Secure Mobile Commerce


Secure Mobile Commerce
Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002
Author: S. Schwiderski-Grosche & H. Knospe
Presenter: Jung-wen Lo (駱榮問)
Date: 2004/12/16

Outline
- Introduction
- M-commerce
- Security of Network Technologies
- M-payment
- Conclusion
- Comment

Introduction
- M-commerce
  - Mobile devices are used to do business on the Internet
- Goal
  - Identify the special characteristics of m-commerce
  - Consider some important security issues
- Main areas to discuss
  - Network technology
  - M-payment

Mobile Device
- Kinds of devices
  - Mobile phone
  - Personal Digital Assistant
  - Smart phone
  - Laptop computer
  - Earpiece
- Characteristics
  - Size & colour of display
  - Input device
  - Memory & CPU processing power
  - Network connectivity, bandwidth capacity
  - Supported operating system
  - Availability of internal smartcard reader

Advantages of M-commerce
- Ubiquity
- Accessibility
- Security
- Localisation
- Convenience
- Personalisation

Disadvantages of M-commerce
- Limited capability
- The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform.
- Mobile devices are more prone to theft and destruction.
- Communication over the air interface introduces additional security threats.

Security Challenges
- Mobile device
  - Confidential user data should be protected from unauthorised use
- Radio interface
  - Requires the protection of transmitted data in terms of confidentiality, integrity and authenticity
- Network operator infrastructure
  - Security mechanism
- M-commerce application
  - Payment system

Security of Network Technologies (1/2)
- GSM (Global System for Mobile Communication)
  - Authentication is one way
  - Encryption is optional
  - A false base station can perform a “man-in-the-middle” attack
- UMTS (Universal Mobile Telecommunication System)
  - Authentication is mutual
  - Encryption is mandatory unless the mobile station and the network agree on an unciphered connection.
  - Integrity protection is always mandatory and protects against replay or modification of signaling messages.

Security of Network Technologies (2/2)
- WLAN (Wireless Local Area Network)
  - Provides no security by default
  - Attacker can modify data and CRC
  - WEP (Wired Equivalent Privacy) key can be recovered
  - Port-based 802.1x adopted
- Bluetooth
  - Provides link layer security
  - No privacy requirement
  - Unique Bluetooth device address allows the tracing of personal devices
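The WLAN point "attacker can modify data and CRC" can be checked directly. The following is an added example, not part of the original slides or the paper: it shows that an unkeyed CRC-32 under an XOR stream cipher accepts a frame altered without the key, while a keyed MAC over the ciphertext rejects the same alteration. Assumptions: a SHA-256 counter keystream stands in for WEP's RC4, IV handling is omitted, and all function names and the sample payload are constructed for illustration.

```python
import hashlib, hmac, os, zlib

def keystream(key, n):
    # Stand-in stream cipher (SHA-256 in counter mode); WEP itself uses RC4.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    # WEP-style integrity check value: an unkeyed CRC-32 of the plaintext.
    return zlib.crc32(data).to_bytes(4, "little")

def crc_seal(key, plaintext):
    body = plaintext + icv(plaintext)
    return xor(body, keystream(key, len(body)))

def crc_open(key, frame):
    body = xor(frame, keystream(key, len(frame)))
    data, check = body[:-4], body[-4:]
    return data if icv(data) == check else None

def modify_without_key(frame, delta):
    # CRC-32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(00..0),
    # so the ICV change caused by flipping bits `delta` needs no key.
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, delta + fix)

def mac_seal(enc_key, mac_key, plaintext):
    ct = xor(plaintext, keystream(enc_key, len(plaintext)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def mac_open(enc_key, mac_key, frame):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return xor(ct, keystream(enc_key, len(ct)))

def demo():
    key, mac_key = os.urandom(16), os.urandom(32)
    msg = b"ORDER 0001 QTY 01"  # constructed sample payload
    delta = xor(msg, b"ORDER 0001 QTY 91")
    crc_result = crc_open(key, modify_without_key(crc_seal(key, msg), delta))
    mac_frame = xor(mac_seal(key, mac_key, msg), delta + bytes(32))
    return crc_result, mac_open(key, mac_key, mac_frame)

if __name__ == "__main__":
    print(demo())
```

The CRC-protected frame decrypts to the altered payload and passes its check; the HMAC-protected frame is rejected.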

Transport Layer Security
- SSL/TLS (Secure Socket Layer)
  - HTTPS (HTTP over SSL)
  - KSSL by Sun
    - Does not offer client-side authentication
    - Only implements certain commonly used cipher suites
    - Has a very small footprint and runs on small devices
- WTLS (WAP Transport Layer Security)
  - No real end-to-end security is provided
  - WAP gateway needs to be trusted

Service Security (1/2)
- Intelligent network
  - CAMEL (Customised Application for Mobile Enhanced network Logic)
    - The IN architecture for GSM
- Parlay/OSA (Open Service Access)
  - Provides gateway functionality
  - M-commerce applications can then access network functionality
  - Offers authentication and encryption on the application layer
  - The security depends on the underlying network architecture
- SMS (Short Message Service)
  - No end-to-end security; the network operator and its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted

Service Security (2/2)
- USSD (GSM Unstructured Supplementary Service Data)
  - No separate security property
  - Relies on GSM/UMTS security mechanisms
- SIM/USIM (Subscriber Identity Module) application toolkit security mechanisms
  - Authentication
  - Message integrity
  - Replay detection and sequence integrity
  - Proof of receipt and proof of execution
  - Message confidentiality
  - Indication of the security mechanisms used

M-payment
- Background on payment systems
- Categorisation of e-payment systems
- Categorisation of m-payment systems
- Examples of m-payment systems

Background on Payment Systems
- Time of payment
  - Relation between initial payment and actual payment
  - Prepaid payment system
  - Pay-now payment system
  - Post-payment system
- Payment amount
  - Micropayments: up to about 1 €
  - Small payments: about 1 to 10 €
  - Macropayments: more than 10 €
- Anonymity issues
  - Complete
  - Partial
- Security requirements
  - Differ from system to system
  - Issues to consider
    - Integrity
    - Authentication
    - Authorisation
    - Confidentiality
    - Availability
    - Reliability
- Online or offline validation
  - Online
    - Background payment servers
    - Trusted third party
    - Double spending
  - Offline
    - No trusted third party
    - Additional communication overhead

Categorisation of E-payment Systems
- Direct cash
- Cheque
- Credit card
- Bank transfer
- Debit advice

E-payment Systems
[Figure: three payment flow diagrams, each between Issuer, Acquirer, Customer and Merchant]
- Direct-cash-like: 1. Withdrawal, 2. Payment, 3. Deposit; Settlement between Issuer and Acquirer
- Cheque-like: 1. Payment, 2. Authorisation and capture; Settlement between Issuer and Acquirer; Indication
- Bank transfer: 1. Transfer request, 2. Settlement; Indication

Categorisation of M-payment Systems
- Software electronic coins
  - $ stored on a mobile device
  - Ex. electronic coin
- Hardware electronic coins
  - $ stored on a secure hardware token in the mobile device
  - Ex. smartcard
- Background account
  - $ stored remotely on an account at a trusted third party

Examples of m-payment systems
- Software electronic coins
  - Potentially remain completely anonymous
  - Examples
    - eCash
    - E-commerce
    - NetCash
    - MilliCent
- Hardware electronic coins
  - Implement an e-purse
  - Electronic cash on a smartcard
    - GeldKarte
    - Mondex
- Background account
  - Held at a network operator
    - The charged amount is transferred to the existing billing solution and included in the customer bill.
    - Ex. M-pay Bill service from Vodafone and Mobilepay
  - Held at a credit card institution
    - The payment mechanism is secure transmission of credit card data to the credit card company
    - Ex. Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa
  - Held at a bank
    - The existing banking infrastructure and technology can be reused.
    - Ex. Paybox and MobiPay by BBVA and Telefonica

Standardisation and forums
- PayCircle (http://www.paycircle.org)
- MoSign (http://www.mosign.de)
- Mobile Payment Forum (http://www.mobilepaymentforum.org)
- mSign (www.msign.org)
- mwif (http://www.mwif.org)
- Radicchio (http://www.radicchio.org)
- Encorus (http://www.encorus.com)
- Mobile electronic Transactions MeT (http://www.mobiletransaction.org)

Conclusion
- Discussed security issues relating to network and service technologies and m-payment
- Regarding m-payment, some systems are under development or already operational
- One of the main future challenges will be to unify payment solutions and provide the highest possible level of security

Comment
- Survey-type paper