
New Financial Transaction Security Concerns in Mobile Commerce


Provided by University of Southern Queensland ePrints via CORE (core.ac.uk)

I&S

NEW FINANCIAL TRANSACTION SECURITY CONCERNS IN MOBILE COMMERCE

Raj GURURAJAN

Introduction
In the past, most computer security officers had difficulty convincing
management to allocate financial resources for IT security. However, with the
emergence of electronic commerce and varied legislation, organisations appear to
have understood the necessity for computer security, especially data security.1
Currently, in most organisations, security officers focus on IT security, namely
hardware security, software security and access security.2 Access security
involves both physical access and logical access. What appears to be missing from
these security procedures is proper integration with business transactions. Ghosh states
that while various security measures have been taken independently of business
transactions, electronic commerce and the emerging mobile commerce have changed
the perception that independent IT infrastructure security alone can protect an
organisation in terms of its business needs.3 To support Ghosh’s statement, Deise4
has identified a shift in the focus of IT security in organisations, resulting in new
security policies that focus on reliable, available and trusted business transactions of
organisations.
In this paper, new security threats arising from mobile commerce are first
highlighted. These threats are then linked to financial transactions in order to
highlight the potential loss or damage to organisations’ revenue. Then the
organisations’ IT requirements are assessed with a view to supporting
financial transactions in a mobile commerce environment. Organisational support is
then formed into an “architecture,” and the architecture is discussed in terms of IT in an
organisation, how IT supports an organisation and what IT does to support the
business processes of financial transactions. This architecture is then elaborated in
terms of action items so that transaction security in an organisation can be
guaranteed. It is believed that these action items would then enable organisations to
tighten their security measures.

INFORMATION & SECURITY. An International Journal, Vol. 8, No. 1, 2002, 71-86.

Security Threats Arising from Mobile Commerce


Security threats in mobile commerce range from passively eavesdropping on
others’ messages to actively stealing users’ data.5 In radio-frequency mobile
commerce it is possible, with minimal difficulty, to listen in on a conversation. This
affects consumers, who are concerned about protecting their data and voice
messages from unauthorised access. At the other end of the problem is the inherent
security risk involved in transferring information over the networks. This problem
consists of two components: identification integrity and message integrity.
Identification integrity refers to the signature elements found in a message that
establish where the message originated. Message integrity refers to the details that
establish that the message was received as sent and that no third party has attempted to
open, modify or alter its contents. According to Zhang and Lee, these two items
cause a great deal of concern to both sender and receiver.6 While the sender risks
theft or misuse of personal information such as account and bank details, the
receiver (usually a merchant) risks repudiation of the transaction and resultant
non-payment.
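The two integrity properties above can be checked mechanically. The following is an added example (not from the original paper) in which a consumer’s message carries a keyed hash tag computed over both the sender identity and the payload, so that the merchant can detect a changed amount (message integrity) or a message presented under a borrowed identity (identification integrity). The sender identifiers, keys and order fields are constructed for illustration, and HMAC-SHA256 from the Python standard library stands in for the unspecified “signature elements” of the text.

```python
import hashlib
import hmac
import json

# Constructed example keys, one per consumer, shared out-of-band with the
# merchant's transaction server. A real deployment provisions these per device.
SENDER_KEYS = {
    "consumer-4711": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2),
    "consumer-0815": bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90" * 2),
}


def canonical(sender_id: str, payload: dict) -> bytes:
    """Serialise sender identity and payload into one unambiguous byte string.

    Binding the identity into the authenticated bytes is what gives
    identification integrity: a tag computed for one sender cannot be reused
    under another identity.
    """
    return json.dumps({"sender": sender_id, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def make_message(sender_id: str, payload: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag covering sender identity and payload."""
    tag = hmac.new(key, canonical(sender_id, payload), hashlib.sha256).hexdigest()
    return {"sender": sender_id, "payload": payload, "tag": tag}


def verify_message(msg: dict, keys: dict = SENDER_KEYS) -> tuple:
    """Return (ok, reason). ok is True only if the claimed sender is known and
    the tag matches the message exactly as received."""
    key = keys.get(msg.get("sender"))
    if key is None:
        return False, "unknown sender"          # identification integrity fails
    expected = hmac.new(key, canonical(msg["sender"], msg["payload"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking tag bytes through timing.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "tag mismatch"            # message integrity fails
    return True, "ok"


def demo() -> dict:
    """Run a genuine, a tampered and a spoofed message through the verifier."""
    order = {"txn": "T-1001", "account": "AU-12-3456", "amount": "49.90"}  # constructed
    genuine = make_message("consumer-4711", order, SENDER_KEYS["consumer-4711"])

    # A third party on the radio path changes the amount in flight.
    tampered = json.loads(json.dumps(genuine))
    tampered["payload"]["amount"] = "4990.00"

    # A third party re-labels the message as coming from consumer-0815,
    # whose key it does not hold.
    spoofed = json.loads(json.dumps(genuine))
    spoofed["sender"] = "consumer-0815"

    return {
        "genuine": verify_message(genuine)[0],
        "tampered": verify_message(tampered)[0],
        "spoofed": verify_message(spoofed)[0],
    }


if __name__ == "__main__":
    print(demo())
```

One caveat that bears directly on the repudiation risk mentioned above: because the merchant holds the same key as the consumer, an HMAC tag proves to the merchant that the message was not altered and came from a holder of that key, but the merchant cannot show a third party that the consumer rather than the merchant produced it. Non-repudiation of the transaction needs a digital signature under a private key held only by the consumer.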
In addition to the above two, other security concerns in mobile commerce arise from
the development of the technology itself.7 Mobile technology is envisaged in
such a way that the services offered will eventually warrant payment according to the type of
service. This is already emerging in the domain of mobile telephones: for
instance, when mobile telephone users access other network carriers, a special charge
is levied on them. Therefore it is safe to assume that there will be no “free
services” in the future. The technology is developing in such a way that payment
for such services will be through some form of “smart card.” The details stored on
the smart cards need to be transmitted over the networks for validation and verification
in order to determine service levels. If these networks are not fully secure, security
breaches may occur.
One major security breach that can happen in mobile commerce is when the user
details are transferred from one mobile network to another.8 When this handover
occurs, any encrypted data has to be decrypted so that it can be translated. In mobile
commerce, when mobile devices make requests to web pages on a network server, a
four-stage process is followed. First, the requests originate under the Wireless
Transport Layer Security (WTLS) protocol. Second, the requests are translated at the
originating Wireless Application Protocol (WAP) gateway. Third, they are sent to the
standard Secure Sockets Layer (SSL) protocol of the destination network. Fourth,
the translated information reaches the Hyper Text Transfer Protocol (HTTP) modules
in the new network in order for the requests to be processed. In the process of
translating one protocol to another, the data is decrypted and then re-encrypted. This
exposure is commonly known as the “WAP gap.” If an attacker can gain access to the
gateway at this point, simply capturing the data while it is decrypted
compromises the security of the session.
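The decrypt-and-re-encrypt step at the gateway is easiest to see with both legs modelled in code. The following added example (not from the original paper) runs one payment request through a simulated WAP gateway twice: once as described above, where the gateway holds the plaintext between the WTLS and SSL legs, and once with the handset encrypting the payment under a key shared only with the server before the WTLS leg, so that the gateway only ever re-encrypts ciphertext. The keys, nonces and payment record are constructed, and a toy HMAC-based stream cipher stands in for the real WTLS and SSL record ciphers so that the example runs with the standard library alone.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. It stands in
    for the WTLS and SSL record ciphers here; it is not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


class WapGateway:
    """Terminates the WTLS leg from the handset and opens the SSL leg to the
    web server. Everything it decrypts is visible to code running on it (the
    WAP gap); `observed` stands in for an attacker's hook at that point."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key = wtls_key
        self.ssl_key = ssl_key
        self.observed = []

    def relay(self, nonce: bytes, wtls_record: bytes) -> bytes:
        plain = decrypt(self.wtls_key, nonce, wtls_record)   # WTLS ends here
        self.observed.append(plain)                           # sits in gateway memory
        return encrypt(self.ssl_key, nonce, plain)            # re-encrypted for SSL leg


def run(end_to_end: bool) -> dict:
    """Push one payment request through the gateway. With end_to_end=True the
    handset first encrypts under a key shared only with the server, so the
    gateway re-encrypts ciphertext instead of plaintext."""
    payment = b"PAY card=4111-1111-1111-1111 amount=49.90 merchant=M-77"  # constructed
    wtls_key, ssl_key, e2e_key = b"W" * 32, b"S" * 32, b"E" * 32          # constructed keys
    transport_nonce, app_nonce = b"\x00" * 8, b"\x01" * 8

    inner = encrypt(e2e_key, app_nonce, payment) if end_to_end else payment
    on_air = encrypt(wtls_key, transport_nonce, inner)        # handset -> gateway (WTLS)
    gateway = WapGateway(wtls_key, ssl_key)
    to_server = gateway.relay(transport_nonce, on_air)        # gateway -> server (SSL)
    at_server = decrypt(ssl_key, transport_nonce, to_server)
    recovered = decrypt(e2e_key, app_nonce, at_server) if end_to_end else at_server

    return {
        "gateway_saw_plaintext": gateway.observed[0] == payment,
        "server_recovered_payment": recovered == payment,
    }


if __name__ == "__main__":
    print("WAP gap:   ", run(end_to_end=False))
    print("end-to-end:", run(end_to_end=True))
```

The point for a practitioner is that the gateway is inside the trust boundary whenever it terminates the transport encryption, however strong WTLS and SSL are on their respective legs; only encryption that the gateway cannot remove takes it out of that boundary, which is what the second run shows.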
Data in the mobile commerce environment is secured using encryption technology.
According to Ghosh, it has already been proven that the technology is vulnerable to
attacks.9 Hackers have broken some of the existing encryption algorithms, so
there is no such thing as complete security. Further, there is no international regulatory
framework available to address certain security related problems. For example, in the
current climate, no individual organisation or government can guarantee security to
consumers. When a security breach occurs in an international transaction, no one
country is able to assume responsibility for prosecuting the offenders. While these
problems have been recognised and solutions are being proposed, organisations tend
to lose consumer confidence. This will potentially impact organisations’ revenue.
Trust is central to any commercial transaction and more so in the case of mobile
commerce.10 Trust is normally generated through relationships between transacting
parties, familiarity with procedures, or redress mechanisms. In the case of mobile
commerce, the need for creating the trust in the consumer assumes extreme
importance because of its virtual nature. It hinges on assuring consumers and
businesses that their use of network services is secure and reliable, that their
transactions are safe, that they will be able to verify important information about
transactions and transacting parties such as origin, receipt and integrity of
information, and identification of the parties dealt with. Therefore the challenge is not to
make mobile commerce foolproof but to make the system reliable enough so that the
value greatly exceeds the risk.
Any new development in technology creates both curiosity and reluctance in
today’s consumers’ minds. The informality and lack of overall control create the
perception that the Internet is inherently insecure.11 This perception can
trigger business risks and technological risks.12 Business risks involve products and
services, inadequate legal provisions, reliability of trading partners, behaviour of staff
and demise of the Internet service provider. Technological risks involve hacker attacks,
computer viruses, data interception and misrepresentation. To achieve satisfactory
levels of trust, organisations have to manage both business and
technological risks. Currently mobile commerce relies mostly on knowledge-based
trust, which is useful for business-to-business commerce.13 However, there is a big
surge in identification-based trust to satisfy consumer concerns about their
transaction details. In addition, current architectures for mobile communications do
not provide full security measures in terms of transaction integrity. Some of the
models envisaged for mobile commerce are based on a smart-card oriented approach
and hence the issue of financial transaction security needs greater examination in
mobile commerce.

Security Threats That Can Impact Financial Transactions


Security risks in a mobile commerce environment associated with financial
transactions can be categorised into traditional risks and non-traditional risks.14
Traditional risks usually involve loss or damage to tangible physical assets and
resulting economic loss. For example, loss of computer hardware may leave
transactions incomplete. Alternatively, a data disk that is not fully protected
from theft can place an organisation at some form of risk. Treatment of traditional
risks is usually addressed in risk management policies. Protecting tangible assets from
traditional perils, even when those assets are devoted to mobile commerce, does not
involve new and different techniques. These security threats are beyond the scope of
this paper.
Non-traditional risks involve sustaining damage to organisations’ computer systems
and electronic data.15 These risks can fall under the category of stolen information,
damages to web sites by hackers, hijack of web sites and viruses. An attack may be
perpetrated for any of a number of reasons including financial gain involving credit
card fraud, curiosity with no specific intent of harm, espionage by domestic or foreign
competitors, or by foreign governments, revenge by a terminated employee with the
intent to wipe out files, disclosure of personal data to unauthorised institutions as in
health related cases, thrill seeking, disruption to stop critical activities, and extortion
for financial or political reasons. Any attack, internal or external, on a computer
system is at minimum disruptive and may force the administrator to shut down the system,
resulting in revenue loss.
Non-traditional security breaches also include any unauthorised access to or use of a
company’s computer system and data by an outsider or insider.16 For example, a
hacker could break into a company’s computer system and steal or destroy data.
Widespread use of mobile commerce increases the possibility of an outsider invading
an organisation’s computer system. Due to businesses’ reliance on computers for their
daily operations, breaches of a company’s computer or information security system
are a risk to almost all functional components of businesses. Use of software to
encrypt and, thus, safeguard communications provides some protection, but also adds
a risk that a virus or other bug could damage equipment or data. Further, according to
Dang,17 theft of information such as critical electronic files that include financial data,
customer information, marketing and new product data, trade secrets, and personnel
data may provide competitors with a strategic advantage, criminals with the means to
commit fraud, and others the opportunity to disparage the company. Dornan states
that the use of misappropriated information may harm third parties such as customers,
employees, and business partners.18 The theft of information may undermine an
acquisition or cause a public relations problem and hence potential loss of revenue.
Security breaches may be very costly to an organisation.19 When unauthorised access
to the computer is gained for the purpose of committing a crime or fraud, reputation
is also at stake. Other security issues include prohibitions by domestic or foreign
governments against the use of high-level encryption technology, imposed so that agencies can
break the codes if necessary for defence or law enforcement; changes in international
standards; and loss of, or inability to recover, encryption keys.

A Closer Look at Fraud and Crime Risks in Mobile Commerce


The scope of computer fraud and crime is immense in mobile commerce. Among the
most common crimes are malicious mischief, such as the insertion of viruses or
Trojan horses into one or more computer systems; the fraudulent transfer of money to
personal accounts; the use of forged electronic signatures; the theft of credit card
information and credit card fraud; Medicare and Medicaid fraud; the theft of
intellectual property; illegal use of software; stock and commodity market
manipulations; and similar illegal activities. Most losses are insurable, but premiums
will be relatively exorbitant if security measures are not appropriately enacted.20
A hacker may use a number of methods such as insertion of viruses, spamming and
web snatching to access computer systems and data and cause resulting damage.
Damage may occur at data centres or to transmission networks, routers, and power
sources. Virus attacks may also come from innocent parties who pass on an infection
without knowing that the system is contaminated, usually by e-mail.
Using another technique, called distributed denial of service, hackers attacked some
of the most well-known and highly secured web sites in the world, including
Yahoo.com, eBay.com, and amazon.com. This technique hijacks numerous
computers on the Internet and instructs each one to flood a target site with phoney
requests. The target site, trying to service the phoney requests, exhausts its connection,
bandwidth or processing capacity. The result is effectively slowing or shutting down the
entire site to real customers.
Web snatching is a practice in which one party plants a virus in another party’s Web
site that automatically moves the viewer from the selected site to a site run by the web
snatcher. This is done without the permission of the selected Web site owner or the
site visitor. In many instances, the viewer is unable to get out of the unwanted site,
short of turning off the computer, and is held hostage to the new site. The diverted-
from and diverted-to sites usually have nothing in common with each other.
Financial institutions and companies that have inadequate electronic security
protection are likely to suffer losses of money, information, or other corporate assets.
Surveys have shown that most companies and institutions have incurred losses, and a
substantial number have no idea whether they have come under electronic attack or
not. Insiders or former insiders have committed most of the electronic crime and
fraud, but there are also many examples of third-party fraud and theft.
Mobile commerce can only be conducted if all parties believe there is adequate
security. The majority of those who use the Internet, on which current mobile
commerce technologies are built, are very concerned about security.21 Some forty
percent of Internet consumers give false information when they use the Web because
they do not trust the Internet’s security.22 Other users refuse to register at sites that
require what the consumer believes to be personal information.23 Many persons want
the government to legislate security on the Internet, as they are not confident
businesses will do the job on their own.24 Therefore, it is critical that businesses
enhance both their security and their security image to combat fraud and crime on the
Internet as well as to increase customer confidence and participation and to realise
secure transactions.

Security Risks in Mobile Commerce Emerging from Reliance on Third Parties


Today, most organisations rely on computers for their daily operations. Traditional
risks and non-traditional security risks can interrupt a business or literally shut it
down. For example, a security breach by a hacker can severely disrupt a business and
those that depend on it. Most businesses in mobile commerce are dependent in
several ways on the continued reliability and operation of computer controlled
systems not within their control such as the telephone network managed and
controlled by computers. Businesses are dependent on their financial institutions that
are also managed and controlled by computers. In mobile commerce, to
accommodate home users, organisations are dependent on their Internet service
providers. Suppliers and customers depend on each other’s electronic data systems
and on mutual systems, such as a third-party commodity exchange. When one system
fails, it may cause the other systems to fail as well. Failure may be a slowdown in the
dependent system, also called the “brownout,” or a total denial of service, also called
the “blackout.”25
The risks described above can result in many different types of losses.26 The losses
that arise from reliance on a third party can generally be grouped into: (1) loss or
damage to property, both tangible and intangible, (2) business interruption, and (3)
extra expense. Property losses occur when loss or damage is suffered to a firm’s own
tangible property or to property for which the firm is responsible. Traditionally, this
meant damage to a building or other business property, including computer
equipment. In the mobile commerce world, the focus is on damage to computer
networks and, more importantly, data. An important issue is whether data is
considered tangible property under a typical property insurance policy. It appears that
insurers will begin to address the issue of what is defined as covered property under
these policies. More likely, courts will have to decide this issue.
Property losses can also occur when an organisation’s intangible or intellectual
property is infringed or violated. Copyrighted materials can be copied without
permission, trademarks can be infringed upon or diluted, and patented property or
ideas can be stolen. Today, a firm’s intellectual property may be its most valuable
asset.27 Organisations need to protect their intellectual property from hackers,
crackers, competitors, and others, as well as make sure they do not infringe on the
intellectual property rights of third parties. This could potentially expose a firm to
third-party liability.
Time element losses typically include business interruption (BI) losses and service
interruption losses. BI loss is the economic loss resulting from the interruption of
business activities. Business interruption losses may result from the inability to access
data, the theft of data, or a threat to the integrity of the database. For example, a
security breach of a credit card database may cause the database owner to curtail
activity on the system until a damage assessment is completed and the system
integrity is re-established. Not only is there a disruption of the database operations,
there is also a consequential effect on all third-party users of the system.
Service interruption losses include economic losses associated with the interruption
of utilities. A service interruption incident can occur from an “off-site” exposure or
event. There have been many incidents of communication cables inadvertently being
cut. Long-distance telecommunication companies have experienced software
problems in data routing that effectively crippled their networks for several days.
In addition to the business losses and service losses, mobile commerce gives rise to
new implications about doing business and being protected from interruptions in
doing business.28 Businesses suffering losses related to server outages face the risk of
losing customers for extended periods of time. In mobile commerce, the increased
reliance on suppliers is also exposing businesses to new risks for financial losses.
These range from suppliers of goods (such as raw materials) to suppliers of services
(such as server usage, delivery services, electricity, and telephones).
Business interruption may have several consequences, e.g., loss of income; extra
expenses to recover; loss of customer, partner, and shareholder confidence; and,
ultimately, reduced market capitalisation. Third parties harmed by the denial of
service may sue, adding liability losses to first-party damages. In some cases,
business interruption may constitute a breach of contract.
According to Lee, service denial may cause a customer business interruption, network
suspension, or a disruption in or delay of services.29 Service denials may result in
damage claims or lawsuits for breach of contract.

Expense Incurred by Organisations Due to Business Interruptions


In the event of an interruption, a business may incur extraordinary expenses to resume
operations as quickly as possible. Extra expense coverage is for those costs incurred
by the policyholder in excess of the normal costs that would have been incurred to
conduct business during the same period had no loss or damage occurred. An
example of extra expense might be increased freight charges incurred to meet a
customer’s demand for an order due to delays in the production process associated
with a loss event.
In the mobile commerce area, there are new types of costs that may need to be
considered in the context of risk and insurance, including additional costs of
operating Web sites from alternative servers, costs of operating Web sites through
alternative providers, costs to repair Web sites damaged by hackers or equipment
failures, and costs of rebuilding other lost information.30 Thus, the various security risks
arising from a combination of issues warrant closer scrutiny in the assessment of an
organisation’s IT requirements in order to facilitate secure financial transactions.

Assessment of Organisation’s IT Requirements


In order to guarantee security of transactions in mobile commerce, initial assessment
of an organisation’s IT requirement is essential for a number of reasons.31 These
include the ever-changing customer requirements, changing hardware and software
platforms, dynamically changing user needs and user experiences gained from the
innovative IT products. Therefore, such an assessment involves four key components
of mobile commerce. These are:
(1) Embedded computers in many everyday objects;32
(2) Next generation wireless networks;33
(3) Interfacing technologies for bi-directional communications;34 and
(4) Design of applications that satisfy user needs.35
The first key component arises from the prediction that there will be many more wireless
devices by 2005 and that mobile devices will by then outnumber
wired devices.36 These mobile devices would contain some form of embedded
system, hence the priority given to this component. The next component follows
from the first, which highlights the need for networks to go wireless in order to
support the concept of mobility and hence mobile devices. Users communicate via a
number of different mobile devices, and hence the bi-directional communication
aspect is essential for an organisation to ensure that transactions are reliable and
secure. Finally, to accommodate the diversity of user needs, applications assume a key
component role in mobile commerce.
With these four key components in mind, when organisations’ IT requirements are
assessed, importance should also be given to “user experience.” In the mobile commerce
environment, these user experiences typically involve cameras, music and other
emerging innovative technologies such as positioning systems, and hence
organisations should find a way to accommodate these ever-changing user
experiences. Organisations would then be tempted to add hardware and
software resources to their existing infrastructure, but this will increase the financial
burden on an organisation. One emerging suggestion appears to be the consideration
of “interface” facilities to enable sharing of third-party resources. This requires
addressing and connectivity mechanisms that do not exist today. While recent newspaper
articles forecast that such capabilities are emerging, the bigger challenge for organisations
is to create applications that truly have this multi-modal, multi-channel character,
because it is believed that the immediacy of wireless technology is its great strength.
With this scope in mind, if we analyse an organisation’s IT infrastructure, we
would be able to bundle the business needs that support secure transactions into four main
groups. They are:
1. Technical infrastructure, which identifies what IT in an
organisation is made up of;
2. Physical components of IT, which identify how these components support
various workflow requirements in an organisation;
3. Logical components, which identify how IT components support various
business processes; and
4. Real-time measurement and control of security and service levels.
While the first three points provide the essential components of an application
architecture in an organisation, the fourth point provides the control and maintenance
components of the application architecture. This real-time control is essential in
mobile commerce because of the difficulty of describing a complete security
architecture that ensures the security of transactions.

The Architecture
Figure 1 represents the proposed architecture that attempts to address the various new
security concerns. The architecture consists of 10 levels, starting from level 0. Level
0 is where all security policies to ensure transaction security are dealt with. This is a
management component and it is independent of the organisation’s IT infrastructure. This
is because in the mobile commerce environment, due to changing user needs, it is
difficult for the security officer alone to ensure the reliability of transactions. Since
business managers know the various processes involved in conducting financial
transactions, it is essential that they assume the overall responsibility, while security
officers provide the necessary infrastructure. This view is quite different from the
current electronic commerce environment, where security officers are responsible for
data and information security. This may be possible in a wired environment; however,
due to the importance given to information and its origin in a mobile
commerce environment, the view is totally different. This new view will also enable
organisations to align their business processes with proper security policies, as it will
be difficult to track users in a mobile commerce environment due to the possibility of
“roaming.”

Figure 1: The Architecture (the figure’s boxes, read level by level)

Level 0: security policies and procedures
Levels 1, 2 and 3: various business drivers in the organisation; high level
applications to support business drivers; data, functional and other workflow
models to support business drivers
Levels 4, 5 and 6: physical modules that mimic manual processing cycles in an
organisation; allocation of various hardware and software platforms to support
physical processes; computer programs and executable codes
Levels 7, 8 and 9: services that are common to the organisation and its sites;
middleware component used to provide the above layer services; IT
infrastructure: hardware and operating systems including telephone network

Further, in the mobile commerce environment, users, systems and transactions change
rapidly and unpredictably. This requires organisations to accommodate these needs
and yet provide reliable and secure transactions. Static authentication
and authorisation is falling out of use in mobile commerce, while dynamic
privilege management is becoming an essential component. Therefore, risk
management associated with organisations’ IT security also needs to be dynamic and
in real time, both to react to incidents and to address potential threats more
proactively. In essence, level 0 of the architecture will ensure that customers, business
partners, and other stakeholders of a transaction such as banks and governments
interact directly with these business applications and their IT environments,
especially mobile environments. This level 0 architecture will ensure that the
transaction environment is up and running, reliable and secure.
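To make the contrast between static authorisation and dynamic privilege management concrete, the following added example (not part of the original paper) evaluates each transaction against live context: whether the session has roamed onto a foreign network, whether the device passed its checks, how many transactions the user has made in the last few minutes, and whether operations has flagged an incident on the current network. The limits, thresholds, network names and transaction history are constructed sample policy and data, not values the paper specifies.

```python
from dataclasses import dataclass, field


@dataclass
class TxnContext:
    """What is known about a transaction at the moment it is attempted."""
    user: str
    network: str              # carrier the session currently rides on
    amount: float
    roaming: bool             # session has been handed to a foreign network
    device_trusted: bool      # device passed its enrolment check in this session
    recent_txn_minutes: list  # minutes since each of the user's recent transactions


@dataclass
class PrivilegeManager:
    """Derives the privilege a transaction gets from live context rather than
    from a role fixed at login. Limits and thresholds are constructed policy."""
    base_limit: float = 500.0
    velocity_window: int = 10   # minutes
    velocity_max: int = 3       # transactions tolerated inside the window
    flagged_networks: set = field(default_factory=set)

    def raise_incident(self, network: str) -> None:
        """Operations flags a network (e.g. a compromised gateway) in real time."""
        self.flagged_networks.add(network)

    def clear_incident(self, network: str) -> None:
        self.flagged_networks.discard(network)

    def decide(self, ctx: TxnContext) -> tuple:
        """Return (decision, reasons): 'allow', 'step-up' (extra authentication
        before the payment proceeds) or 'deny'."""
        if ctx.network in self.flagged_networks:
            return "deny", [f"active incident on {ctx.network}"]
        limit = self.base_limit
        reasons = []
        if ctx.roaming:
            limit *= 0.5
            reasons.append("roaming: limit halved")
        if not ctx.device_trusted:
            limit *= 0.2
            reasons.append("untrusted device: limit reduced to 20%")
        recent = sum(1 for m in ctx.recent_txn_minutes if m <= self.velocity_window)
        if recent >= self.velocity_max:
            return "step-up", reasons + [f"{recent} transactions in {self.velocity_window} min"]
        if ctx.amount > limit:
            return "step-up", reasons + [f"amount {ctx.amount:.2f} exceeds dynamic limit {limit:.2f}"]
        return "allow", reasons or ["within dynamic limit"]


def demo() -> list:
    """Same user, same static role, different decisions as the context changes."""
    pm = PrivilegeManager()
    decisions = []
    decisions.append(pm.decide(TxnContext("u1", "carrier-A", 120.0, False, True, []))[0])
    decisions.append(pm.decide(TxnContext("u1", "carrier-B", 300.0, True, True, []))[0])
    decisions.append(pm.decide(TxnContext("u1", "carrier-B", 100.0, True, True, [1, 4, 9]))[0])
    pm.raise_incident("carrier-B")   # operations reacts to an incident on that network
    decisions.append(pm.decide(TxnContext("u1", "carrier-B", 10.0, True, True, []))[0])
    pm.clear_incident("carrier-B")
    decisions.append(pm.decide(TxnContext("u1", "carrier-B", 10.0, True, True, []))[0])
    return decisions


if __name__ == "__main__":
    print(demo())
```

A flagged incident cuts privileges for the affected network at the next transaction rather than at the next login, and a roaming session is trusted less than the same user on the home network; that immediacy is what the real-time control placed at level 0 requires.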
Levels 1 to 3 put the customer first and they are specific to business needs. At this
level, several independent business activities are integrated through IT applications in
order to ensure that data, functions and workflow modules of various business needs
in an organisation are synchronised. Due to increasing demands from customers, the
visibility and interaction across the supply chain to the customer is essential in mobile
commerce. Therefore, manual sub-transactions usually found in a traditional
transaction (including weaker electronic commerce models) need to disappear and
levels 1-3 will ensure that this happens in an organisation.
Levels 4-6 consist of the various physical modules to support the workflow. These
levels also consist of “code” needed to support workflow and integration of
workflow. These levels are of extreme importance to business because this is where
the integration of multiple segments of a business, such as Customer Relationship
Management (CRM) and Supply Chain Management (SCM), takes place. Further,
due to the physical nature of IT components, this is where the existing resources are
integrated with new resources. To establish financial security, levels 4-6 need to be
maintained properly because the transaction is split into multiple components at these
levels before the transaction is processed. Further, when the transaction is split into
component sub-transactions, each of the sub-transactions may run on varied systems
with different infrastructures. Organisations should focus their “security” at these levels
for successful mobile commerce.
The last three levels comprise the IT components needed to realise various
combinations of business needs. At these levels, IT components such as computers are
added to the existing infrastructure. While the previous levels (4-6) facilitate business
needs, levels 7-9 actually implement them. Issues such as network speed and transaction
completion time are essential characteristics at these levels. While business
performance is measured at the previous levels, response time measurement is
conducted at the last three levels (7-9). These three levels are vulnerable to attack, and
implementation of security procedures starts at these levels.
Discussion
When a financial transaction is facilitated in a mobile commerce environment, usually
the consumer accesses the organisation’s computer to search for appropriate details.
Once the consumer is satisfied with his/her order, an order is placed. The consumer
places an order using the infrastructure provided by the Internet storefront and using
his or her payment method of choice. Once the order reaches the organisation, the
transaction is processed. A number of security issues such as verifying the credentials
of the consumer arise at this point. Provision for real-time security and connectivity
to authorise payment via the Internet or wireless medium forms an integral
component of the transaction. The organisation involved in the transaction channels
the transaction through various financial networks such as banks, ensuring that
customers are authorised to make their purchase.
While security controls are applied to a transaction, a client/server architecture is
usually used to perform the transaction processing. The client is installed on the
organisation’s merchant site by the third party that provides user authentication for
financial details, and this client is integrated with the mobile commerce application.
The client is usually also pre-integrated with store management systems, such as those
used for management reporting.
For the purposes of transaction authorisation, the client software establishes a secure
link with the processing server over the Internet using an SSL connection and transmits
the encrypted transaction request. The server, a multi-threaded processing
environment, receives the request and transmits it over a private network to the
appropriate financial processing network.
Depending upon the consumer’s financial status, the transaction is approved or
denied. When the authorisation response is received from the financial network, the
response is returned via the same session to the client on the organisation’s site. The
client completes the transaction session by transparently sending a transaction receipt
acknowledgement to the server before disconnecting the session.
The whole transaction is accomplished in a few seconds, including confirmation back
to the customer and the organisation. If the transaction is approved, funds are
transferred to the organisation’s account. Once the transaction is confirmed, it is
securely routed and processed. As proof of a securely processed transaction, both the
customer and the organisation receive a transaction confirmation number.
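The authorisation session just described (client request over the secure link, server forwarding to the financial network, response returned on the same session, receipt acknowledgement, confirmation number to both parties), as an added worked example in Python that is not part of this paper. The financial network, processing server and merchant client are simulated in-process, the SSL link is assumed rather than opened, and the shared merchant key, account names and balances are constructed; the HMAC authenticator on the request and the check that the response carries the request’s own id are this example’s way of showing the transaction-authenticity concern the paper raises.

```python
import hashlib, hmac, json, secrets
# Constructed shared secret; a real processor provisions this out of band.
MERCHANT_KEY = b"constructed-merchant-secret"

class FinancialNetwork:
    """Stand-in for the card/banking network: approves when the consumer's
    available funds cover the amount and places a hold for it."""
    def __init__(self, balances):
        self.balances = balances

    def authorise(self, account, amount):
        if self.balances.get(account, 0) >= amount:
            self.balances[account] -= amount
            return "APPROVED"
        return "DENIED"

class ProcessingServer:
    """Third-party processing server: checks the request authenticator,
    forwards to the financial network, then expects a receipt acknowledgement."""
    def __init__(self, network, key):
        self.network, self.key, self.pending = network, key, {}

    def handle_request(self, msg, tag):
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # forged or tampered request
            return {"status": "REJECTED"}
        req = json.loads(msg)
        status = self.network.authorise(req["account"], req["amount"])
        conf = secrets.token_hex(8)  # confirmation number given to both parties
        self.pending[req["request_id"]] = conf
        return {"status": status, "request_id": req["request_id"], "confirmation": conf}

    def handle_receipt_ack(self, request_id, confirmation):
        # The session only closes cleanly once the client acknowledges the receipt.
        return self.pending.pop(request_id, None) == confirmation

class MerchantClient:
    """Client installed on the merchant site; the SSL link is assumed here."""
    def __init__(self, server, key):
        self.server, self.key = server, key

    def run_transaction(self, account, amount):
        request_id = secrets.token_hex(8)
        body = {"request_id": request_id, "account": account, "amount": amount}
        msg = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()  # authenticity
        resp = self.server.handle_request(msg, tag)
        if resp.get("request_id") != request_id:  # response must belong to this session
            return {"status": "ERROR", "acked": False}
        acked = self.server.handle_receipt_ack(request_id, resp["confirmation"])
        return {"status": resp["status"], "confirmation": resp["confirmation"], "acked": acked}
```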
The transaction processing cycle is presented on Figure 2.
[Figure 2 image not reproduced. Elements shown: Consumers; Organisation’s Internet Storefront; Credit Card Processing; Financial Networks; Banks and other Acquiring Institutions; Consumer’s Issuing Bank.]

Figure 2: Transaction Processing Cycle

The architecture described in this paper supports almost all the elements of a
transaction that can be conducted in the organisation. The security aspects involve not
only the organisational IT infrastructure but also third-party security levels in order
to approve a financial transaction. It should be remembered that consumers expect the
organisation to facilitate a reliable and secure transaction, and it is in the
organisation’s interest that the third parties involved in the transaction are reliable
and capable of providing the necessary security for the consumer’s transactional details.
While the above diagram portrays a complete financial transaction system, the
following two diagrams portray the components that need to be supported by an
organisation. Components such as office systems form levels 7-9 of the architecture
outlined in this paper. Components such as databases form levels 4-6 of the
architecture described above. Other components, such as Business Logic Components,
form levels 1-3 of the architecture. The business processing for facilitating a
transaction is also highlighted in Figure 3.
[Figure 3 image not reproduced. Elements shown: Databases and other repositories; Security Systems; Trading Systems; Financial Systems; Physical Office Systems; ERP Systems; Customer Systems; Office systems, trading stations, other hardware/software components; Business Logic Components.]

Figure 3: Business Processing Facilitating Mobile Commerce Transaction

Conclusion
The architecture presented in this paper addresses various new security concerns in
the emerging mobile commerce. The architecture is derived to accommodate various
business processes as an integral component, with security management encompassing
these business processes. It is believed that this architecture will assist in avoiding
issues such as loss of transaction authenticity, because the business process is
integrated with the security procedures in the architecture. Further, the business
processes are kept at the centre of the architecture to enable transaction
confidentiality and integrity from an organisational point of view. Further, the
interdependence of the various systems within the architecture is expected to provide
the much needed real-time reaction to any cause of transaction unavailability in mobile
commerce.
While the architecture is only a conception, the inclusion of business processes along
with IT security is expected to provide management with tight controls over financial
transactions. This is rapidly becoming essential in the competitive world of mobile
commerce, where the volume of transactions ensures healthy revenue to organisations.
Therefore, the focus was set on transaction security. It is hoped that this architecture
will help organisations get a head start in reviewing their security procedures and
establishing better control over financial transactions.

RAJ GURURAJAN is a Senior Lecturer in the School of IT at Murdoch University. He is the
program chair for the Bachelor of Applied Technology program at Murdoch University. He
has been appointed as the Director for the Centre for Electronic Commerce and Internet
Studies for the two-year period 2002 - 2003. He has over 12 years of academic experience and
5 years of industry experience. During his tenure in academia, he has published over 50
refereed papers, a text book in Computer Science, 7 book chapters and has conducted
management consulting in the South West Region of Western Australia. His teaching and
research interests include advanced topics in electronic commerce, software costing and
management, computer security and mobile and wireless computing. Address for
correspondence: School of Information Technology, Murdoch University, South Street,
Murdoch Perth, Western Australia – 6150. E-mail: r.gururajan@murdoch.edu.au.
