Download presentation
1
Secure Mobile Commerce
Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp , Oct. 2002 Author: S. Schwiderski-Grosche & H. Knospe Presenter: Jung-wen Lo(駱榮問) Date: 2004/12/16
2
Outline Introduction M-commerce Security of Network Technologies
M-payment Conclusion Comment
3
Introduction M-commerce Goal Main area to discuss
Mobile devices are used to do business on the Internet Goal Identify the special characteristics of m-commerce Consider some important security issues Main area to discuss Network technology M-payment
4
Mobile Device Kinds of devices Characteristics Mobile phone
Personal Digital Assistant Smart phone Laptop computer Earpiece Characteristics Size & colour of display Input device Memory & CPU processing power Network connectivity, bandwidth capacity Support operating system Availability of internal smartcard reader
5
Advantages of M-commerce
Ubiquity Accessibility Security Localisation Convenience Personalisation
6
Disadvantages of M-commerce
Limited capability The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform. Mobile devices are more prone to theft and destruction. Communication over the air interface introduces additional security threats
7
Security Challenges Mobile device Radio interface
Confidential user data Radio interface Protection of transmitted data Network operator infrastructure Security mechanism M-commerce application Payment system Mobile device Confidential user data should be protected from unauthorised use Radio interface Require the protetcion of transmitted data in terms of confidentiality, integrity and authenticity Network operator infrastructure Security mechanism M-commerce application Payment system
8
Security of Network Technologies (1/2)
GSM (Global System for Mobile Communication) Authentication is one way Encryption is optional False base station perform a “man-in-middle” attack UMTS (Universal Mobile Telecommunication System) Authentication is mutual Encryption is mandatory unless the mobile station and the network agree on an unciphered connection. Integrity protection is always mandatory and protects against replay or modification of signaling messages.
9
Security of Network Technologies (2/2)
WLAN (Wireless Local Area Network) Not provide any security in default Attacker can modify data and CRC WEP (Wired Equivalent Privacy) key can be recovery 802.1x port-based adopted Bluetooth Provide link layer security No privacy requirement Unique Bluetooth device address allows the tracing of personal devices
10
Transport Layer Security
SSL/TLS (Secure Socket Layer) HTTPS (HTTP over SSL) KSSL by Sun Not offer client-side authentication Only implements certain commonly used cipher suites Has a very small footprint and runs on small devices WTLS (WAP Transport Layer Security) No real end-to-end security is provided WAP gateway needs to be trusted
11
Service Security (1/2) Intelligent network
CAMEL (Customised Application for Mobile Enhanced network Logic1) The IN architecture for GSM Porlay/OSA (Open service Access) Provides gateway functionality M-commerce applications can then access network functionality Offers authentication and encryption on the application layer The security depends on the underlying network architecture SMS (Short Message Service) No end-to-end security, and the network operator Its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted
12
Service Security (2/2) USSD (GSM Unstructured Supplementary Service Data) No separate security property Relies on GSM/UMTS security mechanisms SIM/USIM application toolkit (Subscriber Identity Module) security mechanisms Authentication Message integrity Replay detection and sequence integrity Proof of receipt and proof of execution Message confidentiality Indication of the security mechanisms used
13
M-payment Background on payment systems
Categorisation of e-payment systems Categorisation of m-payment systems Examples of m-payment systems
14
Background on Payment Systems
Time of payment Relation between initial payment and actual payment Prepaid payment system Pay-now payment system post-payment system Payment amount Micropayments: Up to about 1 € Small payments: about 1 to 10 € Macropayment: more tha 10 € Anonymity issues Complete Paritial Security requirements Different on system Consider issues Integrity Authentication Authorisation Confidentiality Availability Reliability Online or offline validation Online Background payment servers Trusted third party Double spending Offline No trusted third party Additional communication overhead
15
Categorisation of E-payment Systems
Direct cash Cheque Credit card Bank transfer Debit advice
16
E-payment Systems Direct-cash-like Cheque-like Bank Transfer
Issuer Acquirer Issuer Acquirer Settlement Settlement 2.Authorisation and capture 1.Withdrawal 3.Deposit Indication Customer Merchant Customer Merchant 2.Payment 1.Payment Bank Transfer Issuer Acquirer 2.Settlement 1Transfer request Indication Customer Merchant
17
Categorisation of M-payment Systems
Software electronic coins $ stored on a mobile device ex. electronic coin Hardware electronic coins $ stored on a secure hardware token in the mobile device ex. smartcard Background account $ stored remotely on an account at a trusted third party
18
Examples of m-payment systems
Software electronic coins Potentially remain completely anonymous Example eCash E-commerce NetCash MilliCent Hardware electronic coins Implement an e-purse Electronic cash on a smartcard GeldKarte Mondex Background account Hold at a network operator The charged amount is transferred to the existmg billing solution and included in the customer bill. E. M-pay Bill service from Vodafone and Mobilepay Hold at a credit card institution The payment mechanism is secure transmission of credit card data to the credit card company Ex. Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa Hold at a bank The existing banking infrastructure and technology can be reused. Ex. Paybox and MobiPay by BBVA and Telefonica
19
Standardisation and forums
PayCircle ( MoSign ( Mobile Payment Forum ( forum.org) mSign ( mwif ( Radicchio ( Encorus ( Mobile electronic Transactions MeT (
20
Conclusion Discussed security issues relating to network and service technologies and m-payment Regarding m-payment, some systems are under development or already operational One of the main future challenges will be to unify payment solutions and provide the highest possible level of security
21
Comment Survey型paper
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.