186
Chapter 11
Overview of Mobile Payment:
Technologies and Security
Vibha Kaw Raina
Birla Institute of Technology, India
ABSTRACT
According to the Mobile Payment Forum, mobile payments are the transactions with a monetary value
that is conducted through a mobile telecommunications network through diverse mobile users devices,
such as cellular telephones, smart phones or PDAs, and mobile terminals. Mobile payment is a transfer
of funds in return for goods or services in which a mobile device is functionally involved in executing
and confirming payment. The payer can be standing at a POS or be interacting with a merchant located
somewhere else. Mobile payment systems enable customers to purchase and pay for goods or services
via mobile phones. Here, each mobile phone is used as the personal payment tool in connection with
the remote sales. Payments can take place far away from both the recipient and the bank. This chapter
gives an overview of mobile payments.
INTRODUCTION
The growth in wireless technology increases the
number of mobile device users and gives pace to
the rapid development of e-commerce conducted
with these devices. The new type of e-commerce
transactions, conducted through mobile devices
using wireless telecommunications network and
other wired e-commerce technologies, is called
mobile commerce, increasingly known as mobile
e-commerce or m-commerce. Mobile commerce
enables a new mode of information exchange and
purchases, and it presents an unexplored domain.
To customers, it represents convenience; merchants associate it with a huge earning potential;
service providers view it as a large unexplored
market; governments look it as a viable and highly
productive connection with their constituents. In
DOI: 10.4018/978-1-4666-5190-6.ch011
Copyright © 2014, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Overview of Mobile Payment
short, mobile commerce promises many more
alluring market opportunities than traditional
e-commerce. M-Commerce is an area arising
from the combination of electronic commerce
with emerging mobile and pervasive computing
technology.
The most important application of mobile
Commerce is Mobile payments. These services
makes a mobile device to act as a business tool
replacing bank, ATM, and credit cards by letting
a user conduct financial transactions with mobile
money. A mobile user attempts to purchase goods
or services from a business or service provider,
which then contacts a trusted third party, the wireless service provider, or a financial institution to
authenticate the user and amount of purchase.
Once approved, a mobile payment can be made
and the purchase is completed. The corresponding funds can then be withdrawn from user’s mwallet, charged to user’s phone bill, or subtracted
from user’s bank account. Alternatively, the user
could pay using mobile money provided to him
by another user or a third party mobile money
provider. Mobile money can be moved freely
among users either by using a local area wireless
network or by using the wireless service provider’s
network. Several groups are working on mobile
payments, including PayCircle that is established
by HP, Lucent, Oracle, Sun, and Siemens. Mobile financial transactions require a strong level
of security support. Although, security features
have been added in mobile middleware such as
WAP for financial applications, wireless PKI
(Public Key Infrastructure), a system to manage
keys and certificates, is used to authenticate and
obtain digital signatures from mobile users. The
payment system is an application responsible for
increase in competitive advantage in organizations.
Researchers are interestingly working in the area
of mobile payments as it is multidisciplinary in
nature and works in collaboration with different
areas like telecommunications, wireless networking, mobile computing and security.
1. BACKGROUND
Chen et al. (2010) described a mobile payment
system for merchant micropayments that can
be built on existing GSM and NFC architecture
components. The author’s proposal leverages the
SIM’s authentication and identification capabilities and used cryptographic primitives, which
simplifies integration into the current mobile
infrastructure. The use of NFC for short range
communication allows for possible integration
with existing Point -Of-Sale (POS) equipment
and the payment process from the customer and
merchant’s perspective remains unchanged. Liu
et al. (2010) proposed a trust model to protect the
user’s security. The billing or trust operator works
as an agent to provide a trust authentication for
all the service providers. The services are classified by sensitive calculations. With this value, the
user’s trustiness for corresponding service can be
obtained. For, decision, three ranks: high, medium
and low. The trust region tells the customer with
his calculated trust value, which rank he has got
and which authentication methods should be used
for access. Authentication history and penalty are
also involved with reasons. Yang et al. (2010) gives
a general framework of online mobile payment
and presents a new mobile payment pattern which
advocates stratified extension and cascading agent
based on stable and credible platform group. It also
proposes a cross-bank unified payment platform
to solve the difficulties of connection to banks.
As a result, the authors got the regular effective
and monitoring payment process which is of great
manoeuvrability. The mobile payment process
will be more reasonable and the transaction will
be more secure. This framework was given to
solve the problem of mobile applications that are
difficult to be connected with the banks. Asghar
et al. (2010) have surveyed five different models
in the field of mobile payment in their research;
then they were compared with MCDM evaluation
methods applications. To implement a mobile
187
Overview of Mobile Payment
payment service, there are many actors involved
such as bank, operator and service provider. As an
effective interaction role and in order to optimize
efficient parameters for implementing a mobile
payment solution a suitable business model is
necessary. Since one of the most effective parameter to select an appropriate business model is the
banks/operators structure of every country, the
proposed business model is localized based on the
Iranian banks/operators’ framework. The results
of MCDM method indicate that the collaboration
model is the most suitable mobile payment business model in Iran. Olsen et al. (2011) proposed
a design of e-wallets. Interviews and formative
usability evaluations have provided data for the
construction of first a conceptual model in the
form of low fidelity mock-ups. Chandrahas et al.
(2011) focussed on some design considerations
for Mobile Payment Architecture. For widespread
adoption, interoperability is a key concern. The
design of this architecture requires the user to know
only the beneficiary’s mobile number in order
to initiate a mobile payment. This is restrictive
in the sense that only one bank account can be
linked to a mobile number. To enhance flexibility
it would be desirable, especially for merchants, to
be able to link multiple bank accounts to a single
phone number. The authors proposed an alternate
and enhanced design that allows the flexibility to
link multiple bank accounts while also allowing
the transactions to be conducted with just the
mobile number. Evaluated and compared these
two designs on various criteria. The details of
implementation issues, advantages and limitations
are also presented. The analysis is a step towards
the evaluation process of various design choices
for mobile payment architectures.
Researchers are continuously working in the
field of mobile payments in order to increase the
competitive advantage for the organisations and
from user’s perspective as well.
188
2. PAYMENT SYSTEMS
According to the Mobile Payment Forum the mobile payments are the transactions with a monetary
value that is conducted through a mobile telecommunications network through diverse mobile users
devices, such as cellular telephones, smart phones
or PDA’s and mobile terminals. Mobile payment is
a transfer of funds in return for goods or services
in which a mobile device is functionally involved
in executing and confirming payment. The payer
can be standing at a POS or be interacting with a
merchant located somewhere else. Mobile Payment is a major component of m- commerce and
is defined as a process of two parties exchanging
financial value using a mobile device in return
for goods or services.
Mobile payment systems enables customers to
purchase and pay for goods or services via mobile
phones. Here, each mobile phone is used as the
personal payment tool in connection with the remote sales. A phone card-based payment system
has the advantage over the traditional card-based
payment in that the mobile phone replaces both
the physical card and the card terminal as well.
Payments can take place anywhere far away from
both the recipient and the bank. The basics and
example of phone-based payment systems are
described in Innopay, Mobile Payments.
Traditionally, in the real world, the most
popular modes of payments are cash, cheques,
debit cards and credit cards. With the possibilities created by the Internet, a new generation of
payments appeared, such as electronic payments,
digital payments and virtual payments. Now, with
the growing penetration of the mobile phone and
the development of m-commerce, the mobile
payment will become an uncontested mode for
paying goods.
Consumers can use a mobile device to pay for
goods and services, transportation-related items,
any merchandise in a physical merchant location.
For Goods and Services such as music, videos,
ringtones, online game subscriptions, wallpapers,
Overview of Mobile Payment
and other digital goods. For Transportation-related
items such as bus, subway, or train fares and parking at meters.
Doing financial transactions with mobile
phones eliminates the need for auxiliary payment
instruments (like POS devices), while using security features of the SIM card (as a smart card)
yield to a great level of security and dependability. A mobile payment service comprises of all
technologies that are offered to user as well as all
tasks that the payment service provider(s) perform
to commit payment transactions.
2.1. Classification of
Mobile Payments
Mobile payment methods currently in use or
under trial may be classified according to the
basis of payment. A payment transaction has been
identified on the basis of multiple dimensions. A
distinction between the different types of payments
is on the basis of location, time, size and medium.
Mobile payments are typically differentiated by
technology, transaction size, location (remote or
proximity), and funding mechanism.
On the basis of location payments are classified in two types:
•
•
Remote mobile payments
Proximity mobile payments
On the basis of Technology:
•
•
SMS, a mobile browser, or a mobile
application
Bar codes or a contactless interface to
chip-enabled payment technology, such as
NFC-enabled mobile phones, contactless
stickers, tags.
On the basis of size the payments are classified
into two types:
•
Micro payments.
•
Macro payments.
On the basis of funding mechanism the payments are categorised into following types:
•
•
•
•
•
•
•
•
•
Account Based
Real time
Pre paid
Post paid
Smart card Based
Credit card Based
M POS
Mobile wallets
P2P Payments
2.1.1. Location-Based Payments
Remote mobile payments and proximity mobile
payments are distinguished by the location of the
mobile handset in relation to the merchant’s POS,
as well as by payment account information and the
payment acceptance device or service. A remote
mobile payment is a payment in which the payer
does not interact directly with the merchant’s
physical POS system (for example, transferring
funds through a mobile phone application to a
merchant’s PayPal account). A proximity payment
is a payment in which the mobile phone interacts
in some way with a physical POS device to transfer
the consumer’s payment information and perform
the transaction.
2.1.1.1. Remote Mobile Payment
Remote mobile payments may use a variety of
mobile phone data channels to initiate a transaction. Most mobile phones are equipped with
functionality that can enable remote mobile payments. Remote mobile payments makes purchases
from a Web merchant with mobile phone, paying
a merchant who does not have traditional acceptance capabilities for physical goods, or paying a
merchant for a purchase of digital goods. Remote
189
Overview of Mobile Payment
mobile payments may be implemented using the
existing financial payments infrastructure (e.g.,
for payment at a Web merchant) or using a closed
loop mobile payments system.
A remote mobile payment process is as follows:
•
•
•
•
The consumer and merchant set up an account with a trusted third party or MPSP.
When a transaction is initiated, a SMS message is sent to the MPSP. Authentication
can be secret passwords, validation of
handset hardware information, or verification of other sender personal information.
After the transaction request is received
and authenticated, the MPSP transfers
funds from the consumer’s account into the
merchant’s account and notifies the merchant that the funds have been transferred.
In a closed loop system, the merchant may
then move the funds into a standard bank
account.
Remote mobile payments are ideal for use in
markets that require person-to-person payments
and for under-banked consumers and merchants
who are not part of the normal POS acquirer payment process, such as flea market vendors and
seasonal outside vendors.
2.1.1.2. Proximity Mobile Payments
Proximity mobile payments leverage the financial
industry’s payment infrastructure. An NFCenabled phone is provisioned with a version of
the payment application (i.e., credit or debit card)
issued by the consumer’s financial institution.
The application and payment account information are encrypted and loaded into a secure area
in the phone. The phone uses the built-in NFC
technology to communicate with the merchant’s
contactless payment-capable POS system, similar
to the contactless payment cards and devices in
use today. The payment and settlement processes
are the same processes used when the consumer
pays with a traditional contactless or magnetic
190
stripe credit or debit payment card. Proximity
mobile payments can be made at both attended
POS locations (such as stores) and unattended
locations (such as vending machines) that use the
existing merchant payments infrastructure. To pay,
the consumer simply brings the phone to within a
few inches of a contactless payment capable POS
system and the transaction occurs. The process
is the same as that used by the contactless credit
and debit cards currently being deployed in the
United States.
The most obvious differences between proximity and remote mobile payments are speed,
convenience, and the fact that NFC payments
use the existing financial payments processing
infrastructure. There is no need to set up payment
processes or accounts with a third party, and the
proximity mobile payment data is linked directly
to a payment card issued to the consumer by a
trusted financial institution.
2.1.2. Technology
Mobile payments use different technologies to
perform a transaction. Remote payments typically
rely on text messaging (SMS), a mobile browser,
or a mobile application. Proximity payments rely
on either bar codes or a contactless interface to
chip-enabled payment technology, such as NFCenabled mobile phones, contactless stickers, tags,
or fobs.
2.1.3. Transaction Size
Transaction size affects the choice of mobile
payment technology and approach. Mobile payments typically fit into one of two transaction
size categories. Micropayments (less than $10$25) are typical for paying for ring tones, music,
parking, transit, coffee, and items in convenience
stores. Micropayments’ (over $25) are typical for
all other transactions, such as person-to-person
domestic and international remittances, charitable
donations, Web site purchases, bill payment and
retail POS.
Overview of Mobile Payment
2.1.3.1. Micro Payments
2.1.3.2. Macro Payments
Remote mobile micropayments enable purchases
of mobile content and services such as news,
games, tickets, and location-based services. Mobile micropayments also provide a potential payment method for e-commerce. In Finland, Helsinki
City Transport offers a mobile subway and tram
ticket, an example of a successful mobile payment
service. Customers can order a one hour SMS
ticket via their mobile phones by sending a SMS
message to a service number. Mobile micropayments at unmanned POS include applications such
as purchase of soft drinks or items from vending
machines, and payments on self-service stations,
for example paying for gas without cash at hand.
Mobile micropayments at manned POS include
small purchases at shops, kiosks, and fast food
restaurants. The manned POS mobile payments are
often more convenient in the purchase situations.
Micropayments generally represent a payment
which is below 10 Euros and is usually supported
by cash or debit cards. Merchants accept credit card
transactions for small amounts because of transaction fees. Consequently, mobile payments are an
attractive substitute for this type of transaction,
especially since most current mobile purchases
are news alerts, logos and ringtones. However,
most companies promoting micropayments failed
because the margins on small value payments are
notoriously low, and sufficient economies of scale
are extremely difficult to attain.
Micro payments are provided by mobile
operators, with payment being made mostly via
premium SMS/WAP using mobile operators’
billing infrastructures. Such micro-payments have
proved to be an extremely lucrative source of
revenue. Since payment amounts are low and the
merchant’s fee for mobile content relatively high,
mobile operators have accepted the payment risk,
based on their basic authentication of the user and
their billing systems, without any collaboration
with the banks for online authorisation.
Mobile macro payments can be used to pay for
larger purchases both electronically (e-commerce,
mobile ticketing, gaming) and on manned and
unmanned POS (restaurants, retail shopping,
and so forth). Mobile macro payments face more
competition from well-established traditional payment instruments. However, solutions developed
for user authentication in macro payments provide
possibilities for a variety of different services such
as passage control, digital signatures, and mobile
government services. There are different research
and telecom organisations that are developing a
mobile authentication service based on a WPKI
solution. Mobile authentication can be used for
m-government services and digital signatures both
on Internet and mobile networks.
Macro payments are logically every payment
above 10 Euros and represent a real challenge for
mobile payments. They need stronger security
mechanisms because of the large amount of money
involved and the greater possibility of fraud.
For remote macro payments, the mobile is
linked to a payment card (credit/debit card) or
an account (bank account and/or store account)
through an activation/ enrolment process and is
used afterwards as an authenticator of remotelystored information. There are various opportunities
for mobile remote macro payments.
1.
2.
Topping-Up a Mobile Pre-Paid Account:
This is done with the help of handset.
Customers do not need any more to go to
the shop to purchase a voucher. For mobile
operators, this is a far less expensive topping
up method than scratch cards and represents
huge cost savings.
Mobile Shopping: Here the mobile phone
is used as a shopping and payment channel.
Shopping channels are based on IVR, SMS
or WAP/ iMODE. Access to the mobile store
can be facilitated by tag reading, whereby
191
Overview of Mobile Payment
the user swipes the mobile phone across a
tag that links them to a website to purchase
a product.
There are two kinds of tag:
3.
4.
5.
6.
7.
8.
192
Bar Code Tag: The user scans the bar-code
near his favourite product in a magazine,
using his mobile phone embedded camera.
He is then redirected to the related product
on the merchant’s WAP site, where he can
get more information on it and purchase it.
NFC Tag: The same principle as the bar
code tag, but the NFC tag is read by the
NFC-enabled mobile phone. Ticketing applications in which dematerialised tickets
are ordered, paid for and delivered on the
mobile.
Bill Payment: SMS bill delivery and payment is already being used by some mobile
operators and utility companies.
Internet Shopping: Here a user authenticates their transaction with their mobile
handset rather than having to enter their
credit card details. There is a still a significant
number of consumers that do not feel comfortable entering credit cards details online,
for whom mobile authentication could be an
acceptable alternative The mobile device are
also used as an authentication method for
3D-secure card payments online. In this case,
the user still enters their card details through
the Internet and validates the transaction on
their mobile phone
P2P (Person to Person): It refers to payment
between two persons through their GSM.
The success of P2P on the Internet is largely
driven by online auctions.
M- POS: It refers to a specific case of P2P
in which the mobile payment service is marketed to professionals and to low-segment
mobile merchants without point-of-sale
(POS) payment terminals, for which mobile
payment could prove a cheaper alternative to
9.
electronic payment. The merchant initiates
the transaction via a SIM toolkit menu entry
in his mobile device, entering the amount
due and the customer’s phone or reference
number. The customer then receives a signature request on his mobile handset and
validates it by entering his PIN. Both receive
a confirmation of the transaction via SMS.
Transactions are performed directly by debiting the customer’s bank card and crediting
the merchant account. The payment costs
including communication costs are billed
by the telecom operators using the SMS
premium infrastructure.
International Fund Transfer for Migrant
Communities: Another potentially promising application for P2P mobile payment
services is the capability to send money
abroad.
The international fund transfers via mobile
phone represent the Mobile Money Transfer
mechanism endorsed by the GSM Association
and MasterCard that leads to a faster development
of operator driven mobile fund transfer systems
worldwide. An additional new opportunity for
mobile operators is to bring financial services to
developing countries, where the number of ‘unbanked’ (or under banked’) people with mobile
phones is much higher than the banked population.
Vodafone’s M-PESA in Kenya is a good example
of those emerging opportunities, enabling mobile
subscribers to deposit or withdraw cash at a branch
of the mobile operator, top-up their prepaid account and transfer money to another customer
using their mobile phone.
2.1.4. Funding Mechanism
Mobile payments rely on multiple funding mechanisms. Transactions can be included on a telephone
bill or funded by a prepaid account associated with
the phone (typically used for text-message-based
payments). Alternatively, cash can be loaded into
Overview of Mobile Payment
a virtual account at an agent location that is then
used for payment. This is the alternate way to
maintain an account for each consumer in the form
of electronic tokens. Here, consumers typically
need to convert actual currency to their electronic
equivalent, i.e. tokens. Another source of funds
is a traditional bank account or credit, debit, or
prepaid card, accessed through a virtual wallet (a
wallet that is accessed using the mobile phone’s
browser or a mobile application). The wallet may
provide access to one or more of the above funding
sources, which are loaded into the wallet.
2.1.4.1. Account-Based Payment Systems
In account-based payment systems, each customer
is associated with a specific account maintained
by the TTP like a bank. Every consumer is associated with a specific account maintained by
an Internet Payment Provider. There are three
kinds of transactions in Account based Payment
Systems (Real time-Cash, Prepaid transactionsDebit, Post-paid transactions-Credit):
1.
2.
3.
Real-Time (Cash): Payment methods that
adopt the real-time or “cash” like payment
schedule involve some form of electronic currency that is exchanged during a transaction.
Examples of real-time payment methods are
e-Cash and beenz.
Pre-Paid: In pre-paid transactions, this
account will be directly linked to the consumer’s savings account. The consumer
maintains a positive balance of this account
which is debited when a pre-paid transaction is processed. This is the most common
charging method for MNO’s as well as
third-party service providers in order to be
able to evaluate only that the user is capable
of paying. The prepaid user is a significant
part of the current MNO customer base.
Post-Paid: If post-paid transactions are
supported, the charges from a transaction
are accrued in the consumer’s account.
The consumer is then periodically billed
and pays for the balance of the account to
the TTP. This is the most common method
used in e-/m-commerce transactions today.
Examples are:
a. Phone-Bill Based: This is the charge
method most commonly used by mobile
network operators, and it is an internal
charging method.
b. Account-Based (Bank/Credit Card):
This method is used by banks, which a
priori have an account of the user, or
the credit card industry.
2.1.4.2. Smart Card Payment Systems
A smart card, chip card, or ICC is any pocket-sized
card with embedded integrated circuits. Smart
cards are made of plastic, generally polyvinyl
chloride, but sometimes polycarbonate. Smart
cards can provide identification, authentication,
data storage and application processing. Smart
cards may provide strong security authentication
for single sign-on within large organizations.
Payment systems use a smart card, an embedded
microcircuit, which contains memory and a microprocessor together with an operating system for
memory control. These smart cards can be used
for electronic identification, electronic signature,
encryption, payment, and data storage.
Smart cards serve as credit or ATM cards, fuel
cards, mobile phone SIMs, authorization cards
for pay television, household utility pre-payment
cards, high-security identification and accesscontrol cards, and public transport and public
phone payment cards. Smart cards may also be
used as electronic wallets. The smart card chip
can be “loaded” with funds to pay parking meters
and vending machines or at various merchants.
Cryptographic protocols protect the exchange of
money between the smart card and the accepting
machine. No connection to the issuing bank is
193
Overview of Mobile Payment
necessary, so the holder of the card can use it even
if not the owner.
These are the best known payment cards (classic plastic card):
•
•
•
Visa: Visa Contactless, PayWave.
MasterCard: PayPass Magstripe, PayPass
Mchip
American Express: ExpressPay.
Smart cards are of two types: Contact smart
cards and Contactless smart cards.
1.
2.
194
Contact Smart Cards: Contact smart
cards have a contact area of approximately
1 square centimetre, comprising several
gold-plated contact pads. These pads provide
electrical connectivity when inserted into a
reader, which is used as a communications
medium between the smart card and a host
(e.g., a computer, a point of sale terminal)
or a mobile telephone. Cards do not contain
batteries; power is supplied by the card
reader. The ISO/IEC 7810 and ISO/IEC 7816
series of standards define physical shape
and characteristics, electrical connector
positions and shapes, electrical characteristics, communications protocols, including
commands sent to and responses from the
card and the basic functionality of the smart
card. Communication protocols for contact
smart cards include T=0 (character-level
transmission protocol, defined in ISO/IEC
7816-3) and T=1 (block-level transmission
protocol, defined in ISO/IEC 7816-3).
Contact-Less Smart Cards: A contactless smart card is any pocket-sized card
with embedded integrated circuits that can
process and store data, and communicate
with a terminal via radio waves. Memory
cards contain non-volatile memory storage
components, and perhaps some specific security logic. Contactless smart cards contain
a re-writeable smart card microchip that can
be transcribed via radio waves. These cards
require only proximity to an antenna to communicate. They are often used for quick or
hands-free transactions such as paying for
public transportation without removing the
card from a wallet. Like smart cards with
contacts, contactless cards do not have an
internal power source. Instead, they use an
inductor to capture some of the incident
radio-frequency interrogation signal, rectify
it, and use it to power the card’s electronics. The standard for contactless interface is
defined in ISO/IEC 14443-4.
The first contactless smart card in production
use for fare payment was the Octopus card. A
major application of this technology has been
contactless payment credit and debit cards. Some
major examples include are ExpressPay from
American Express, PayPass from MasterCard
and PayWave from Visa.
2.1.4.3. Credit Card Mobile Payment Systems
This type of mobile payment systems allow customers to make payments on mobile devices using
their credit cards. These payment systems are
developed based on the existing credit card-based
financial infrastructure by adding wireless payment capability for consumers on mobile devices.
A credit card is a payment card issued to users as
a system of payment. It allows the cardholder to
pay for goods and services based on the holder’s
promise to pay for them. The issuer of the card
creates a revolving account and grants a line of
credit to the consumer (or the user) from which
the user can borrow money for payment to a
merchant or as a cash advance to the user. Credit
cards allow the consumers a continuing balance
of debt, subject to interest being charged. The
credit cards conform to the ISO/IEC 7810 ID-1
standard. Credit cards have an embossed bank
card number complying with the ISO/IEC 7812
Overview of Mobile Payment
numbering standard. The existing SET secure
protocol, developed by Visa and MasterCard for
secure transfer of credit card transactions, has
been extended and known as 3D SET to support
mobile payment for mobile device users.
2.
2.1.4.4. Mobile POS Payment
Mobile POS payment system enables customers
to purchase products on vending machines (or in
retail stores) with mobile phones. Two popular
types of mobile POS systems are: automated
point-of-sale payments, and attended point-of-sale
payments. The first type is frequently used over
ATM machines, retail vending machines, parking meters or toll collectors, and ticket machines
to allow mobile users to purchase goods (such
as snacks, parking permits, and movie tickets)
through mobile devices. The other type of Mobile
POS systems is useful for shop counters and taxis.
They allow mobile users to make payments using
mobile devices with the assistance from a service
party, such as a taxi driver, or a counter clerk etc.
A typical example of mobile POS payment system
is Ultra’s M-Pay.
2.1.4.5. Mobile Wallets
Mobile wallets are the most popular type of mobile
payment option for transactions. Like e-wallets,
they allow a user to store the billing and shopping
information that the user can recall with one-click
while shopping using a mobile device. The primary
types of mobile wallet schemes in the market are
client wallet and hosted wallet.
1.
Client Wallets: These are stored on a user’s
device in the form of a SIM Application
Toolkit card that resides in a mobile phone.
Since the wallet is based on hardware, it is
difficult to update, and potentially the user’s
sensitive financial information is compromised if the device is lost or stolen.
Hosted Wallets: These are the digital wallets
hosted on a server. This gives the service
provider much greater control over the
functionality it delivers and the security of
the data and transactions. Hosted wallets can
be self- hosted wallets or third party hosted
wallets.
In addition, server based mobile e-wallets using
SET technology are already being used, providing secure transaction capability for merchants
and cardholders.
2.1.4.6. P2P Mobile Payment
P2P payment allows individuals to pay one another
through a third party. P2P payment services, which
are offered by many banks and third parties, can
also allow business owners to transfer money to a
customer or supplier account (and vice versa) using
an e-mail address or mobile phone number. Users
can conduct transactions using funds from a bank,
credit, debit or prepaid account, or the payment can
be funded through the mobile phone bill. PayPal
is the leader in the P2P category, with the largest
global Internet-based payment network. PayPal
offers a mobile phone app that allows consumers
to send and request money using an e-mail address
or phone number and a service based on SMS.
PayPal has a P2P payments solution for Android
NFC phones that allows money to be transferred
by tapping two NFC phones together.
Other examples of P2P mobile payment solutions include the following (Figure 1):
•
In 2010, Visa announced a new P2P payment service that gives its U.S. customers
the ability to receive and send money from
their Visa accounts. Visa’s service includes
a partnership with CashEdge and Fiserv;
two P2P financial transaction companies
that now have access to VisaNet, the company’s payment processing network.
195
Overview of Mobile Payment
Figure 1. Mobile payment overview
•
•
MasterCard MoneySend uses the mobile
browser, SMS, or a mobile app to enable
customers to transfer money from person
to person using a mobile phone.
ZashPay, a service provided by Fiserv, offers a public Web site that allows people
to transfer money using e-mail addresses
or mobile phone numbers. The banks involved determine the sender’s fee.
2.2. Mobile Payments Stakeholders
Mobile payments implementations are still in
their infancy, with business models still being
defined and tested through numerous pilots in
the market. The business case mobile payment
is complicated especially in proximity payments.
There are concerns about the rate at which both
consumers and merchants adopt payment type.
However, the fundamental barrier to widespread
adoption of mobile payments is the requirement
that multiple players cooperate. Many of these
players claim both a relationship with the customer
and a share of transaction revenue. During the
next several years, thousands more merchants in
196
the United States are expected to be able to accept
contactless payments. However, certain critical
requirements must be met by all stakeholders
before high volumes of consumers can actually
start using mobile phones for payment especially
at a physical POS.
There are a wide variety of stakeholders in a
mobile payments system (Figure 2). Depending on
the implementation scenario, stakeholders change
and additional stakeholders with varying degrees
of involvement may also be involved.
Stakeholders may include:
1.
2.
3.
4.
Consumers are the stakeholders who use
the mobile payment devices for conducting
mobile payment transaction.
Issuers are the stakeholders who issue mobile payment capabilities and support easy
management of mobile payments.
Merchants are the stakeholders who accept
mobile payments whether contactless or
contacted payments.
Acquirers are the trusted third parties who
support mobile payments.
Overview of Mobile Payment
Figure 2. Mobile payment stakeholders
Mobile operators are the stakeholders who
ensure a supply of mobile phones with NFC
technology and support payment services on
their networks for proximity payments.
6. Payment networks are the stakeholders
who set standards and promote acceptance
by all parties throughout the network.
7. Chip and Handset Manufacturers are the
stakeholders who support branded financial
applications.
8. SIM/payment Software Developers are
the stakeholders who develop and support
branded financial applications for chip and
handset manufacturers.
9. Trusted service manager are the stakeholders including OTA personalization bureaus
who provision the payment application to
the memory of the phone.
10. Issuing and Acquiring Payment Processors
are the stakeholders who process payments
acting on behalf of acquiring and issuing
banks and who are involved in almost every
case
11. Proprietary payment application providers are the stakeholders who offer payment applications for specific services (for
example, transit agencies’ fare payment
systems).
12. Specialty Application Providers is the
stakeholders who can add additional value
to proximity mobile payments (e.g., PayPal
enabling person-to-person payments)
5.
2.3. Mobile Payment
Business Models
There are four potential mobile payments business
model scenarios. These models are used by different stake holders, depending on their needs and
value propositions. They are described as follows:
2.3.1. Operator-Centric Model
In this model, the mobile operator acts independently to deploy mobile payment applications
to NFC-enabled mobile devices (Figure 3). The
mobile operator loads the mobile payment application on its customer’s NFC mobile devices.
The customer may prepay, or the operator may
add charges to the customer’s existing wireless
bill. This acts in two ways.
Operator provides the merchant with a wireless
POS system.
•
•
Operator enables the proximity payment
application on the merchant’s NFC mobile
device.
Operator enables the proximity payment
application on the merchant’s NFC mobile
device.
2.3.2. Bank-Centric Model
A bank deploys mobile payment applications or
devices to customers and ensures merchants have
197
Overview of Mobile Payment
Figure 3. Operator centric model
the required point-of-sale (POS) acceptance capability (Figure 4). Payments are processed over
the existing financial networks with credits and
debits to the appropriate accounts. An issuing bank
owns the relationship with the customer and is
responsible for getting the payment token. In this
case an NFC-enabled phone is given to customers
in the same way as bank cards are distributed.
The responsibility of the bank for this role could
vary. At one extreme the bank could actually give
(or sell) its clients a fully-featured NFC phone,
while at the other extreme the bank could simply
provision an existing NFC phone with a suitable
payment application. The merchant relationship
is owned by the acquiring bank. In many cases
the acquirer provides the merchant with the appropriate acceptance device for the Point -Of-Sale.
2.3.3. Peer-to-Peer Model
The Peer-to-Peer Model is an innovation created
by payments industries who are trying to find
ways to process payments without using existing
wire transfer and bank card processing networks
(Figure 5). The ability to send money from one
198
person to another, even across great distances,
has existed for many years through providers such
as Western Union. While the Internet has made
this service even more convenient, the high fees
associated with the transfers can make them cost
prohibitive and not for every-day use. Internet bill
payment services provided by most banks have
made remote payments to merchants convenient,
but cannot be used for real-time purchases. Mobile
phones with Peer-to-Peer capabilities overcome
these obstacles. An independent peer-to-peer
service provider provides secure mobile payments
between customers or between customers and
merchants. This entire process can have following scenarios:
Scenario 1: Provider deploys contactless cards/
devices to customers and POS equipment to
merchants in a closed loop model.
Scenario 2: Provider deploys a mobile payment
application for the NFC-enabled mobile
device.
Scenario 3: Peer-to-Peer service provider uses
an existing online application (e.g., PayPal
Mobile). No POS equipment is required.
Overview of Mobile Payment
Figure 4. Bank centric model
2.3.4. Collaboration Model
This model involves collaboration among banks,
mobile operators and other actors in the mobile
payments value chain (Figure 6). This also includes
a potential trusted third party that manages the
deployment of mobile applications. Payments
in this model are processed over the existing
financial networks with credits and debits to the
appropriate accounts.
This model includes two possible scenarios:
Scenario 1: A mobile operator partners with one
bank to offer a bank-specific mobile payments service.
Scenario 2: Industry associations representing
mobile operators and financial institutions
negotiate and set standards for applications
that reside on secure elements in mobile
devices, allowing multiple card types from
different banks to be used.
In the above mentioned cases, NFC-enabled
mobile devices and compatible POS devices
are deployed that meet the standards set by the
partner bank or industry associations. Potential
sources of revenue include merchant commissions,
merchant and consumer trans-action fees, new
customer acquisition fees, and marketing fees.
The amount paid and collected by each actor is
the source of considerable contention. Generally
it is expected that merchant fees are split between
banks, mobile operators, and perhaps third-party
TSMs. Comparable models exist in the credit card
industry for customer acquisition and marketing
fees between partners.
3. MOBILE PAYMENT PROCESS
Payment transaction process in a mobile environment is similar to typical payment card transaction (Figure 7). The only difference is that the
transport of payment details involves wireless
service provider. WAP/HTML based browser
protocol might be used or payment details might
be used or payment details might be transported
using technologies such as Bluetooth and infrared.
Mobile payment process has the following
steps:
3.1. Registration
Customer opens an account with payment service
provider for payment service through a particular payment method. During this phase the PSP
199
Overview of Mobile Payment
Figure 5. Peer-to-peer model
Figure 6. Collaboration model
200
Overview of Mobile Payment
Figure 7. Payment process
requires confirmation from the TTP that handles
the relationship with the customer. This phase can
be seamless for the consumer according to the
functional choices made by the TTP and the PSP.
3.2. Transaction
It is accompanied by the four steps.
•
•
•
•
Customer indicates the desire to purchase a
content using a mobile phone.
Content provider forwards the request to
the payment service provider.
Payment Service Provider then requests the TTP for the authentication and
authorization.
Payment Service Provider informs content
provider about the status of the authentication and authorization. If customer is
successfully authenticated and authorised,
content provider will deliver the purchased
content.
3.3. Payment Settlement
It can take place during real time prepaid or postpaid mode. A real time payment method involves
the exchange of some form of electronic currency,
e.g. payment settlement directly through a bank
account. In a prepaid type of settlement customers
pay in advance using smart cards or electronic
wallets. In the post paid mode, the payment service
provider sends billing information to the TTP.
The TTP sends the bill to the customer receives
the money back and then sends the revenue to
the payment service provider. The PSP is then
responsible for computing the revenues of each
entity and distributing the funds accordingly.
4. SET
SET stands for Secure Electronic Transactions
and is a proposed standard for performing credit
card transactions over the Internet. SET, is an open
network payment-card protocol. It is primarily
designed to enable the user to securely employ
their credit card payment infrastructure on the open
network, such as the Internet. It is developed jointly
by Visa and MasterCard, with technical assistance
from various Internet, information systems, and
cryptology companies such as IBM, Microsoft,
Netscape, RSA, and VeriSign.(VeriSign is the
world’s largest Internet trust services provider,
which has taken over the Cyber Cash’s Internet
payments business.) With these names behind
it, in the future SET may very well become the
dominant method for paying by credit card over
the Internet.
201
Overview of Mobile Payment
4.1. Features of SET
•
•
•
•
•
•
•
Provide confidentiality of payment information and enable confidentiality of order
information that is transmitted along with
the payment information.
Ensure the integrity of all transmitted data.
Provide authentication that a cardholder
is a legitimate user of a branded payment
card account.
Provide authentication that a merchant can
accept branded payment card transactions
through its relationship with an acquiring
financial institution.
Ensure the use of the best security practices and system design techniques to protect
all legitimate parties in an electronic commerce transaction.
Create a protocol that neither depends on
transport security mechanisms nor prevents their use.
Facilitate and encourage interoperability
among software and network providers.
4.2. SET Security
SET is a very comprehensive security protocol,
which utilizes cryptography to provide confidentiality of information, ensure payment integrity,
and enable identity authentication.
For authentication purposes, cardholders, merchants, and acquirers are issued digital certificates
by their sponsoring organizations. It relies on
cryptography and digital certificate to ensure message confidentiality and security. Digital envelop
is widely used in this protocol. Message data is
encrypted using a randomly generated key that
is further encrypted using the recipient’s public
key. This is referred to as the “digital envelope”
of the message and is sent to the recipient with
the encrypted message. The recipient decrypts
the digital envelope using a private key and then
uses the symmetric key to unlock the original
202
message. Digital certificates are also called
electronic credentials or digital IDs, are digital
documents attesting to the binding of a public
key to an individual or entity. Both cardholders
and merchants have to register with a CA before
they can engage in transactions. The cardholder
thereby obtains electronic credentials to prove
that he is trustworthy. The merchant similarly
registers and obtains credentials. These credentials
do not contain sensitive details such as credit card
numbers. Later, when the customer wants to make
purchases, he and the merchant exchange their
credentials. If both parties are satisfied then they
can proceed with the transaction. Credentials must
be renewed every few years, and presumably are
not available to known fraudsters.
SET uses both methods in its encryption process. The secret-key cryptography used in SET
is the well-known Data Encryption Standard,
which is used by financial institutions to encrypt
PINs. And the public-key cryptography used in
SET is RSA.
4.3. SET Process
The SET protocol utilizes cryptography to provide
confidentiality of information, ensure payment
integrity, and enable identity authentication (Figure 8). For authentication purposes, cardholders,
merchants, and acquirers will be issued digital
certificates by their sponsoring organizations. It
also use dual signature that hides the customer’s
credit card information from merchants, and also
hides the order information to banks, to protect
privacy.
•
Before the parties perform a successful
SET payment, they must do some steps:
The consumer obtains a credit card account
from the bank, which supports the SET payment.
•
The consumer receives a certificate from
the cardholder certificate authority.
Overview of Mobile Payment
Figure 8. A SET payment transaction
•
The merchants obtain their own certificates, and the merchant also needs a copy
of the payment gateway’s public-key
certificate.
To effect a successful SET payment, a cardholder invokes software on his device that initiates
the following sequence:
1.
2.
3.
4.
The cardholder clicks the SET Paying Button
after he/she chooses the items and determines
the prices.
The merchant responses the order information along with a copy of its certificate, so that
the consumer can ensure that the merchant
is a valid seller;
After the verification, the cardholder sends
the order and the payment information to
the merchant, together with a copy of his/
her certificate. The order information confirms the purchased items and the payment
information contains the account details.
The payment information is encrypted by
the public-key certificate of the payment
gateway, so that the merchant can’t read
it. The consumer’s certificate enables the
merchant to verify the buyer.
The merchant forwards the payment information to the payment-processing organization (the payment gateway or acquirer), r
equesting the authorization that the consumer’s credit is sufficient for this purchase.
5. The authorization is handled by the paymentprocessing organization using existing
financial networks;
6. The merchant receives the authorization
result;
7. The merchant sends the cardholder confirmation that the payment has been accepted;
8. After collecting some authorization response,
the merchant sends a settlement request to
the payment-processing organization;
9. The clearing and settlement is processed by
the payment-processing organization just as
the normal payment card transaction.
10. The merchant receives confirmation that the
transaction has been finished.
4.4. Entities Involved in SET
There are mainly five entities involved in SET.
4.4.1. SET Payment Gateway
The payment gateway is the bridge between SET
and the existing payment network. The payment
gateway translates SET messages for the existing payment system to complete an electronic
transaction.
203
Overview of Mobile Payment
4.4.2. SET Merchant
Point of Sale Server
A merchant offers goods or services for sale in
the Internet and accepts electronic credit card payments. Merchant that accepts payment cards must
have a relationship with an acquirer. The merchant
Point of Sale Server provides an interface between
the cardholder and the acquirer payment gateway.
4.4.3. Cardholder and Electronic Wallet
Cardholder is an authorized holder of a payment
card supported and issued by an issuing bank.
Cardholders use electronic wallets to store digital
representations of credit cards and make purchases
with them. SET ensures that the interactions the
cardholder has with a merchant keep the payment
card account information confidential.
•
•
•
•
4.4.4. Acquiring Bank
An acquirer is the financial institution that establishes an account with a merchant and processes
payment card authorizations and payments.
4.4.5. Issuing Bank
The issuing bank establishes an account for a
cardholder and issues the payment card to the
cardholder. The issuer guarantees payment for
authorized transactions using the payment card.
4.5. Disadvantages of SET
SET is a protocol that is not completely secure
in user authentication. SSL-based methods are
ignoring essential security necessities. Some
disadvantages of SET are:
•
204
SET is designed for wired networks and
does not meet all the challenges of wireless
network.
•
As the SET protocol was designed to
maintain the traditional flow of payment
data Customer Agent to Merchant Agent
to Merchant’s Bank. There is a need of an
end-to-end security mechanism.
The third element is the direction of the
transaction flow. In SET, transactions are
carried out between the Customer Agent
and the Merchant. So it is vulnerable to
various attacks like merchant can modify
transactions data by altering the balance.
Transaction flow is from Customer to
Merchant so all the details of users credit
cards/debit cards must flow via merchant’s
side. It increases the user’s risk, since data
can be copied and used later to access customer account without authorization.
There is no notification to the Customer
from the customer’s Bank after the successful transfer. The user has to check his/
her balance after logging on bank website
again.
SET is only for card based (credit or debit)
transactions. Account based transactions
are not included in SET.
5. SECURITY REQUIREMENTS
FOR MOBILE PAYMENTS
For the utilization of Internet and mobile communications there is a requirement for security
services to provide communications integrity and
privacy. Mobile communications is the capacity
and capability to perform transactions at any
time irrespective of geographical locations. All
mobile subscribers use mobile devices to access
all these resources. Mobile payment transactions
are carried out with the help of mobile devices. A
common feature of these devices is that they are
small and portable. At every stage they require
security services. There are different securities
which provide the completeness of information.
General requirements for mobile transactions
Overview of Mobile Payment
are to provide Integrity, Confidentiality, Non
repudiation, Authentication, Authorization. In addition to these mobile transactions are confronted
additional security issues in its implementation.
Such problems are Hostility, Information Security
and Vulnerability. These are described as under:
•
•
•
•
•
•
•
•
Authentication
Authorization
Confidentiality
Integrity
Non-repudiation
Hostility
Information Security
Vulnerability
5.1. Authentication
According to the Federal Information Processing
Standards, authentication verifies “the identity of
a user, process, or device, often as a prerequisite
allowing access to resources in an information
system”. Authentication is a simple process
where the user enters a set of credentials to the
system. If the credentials match the existing set
in the system, then the user is given authorization
otherwise, not. The purpose of authentication is
to verify the specific set of information presented
which represents that the request is authentic from
a specified entity. This is important, for verifying
the identity of an entity which is basis for all the
rights and privileges granted to the entity. Whether
the presenting entity is the computer program or
a user makes no difference to the authentication
process.
Authentication is the assurance that the communicating person is the one who it claims it to
be. A system authenticates the user to determine
if the user is authorised to perform any electronic
transaction or access the system.
To perform any electronic transaction the
authentication process begins with the request.
The client requests for the services which require
authentication. The service providers asks for the
unique token which acts as a means of providing
authentication to the user and which proves the
identity of the user. This unique token binds a
user’s identity together with a secret and is given
to user during registration. When the user presents his unique token during authentication the
authenticating party verifies user’s identity since
unique token is unique to everybody.
Token can be classified as:
•
•
•
Something you know i.e. Passwords.
Something you have i.e. Hardware Tokens.
Something you are i.e. Biometrics.
Today, these methods are called the three factors of authentication. ISC2 also adds a fourth
category called someplace you are, which is based
on your location and typically uses GPS (global
positioning system).
Authentications such as fixed passwords are
considered to be weak authentication process
and single factor authentication, which is based
on something you know. It is prone to many attacks like eavesdropping, dictionary attack, and
replay attack. Strong authentication schemes rely
on more than one factor that means it combines
the use of something you know (passwords) with
something you have (hardware devices). Authentication strategies can be divided into single-factor
authentication and multi-factor authentication.
5.1.1. Single Factor
Authentication (SFA)
Single-factor authentication is the traditional
security process that requires a user name and
password before granting access to the user.
SFA security relies on the diligence of the
user, who should take additional precautions - for
example, creating a strong password and ensuring that no one can access it. For applications
that require greater security, it may be advisable
to implement more complex systems, such as
multifactor authentication.
205
Overview of Mobile Payment
5.1.1.1. Passwords
5.1.1.2. Hardware Tokens
Most commonly, computers use passwords, the
“something you know” factor, for basic authentication. The most common way to maintain security
is the use of passwords and usernames. This is
the weak authentication mechanism which can be
broken down by eavesdropping on the network
connection or by sloppy handling of the users.
Since more and more services are available on
Internet, and many of these services require authentication mechanisms. It is difficult to manage
different combinations of keys acting as username
and password.
Passwords are the simplest authentication
model to implement, and that is why password
models are so common. Unfortunately, password
models are also the weakest authentication model
because passwords are guessed or stolen relatively
easily. It can also make any password model
vulnerable. Even if passwords are made complex
by adding special characters to it, these measures
can force users to write passwords down, which
limits the value of the password because it can
be more easily stolen.
Four types of attack on the passwords:
Some authentication systems commonly use
tokens, which is any device or object that can
authenticate a user. Common examples include
physical keys, proximity cards, credit cards, or
ATM cards. Tokens are good because they’re
simple. Physical keys, for example, are widely
supported and cheap to produce and use. In computer authentication, cryptographic keys may be
used, particularly in remote protocols such as SSH
(secure shell). The advantage of cryptographic
keys for remote protocols is that they may not
only be used for user authentication, but also for
message authentication and encryption of data
in transit. Tokens have their own weaknesses,
however. Because tokens are simple and cheap
to produce, they are also simple and cheap to
reproduce. This makes them vulnerable to being
counterfeiting. Also, because they are typically a
physical object or device, they can be stolen more
easily than passwords. For this reason, tokens are
typically used with another method, such as a PIN
code, to reduce their usefulness if stolen.
Dictionary Attack: Simply use different
dictionary files to crack passwords.
Permutation of Words and Numbers:
For each word from a dictionary file, permute with 0, 1, 2 and 3 digit(s) to construct
possible password candidates. Also make
common number substitutions, such a 1 for
I, 5 for S etc. 3. User information attack:
Use user information collected from password files, e.g., user id, user full name, initial substring of name, to crack passwords.
Brute Force Attack: We made this attack
on any passwords that were only 6 characters long.
Software tokens are similar to hardware tokens. It
is software implementations of hardware tokens.
Software tokens run on the PC or on a separate
multi-purpose device but hardware tokens are
stored on an external device away from the PC.
Software tokens support authentication of both
parties and protect the used communication
channel to transmit data for authentication. The
disadvantage of software tokens is that it can be
copied easily without the knowledge of the user.
•
•
•
206
5.1.1.3. Software Tokens
5.1.1.4. Biometrics
Biometrics is automatic methodologies which
use to identify a person on the basis of some
biological or behavioural characteristic. Many
Overview of Mobile Payment
biological characteristics, such as fingerprints,
DNA (deoxyribonucleic acid) information etc. and
behavioural characteristics, such as voice patterns,
signature are distinctive to each person. Hence,
biometrics is more capable and more reliable in
distinguishing different individuals than any other
techniques based on an ID document or a password.
A biometric system is a pattern-recognition system
that makes personal identification possible.
Biometric systems come in many varieties, with
each variety measuring a physical characteristic
found to be relatively unique to a specific individual, within a reasonable scale of individuals.
A user enrols in a biometric system by providing
a sample of the physical characteristic measured
by the system. The system then converts this
“analog” characteristic into digital form to create
a template. The template is then stored on a central authentication server. The user authenticates
to the system by providing a fresh sample of the
characteristic to the system, which then compares
the digitized fresh sample to the stored template.
If the two digitized samples are similar within
certain tolerances, the user is accepted.
Biometric approaches are divided into two
categories: physiological and behavioural. Physiological biometric is based on bodily characteristics, such as fingerprints, iris scanning and facial
recognition. Behavioural biometric is based on the
way people do things, such as keystroke dynamics,
mouse movement and speech recognition.
The different types of biometric technologies
are as follows:
•
•
Facial Recognition is the technology that
identifies people from still or video photograph images of their faces.
Fingerprint Identification is the technology that make authentication through
fingerprint. A fingerprint is the pattern
of ridges and furrows on the surface of a
fingertip. No two persons have exactly
the same arrangement of patterns, and the
patterns of any one individual remain unchanged throughout life.
•
•
•
•
Retinal Pattern Recognition is the technology to authenticate people through
scanning their eyes. The retina is the innermost layer of the eye. The pattern formed
by veins beneath the surface of the retina is
unique to each individual.
Iris-Based Identification is the technology that makes Iris-Based Identification
is the technology that make authentication
through iris scanning. The iris is the coloured part of the eye. It lies at the front of
the eye, surrounding the pupil.
Signature Recognition system is based
that each person has a unique style of handwriting. This system can identify different
individual through their signature characteristics. Voice Recognition and speaker
recognition technology is a kind of biometric technology that through using a microphone to record the voice of a person and
based on different voice and speech to identify different individual Voice Recognition
and speaker recognition technology is a
kind of biometric technology that through
using a microphone to record the voice of
a person and based on different voice and
speech to identify different individual.
Voice
Recognition
or
Speaker
Recognition is a technology through which
voice of a person is recorded. The biometric technology uses the acoustic features of
speech that have been found to differ between individuals. These acoustic patterns
reflect both anatomy (i.e. shape and size of
throat and mouth) and learned behavioural
patterns (i.e. voice pitch, speaking style).
5.1.2. Multi Factor Authentication (MFA)
Multi-factor authentication is a method of user
identification that combines a number of single
factor authentications. It is used for priority
customer information and high-risk financial
transactions. The strength of an authentication
207
Overview of Mobile Payment
mechanism can be judged on how many things it
depends on. Using two types of the same factor
is not multi-factor authentication. For example,
a password and personal information are both
what you know, so using them together would
still be single-factor authentication. The strength
of authentication keys can vary even within a factor category. Mother’s maiden name, a four-digit
code and a random eight-character alphanumeric
password are all examples of authentication keys
based on what you know, but they each provide
different protection against discovery attacks.
Consequently, the security of the authentication
process is affected by the actual solution used.
However, it is generally held that multi-factor
authentication improves security. Multi-factor
authentication is either two-factor or three-factor.
•
•
Two-Factor Authentication: This uses
two of the three factors of authentication.
Accessing your account through an ATM
is based on two factors of authentication:
the PIN (something you know) and the
ATM card (something you have).
Three-Factor Authentication: This uses
all three of the factors of authentication.
For example, to access a secure site you
might need to pass a guard who checks
your face against a stored image (something you are), swipe an access card (something you have), and enter a four-digit code
(something you know).
5.1.2.1. One Time Password (OTP)
One-time passwords are passwords that are only
valid for a single or small number of transactions.
This contrasts with conventional passwords which
are valid for many transactions as users are reluctant to voluntarily change passwords frequently.
Since OTP’s are only valid for a limited number
of uses, an attacker has a smaller window of time
to gain access to resources guarded by such a
208
password because any previously stolen passwords
will likely have become invalid. As with traditional
passwords, one-time passwords are vulnerable
to man-in-the-middle attacks. By observing the
OTP before it is successfully received by the
authenticator, an attacker has a valid password.
Because of this undesirable property, both OTP’s
and conventional passwords must travel securely.
Typically, the one-time password is generated by
a hardware device that the person desiring to be
authenticated carries to promote use across many
physically distant domains. The hardware implements an algorithm that generates passwords in
a specific manner that the authenticator knows.
The hardware device will often display the password on a small screen for a user to type into the
authenticator. In this hardware based approach,
if the hardware or computer that generates the
passwords were stolen, the thief would be able to
authenticate himself just by reading the numbers
on the display. Because of this reason, one-time
passwords are often one part of a multi-factor
authentication (MFA) system where two or more
independent factors of authentication are used to
identify a user.
Algorithms generating temporary passwords
can be time-based or mathematical-based. Timebased algorithms generate passwords that are
valid for a set period of time before automatically
updated by the algorithm (often a hardware device). Technically, a one-time is a misnomer as a
password can be used multiple times as long as it
is within one time period. A hardware device of
this type typically always displays a password, and
the password is constantly changing. The length of
time that an OTP is valid is an important security
parameter in these schemes because one password
is valid until the time period expires and then
updated. If a password is infrequently updated,
an attacker has a longer window for exploitation.
As the period length grows, the security of OTP’s
approaches that of conventional passwords. For
example, an eavesdropper could capture the OTP
that has just been generated as it travels across
Overview of Mobile Payment
a network. Once captured, the attacker has the
entire lifetime of the password for unauthorized
access. SecurID is a proprietary commercial system by RSA Security that uses hardware devices
to generate passwords that change every thirty or
sixty seconds.
5.1.3. Authorization
Authorization is the process by which it is determined if a person has right or permission to
conduct a particular action. It is the mechanism by
which a system determines what level of access a
particular authenticated user should have to secure
resources controlled by the system. Authorization
information, for example, an access-control list,
is stored and managed by the service. Internet
services evolve rapidly and thus the set of potential
actions and the users who may request them are
not known in advance; this implies that authorization information is created, stored, and managed
in a dynamic, distributed fashion. Users are often
expected to gather credentials needed to authorize
an action and present them along with the request.
Because these credentials are not always under the
control of the service that makes the authorization decision, there is a danger that they could be
altered or stolen. Thus, a public-key signature is
must to be part of the authorization framework.
In traditional authentication and access control,
the notion of identity plays an important role. In
a traditional system, an identity often means an
existing user account. User accounts are established with the system prior to the issue of any
request. Earlier PKI proposals try to establish a
similar global “user account” system that gives
a unique name to every entity in the system and
then binds each public key to a globally unique
“identity.” In Internet applications, the very notion
of identity becomes problematic.
The term identity originally meant sameness
or oneness. When we meet a previously unknown
person for the first time, we cannot really identify
that person with anything. In a scenario in which
an authorizer and a requester have no prior relationship, knowing the requester’s name or identity
may not help the authorizer make a decision. The
real property one needs for identity is that one
can verify that a request or a credential is issued
by a particular identity and that one can link the
particular identity to its credentials.
5.1.4. Confidentiality
Confidentiality means preserving authorized restrictions on information access and disclosure. It
includes means for protecting personal privacy and
proprietary information. A loss of confidentiality
is the unauthorized disclosure of information.
Confidentiality is defined as the property that
ensures that information is not made available or
disclosed to unauthorized users. Confidentiality
mechanisms are intended to prevent information
dissemination to users who are not authorized to
receive it.
A confidentiality mechanism may prevent access to the information or may conceal or alter the
information to all but those who have privileges.
Confidentiality of information can be determined by its impact level i.e. low, moderate, or
high. It indicates the potential harm that could
result to the subject individuals and/or the organization were inappropriately accessed, used, or
disclosed.
Confidentiality of transmission can be protected by encrypting the communications or by
encrypting the information before it is transmitted.
5.1.5. Integrity
Integrity is defined as the property that information is not altered or destroyed by unauthorised
user. It is defined as precise, accurate, unmodified,
and consistent. Precise means modified only in
acceptable ways. Accurate means modified only by
authorized people. To unmodify means to modify
only by authorized processes. Consistent means
meaningful and correct. Integrity policies seek
209
Overview of Mobile Payment
to prevent accidental or malicious destruction of
information. Traditionally, information integrity
has been supported by security models based on
access control mechanisms. These mechanisms
mainly provide the authorization component of
integrity requirements.
There are two categories that prevent the
integrity threat.
•
•
Preventing access to information through
secure channels and routing control i.e. access control and stored data respectively.
Detecting unauthorised modification by
cryptography and digital signatures.
Electronic solutions are based on hash-algorithms, MAC (Message Authentication Codes)
values and digital signatures.
5.1.6. Non Repudiation
It refers to illegal denial of request. Non-repudiation makes it impossible for someone to deny
that he or she carried out a particular action. For
example, a credit card purchase in which the bill
of sale is signed by the cardholder is an example
of a non-repudiable transaction. Neither the seller
nor the buyer can deny that the transaction took
place. A service that is used to provide assurance
of the integrity and origin of data in such a way
that the integrity and origin can be verified and
validated by a third party as having originated from
a specific entity in possession of the private key.
A contract is usually accepted by signing it.
Every party gets its own copy of the contract. If
the content becomes disputable, nobody can deny
that the contract was signed since everybody has
an identical copy (this assumes, of course, that
the authenticity of the signatures can be verified).
In distributing computing non-repudiation means
that the sender should not be able to deny later that
he has sent a message or that the receiver cannot
deny that he has received the message. Typically,
in electronic commerce, a client should not be able
210
to deny that he has ordered a product. In telecommunication services, a client should not be able
to deny that he has ordered to use a service like
video-on-demand or to use network resources to
make a phone call. There is no particular threat
against non-repudiation apart from denial. In the
computer world, non-repudiation is carried out
with digital signatures conceptually similar to
ones in the real world.
5.1.7. Hostility
It is the trustworthiness of users, customers,
merchants and other players in mobile environment. The systems should provide enough stored
information to detect the fraudulent later. Since
we cannot assume that all participants in mobile
transactions are honest, the mobile commerce
system should provide enough mediated and
stored information so that dishonest merchants,
customers or other players can be found later
with all aspects and is a general requirement for
electronic transactions.
5.1.8. Information Security
In mobile transactions the information is transformed over wireless access network and is thus
receivable by external parties more easily than
wire line network. Information security prevents
the external people to listen in or change the message content without it to be noticed by parties.
The general way to maintain information security
is encryption technology and Public Key Infrastructure. (PKI)
5.1.9. Vulnerability
Vulnerability is a flaw or weakness in a system’s
design, implementation or operation that could be
exploited to violate the system’s security. Security
vulnerability is not a risk, a threat, or an attack.
Vulnerabilities can be of four types.
Overview of Mobile Payment
•
•
•
•
Threat Model vulnerabilities originate
from the difficulty to fore see future threats.
(E.g. Signalling System).
Design & Specification vulnerabilities
come from errors or oversights in the design of the protocol that make it inherently
vulnerable (e.g. Wi-Fi).
Implementation vulnerabilities are vulnerabilities that are introduced by errors in a
protocol implementation.
Operation and Configuration vulnerabilities originate from improper usage of options in implementations. Not enforcing
use of encryption in a Wi-Fi network, or
selection of a weak stream cipher by the
network administrator.
According to X.800, a security threat is a potential violation of security, which can be active
(when the state of a system can be changed), or
passive (unauthorized disclosure of information
without changing the state of the system). A security risk originates when security vulnerability
is combined with a security threat.
In general, there is a flow of information from
a source to a destination. In normal message flow,
the information passes from source to destination
without any hindrance (Figure 9).
5.2.1. Interruption
Interruption is the action of preventing a message
from reaching its intended recipient (Figure 10).
It can also occur when an ass asset of the
system is destroyed or becomes unavailable. This
is an attack on availability. This attack can easily
be detected by single party or both the parties.
Some examples of this type are as under:
•
•
•
•
•
•
5.2.1.1. Mitigate the Attack
5.2. Security Attacks
•
An attacker might want to gain access to an electronic message for numerous reasons:
Gaining unauthorised access to information in
order to violate someone’s privacy, impersonating
user in order to shift the responsibility or originate
a fraudulent activity are some of the reasons an
attacker might want to access the information.
There are four general categories of attacks on a
transmitted message apart from a normal transaction flow.
•
•
•
•
•
Interruption
Interception
Modification
Fabrication
Destruction of hardware.
Physical damage to communication links.
Introduction of Noise.
Removal of routing.
Disabling of file or a program
DoS attack.
•
Use Firewalls - Firewalls have simple rules
such as to allow or deny protocols, ports
or IP addresses. Modern stateful firewalls
like Check Point FW1 NGX and Cisco PIX
have a built-in capability to differentiate
good traffic from DoS attack traffic.
Keeping backups of system configuration
data properly.
Replication
5.2.2. Interception
Interception is where an unauthorised party gains
access to information (Figure 11). This is an attack
on confidentiality. The unauthorised party might
be a person, program, or a computing system. A
loss due to this kind of attack might be noticed
211
Overview of Mobile Payment
Figure 9. Normal flow
quickly, but the interceptor might leave no trace
by which the interception can be detected. This
attack cannot be avoided in wireless communications. Some examples of this type are as under:
•
•
•
•
•
•
Wiretapping to capture data in a network.
Illicit copying of files.
Eavesdropping.
Link monitoring.
Packet capturing.
System Compromisation.
5.2.2.1. Mitigate the Attack
Using Encryption - SSL, VPN, 3DES, BPI+ are
deployed to encrypt the flow of information from
source to destination so that if someone is able to
snoop in on the flow of traffic, all the person will
see is ciphered text.
•
Traffic Padding: It is a function that produces cipher text output continuously, even
in the absence of plain text. A continuous
random data stream is generated. When
Figure 10. Interruption of a message
212
plaintext is available, it is encrypted and
transmitted. When input plaintext is not
present, the random data are encrypted and
transmitted. This makes it impossible for
an attacker to distinguish between tree data
flow and noise and therefore impossible to
deduce the amount of traffic.
5.2.3. Modification
Modification is where an unauthorised party not
only gains access to an asset, but tampers with it
(Figure 12). This is an attack on the integrity of the
message. It can be detected if proper measures are
taken. Some examples of this type are as under:
•
•
•
•
Changing of values in a database for personal gain.
Altering of a program.
Modifying the contents of the message
transmitted on a network.
Making use of delays in communications.
Overview of Mobile Payment
Figure 11. Interception of a message
5.2.3.1. Mitigate the Attack
5.2.4.1. Mitigate the Attack
•
•
•
•
•
•
Introduction of intrusion detection systems
(IDS) which could look for different signatures which represent an attack.
Using Encryption mechanisms.
Traffic padding.
Keeping backups.
Use messaging techniques such as checksums, sequence numbers, digests, and authentication codes.
5.2.4. Fabrication
Fabrication occurs when an unauthorised party inserts counterfeit objects into the computing system
(Figure 13). This is an attack on the authenticity
of the message. These insertions can sometimes
be detected as forgeries, but if done skilfully they
are virtually indistinguishable from the real thing.
It also relates to non-repudiation. Some examples
of this type are as under:
•
•
Adding additional records to an existing
file or a database.
Insertion of spurious information into the
network communication systems.
•
•
Use of Authentication and authorization
mechanisms
Using Firewalls
Use Digital Signatures - Digital signature
scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document.
5.3. Security Mechanisms
(Cryptography Overview)
Cryptography is the science of encryption and
decryption. Modern encryption also includes
the concept of a key, which is used by an algorithm to encrypt or decrypt a message. Security
in cryptography comes from both the algorithm
and the key. If the algorithm allows easy attacks,
the system will be weak. A system is secure if it
is computationally infeasible to recover the key
or the plaintext from the cipher text. As time
progresses, processes that were computationally
infeasible become feasible with increased computing power. Some cryptographic algorithms may
therefore become outdated extremely quickly. A
cryptosystem consists of an algorithm that is used
to secure communications and the keys that are
used for encryption and decryption. All plaintexts
and cipher text belong also to the cryptosystem. A
213
Overview of Mobile Payment
Figure 12. Modification of message
cryptographic algorithm is a mathematical function that is used for encryption and decryption. A
synonym for cryptographic algorithm is a cipher.
A key is a series of data, a string of numbers and/
or characters. It has a certain length, which is
usually given in bits. Typically, a key length can
range from 56 bits up to several kilo bytes. It can
be stored in a file or in a chip. A key can be sent
to somebody through the network. A key can have
a lifetime depending of the cryptosystem and the
agreement for the use of the key. The main threat
against the concept of key is the brute force attack
i.e. trying all possible keys.
Figure 13. Fabrication of a message
214
5.3.1. Symmetric Encryption
Symmetric encryption (or private-key encryption) uses the same key to encrypt and decrypt
a message (Figure 14). The length of the key is
exponentially proportional to the strength of the
encryption. Symmetric encryption usually uses
short keys (less or equal to 128 bits). To ensure the
best security, the key should be as random as possible. A totally random key that is only used once
is the ideal form of symmetric encryption, and such
a scheme is called a One-Time Pad. The common
standard for symmetric encryption is DES (Data
Encryption Standard) which uses a 56-bit key. It
is being phased out in favour of AES (Advanced
Encryption Standard) recently defined by the NIST
(National Institute of Standards and Technology).
Overview of Mobile Payment
Figure 14. (Symmetric) secret key encryption [359]
DES security can be expanded through the repeated encryption of a message with two or three
different keys. This process is called Triple DES.
Symmetric encryption provides confidentiality.
The strength of such ciphers cannot generally be
proved mathematically. They make use of a few
cryptographic functions (permutation, substitution, XOR, addition and multiplication modulo a
number) that are combined together to form the
algorithm. Private-key cryptosystems enable to
cipher roughly around 1000 times faster than the
public-key ones. There are numerous symmetric
algorithms. The main standard algorithms are
DES, 3-DES, Blowfish, IDEA, CAST and AES.
The main problem with Symmetric-key cryptography is that the sender and receiver have to
share the same secret key. If they are in separate
physical locations, they must trust a courier, or a
phone system, or some other transmission medium to protect the secret key. Anyone who
overhears or intercepts the secret key in transition
can read, modify, or falsify messages encrypted
with that key. Key management is in charge of
the generation, transmission and storage of keys.
Because all keys in a Symmetric-key cryptography
algorithm must be kept secret, it is essential to
also provide secure key management for a Symmetric-key cryptography approach.
5.3.2. Asymmetric Encryption
Asymmetric (or public-key) encryption uses two
different keys during the encryption and decryption processes (Figure 15). The keys have certain
mathematical qualities, which allow one key to be
used to decrypt what the other key has encrypted.
Figure 15. (Asymmetric) public key encryption
215
Overview of Mobile Payment
The keys have to be large enough in order to prevent one key being calculated from the other key.
Because of these factors one key can be publicly
distributed (the public key usually noted KU).
Alice knowing Bob’s public key can send an
encrypted message to the Bob who owns the
private key (usually noted KR). In this use, asymmetric encryption provides confidentiality. If Bob
encrypts a message with his private key, asymmetric encryption provides both authentication
and confidentiality. Public keys are made available
to applications, hosts and services. The public key
authenticity can be certified by a Certificate Authority in order for a community of users to trust
that a public key really belongs to a principal.
Another approach is to keep public keys in a
public repository managed by a trusted party or
to let each user decide the keys he trusts. A private
key belongs to an entity and is never revealed to
anyone. It is used by the entity to decrypt incoming messages that are encrypted with the principal’s public key. It is also used to sign an outgoing
message sent by the principal to anyone else. This
provides non-repudiation and authentication, as
anyone can use the principal’s public key to
verify the signature, to be sure that the message
originated from that principal. Public key technology is commonly used to secure short messages
or very important messages where real-time encryption and decryption is not an issue. The main
public-key algorithm standards are RSA (RivestShamir-Adelman) and ECC (Elliptic Curve
Cryptography).
5.3.3. Key Escrow and
Perfect Forward Secrecy
A key escrow system uses public key cryptography
to encrypt and decrypt messages. The difference
between the standard public key implementation
and a key escrow system is that with key escrow,
copies of the private key are split into pieces and
stored by a trusted third party. In the case of the
Clipper Chip an 80-bit key was to be split into
216
two 40-bit keys that were to be stored with two
independent agencies. The benefit of a key escrow
system is that if the private key is ever lost, it can
be recovered from the independent agencies. The
down side of this mechanism, from the perspective
of privacy advocates that the government can also
recover the private keys with a justice court order.
The fact that key recovery encryption technology,
has kept it one of the most hotly debated subjects
in the cryptography field today. Perfect forward
secrecy (PFS) in a key establishment protocol is
the condition in which the compromise of a session key or long-term private key after a given
session does not cause the compromise of any
earlier session.
5.3.4. Hash Functions
Hash functions are employed in conjunction with
Public-key cryptography algorithms to produce
digital signatures. When implementing a digital
signature, it is unusual to encrypt a whole message for security and performance reasons. A hash
function works on a message with an arbitrary
length, and returns a fixed-size hash value. This
hash value is sometimes called message digest
or digital fingerprint. The ideal cryptography
hash function should be simple to calculate the
message digest for any given message. It should
be computationally impractical to find a message
with a given message digest, computationally impractical to alter a message without modifying its
message digest, and it should be computationally
impractical to find two different messages with
the same message digest.
Hash functions are widely used currently. The
message digest can be used in creating digital
signature schemes. For security and performance
reasons, most digital signature algorithms specify
only to sign the digest of the message, not the
entire message. In addition, a hash function can
be used to control the integrity of a message.
Determining whether any changes have been
made to a message (or a file), for example, can
Overview of Mobile Payment
be accomplished by comparing message digests
calculated before, and after, transmission or any
other event. A widespread hashing algorithm is
called MD5 (Message Digest version 5). It generates a 128-bit (16-byte) hash, and is considered
reasonably secure. Other common used standard
algorithms are SHA-1 and RIPEMD-160 (20-byte
output). An added digest (or hash-value) provides
integrity. The Secure Hash Algorithm (SHA) is the
most widely used hash function. It was developed
by NIST and its revised version is generally called
SHA-1 or Secure Hash Standard in the standards
document. SHA-1 is the most established of the
SHA hash functions, and has been employed in
widely used security applications and protocols.
SHA-1 calculates a condensed representation
of a message. When a message of any length <
264 bits is input, the SHA-1 produces a 160-bit
message digest.
5.3.5. Digital Signature
Digital signature is a combination of several
of the above technologies (public key and hash
algorithms). A digital signature is the digest of a
document encrypted with a private key. A digital
signature is not only used to protect data integrity
but also used to achieve authentication and nonrepudiation. A digital signature mechanism can
be employed to authenticate the identity of the
sender of a message, and sometimes to ensure that
the original content of the message that has been
sent is unchanged. Digital signatures can protect
the two parties against each other, because there
is no complete trust between sender and receiver.
A digital signature includes three process steps:
a key generation process, a signature signing process, and a signature verifying process (Figure 16).
A conventional signature is included in the
document; it is a part of the document. Whenever we write a check, the signature is on the
check; it is not a Separate document. But when
we sign the document digitally, we send a signature as a separate document. The sender sends
two documents: the message and the signature.
The receiver also receives two documents but he
verifies the signature. If the signature is proven
the message is kept otherwise it is rejected.
Digital signatures like physical signatures, can
verify that a specific user affixed their signature
to a document and they can also verify that the
document is the same as when the user affixed
the digital signature. Digital signature systems
(DSS) use public key cryptography methods to
create digital signatures. The integrity of the
digital signature is tied to the security of the user’s
private key. As long as the user’s private key is
secure, then only the user can affix their digital
Figure 16. Creating and validating a digital signature
217
Overview of Mobile Payment
signature to a document. Digital signature can be
represented as a secure base in applications of
mobile environment or mobile communications
because it provides authentication, data integrity
and non-repudiation cryptographic services. The
digital signatures can be classified into two general categories: message digest based schemes
and recovery based schemes. In message digest
based digital signature scheme, the original message is first mapped to a checksum by a one way
function then this checksum is used to generate
digital signature. The checksum used here is to
provide data integrity. In message recovery based
scheme, the receiver can recover the original
message from the received signature.
6. FUTURE RESEARCH DIRECTIONS
Further work could be done to add and use wireless protocols to increase the speed of the transactions and to further improve the security aspect
at transport layer and network layer in addition to
the usability. It would be very interesting to add
extra hardware on mobile phones for easy installation of new technologies in mobile payments.
Clearly wireless networks and mobile device
technologies are still in rapid development. The
growth of 3G/4G network technology and the
Smartphone brings more and more opportunities
to mobile applications. The applications can be
implemented in financial sector not only by the
traditional commercial banks but by Internet payment agents, for example, PayPal.
7. CONCLUSION
The goal of this chapter is to research the area of
mobile payment and to understand the concepts
and emerging technologies that can benefit the
mobile payments with respect mobile payment
usability and security. This topic covers full mobility, telephony, financial interaction and security
218
on the Internet. Mobile payments are the killer
application of mobile commerce. As an important
application it converges with different actors or
players like Mobile network operator, Mobile
telecommunications, Payment service providers
and handset manufacturers. A mobile payment
also acts as an important financial application
and is attracting wide attention from researchers,
developers, bankers, merchandisers and clients.
However, it has not yet become a mainstream
approach for making payments. Non-secured
mobile payments are simply not acceptable.
Although the technologies in the development
of mobile payments have improved and are experiencing a significant development, mobile devices
and wireless networks are still “resource-limited”
compared to PCs and fixed-line network? The
difficulty in building mobile payment systems
lies in how to provide payment transactions with
security and practicality.
The contribution of this chapter is as follows:
The security mechanism is understood thoroughly
and is concluded that these systems provide security at transaction, network level and application
level. The Payment Systems developed should
provide the security at each and every level to
improve the customer satisfaction as well as value
chain of an organization.
REFERENCES
Advanced Encryption Standard (AES) Federal Information Processing Standards Publication 197.
(2001, November 26). Retrieved from http://csrc.
nist.gov/publications/fips/fips197/fips-197.pdf
AlShaali & Varshney. (2005). On the usability of
mobile commerce. International Journal of Mobile Communications, 3(1), 29–37. doi:10.1504/
IJMC.2005.005872
Barkan, et al. (2003). Instant ciphertext-only
cryptanalysis of GSM encrypted communication.
In Proceedings of CRYPTO 2003. Academic Press.
Overview of Mobile Payment
Biryukov, et al. (2000). Real time cryptanalysis
of A5/1 on a PC. In Proceedings of Fast Software
Encryption Workshop. Academic Press.
Bocan, et al. (2006). Mitigating denial of service
threats in GSM networks. In Proceedings of 1st
IEEE International Conference on Availability,
Reliability and Security (ARES’06). IEEE.
Breakthroughs in the European Mobile Payment
Market. (n.d.). Retrieved from http://www.atos.
net/nr/rdonlyres/5d50edc1-4e05.../wp_mobile_
payment.pdf
Buhan., et al. (n.d.). Mobile payments in mcommerce. Telecom Media Networks. Retrieved
from www.citeseerx.ist.psu.edu/viewdoc/
download?doi=10.1.1.5.1804...
Chandra. (2005). Bulletproof wireless security,
GSM, UMTS, 802.11 and ad hoc security. London: Elsevier.
Delfs, H., & Knebl, H. (2002). Introduction to
cryptography: Principles and applications. New
York, NY: Springer. doi:10.1007/978-3-64287126-9
Fourat., et al. (2002). A SET based approach to
secure the payment in mobile commerce. In Proceedings of the 27th Annual IEEE Conference on
Local Computer Networks. IEEE.
Innopay. (n.d.). Mobile payments 2010. Retrieved
from http://admin.nacha.org/userfiles/File/
The_Internet_Council/Resources/Mobile%20
payments%202010%20-%20Innopay.pdf
ISO/IEC7810. (n.d.). Retr ieve d f ro m
http://webstore.iec.ch/preview/info_
isoiec7810%7Bed3.0%7Den.pdf
ISO/IEC7816. (n.d.). Retrieved from www.iso.org/
iso/iso_catalogue/catalogue_tc/catalogue_detail.
html
Karnouskos., et al. (2004). The European perspective on mobile payments. In Proceedings of
IEEE Symposium on Trends in Communications
(SympoTIC ’04). Bratislava, Slovakia: IEEE.
Lee., et al. (2006). A payment & receipt business
model in u-commerce environment. In Proceedings of ACM International Conference on Electronic Commerce. ACM.
Leger., et al. (2004). Determinants of the adoption
of customer-oriented mobile commerce initiatives.
In Proceedings of International Association of
Management of Technology (IAMOT), Virtual Organizations and Partnerships/Ecommerce
Track. IAMOT.
Li & Wang. (n.d.). Secure electronic transaction
(SET protocol). Retrieved from http://people.dsv.
su.se/~matei/courses/IK2001_SJE/li-wang_SET.
pdf
Lin, et al. (2000). Mobile prepaid phone services.
IEEE Personal Communications, 7(3), 6–14.
doi:10.1109/98.847918
Mallat, et al. (2004). Mobile banking services.
Communications of the ACM, 47(5), 42–46.
doi:10.1145/986213.986236
Me, et al. (2006). Mobile local micropayments:
Security and prototyping. IEEE Pervasive Computing / IEEE Computer Society [and] IEEE
Communications Society, 94–100. Retrieved
from www.computer.org/pervasive doi:10.1109/
MPRV.2006.78
Mobile Payment Forum. (n.d.). Retrieved from
www.mpf.org
Models of Mobile Payments. (n.d.). Retrieved from
www.techrepublic.com/whitepapers/.../mobile.../
mobile+payments
Nambiar., et al. (2004). Analysis of payment
transaction security in mobile commerce. In
Proceedings of the International Conference on
Information Reuse and Integration. IEEE.
219
Overview of Mobile Payment
Pallikondan. (n.d.). Infrastructure support for mobile computing. Retrieved from http://pdf.aminer.
org/000/296/084/specifying_a_mobile_computing_infrastructure_and_services.pdf
PayPal Web Site. (n.d.). Retrieved from http://
www.paypal.com
Research Online. (n.d.). Retrieved from http://
www.ro.uow.edu.au/infopapers/728
RSA Algorithm. (n.d.). Retrieved from http://www.
rsa.com/rsalabs/node.asp?id=2146
Scenarios, P. M. P. B. Research Report on Stakeholder Perspectives. (2008). A smart card alliance
contactless payments council white paper. Author.
Schneier. (1996). Applied cryptography (2 ed.).
New York: Wiley Publication.
nd
Security of Smart Phones. (n.d.). Retrieved from
www.mulliner.org/mobilesecurity/2006_mulliner_MSThesis.pdf
SET. (n.d.a). Retrieved from http://mitglied.multimania.de/lenord/Arbeiten/SET/SET.pdf
Van der Merwe. (2003). Mobile commerce over
GSM: A banking perspective on security. Author.
Varshney & Vetter. (2002). Mobile commerce: Framework, applications and networking support. Retrieved from http://
docis.info/docis/lib/goti/rclis/dbl/monetm/
(2002)%253C185%253AFAANS%253E/www.
cis.gsu.edu%252F~uvarshne%252Fpapers%252
FMONET1.pdf
Varshney. (2003). Location management for
mobile commerce applications in wireless internet environment. ACM Transactions on Internet
Technology, 3(3), 236–255.
Varshney, Vetter, & Kalakota. (n.d.). Mobile
commerce: A new frontier. Retrieved from http://
www.csee.umbc.edu/courses/graduate/666/mobile_commerce.pdf
Venkataram & Babu B. (1996). Wireless & mobile network security. New Delhi: McGraw Hill
Publications.
SET. (n.d.b). Retrieved from http://www.lyle.smu.
edu/~nair/courses/7349/SET.ppt
ADDITIONAL READING
SET Protocol. (n.d.). Retrieved from http://www.
isaca.org/Journal/Past-Issues/2000/Volume-6/
Pages/Secure-Electronic-Transaction-SETProtocol.aspx
Andreou, S., Chrysostomou, C., Leonidou, C.,
Mavromoustakos, S., & Pitsillides, A. Mobile
Commerce Applications and Services: A Design
and Development Approach. http://seacorn.cs.ucy.
ac.cy/papers/files/m-commerce-final_revised.pdf
Smart Card Tutorial. (n.d.). Retrieved from http://
www.smartcard.co.uk/tutorials/sct-itsc.pdf
Stallings, W. (2006). Cryptography and network
security: Principles and practice (3rd ed.). Upper
Saddle River, NJ: Pearson Prentice Hall.
Stamp, M. (2006). Information security principles
and practice. New York: Wiley Publications.
Thanh., et al. (2007). Using the mobile phone as a
security token for unified authentication. In Proceedings of Second International Conference on
Systems and Networks Communications. ICSNC.
220
Kavassalis., et al. (2003). A Mobile permission
marketing: Faming the market inquiry. International Journal of Electronic Commerce, 8(1), 55–79.
Lee., et al. (2003) A System Model for Mobile
Commerce. Proceedings of the 23rd International
Conference on Distributed Computing Systems
Workshops (ICDCSW’03).
Overview of Mobile Payment
Munusamy and Leang. (2002). Characteristics of
Mobile Devices and an Integrated M-Commerce
Infrastructure for M-Commerce Deployment.
Proceedings of the Second International Workshop
on Internet Computing and E-Commerce (ICECE
2002), Florida, USA.)
Raina., et al. (2011) Technological Background
of GSM on Application of Mobile Commerce
through Mobile Payments. Proceedings of International Conference on Information Technology
and Business Intelligence, (ITBI-Nov’2011).
Stanoevska-Slabeva, K. (2003) Towards a reference model for m-commerce applications. Proceedings of ECIS 2003 Conference, Neaples, Jun,
2003. Rajnish Tiwari, Stephan Buse and Cornelius
Herstatt. From Electronic To Mobile Commerce:
Technology Convergence Enables Innovative
Business Services.http://mobileprospects.com/
publications/files/E2M-Commerce.pdf
Tarasewich, P. et al. (2002). Issues in Mobile ECommerce. Communications of the Association
for Information Systems, 8, 41–64.
Tsalgatidou and Veijalainen. (2000). Mobile
Electronic Commerce: Emerging Issues Ist
International Conference on E-Commerce and
Web Technologies, London, Greenwich, UK,
September 4-6, 2000, Lecture Notes in Computer
Science, pp. 477-486.
Zheng and Chen. (2003). Study of Mobile Payments System. Proceedings of the IEEE International Conference on E-Commerce (CEC’03).
KEY TERMS & DEFINITIONS
A3: Authentication Algorithm
A5: Ciphering Algorithm
A8: Ciphering Key generating Algorithm
ADSL: Asymmetric Digital Subscriber Line
AES: Advanced Encryption Standard
AFIS: Automated Fingerprint Identification
System
AMPS: Advanced Mobile Phone System
API: Application Programming Interface
ATM: Automated Teller Machine
AuC: Authentication Centre
CA: Certificate Authority
CDMA: Code Division Multiple Access
COMP-128: Hash Function
CPU: Central Processing Unit
DES: Data Encryption Standard
DSA: Digital Signature Authority
DSS: Digital Signature Systems
ECC: Elliptic Curve Cryptography.
ECMA: European Association for Standardizing Information and Communication Systems.
EMV: Electronic Master Visa
ICCID: Security Authentication and Ciphering Information
IES: Integrated Encryption Scheme
IMT-Advanced: International Mobile Telecommunications Advanced
ISO: International Standard Organization
ITU-R: International Telecommunication
Union Radio communication sector
IVR: Interactive Voice Response
MAC: Message Authentication Code
M-Commerce: Mobile Commerce
MD5: Message Digest
ME: Mobile Equipment
MEID: Mobile Equipment Identifier
MIDP: Mobile Information Device Profile
MIM: Mobile Inventory Management
MIMO: Multiple Input Multiple Output
MITM: Man in the Middle Attack
MMS: Multimedia Messaging Services
MNO: Mobile Network Operator
MPN: Mobile Phone Network
MPSP: Mobile Payment Service Provider
MSC: Mobile Switching Centre
MSISDN: Mobile Station ISDN number
MSRN: Mobile Station Roaming Number
OMA: Open Mobile Alliance
OTA: Over the Air
P2P: Peer to Peer
PAN: Personal Area Network
221
Overview of Mobile Payment
PCMCIA: Personal Computer Memory Card
International Association
PDA: Personal Digital Assistant
PIN: Personal Identification Number
PIN: Personal Identification Number
PKI: Public key Infrastructure
PLMN: Public Land Mobile Network
PLS: Product Location and Search
POS: Point Of Sale
POTS: Plain Old Telephone Service
PSM: Proactive Service Management
PSP: Payment Service Provider
PSTN: Public Switched Telephone Network
PT2MP: Point-to-Multipoint
PTP: Point-to-Point
PUK: Personal Unblocking Code
222
View publication stats
RAN: Radio Access Network
RAND: Random number
RC5: Ron’s Code encryption algorithm
RFID: Radio Frequency Identification
RSA: Rivest-Shamir-Adelman
SE: Secure Element
SET: Secure Electronic Transactions
SHA-1: Secure Hash Algorithm ver.1.0
SIM: Subscriber Identity Module
SMS-G: SMS Gateway
SRES: Signed Response
SSH: Secure Shell Network Protocol for Secure
Data Communication
SSL: Secure Socket Layer Protocol
SWP: Single Wire Protocol