Outline
- M-Commerce Overview
- Infrastructure
- M-Commerce Applications
- Mobile Payment
- Limitations
- Security in M-Commerce
Mobile Commerce: Overview
- Mobile commerce (m-commerce, m-business): any e-commerce done in a wireless environment, especially via the Internet
- Can be done via the Internet, private communication lines, smart cards, etc.
- Creates the opportunity to deliver new services to existing customers and to attract new ones
Mobile Commerce from the Customer's Point of View
- The customer wants to access information, goods and services at any time and in any place on his mobile device.
- He can use his mobile device to purchase tickets for events or public transport, pay for parking, download content and even order books and CDs.
- He should be offered appropriate payment methods, ranging from secure mobile micropayments to service subscriptions.
Mobile Commerce from the Provider's Point of View
- The mobile telecommunication sector is heading more and more towards value-added services. Analysts forecast that soon half of mobile operators' revenue will be earned through mobile commerce.
- Consequently operators as well as third-party providers will focus on value-added services. To enable mobile services, providers with expertise in different sectors will have to cooperate.
- Innovative service scenarios will be needed that meet the customer's expectations, and business models that satisfy all partners involved.
M-Commerce Terminology: Generations
- 1G: first-generation (analog) wireless technology
- 2G: the digital wireless technology current when these slides were written; mainly accommodates voice and text
- 2.5G: interim technology; accommodates graphics
- 3G: third-generation technology; supports rich media (video clips)
- 4G: will provide faster multimedia display
Terminology and Standards
- GPS: satellite-based Global Positioning System
- PDA: Personal Digital Assistant, a handheld wireless computer
- SMS: Short Message Service
- EMS: Enhanced Messaging Service
- MMS: Multimedia Messaging Service
- WAP: Wireless Application Protocol
- Smartphones: Internet-enabled cell phones with attached applications
Attributes of M-Commerce and Its Economic Advantages
- Mobility: users carry cell phones or other mobile devices
- Broad reach: people can be reached at any time
- Ubiquity: easier real-time information access
- Convenience: devices that store data and have Internet, intranet and extranet connections
- Instant connectivity: easy and quick connection to the Internet, intranets, other mobile devices and databases
- Personalization: preparation of information for individual consumers
- Localization of products and services: knowing where the user is at any given time and matching services to that location
Mobile Computing Infrastructure: Hardware
- Cellular (mobile) phones
- Attachable keyboards
- PDAs
- Interactive pagers
- Other devices: notebooks, handhelds, smartpads
- Screenphones: a telephone equipped with a color screen, keyboard and Internet capabilities
- Wirelined devices: connected by wires to a network
Mobile Computing Infrastructure (cont.): Unseen Infrastructure Requirements
- Suitably configured wireline or wireless WAN modem
- Web server with wireless support
- Application or database server
- Large enterprise application server
- GPS locator used to determine the location of the mobile device's carrier
Mobile Computing Infrastructure (cont.): Software
- Microbrowser
- Mobile client operating system (OS)
- Bluetooth: a chip technology and WPAN standard that enables voice and data communication between wireless devices over short-range radio frequency (RF)
- Mobile application user interface
- Back-end legacy application software
- Application middleware
- Wireless middleware
Mobile Computing Infrastructure (cont.): Networks and Access
- Wireless transmission media: microwave, satellites, radio, infrared
- Cellular radio technology
- Wireless systems
Mobile Service Scenarios
- Financial services
- Entertainment
- Shopping
- Information services
- Payment
- Advertising
- And more ...
Early content and applications have all been geared around information delivery, but as time moves on the accent will be on revenue generation.
- Entertainment: music, games, graphics, video, pornography
- Communications: short messaging, multimedia messaging, unified messaging, chatrooms, video-conferencing
- M-commerce, information: news, city guides, directory services, maps, traffic and weather, corporate information, market data
- M-commerce, transactions: banking, broking, shopping, auctions, betting, booking and reservations, mobile wallet, mobile purse
Mobile Application: Financial Tool
As mobile devices become more secure:
- Mobile banking
- Bill payment services
- M-brokerage services
- Mobile money transfers
- Mobile micropayments
- Replace ATMs and credit cards??
Financial Tool: Wireless Electronic Payment Systems
"transform mobile phones into secure, self-contained purchasing tools capable of instantly authorizing payments..."
Types:
- Micropayments
- Wireless wallets (m-wallet)
- Bill payments
Examples
- Swedish Postal Bank: check balances, make payments and conduct some transactions
- Dagens Industri: receive financial data and trade on the Stockholm Exchange
- Citibank: access balances, pay bills and transfer funds using SMS
Mobile Applications: Marketing, Advertising and Customer Service
Shopping from wireless devices:
- Access to services similar to those of wireline shoppers: shopping carts, price comparisons, order status
- Future: users will be able to view and purchase products using handheld mobile devices
Mobile Applications: Marketing, Advertising and Customer Service (cont.)
Targeted advertising:
- Using demographic information, wireless services can be personalized (barnesandnoble.com)
- Knowing users' preferences and surfing habits, marketers can send user-specific and location-specific advertising messages
Mobile Applications: Marketing, Advertising and Customer Service (cont.)
- CRM applications: mobile CRM
- Comparison shopping using Internet-capable phones
- Voice portals
- Enhanced customer service: improved access to data for employees
Mobile Portals
- "A customer interaction channel that aggregates content and services for mobile users."
- Charged per time of service or subscription-based
- Example: i-mode in Japan
- Mobile corporate portal: serves a corporation's customers and suppliers
Mobile Intrabusiness and Enterprise Applications
Support of mobile employees:
- by % of all workers could be mobile employees
- sales people in the field, traveling executives, telecommuters, consultants working on-site, repair or installation employees
- they need the same corporate data as those working inside the company's offices
- solution: wireless devices, including wearable devices (cameras, screens, keyboards, touch-panel displays)
Mobile B2B and Supply Chain Applications
- "Mobile computing solutions enable organizations to respond faster to supply chain disruptions by proactively adjusting plans or shifting resources related to critical supply chain events as they occur."
- Accurate and timely information
- Opportunity to collaborate along the supply chain
- Must integrate mobile devices into information exchanges
- Example: "telemetry", the integration of wireless communications, vehicle monitoring systems and vehicle location devices
- Leads to reduced overhead and faster service responsiveness (e.g. vending machines)
Applications of Mobile Devices for Consumers/Industries
- Personal service applications (example: airport)
- Mobile gaming and gambling
- Mobile entertainment: music and video
- Hotels
- Intelligent homes and appliances
- Wireless telemedicine
- Other services for consumers
Mobile Payment for M-Commerce
- Mobile payment can be offered as a stand-alone service.
- Mobile payment can also be an important enabling service for other m-commerce services (e.g. mobile ticketing, shopping, gambling ...): it can improve user acceptance by making the services more secure and user-friendly.
- In many cases offering mobile payment methods is the only chance the service providers have to gain revenue from an m-commerce service.
Mobile Payment (cont.)
- The consumer must be informed of what is being bought, how much to pay, and the options to pay.
- The payment must be made.
- Payments must be traceable.
Mobile Payment (cont.)
Customer requirements:
- a larger selection of merchants with whom they can trade
- a more consistent payment interface when making purchases with multiple payment schemes, such as credit card payment and bank account/debit card payment
Merchant benefits:
- the ability to offer a wider variety of payment methods
- easy-to-use payment interface development
Bank and financial institution benefits:
- a consistent payment interface offered to consumers and merchants
Payment via Internet Payment Provider
[Figure: the user's mobile wallet browses and negotiates with the merchant through a WAP GW/proxy; payment is handed to an Internet Payment Provider (IPP), which reaches the credit card company/bank; an SMS-C carries messages to the handset. Link labels in the figure: GSM security on the air link, an SSL tunnel on the wired side, and a link labelled MeP between wallet and payment provider.]
Payment via Integrated Payment Server
[Figure: as in the previous figure, but the payment function is integrated into a mobile commerce server. Components: user with mobile wallet, WAP GW/proxy, merchant, mobile commerce server, SMS-C, credit card company/bank, voice prepaid. Labels: browsing (negotiation), GSM security, SSL tunnel, an ISO 8583-based interface toward the bank, CPV, and a prepaid interface (PP IF).]
Limitations of M-Commerce
Usability problems:
- small size of mobile devices (screens, keyboards, etc.)
- limited storage capacity of devices
- hard to browse sites
Technical limitations:
- lack of a standardized security protocol
- insufficient bandwidth
- 3G licences
Limitations of M-Commerce (cont.)
Technical limitations (cont.):
- transmission and power consumption limitations
- poor reception in tunnels and certain buildings
- multipath interference, weather and terrain problems, and distance-limited connections
WAP limitations:
- speed
- cost
- accessibility
Limiting Technological Factors
[Figure: a map of limiting factors grouped by layer (mobile device, network, gateway).]
- Networks: bandwidth, interoperability, cell range, roaming, upgrade of network
- Mobile middleware: standards, distribution, localisation, precision, security
- Mobile devices: battery, memory, CPU, display size, upgrade of mobile devices
Potential Health Hazards
- Cellular radio frequencies = cancer? No conclusive evidence yet, but the question could allow for a myriad of lawsuits
- Mobile devices may interfere with sensitive medical devices such as pacemakers
Security in M-Commerce: Environment
[Figure: operator-centric model. Elements: CA; shopping/content aggregation; SAT GW; mobile network (SIM); Internet; mobile IP service provider network; merchant; security and payment; mobile e-commerce server; bank (FI); WAP GW; mobile bank. Protocol labels: WAP 1.1 (+SIM where available) and WAP 1.2 (WIM).]
WAP Architecture
[Figure: three tiers. Client (WML, WMLScript, WTAI, etc.) <-- WSP/WTP --> WAP Gateway (WML encoder, WMLScript compiler, protocol adapters) <-- HTTP --> Web server (content, CGI scripts, etc., served as WML decks with WMLScript).]
WAP Risks: the WAP Gap
- Claim: WTLS protects WAP as SSL protects HTTP.
- Problem: the gateway translates one protocol into the other (recall the WAP architecture), so every request is decrypted from WTLS and re-encrypted for SSL inside the gateway. Plaintext exists there, and whoever operates or compromises the gateway can read it.
- Mitigation proposed on the slide: do the decryption and re-encryption in a single process on the gateway, so plaintext never crosses a process or disk boundary. This narrows the exposure but does not remove it: the gateway operator still sees the data. Removing it requires end-to-end TLS between handset and server, which WAP 2.0 later made possible by tunnelling TLS through the gateway.
- Wireless gateways are also a single point of failure.
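The WAP gap is easiest to see with the keys written out. The following is an added example, not code from the original slides: it models the two encrypted links of the WAP 1.x architecture (handset to gateway under WTLS, gateway to server under SSL) next to the end-to-end alternative, using a toy stream cipher so that it runs offline. The cipher, the key names and the sample request are this example's own constructions; nothing here is real WTLS or SSL.

```python
"""Why the 'WAP gap' matters, as a runnable model (added example, not from the slides)."""
import hashlib
import hmac
import os


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block at offset i = HMAC-SHA256(key, nonce || i).
    Demo only; it exists so the plaintext/ciphertext boundary is visible."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def toy_decrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return toy_encrypt(key, nonce, data)  # XOR keystream: decryption == encryption


def demo_key(label: bytes) -> bytes:
    """Stand-in for a key negotiated by a handshake (assumption: each link has its own)."""
    return hashlib.sha256(label).digest()


K_WTLS = demo_key(b"handset<->gateway")   # WTLS session key: handset and gateway hold it
K_SSL = demo_key(b"gateway<->server")     # SSL session key: gateway and server hold it
K_E2E = demo_key(b"handset<->server")     # end-to-end key: the gateway never holds it

# Constructed sample request; the card number is what the gateway should not see.
REQUEST = (b"POST /pay HTTP/1.1\r\nHost: merchant.example\r\n\r\n"
           b"card=4111111111111111&amount=12.50")


class TranslatingGateway:
    """WAP 1.x gateway: terminates WTLS, then opens SSL. The gap is self.seen."""

    def __init__(self) -> None:
        self.seen: list[bytes] = []

    def forward(self, nonce: bytes, wtls_record: bytes) -> bytes:
        plaintext = toy_decrypt(K_WTLS, nonce, wtls_record)  # must decrypt to translate
        self.seen.append(plaintext)                          # 'same process' still holds it in memory
        return toy_encrypt(K_SSL, nonce, plaintext)


class TunnelingGateway:
    """WAP 2.0-style gateway: relays end-to-end TLS records it cannot read."""

    def __init__(self) -> None:
        self.seen: list[bytes] = []

    def forward(self, nonce: bytes, record: bytes) -> bytes:
        self.seen.append(record)  # it can still log, but only ciphertext
        return record


def run(mode: str) -> dict:
    """Send REQUEST through the chosen gateway; report what server and gateway got."""
    nonce = os.urandom(12)
    if mode == "wap-gap":
        gateway = TranslatingGateway()
        on_air = toy_encrypt(K_WTLS, nonce, REQUEST)
        server_plain = toy_decrypt(K_SSL, nonce, gateway.forward(nonce, on_air))
    elif mode == "end-to-end":
        gateway = TunnelingGateway()
        on_air = toy_encrypt(K_E2E, nonce, REQUEST)
        server_plain = toy_decrypt(K_E2E, nonce, gateway.forward(nonce, on_air))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {
        "server_got_request": server_plain == REQUEST,
        "gateway_saw_card": any(b"card=4111111111111111" in blob for blob in gateway.seen),
    }


if __name__ == "__main__":
    for mode in ("wap-gap", "end-to-end"):
        print(mode, run(mode))
```

Both modes deliver the request intact to the server; only the translating gateway ends up holding the card number. Keeping the translation in one process changes where `seen` lives, not whether it exists.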
Platform Risks
- Without a secure OS, achieving security on mobile devices is almost impossible.
- Lessons learned from desktop and server operating systems:
  - memory protection between processes
  - protected kernel rings
  - file access control
  - authentication of principals to resources
  - differentiated user and process privileges
  - sandboxes for untrusted code
  - biometric authentication
WMLScript (cont.)
- Integrated with WML
- Reduces network traffic
- Has procedural logic, loops, conditionals, etc.
- Optimized for small-memory, small-CPU devices
- Bytecode-based virtual machine; the compiler runs in the network (on the gateway)
- Works with Wireless Telephony Application (WTA) to provide telephony functions
Risks of WMLScript
- Lack of a security model: it does not differentiate trusted local code from untrusted code downloaded from the Internet, so there is no access control.
- WMLScript is not type-safe.
- Scripts can be scheduled to be pushed to the client device without the user's knowledge.
- It does not prevent access to persistent storage.
Possible attacks:
- theft or damage of personal information
- abuse of the user's authentication information
- maliciously offloading money stored on smart cards
Bluetooth
- Bluetooth is the codename for a small, low-cost, short-range wireless technology specification.
- It enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry or connect cables.
- Mobile phones, computers and PDAs connect with each other using short-range radio waves, allowing them to "talk" to each other.
- It is also cheap.
Bluetooth Security
Bluetooth provides security between any two Bluetooth devices for user protection and secrecy:
- mutual and unidirectional authentication
- encryption of data between two devices
- session key generation, with configurable encryption key length; keys can be changed at any time during a connection
- authorization (whether device X is allowed to access service Y)
Device trust levels in the device database:
- Trusted device: previously authenticated, a link key is stored and the device is marked as "trusted"
- Untrusted device: previously authenticated, a link key is stored but the device is not marked as "trusted"
- Unknown device: no security information is available; it is also treated as untrusted
Automatic output power adaptation reduces the range to exactly what is required, which the slide presents as making eavesdropping extremely difficult. Treat this as a range reduction rather than a security control: an attacker with a sensitive receiver or a directional antenna can still pick up the signal well beyond the nominal range.
New Security Risks in M-Commerce
- Abuse of the cooperative nature of ad-hoc networks: an adversary that compromises one node can disseminate false routing information.
- Malicious domains: a single malicious domain can compromise devices by pushing malicious code to them.
- Roaming (are you going to the bad guys?): users roam among non-trustworthy domains.
New Security Risks (cont.)
- Launching attacks from mobile devices: with mobility, it is difficult to identify attackers.
- Loss or theft of a device: it holds more private information than a desktop computer, security keys may have been saved on it, and it may give access to corporate systems.
- Bluetooth provides security at the lower layers only: its link keys prove possession of a paired device, not the identity of the person holding it, so a stolen device remains trusted until its link key is revoked on the peers.
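The trust levels from the Bluetooth Security slide and the stolen-device point above fit together in one small policy engine. The following is an added example; it is not code from the original slides or from the Bluetooth specification. It encodes the three device trust levels (trusted, untrusted, unknown) together with the per-service requirements of the Bluetooth security architecture (authorization, authentication, encryption), then shows that a previously paired device still gets in after it is stolen, until the peer revokes its link key. The class names, the decision function, the 56-bit minimum key policy and the sample addresses are this example's own choices.

```python
"""Bluetooth service-level security as a policy engine (added example, not from the slides)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class DeviceRecord:
    link_key: bytes   # stored on both peers after a successful pairing
    trusted: bool     # set by the user; a trusted device is authorized automatically


@dataclass
class Service:
    name: str
    authorization_required: bool   # may this device use this service?
    authentication_required: bool  # must the peer prove it holds the link key?
    encryption_required: bool      # must the link be encrypted?
    min_key_bits: int = 56         # assumed local policy for the negotiated key length


@dataclass
class DeviceDB:
    """The device database: Bluetooth address -> security record."""
    records: dict = field(default_factory=dict)

    def trust_level(self, bd_addr: str) -> str:
        rec = self.records.get(bd_addr)
        if rec is None:
            return "unknown"
        return "trusted" if rec.trusted else "untrusted"

    def pair(self, bd_addr: str, trusted: bool = False) -> None:
        # Pairing yields a link key; the real derivation (PIN + random) is not modelled.
        self.records[bd_addr] = DeviceRecord(secrets.token_bytes(16), trusted)

    def revoke(self, bd_addr: str) -> None:
        self.records.pop(bd_addr, None)


def decide(db: DeviceDB, bd_addr: str, service: Service,
           user_authorizes: bool = False, negotiated_key_bits: int = 128) -> tuple:
    """Access decision for one connection attempt.
    Returns (decision, reason); decision is 'allow', 'deny', 'pair_first' or 'ask_user'."""
    level = db.trust_level(bd_addr)
    if service.authentication_required and level == "unknown":
        return "pair_first", "no link key stored for this device"
    if service.encryption_required and negotiated_key_bits < service.min_key_bits:
        return "deny", (f"negotiated key of {negotiated_key_bits} bits is below "
                        f"the {service.min_key_bits}-bit minimum")
    if service.authorization_required:
        if level == "trusted":
            return "allow", "trusted device: automatic authorization"
        if user_authorizes:
            return "allow", "not trusted: user authorized this connection explicitly"
        return "ask_user", "not trusted: explicit authorization needed"
    return "allow", "service has no authorization requirement"


def stolen_device_scenario() -> tuple:
    """A laptop has paired with a phone and marked it trusted; then the phone is stolen."""
    laptop = DeviceDB()
    phone = "00:11:22:33:44:55"   # constructed address
    laptop.pair(phone, trusted=True)
    file_sync = Service("file-sync", authorization_required=True,
                        authentication_required=True, encryption_required=True)
    before = decide(laptop, phone, file_sync)[0]   # the thief's phone authenticates: 'allow'
    laptop.revoke(phone)                            # the only fix at this layer: drop the link key
    after = decide(laptop, phone, file_sync)[0]    # now 'pair_first'
    return before, after


if __name__ == "__main__":
    print(stolen_device_scenario())
```

The link-layer check passes for whoever holds the handset, which is the whole of the slide's point: application-level user authentication has to sit on top of Bluetooth pairing, and a theft response must include revoking link keys on every peer that trusts the device.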
New Security Risks (cont.): Problems with the Wireless Transport Layer Security (WTLS) Protocol
Security classes:
- Class 1: no certificates (anonymous key exchange, so the client cannot tell who it is talking to)
- Class 2: server-only certificate (most common)
- Class 3: server and client certificates
Other problems:
- connections can be re-established without re-authentication
- requests can be redirected to malicious sites
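What the security classes buy is clearest when an active attacker sits on the air link. The following is an added example, not code from the original slides or from the WTLS specification: it models the key-agreement step of the handshake with a toy Diffie-Hellman group so it runs offline, and shows that under Class 1 an attacker who swaps the gateway's key share ends up sharing the client's session key, whereas under Class 2 the swapped share fails verification. The "certificate" is a MAC under a key the client shares with a stand-in CA, standing in for a signature verified against a trusted root; the group parameters, the gateway name and the function names are this example's own choices.

```python
"""WTLS Class 1 vs Class 2 against an active attacker (added example, not from the slides)."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # prime, but a toy group: not a real DH group for production use
G = 3
CA_KEY = b"toy-ca-key"      # stand-in for the client's trusted root (assumption)
GATEWAY_NAME = b"wap-gw.example"


def dh_keypair() -> tuple:
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def derive_key(peer_pub: int, priv: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def certify(name: bytes, pub: int) -> bytes:
    """What the stand-in CA does once for the gateway: bind name to key share."""
    return hmac.new(CA_KEY, name + pub.to_bytes(16, "big"), hashlib.sha256).digest()


def cert_ok(name: bytes, pub: int, cert) -> bool:
    return cert is not None and hmac.compare_digest(certify(name, pub), cert)


def handshake(security_class: int, mitm: bool) -> dict:
    """Client<->gateway key agreement, optionally through an active attacker on the air link.
    Returns 'aborted', 'attacker_reads_client' (attacker shares the client's key) and,
    when no attacker is present, 'keys_match' (client and gateway agree on a key)."""
    gw_priv, gw_pub = dh_keypair()
    gw_cert = certify(GATEWAY_NAME, gw_pub) if security_class >= 2 else None

    # Gateway -> client over the air: (key share, certificate). The attacker can
    # replace the share but cannot forge a certificate for its own share.
    if mitm:
        atk_priv, atk_pub = dh_keypair()
        client_sees_pub, client_sees_cert = atk_pub, gw_cert
    else:
        client_sees_pub, client_sees_cert = gw_pub, gw_cert

    if security_class >= 2 and not cert_ok(GATEWAY_NAME, client_sees_pub, client_sees_cert):
        return {"aborted": True, "attacker_reads_client": False}

    # Class 1 has nothing to check here: the client just uses whatever share arrived.
    cli_priv, cli_pub = dh_keypair()
    client_key = derive_key(client_sees_pub, cli_priv)
    if mitm:
        # The attacker completes DH with the client (and, separately, with the gateway,
        # not modelled) and can now decrypt and re-encrypt everything in between.
        attacker_key = derive_key(cli_pub, atk_priv)
        return {"aborted": False, "attacker_reads_client": attacker_key == client_key}
    gateway_key = derive_key(cli_pub, gw_priv)
    return {"aborted": False, "attacker_reads_client": False,
            "keys_match": client_key == gateway_key}


if __name__ == "__main__":
    for cls in (1, 2):
        print(f"class {cls}, attacker present:", handshake(cls, mitm=True))
        print(f"class {cls}, no attacker:     ", handshake(cls, mitm=False))
```

Class 1 completes the handshake and hands the attacker the session key; Class 2 aborts because the substituted share has no valid certificate. Session resumption without re-authentication weakens this further: once a Class 1 session is accepted, resuming it skips the one step where verification could have happened.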
New Privacy Risks
- Monitoring of the user's private information
- Offline telemarketing
- Who is going to read the "legal jargon"?
- Value-added services based on location awareness (location-based services)