transmitting single letter replies since those replies only make a reference to previously provided personal data. For example, a customer can authorize a charge to a payment card with a one-letter reply without “transmitting” their entire credit card number.[8]

Ability to combine offers[edit]

Salonen’s mediator has a built-in syntax for 7-session stages or phases, which allows various service providers to combine offers.[9] For example, when a passenger of an airline (first service provider) has landed at the destination, a taxi company (second service provider) is able to send an offer for a taxi from the airport to the hotel. In this scenario, the taxi service does not to know the private information such as flight information, they simply need to know from the mediator when and where to pick you up and whether or not the fare has been paid in advance.

Semantic analysis[edit]

Occasionally a mobile user will reply with a message that is out of syntax. For example, if an airline offers the customer an upgrade and asks the customer to reply with a single letter “A” to accept, and instead the customer replies “Yes, but only if my wife also gets the upgrade”, then in some implementations, the mediator may apply semantic analysis in order to interpret the meaning of the reply.


Actionable Alerts in Fraud Prevention[edit]

Actionable iSMS fraud alerts have become the norm in the U.S. and other developed markets.[10] Whereas, first-generation alerts notified customers of charges to their account, second-generation fraud alerts include options for accepting or rejecting charges.[11] indispensable tool for financial institutions to resolve suspected fraud and differentiate between actual fraud and false positive-alerts.

iSMS in Remote Payments[edit]

First generation SMS alerts, notified customers when bills were due. Second generation iSMS alerts enable customers to pay bills by replying to the alert message. Remote iSMS payments may be applied to bills as well-as pre-paid account top-ups. Bill payment by SMS in the U.S. is available by AT&T and others, but gained steam when Cure Auto Insurance ran a Super Bowl commercial in 2013 advertising the advantages of paying by text.[12]

iSMS in Parcel Delivery[edit]

First generation SMS message alerts are prevalent today, with most carriers providing the ability for consumers to see when their parcels have been shipped and delivered.[13] Second-generation iSMS-type alerts that enable users to control delivery options and scheduling are less common today in the U.S., but prevalent in the Nordics where they are in use by large carriers such as Itella (Postal Services of Finland).


  1. ^ "Patents filed under Bookit Oy Ajanvarauspalvelu". Google Patent Search. US PTO. Retrieved August 21, 2001. 
  2. ^ Makkonen, Tuija. "Finnair to introduce the world’s easiest check-in -- with a text message". Finnairgroup.com. Retrieved 19 May 2015. 
  3. ^ Ahonen, Tomi. "Update on the mobile phone check-in: Finnair finds half of passengers using it". Communities Dominate Brands. Retrieved 19 May 2015. 
  4. ^ Lee, Johnson (2008). International Book Series: Information Science and Computing (PDF). Intelligent Information and Engineering Systems. pp. 125–130. 
  5. ^ "Making More of SMS: Much More". High Tech Finland. Retrieved 2009. 
  6. ^ Issued US patents whereas assignee is Bookit and inventor is Jukka Salonen (Source: USPTO): http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.htm&r=0&p=1&f=S&l=50&Query=an%2Fbookit+and+in%2Fsalonen-jukka&d=PTXT
  7. ^ Salonen, Jukka U.S. Issued Patents. USPTO http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.htm&r=0&p=1&f=S&l=50&Query=an%2Fbookit+and+in%2Fsalonen-jukka&d=PTXT
  8. ^ Nilson Report, January 2011, Issue 964. Text Message Payments in Finland http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=964
  9. ^ Salonen, Jukka. Booking Method and System. Bookit Oy Ajanvarauspalvelu (Helsinki, FI), assignee. Patent 7,406,429. 29 May 2003. Print.
  10. ^ Whitepaper: Can Fraud Raise Customer Loyalty. FICO. 2012 http://www.fico.com/en/latest-thinking/white-papers/can-fraud-alerts-raise-customer-loyalty
  11. ^ Interactive Financial Alerts. Javelin Research. March, 2011
  12. ^ Golia, Nathan. CURE Insurance COO Eric Poe Dishes on Text-to-Pay. InformationWeek: Insurance and Technology , January 5, 2012 http://www.insurancetech.com/cure-insurance-coo-eric-poe-dishes-on-text-to-pay/a/d-id/1313324?
  13. ^ UPS Will Text You Before Your Pahttp://mashable.com/2011/09/14/ups_my_choice/

External links[edit]