Secure Mobile Commerce

Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002
Author: S. Schwiderski-Grosche & H. Knospe
Presenter: Jung-wen Lo (駱榮問)
Date: 2004/12/16

Outline

- Introduction
- M-commerce
- Security of Network Technologies
- M-payment
- Conclusion
- Comment

Introduction

- M-commerce: mobile devices are used to do business on the Internet
- Goal: identify the special characteristics of m-commerce and consider some important security issues
- Main areas to discuss: network technology and m-payment

Mobile Device

- Kinds of devices: mobile phone, personal digital assistant, smart phone, laptop computer, earpiece
- Characteristics: size and colour of display; input device; memory and CPU processing power; network connectivity and bandwidth capacity; supported operating system; availability of an internal smartcard reader

Advantages of M-commerce

- Ubiquity
- Accessibility
- Security
- Localisation
- Convenience
- Personalisation

Disadvantages of M-commerce

- Limited capability
- The heterogeneity of devices, operating systems and network technologies is a challenge for a uniform end-user platform.
- Mobile devices are more prone to theft and destruction.
- Communication over the air interface introduces additional security threats.

Security Challenges

- Mobile device: confidential user data
- Radio interface: protection of transmitted data
- Network operator infrastructure: security mechanisms
- M-commerce application: payment system

Security of Network Technologies (1/2)

- GSM (Global System for Mobile Communication)
  - Authentication is one-way: the network authenticates the mobile station, but not the other way round
  - Encryption is optional
  - A false base station can therefore perform a man-in-the-middle attack
- UMTS (Universal Mobile Telecommunication System)
  - Authentication is mutual
  - Encryption is mandatory unless the mobile station and the network agree on an unciphered connection
  - Integrity protection is always mandatory and protects against replay or modification of signalling messages
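The one-way versus mutual authentication contrast above is the core of the GSM/UMTS comparison, so here is an added toy model of it (example code written for this summary, not code from the paper or from any operator). It assumes HMAC-SHA256 as the keyed function shared by the SIM and the home network, uses the names RAND, RES and AUTN loosely, and lets the SIM keep a sequence number so a replayed authentication vector is also rejected. The point it makes: in the one-way scheme the SIM answers any challenge and cannot tell a genuine network from an impostor, whereas in the mutual scheme an impostor that does not know Ki cannot produce a valid AUTN and is refused.

```python
"""Toy one-way (GSM-style) vs mutual (UMTS-style) challenge-response authentication.
Constructed illustration; HMAC-SHA256 stands in for the operator's authentication functions."""
import hashlib
import hmac
import os


def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Keyed one-way function shared by the home network and the SIM (assumed: HMAC-SHA256).
    return hmac.new(key, label + b"|".join(parts), hashlib.sha256).digest()


class Sim:
    """Subscriber side: holds the long-term key Ki and the last accepted sequence number."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.last_sqn = 0

    def answer_one_way(self, rand: bytes) -> bytes:
        # GSM-style: the SIM answers any challenge; nothing tells it who the challenger is.
        return f(self.ki, b"RES", rand)

    def answer_mutual(self, rand: bytes, autn: bytes):
        # UMTS-style: AUTN = SQN || MAC, where MAC proves the challenger knows Ki.
        sqn_bytes, mac = autn[:8], autn[8:]
        sqn = int.from_bytes(sqn_bytes, "big")
        if not hmac.compare_digest(mac, f(self.ki, b"AUTN", rand, sqn_bytes)):
            return None  # challenger does not know Ki: reject (false base station)
        if sqn <= self.last_sqn:
            return None  # replayed or stale authentication vector: reject
        self.last_sqn = sqn
        return f(self.ki, b"RES", rand)


class HomeNetwork:
    """Operator side: knows Ki and issues fresh authentication vectors."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn = 0

    def vector_one_way(self):
        rand = os.urandom(16)
        return rand, f(self.ki, b"RES", rand)  # (RAND, expected RES)

    def vector_mutual(self):
        self.sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self.sqn.to_bytes(8, "big")
        autn = sqn_bytes + f(self.ki, b"AUTN", rand, sqn_bytes)
        return rand, autn, f(self.ki, b"RES", rand)  # (RAND, AUTN, expected RES)


class FalseBaseStation:
    """Impostor network: does not know Ki, so it can only send made-up challenges."""

    def challenge_one_way(self):
        return os.urandom(16)

    def challenge_mutual(self):
        return os.urandom(16), os.urandom(8) + os.urandom(32)


def run_scenarios() -> dict:
    ki = os.urandom(32)
    sim, home, impostor = Sim(ki), HomeNetwork(ki), FalseBaseStation()

    # One-way: the genuine network can verify RES, so the SIM is authenticated to it ...
    rand, xres = home.vector_one_way()
    genuine_one_way = hmac.compare_digest(sim.answer_one_way(rand), xres)
    # ... but the SIM answers an impostor just the same; it has no check to apply.
    sim_answers_impostor = sim.answer_one_way(impostor.challenge_one_way()) is not None

    # Mutual: genuine network accepted, impostor rejected, replayed vector rejected.
    rand, autn, xres = home.vector_mutual()
    genuine_mutual = hmac.compare_digest(sim.answer_mutual(rand, autn) or b"", xres)
    impostor_rejected = sim.answer_mutual(*impostor.challenge_mutual()) is None
    replay_rejected = sim.answer_mutual(rand, autn) is None

    return {
        "genuine_one_way": genuine_one_way,
        "sim_answers_impostor": sim_answers_impostor,
        "genuine_mutual": genuine_mutual,
        "impostor_rejected": impostor_rejected,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The sequence-number check in `answer_mutual` is what turns "mutual" into "fresh": without it, a recorded (RAND, AUTN) pair would still carry a valid MAC and the SIM would accept it again.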

Security of Network Technologies (2/2)

- WLAN (Wireless Local Area Network)
  - Does not provide any security by default
  - An attacker can modify data and the CRC
  - The WEP (Wired Equivalent Privacy) key can be recovered
  - 802.1X port-based access control has been adopted
- Bluetooth
  - Provides link-layer security
  - No privacy requirement
  - The unique Bluetooth device address allows the tracing of personal devices

Transport Layer Security

- SSL/TLS (Secure Sockets Layer / Transport Layer Security); HTTPS (HTTP over SSL)
- KSSL by Sun
  - Does not offer client-side authentication
  - Only implements certain commonly used cipher suites
  - Has a very small footprint and runs on small devices
- WTLS (WAP Transport Layer Security)
  - No real end-to-end security is provided
  - The WAP gateway needs to be trusted

Service Security (1/2)

- Intelligent network: CAMEL (Customised Applications for Mobile networks Enhanced Logic), the IN architecture for GSM
- Parlay/OSA (Open Service Access)
  - Provides gateway functionality; m-commerce applications can then access network functionality
  - Offers authentication and encryption on the application layer
  - The security depends on the underlying network architecture
- SMS (Short Message Service)
  - No end-to-end security; the network operator and its infrastructure (e.g. the SMSC, Short Message Service Centre) must be trusted

Service Security (2/2)

- USSD (GSM Unstructured Supplementary Service Data)
  - No separate security property; relies on GSM/UMTS security mechanisms
- SIM/USIM (Subscriber Identity Module) application toolkit security mechanisms
  - Authentication
  - Message integrity
  - Replay detection and sequence integrity
  - Proof of receipt and proof of execution
  - Message confidentiality
  - Indication of the security mechanisms used
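The toolkit mechanisms listed above, and the UMTS point that integrity protection defeats replay or modification of signalling messages, all concern the same design: a message envelope carrying a sequence counter, a MAC, an indication of which protections apply, and a receipt. The following is an added toy envelope written for this summary; it is not the SIM toolkit's real packet format and not code from the paper. Assumptions: HMAC-SHA256 is the MAC, an HMAC-derived keystream stands in for the cipher, separate keys exist for MAC, encryption and receipts, and the receiver's policy (assumed here) is that integrity is mandatory, so a packet whose header indicates no MAC is refused outright.

```python
"""Toy secured-message envelope: integrity, sequence/replay check, confidentiality,
indication of mechanisms used, proof of receipt. Constructed illustration only."""
import hashlib
import hmac
import os

FLAG_INTEGRITY = 0x01
FLAG_CONFIDENTIAL = 0x02
FLAG_PROOF_OF_RECEIPT = 0x04


def _keystream(key: bytes, counter: int, n: int) -> bytes:
    # n bytes of keystream bound to (key, counter): block i = HMAC(key, counter || i).
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Builds secured packets; the counter never repeats within a key lifetime."""

    def __init__(self, k_mac: bytes, k_enc: bytes, k_rcpt: bytes):
        self.k_mac, self.k_enc, self.k_rcpt = k_mac, k_enc, k_rcpt
        self.counter = 0

    def build(self, payload: bytes, flags: int) -> bytes:
        self.counter += 1
        header = bytes([flags]) + self.counter.to_bytes(8, "big")  # indication + sequence
        body = payload
        if flags & FLAG_CONFIDENTIAL:
            body = _xor(payload, _keystream(self.k_enc, self.counter, len(payload)))
        mac = b""
        if flags & FLAG_INTEGRITY:
            mac = hmac.new(self.k_mac, header + body, hashlib.sha256).digest()
        return header + mac + body

    def check_receipt(self, counter: int, receipt: bytes) -> bool:
        expected = hmac.new(self.k_rcpt, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return hmac.compare_digest(receipt, expected)


class Receiver:
    """Verifies and unwraps packets. Assumed policy: a MAC is required on every packet."""

    def __init__(self, k_mac: bytes, k_enc: bytes, k_rcpt: bytes):
        self.k_mac, self.k_enc, self.k_rcpt = k_mac, k_enc, k_rcpt
        self.last_counter = 0

    def open(self, packet: bytes):
        flags, header = packet[0], packet[:9]
        counter = int.from_bytes(packet[1:9], "big")
        if not flags & FLAG_INTEGRITY:
            return "integrity_required", None, None
        mac, body = packet[9:41], packet[41:]
        if not hmac.compare_digest(mac, hmac.new(self.k_mac, header + body, hashlib.sha256).digest()):
            return "bad_mac", None, None  # modified in transit
        if counter <= self.last_counter:
            return "replay", None, None  # replayed or out of sequence
        self.last_counter = counter
        payload = _xor(body, _keystream(self.k_enc, counter, len(body))) if flags & FLAG_CONFIDENTIAL else body
        receipt = None
        if flags & FLAG_PROOF_OF_RECEIPT:
            receipt = hmac.new(self.k_rcpt, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return "ok", payload, receipt


def run_demo() -> dict:
    keys = [os.urandom(32) for _ in range(3)]
    sender, receiver = Sender(*keys), Receiver(*keys)
    msg = b"UPDATE-SERVICE-TABLE"  # constructed sample command
    flags = FLAG_INTEGRITY | FLAG_CONFIDENTIAL | FLAG_PROOF_OF_RECEIPT

    pkt = sender.build(msg, flags)
    status, payload, receipt = receiver.open(pkt)
    replay_status = receiver.open(pkt)[0]  # the same packet delivered twice
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])  # one ciphertext bit flipped
    tampered_status = receiver.open(tampered)[0]
    plain_status = receiver.open(sender.build(msg, 0))[0]  # header indicates no MAC
    return {
        "status": status,
        "payload_ok": payload == msg,
        "ciphertext_hides_payload": msg not in pkt,
        "receipt_ok": sender.check_receipt(1, receipt),
        "replay": replay_status,
        "tampered": tampered_status,
        "no_integrity": plain_status,
    }
```

Note the order of checks in `Receiver.open`: the MAC is verified before the counter is consulted, so an attacker cannot use unauthenticated packets to advance or probe the receiver's sequence state.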

M-payment

- Background on payment systems
- Categorisation of e-payment systems
- Categorisation of m-payment systems
- Examples of m-payment systems

Background on Payment Systems

- Time of payment (relation between initial payment and actual payment): prepaid payment system; pay-now payment system; post-payment system
- Payment amount: micropayments, up to about 1 €; small payments, about 1 to 10 €; macropayments, more than 10 €
- Anonymity issues: complete; partial
- Security requirements: differ from system to system; issues to consider are integrity, authentication, authorisation, confidentiality, availability and reliability
- Online or offline validation
  - Online: background payment servers; trusted third party; double spending
  - Offline: no trusted third party; additional communication overhead

Categorisation of E-payment Systems

- Direct cash
- Cheque
- Credit card
- Bank transfer
- Debit advice

E-payment Systems

(Three flow diagrams on the original slide; participants in each: Issuer, Acquirer, Customer, Merchant.)

- Direct-cash-like: 1. Withdrawal; 2. Payment; 3. Deposit; Settlement
- Cheque-like: 1. Payment; 2. Authorisation and capture; Indication; Settlement
- Bank transfer: 1. Transfer request; 2. Settlement; Indication
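The direct-cash-like flow above (withdrawal, payment, deposit) is where the online-validation and double-spending points from the "Background on Payment Systems" slide become concrete, so here is an added toy implementation of that flow, written for this summary and not taken from the paper or any of the systems it names. Assumptions: the issuer also plays the acquirer and background payment server; an HMAC-SHA256 tag under the issuer's key stands in for the digital signature a real coin would carry; a coin is identified by a random serial, and a merchant deposits each coin online at the moment it is paid, so the issuer can refuse a serial it has already seen.

```python
"""Toy direct-cash-like e-payment with online validation and a double-spending check.
Constructed illustration; the issuer's HMAC stands in for a real signature."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: bytes     # unique per coin; the online double-spending check keys on it
    value_cents: int
    tag: bytes        # issuer's authenticator over (serial, value)


class Issuer:
    """Issues coins, keeps accounts and the set of deposited serials (the trusted third party)."""

    def __init__(self):
        self._key = os.urandom(32)
        self.accounts = {}
        self._deposited = set()

    def _tag(self, serial: bytes, value_cents: int) -> bytes:
        return hmac.new(self._key, serial + value_cents.to_bytes(8, "big"), hashlib.sha256).digest()

    def open_account(self, name: str, balance_cents: int) -> None:
        self.accounts[name] = balance_cents

    def withdraw(self, account: str, value_cents: int) -> Coin:
        # Step 1: withdrawal. The customer's balance is debited and a fresh coin is issued.
        if self.accounts.get(account, 0) < value_cents:
            raise ValueError("insufficient funds")
        self.accounts[account] -= value_cents
        serial = os.urandom(16)
        return Coin(serial, value_cents, self._tag(serial, value_cents))

    def deposit(self, merchant: str, coin: Coin) -> str:
        # Step 3: deposit, validated online against the issuer's key and spent-serial set.
        if not hmac.compare_digest(coin.tag, self._tag(coin.serial, coin.value_cents)):
            return "invalid"  # forged or altered coin
        if coin.serial in self._deposited:
            return "double_spent"  # this serial was already credited to someone
        self._deposited.add(coin.serial)
        self.accounts[merchant] = self.accounts.get(merchant, 0) + coin.value_cents
        return "accepted"


class Merchant:
    def __init__(self, name: str, issuer: Issuer):
        self.name, self.issuer = name, issuer
        self.received = []

    def accept_payment(self, coin: Coin) -> str:
        # Step 2: payment, followed immediately by step 3 so the sale is only honoured once the
        # issuer has confirmed the coin online.
        result = self.issuer.deposit(self.name, coin)
        if result == "accepted":
            self.received.append(coin)
        return result


def run_flow() -> dict:
    issuer = Issuer()
    issuer.open_account("alice", 500)                # constructed: 5.00 EUR balance
    shop_a, shop_b = Merchant("shop_a", issuer), Merchant("shop_b", issuer)
    coin = issuer.withdraw("alice", 80)              # 0.80 EUR: a micropayment on the paper's scale
    first = shop_a.accept_payment(coin)
    second = shop_b.accept_payment(coin)             # the same coin presented a second time
    altered = Coin(coin.serial, 8000, coin.tag)      # value rewritten without the issuer's key
    return {
        "first": first,
        "second": second,
        "altered": shop_a.accept_payment(altered),
        "alice_balance": issuer.accounts["alice"],
        "shop_a_balance": issuer.accounts["shop_a"],
        "shop_b_balance": issuer.accounts.get("shop_b", 0),
    }


if __name__ == "__main__":
    print(run_flow())
```

An offline variant would let the merchant verify the tag locally and defer the deposit, which is exactly where the double-spending problem reappears: nothing stops the customer presenting the same serial to a second merchant before either deposit reaches the issuer.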

Categorisation of M-payment Systems

- Software electronic coins: money stored on a mobile device (e.g. an electronic coin)
- Hardware electronic coins: money stored on a secure hardware token in the mobile device (e.g. a smartcard)
- Background account: money stored remotely on an account at a trusted third party

Examples of M-payment Systems

- Software electronic coins
  - Potentially remain completely anonymous
  - Examples (from e-commerce): eCash, NetCash, MilliCent
- Hardware electronic coins
  - Implement an e-purse: electronic cash on a smartcard
  - Examples: GeldKarte, Mondex
- Background account
  - Held at a network operator: the charged amount is transferred to the existing billing solution and included in the customer's bill. Ex.: M-pay Bill service from Vodafone, and Mobilepay
  - Held at a credit card institution: the payment mechanism is secure transmission of credit card data to the credit card company. Ex.: Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa
  - Held at a bank: the existing banking infrastructure and technology can be reused. Ex.: Paybox, and MobiPay by BBVA and Telefonica

Standardisation and Forums

- PayCircle (http://www.paycircle.org)
- MoSign (http://www.mosign.de)
- Mobile Payment Forum (http://www.mobilepaymentforum.org)
- mSign (http://www.msign.org)
- mwif (http://www.mwif.org)
- Radicchio (http://www.radicchio.org)
- Encorus (http://www.encorus.com)
- Mobile electronic Transactions, MeT (http://www.mobiletransaction.org)

Conclusion

- Discussed security issues relating to network and service technologies and m-payment
- Regarding m-payment, some systems are under development or already operational
- One of the main future challenges will be to unify payment solutions and provide the highest possible level of security

Comment

- Survey-type paper