Outline
- M-Commerce Overview
- Infrastructure
- M-Commerce Applications
- Mobile Payment
- Limitations
- Security in M-Commerce
Mobile Commerce: Overview
- Mobile commerce (m-commerce, m-business): any e-commerce done in a wireless environment, especially via the Internet
- Can be done via the Internet, private communication lines, smart cards, etc.
- Creates the opportunity to deliver new services to existing customers and to attract new ones
Mobile Commerce from the Customer's Point of View
- The customer wants to access information, goods and services at any time and in any place on his mobile device.
- He can use his mobile device to purchase tickets for events or public transport, pay for parking, download content and even order books and CDs.
- He should be offered appropriate payment methods, ranging from secure mobile micropayment to service subscriptions.
Mobile Commerce from the Provider's Point of View
- The future development of the mobile telecommunication sector is heading more and more towards value-added services. Analysts forecast that soon half of mobile operators' revenue will be earned through mobile commerce.
- Consequently, operators as well as third-party providers will focus on value-added services. To enable mobile services, providers with expertise in different sectors will have to cooperate.
- Innovative service scenarios will be needed that meet the customer's expectations, together with business models that satisfy all partners involved.
M-Commerce Terminology: Generations
- 1G: wireless technology
- 2G: current wireless technology; mainly accommodates text
- 2.5G: interim technology; accommodates graphics
- 3G: 3rd-generation technology; supports rich media (video clips)
- 4G: will provide faster multimedia display
Terminology and Standards
- GPS: satellite-based Global Positioning System
- PDA: Personal Digital Assistant, a handheld wireless computer
- SMS: Short Message Service
- EMS: Enhanced Messaging Service
- MMS: Multimedia Messaging Service
- WAP: Wireless Application Protocol
- Smartphones: Internet-enabled cell phones with attached applications
Attributes of M-Commerce and Its Economic Advantages
- Mobility: users carry cell phones or other mobile devices
- Broad reach: people can be reached at any time
- Ubiquity: easier information access in real time
- Convenience: devices that store data and have Internet, intranet and extranet connections
- Instant connectivity: easy and quick connection to the Internet, intranets, other mobile devices and databases
- Personalization: preparation of information for individual consumers
- Localization of products and services: knowing where the user is located at any given time and matching services to that location
Mobile Computing Infrastructure: Hardware
- Cellular (mobile) phones
- Attachable keyboard
- PDAs
- Interactive pagers
- Other devices: notebooks, handhelds, smartpads
- Screenphones: a telephone equipped with a color screen, keyboard and Internet capabilities
- Wirelined: connected by wires to a network
Mobile Computing Infrastructure (cont.): Unseen Infrastructure Requirements
- Suitably configured wireline or wireless WAN modem
- Web server with wireless support
- Application or database server
- Large enterprise application server
- GPS locator used to determine the location of the mobile computing device carrier
Mobile Computing Infrastructure (cont.): Software
- Microbrowser
- Mobile client operating system (OS)
- Bluetooth: a chip technology and WPAN standard that enables voice and data communications between wireless devices over short-range radio frequency (RF)
- Mobile application user interface
- Back-end legacy application software
- Application middleware
- Wireless middleware
Mobile Computing Infrastructure (cont.): Networks and Access
- Wireless transmission media: microwave, satellites, radio, infrared
- Cellular radio technology
- Wireless systems
Mobile Service Scenarios
- Financial services
- Entertainment
- Shopping
- Information services
- Payment
- Advertising
- And more ...
Early content and applications have all been geared around information delivery, but as time moves on the accent will be on revenue generation.
M-commerce service areas:
- Entertainment: music, games, graphics, video, pornography
- Communications: short messaging, multimedia messaging, unified messaging, chatrooms, video-conferencing
- Information: news, city guides, directory services, maps, traffic and weather, corporate information, market data
- Transactions: banking, broking, shopping, auctions, betting, booking & reservations, mobile wallet, mobile purse
Mobile Application: Financial Tool
As mobile devices become more secure:
- Mobile banking
- Bill payment services
- M-brokerage services
- Mobile money transfers
- Mobile micropayments
- Replace ATMs and credit cards??
Financial Tool: Wireless Electronic Payment Systems
"transform mobile phones into secure, self-contained purchasing tools capable of instantly authorizing payments..."
Types:
- Micropayments
- Wireless wallets (m-wallet)
- Bill payments
Examples
- Swedish Postal Bank: check balances, make payments and conduct some transactions
- Dagens Industri: receive financial data and trade on the Stockholm Exchange
- Citibank: access balances, pay bills and transfer funds using SMS
Mobile Applications: Marketing, Advertising and Customer Service
Shopping from wireless devices
- Access to services similar to those of wireline shoppers: shopping carts, price comparisons, order status
- Future: will be able to view and purchase products using handheld mobile devices
Mobile Applications: Marketing, Advertising and Customer Service (cont.)
Targeted advertising
- Using demographic information, wireless services can be personalized (barnesandnoble.com)
- Knowing users' preferences and surfing habits, marketers can send user-specific and location-specific advertising messages
Mobile Applications: Marketing, Advertising and Customer Service (cont.)
CRM applications
- Mobile CRM
- Comparison shopping using Internet-capable phones
- Voice portals
- Enhanced customer service; improved access to data for employees
Mobile Portals
- "A customer interaction channel that aggregates content and services for mobile users."
- Charged per time of service, or subscription-based
- Example: I-Mode in Japan
- Mobile corporate portal: serves a corporation's customers and suppliers
Mobile Intrabusiness and Enterprise Applications: Support of Mobile Employees
- By [year], [N]% of all workers could be mobile employees: sales people in the field, traveling executives, telecommuters, consultants working on-site, repair or installation employees
- They need the same corporate data as those working inside the company's offices
- Solution: wireless devices
- Wearable devices: cameras, screen, keyboard, touch-panel display
Mobile B2B and Supply Chain Applications
- "mobile computing solutions enable organizations to respond faster to supply chain disruptions by proactively adjusting plans or shifting resources related to critical supply chain events as they occur."
- Accurate and timely information
- Opportunity to collaborate along the supply chain
- Must integrate mobile devices into information exchanges
- Example: "telemetry", the integration of wireless communications, vehicle monitoring systems and vehicle location devices; leads to reduced overhead and faster service responsiveness (vending machines)
Applications of Mobile Devices for Consumers/Industries
- Personal service applications (example: airport)
- Mobile gaming and gambling
- Mobile entertainment: music and video
- Hotels
- Intelligent homes and appliances
- Wireless telemedicine
- Other services for consumers
Mobile Payment for M-Commerce
- Mobile payment can be offered as a stand-alone service.
- Mobile payment could also be an important enabling service for other m-commerce services (e.g. mobile ticketing, shopping, gambling ...):
  - It could improve user acceptance by making the services more secure and user-friendly.
  - In many cases, offering mobile payment methods is the only chance the service providers have to gain revenue from an m-commerce service.
Mobile Payment (cont.)
- The consumer must be informed of what is being bought, how much to pay, and the options to pay
- The payment must be made
- Payments must be traceable
Mobile Payment (cont.)
Customer requirements:
- A larger selection of merchants with whom they can trade
- A more consistent payment interface when making the purchase with multiple payment schemes, like credit card payment and bank account/debit card payment
Merchant benefits:
- Brands able to offer a wider variety of payment methods
- Easy-to-use payment interface development
Bank and financial institution benefits:
- Able to offer a consistent payment interface to consumers and merchants
Payment via Internet Payment Provider (figure)
Parties shown: User, WAP GW/Proxy, Merchant, MeP (payment provider), SMS-C, IPP, Mobile Wallet, CC/Bank. The user browses (negotiation) with the merchant over GSM security and an SSL tunnel.
Payment via Integrated Payment Server (figure)
Parties shown: User, WAP GW/Proxy, Merchant, Mobile Commerce Server, SMS-C, CPVPP IF (ISO 8583 based), CC/Bank, Mobile Wallet, Voice, PrePaid. The user browses (negotiation) with the merchant over GSM security and an SSL tunnel.
Limitations of M-Commerce
Usability problems
- Small size of mobile devices (screens, keyboards, etc.)
- Limited storage capacity of devices
- Hard to browse sites
Technical limitations
- Lack of a standardized security protocol
- Insufficient bandwidth
- 3G licenses
Limitations of M-Commerce (cont.)
Technical limitations ...
- Transmission and power consumption limitations
- Poor reception in tunnels and certain buildings
- Multipath interference, weather and terrain problems, and distance-limited connections
WAP limitations
- Speed
- Cost
- Accessibility
Limiting Technological Factors (figure)
- Networks: bandwidth, interoperability, cell range, roaming
- Mobile middleware: standards, distribution, localisation, upgrade of network, upgrade of mobile devices, precision
- Security: mobile device, network, gateway
- Mobile devices: battery, memory, CPU, display size
Potential Health Hazards
- Cellular radio frequencies = cancer? No conclusive evidence yet; could allow for a myriad of lawsuits
- Mobile devices may interfere with sensitive medical devices such as pacemakers
Security in M-Commerce: Environment (figure, operator-centric model)
Elements shown: CA; shopping, content and aggregation servers on the Internet; SAT GW; Mobile Network (SIM); Mobile IP Service Provider Network; WAP 1.1 access (+SIM where available) and WAP 1.2 access (WIM); WAP GW; Merchant; Security and Payment; Mobile e-Commerce Server; Bank (FI); Mobile Bank.
WAP Architecture (figure)
Client (WML, WMLScript, WTAI, etc.) <-- WSP/WTP --> WAP Gateway (WML encoder, WMLScript compiler, protocol adapters) <-- HTTP --> Web Server (content, CGI scripts, etc., with WMLScript and WML decks)
WAP Risks
WAP gap
- Claim: WTLS protects WAP as SSL protects HTTP
- Problem: in the process of translating one protocol to the other, information is decrypted and re-encrypted (recall the WAP architecture)
- Solution: do the decryption/re-encryption in the same process on the WAP gateway
Wireless gateways as a single point of failure
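The WAP gap is easiest to see in code. The following is an added Python model, not code from the slides or from any WAP gateway product: a toy record layer (SHA-256 counter-mode keystream plus an HMAC tag, constructed here as a stand-in for both WTLS and SSL records) protects the phone-to-gateway leg with one key and the gateway-to-merchant leg with another. Two gateway variants translate between the legs: `SpoolingGateway` hands the decrypted plaintext to a second component through a spool (an assumed queue, file or shared buffer, which models the multi-component gateway the slide warns about), while `InProcessGateway` keeps the plaintext in a local variable and re-encrypts immediately. The keys, order text and spool are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed keys: one for the WTLS leg (phone <-> gateway) and one for the
# SSL leg (gateway <-> merchant). Real WTLS/SSL negotiate these per session.
WTLS_KEY = b"constructed-wtls-session-key"
SSL_KEY = b"constructed-ssl-session-key"
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for the real record cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Verify the MAC first, then decrypt; raises on any tampering."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record MAC check failed")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class SpoolingGateway:
    """Decrypts WTLS in one component and hands the plaintext to a second one
    (via a spool) that re-encrypts for SSL. The spool models any shared
    buffer, queue or file between gateway processes (an assumption here)."""

    def __init__(self) -> None:
        self.spool: list = []

    def translate(self, wtls_record: bytes) -> bytes:
        plaintext = unseal(WTLS_KEY, wtls_record)
        self.spool.append(plaintext)      # plaintext now exists outside the decrypting process
        return seal(SSL_KEY, self.spool[-1])


class InProcessGateway:
    """Decrypts and immediately re-encrypts in the same process; the
    plaintext is only ever a local variable and nothing is spooled."""

    def __init__(self) -> None:
        self.spool: list = []             # stays empty

    def translate(self, wtls_record: bytes) -> bytes:
        plaintext = unseal(WTLS_KEY, wtls_record)
        return seal(SSL_KEY, plaintext)


def run_purchase(gateway, order: bytes) -> dict:
    """Phone seals an order on the WTLS leg, the gateway translates it, the
    merchant opens it on the SSL leg. Returns what each party ends up holding."""
    wtls_record = seal(WTLS_KEY, order)   # sent by the phone
    ssl_record = gateway.translate(wtls_record)
    merchant_view = unseal(SSL_KEY, ssl_record)
    return {
        "merchant_receives": merchant_view,
        "plaintext_left_in_spool": list(gateway.spool),
    }


if __name__ == "__main__":
    order = b"BUY ticket#7 amount=12.50 card=****4242"   # constructed order
    for gw in (SpoolingGateway(), InProcessGateway()):
        print(type(gw).__name__, run_purchase(gw, order))
```

Both gateways deliver the order intact, but only the spooling variant leaves a plaintext copy where a second process, a log, or a crash dump could pick it up. Even the in-process gateway still has to be trusted with the plaintext, which is why the slide also lists the gateway as a single point of failure.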
Platform Risks
- Without a secure OS, achieving security on mobile devices is almost impossible
- Learned lessons: memory protection of processes; protected kernel rings; file access control; authentication of principals to resources; differentiated user and process privileges; sandboxes for untrusted code; biometric authentication
WMLScript (cont.)
- Integrated with WML
- Reduces network traffic
- Has procedural logic, loops, conditionals, etc.
- Optimized for small-memory, small-CPU devices
- Bytecode-based virtual machine
- Compiler in the network
- Works with Wireless Telephony Application (WTA) to provide telephony functions
Risks of WMLScript
Lack of a security model
- Does not differentiate trusted local code from untrusted code downloaded from the Internet. So, there is no access control!!
- WMLScript is not type-safe.
- Scripts can be scheduled to be pushed to the client device without the user's knowledge
- Does not prevent access to persistent storage
Possible attacks:
- Theft or damage of personal information
- Abusing the user's authentication information
- Maliciously offloading money saved on smart cards
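To make the missing security model concrete, here is an added Python sketch of what a script runtime would need to add; it is not WMLScript and not code from the slides. Scripts are modelled as a list of API calls with a recorded origin. An origin-based capability policy (assumed here: local code may use storage and WTA telephony, downloaded code only the UI) supplies the access control the slide says is absent, and a typed API table checks argument types at the boundary, which is the check a type-unsafe language cannot give you. The `Device`, its stored `pin`, the API names and the script contents are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Each API the runtime exposes, with the argument types it accepts (assumed
# names). Checking these at the boundary is what a type-unsafe language lacks.
API_SIGNATURES: Dict[str, Tuple[type, ...]] = {
    "ui.alert": (str,),
    "storage.read": (str,),
    "storage.write": (str, str),
    "wta.make_call": (str,),        # telephony function reached through WTA
}

# Capability policy by code origin: local (trusted) code may touch storage and
# telephony; code downloaded from the network gets the UI only.
POLICY: Dict[str, set] = {
    "local": set(API_SIGNATURES),
    "network": {"ui.alert"},
}


@dataclass
class Script:
    origin: str                       # "local" or the host the deck came from
    calls: List[Tuple[str, tuple]]    # sequence of (api, args)


@dataclass
class Device:
    """Constructed stand-in for the phone's persistent storage and dialer."""
    storage: Dict[str, str] = field(default_factory=lambda: {"pin": "1234"})
    dialed: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def backend(self) -> Dict[str, Callable[..., Any]]:
        return {
            "ui.alert": lambda msg: self.alerts.append(msg) or "shown",
            "storage.read": lambda key: self.storage.get(key),
            "storage.write": lambda key, val: self.storage.__setitem__(key, val) or "ok",
            "wta.make_call": lambda number: self.dialed.append(number) or "dialing",
        }


def check_call(origin: str, api: str, args: tuple) -> str:
    """Return 'allowed' or a 'denied: ...' reason for one API call."""
    caps = POLICY["local" if origin == "local" else "network"]
    if api not in API_SIGNATURES:
        return f"denied: unknown API {api}"
    if api not in caps:
        return f"denied: {origin} code may not call {api}"
    sig = API_SIGNATURES[api]
    if len(args) != len(sig) or not all(isinstance(a, t) for a, t in zip(args, sig)):
        return f"denied: bad argument types for {api}"
    return "allowed"


def run(script: Script, device: Device) -> List[Tuple[str, str]]:
    """Execute only the calls the policy allows; return the per-call decision log."""
    backend = device.backend()
    log = []
    for api, args in script.calls:
        decision = check_call(script.origin, api, args)
        if decision == "allowed":
            backend[api](*args)
        log.append((api, decision))
    return log


if __name__ == "__main__":
    dev = Device()
    downloaded = Script("wap.example.net", [       # constructed downloaded deck
        ("ui.alert", ("Free ringtone!",)),
        ("storage.read", ("pin",)),                # denied: network origin
        ("wta.make_call", ("+1-555-0100",)),       # denied: network origin
        ("ui.alert", (42,)),                       # denied: wrong argument type
    ])
    for entry in run(downloaded, dev):
        print(entry)
```

The decision log is what an auditor would want from such a runtime: each denied call names the origin and the API, so a pushed script that tries to read storage or dial out leaves a trace instead of silently succeeding.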
Bluetooth
- Bluetooth is the codename for a small, low-cost, short-range wireless technology specification
- Enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry or connect cables
- Bluetooth enables mobile phones, computers and PDAs to connect with each other using short-range radio waves, allowing them to "talk" to each other
- It is also cheap
Bluetooth Security
- Bluetooth provides security between any two Bluetooth devices for user protection and secrecy
  - Mutual and unidirectional authentication
  - Encrypts data between two devices
  - Session key generation
  - Configurable encryption key length
  - Keys can be changed at any time during a connection
- Authorization (whether device X is allowed to access service Y)
  - Trusted device: the device has been previously authenticated, a link key is stored and the device is marked as "trusted" in the Device Database.
  - Untrusted device: the device has been previously authenticated and a link key is stored, but the device is not marked as "trusted" in the Device Database.
  - Unknown device: no security information is available for this device. This is also an untrusted device.
- Automatic output power adaptation reduces the range exactly to what is required, which makes the system extremely difficult to eavesdrop
New Security Risks in M-Commerce
- Abuse of the cooperative nature of ad-hoc networks: an adversary that compromises one node can disseminate false routing information.
- Malicious domains: a single malicious domain can compromise devices by downloading malicious code
- Roaming (are you going to the bad guys?): users roam among non-trustworthy domains
New Security Risks (cont.)
- Launching attacks from mobile devices: with mobility, it is difficult to identify attackers
- Loss or theft of device: more private information than on desktop computers; security keys might have been saved on the device; access to corporate systems
- Bluetooth provides security at the lower layers only: a stolen device can still be trusted
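The three device classes from the Bluetooth security slide and the "a stolen device can still be trusted" point above fit in one added Python model; it is not the Bluetooth specification's code and not from the slides. A `DeviceDatabase` maps addresses to a stored link key and a trusted flag, `classify` derives trusted/untrusted/unknown exactly as the slide defines them, `authenticate` is a link-key challenge-response (HMAC-SHA256 is an assumed stand-in for the Bluetooth E1 function), and `authorize` applies the per-service rule that an untrusted device must be explicitly approved by the user. The service names, addresses and "pairing" routine are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceRecord:
    link_key: bytes      # shared secret established at pairing
    trusted: bool        # "trusted" flag in the device database


class DeviceDatabase:
    """Model of a Bluetooth device database: address -> link key + trust flag."""

    def __init__(self) -> None:
        self.records: Dict[str, DeviceRecord] = {}

    def pair(self, addr: str, trusted: bool = False) -> bytes:
        """Constructed pairing: generate and store a fresh link key, return it
        so the other device (the claimant) can be simulated."""
        key = os.urandom(16)
        self.records[addr] = DeviceRecord(key, trusted)
        return key

    def classify(self, addr: str) -> str:
        """trusted / untrusted / unknown, as defined on the slide."""
        rec = self.records.get(addr)
        if rec is None:
            return "unknown"
        return "trusted" if rec.trusted else "untrusted"

    def revoke(self, addr: str) -> None:
        """Delete the link key so a lost or stolen device drops back to 'unknown'."""
        self.records.pop(addr, None)


def respond(link_key: bytes, challenge: bytes) -> bytes:
    """Claimant side of challenge-response (HMAC stands in for Bluetooth's E1)."""
    return hmac.new(link_key, challenge, hashlib.sha256).digest()


def authenticate(db: DeviceDatabase, addr: str, claimant_key: Optional[bytes]) -> bool:
    """Verifier side: succeeds only if the claimant holds the stored link key.
    Mutual authentication is the same exchange run once in each direction."""
    rec = db.records.get(addr)
    if rec is None or claimant_key is None:
        return False
    challenge = os.urandom(16)
    return hmac.compare_digest(respond(rec.link_key, challenge),
                               respond(claimant_key, challenge))


# Constructed services: value = whether an untrusted (authenticated but not
# trusted) device needs explicit user authorization before using the service.
SERVICES = {"object_push": False, "file_transfer": True, "dial_up": True}


def authorize(db: DeviceDatabase, addr: str, claimant_key: Optional[bytes],
              service: str, user_approves: bool = False) -> str:
    """Decide access to `service` for the device at `addr`: 'granted',
    'prompt' (user must authorize), or 'denied: ...'."""
    level = db.classify(addr)
    if level == "unknown":
        return "denied: unknown device, pairing required"
    if not authenticate(db, addr, claimant_key):
        return "denied: authentication failed"
    if level == "trusted":
        return "granted"          # trust is bound to the device, not to who holds it
    if SERVICES.get(service, True) and not user_approves:
        return "prompt"
    return "granted"


if __name__ == "__main__":
    db = DeviceDatabase()
    phone_key = db.pair("00:11:22:33:44:55", trusted=True)     # constructed address
    headset_key = db.pair("66:77:88:99:AA:BB")
    print(authorize(db, "00:11:22:33:44:55", phone_key, "file_transfer"))
    print(authorize(db, "66:77:88:99:AA:BB", headset_key, "file_transfer"))
    db.revoke("00:11:22:33:44:55")                               # phone reported stolen
    print(authorize(db, "00:11:22:33:44:55", phone_key, "file_transfer"))
```

The last three lines show the defensive consequence of the slide's point: a trusted device that is stolen still passes `authenticate` because it carries the link key, so the only lever the database gives you is `revoke`, after which the same device is "unknown" and must pair again.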
New Security Risks (cont.): Problems with the Wireless Transport Layer Security (WTLS) Protocol
- Security classes: no certificates; server-only certificate (most common); server and client certificates
- Re-establishing a connection without re-authentication
- Requests can be redirected to malicious sites
New Privacy Risks
- Monitoring users' private information
- Offline telemarketing
- Who is going to read the "legal jargon"?
- Value-added services based on location awareness (location-based services)