Topic Contents

8.1 Introduction
8.2 Layered Architecture FOR M-Commerce
8.3 Mobile Communication Infrastructure
8.3.1 R
8.3.2 D
8.3.3 C
8.4 P
8.2.1 D
8.2.2 T
 Topic Contents
8.5 I
8.6 S
8.7 P
8.7.1 R
8.7.2 D
8.7.3 C
8.8 Mobile Payment Methods
8.8.1 D
8.8.2 T
8.8.3 T
E-Commerce and E- Governance
Lecture 7
M-COMMERCE
 8.1 INTRODUCTION
So far we have described e-commerce using desktop PCs and servers connected to the
Internet.

As we saw, the availability of e-commerce sites 24 x 7 allows anytime shopping from

anywhere in the world.

The desktop machines are connected to a LAN and are not portable. Nowadays people
on the move want to use e-commerce facilities when they travel.

There are two situations which arise. One is the use of a mobile laptop computer and
the other is the use of mobile hand-held devices such as mobile Personal Digital Assistants
(PDAs).

A mobile laptop is used normally when a person is stationary, e.g., while waiting in an
airport lounge for a plane or while working in a hotel room. In these cases a system called
Wi-Fi (Wireless High Fidelity) connection is used to connect a laptop wirelessly to a wireless
hotspot which is in turn connected to an ISP.

Many airports, hotels and even city streets are "Wi-Fi enabled". In other words, they
have wireless access points with a transceiver called wireless hotspots connected to the
Internet through an ISP. The laptops will also have transceivers so they can connect using
the hotspot to the Internet. (We have described these in Chapter 2).
 In this case the only additional problem requiring attention in e-commerce is the
security of wireless connection. Otherwise, there are no new problems.

The number of mobile hand-held devices such as mobile phones is much higher than
laptops.

There are several unique applications of e-commerce when mobile devices are used
which we will describe in this chapter.

Mobile phones use cellular wireless infrastructure to communicate with one another.
The wireless cellular infrastructure is connected to the Internet and this allows e-
commerce.

Currently B2C e-commerce using sophisticated mobile hand-held devices such as

PDAs is rapidly increasing. It also presents several new problems. They are:

The screen size of mobile devices is very small. Thus, designing appropriate browsers
is a challenge.

The keyboard in mobile phones has only around 16 keys and thus several key strokes
are required to send a message.

The time to transmit messages using a cellular network is much higher (>200 ms) and
is variable compared to fixed networks.
 The computing power of hand-held devices and available memory is much less
than desktops/laptops. This requires innovative programming.

Wireless systems can be easily intercepted compared to a wired system.

Security requires special attention.

Thus, the standards and method used in fixed networks are not directly
applicable in mobile systems and new systems are needed.

In this chapter, we will first present a layered architecture to logically describe

m-commerce system. We will then describe several new applications which
emerge when mobile devices are used.

We will lastly discuss the essentials of physical, logical and mobile services
layers.
 8.2 LAYERED ARCHITECTURE FOR M-COMMERCE
In Chapter 2, we described a layered architecture for e-commerce. The reason we use a
layered approach to describe e-commerce is the realization that each layer provides a service
which is reasonably self-contained.

However, the higher layers depend upon the services provided by the lower layers. Further,
each layer can be designed independently assuming that services offered by the lower layers are
available.

In m-commerce, the major difference is the use of the mobile telephone infrastructure which
permits mobility.

Once the mobile device gets connected to the Internet, the services of the Internet which
were used in e-commerce are available.

Thus, we have to have layers which are appropriate. We propose a layered architecture
which is adapted from the one proposed by Varshney et al. (See Reference 21 at end of the
book). In this model there are four layers shown in Table 8.1.

We will discuss in the rest of this section various applications. We broadly classify the
applications as those using:

Mobile phone infrastructure and primarily based on Short Messaging Service (SMS)
available on all mobile phones.
 Those which use mobile laptop computers using Wi-Fi connection to LAN.
There are portable light weight mobile laptops which are available now with 7-
inch screen and pen drives which are useful for mobile applications.

Global Positioning System (GPS) along with WAP-enabled mobile phones.

Each of these has services which are unique and are in various states of
maturity. We will now describe applications in each of these categories.
8.2.1 Mobile Phone-SMS System

This is quite mature and is used extensively. Applications include downloading

ring tones by sending an SMS, SMS confirmation of airline ticket booking, SMS
alerts on delayed flights.

SMS alerts on traffic jams, SMS messages on cricket scores and many similar
services offered by mobile phone operators. The main limitation is 160 characters
per message.

Charges are debited from prepaid SIM cards in the mobile phone or billed if it is a
post-paid service.
 8.2.2 Laptops using Wi-Fi LAN Systems

As laptops accessing the Internet have large screens and reasonable computing
power, they can be used for several applications .

One of the major applications of this mobile system is that it enables a

businessman while he or she is travelling to download e-mail, obtain information on
latest inventory levels before committing a delivery deadline, get access to catalogues
and price lists and generally to keep in touch with his or her, reporting office.

Wi-Fi security is however a problem.

Another application of a mobile laptop is in hospitals which are Wi-Fi enabled. A

doctor treating a patient can retrieve the medical data of the patient from a patient's
database. He or she may use it to prescribe appropriate medications which can be
entered using the laptop. This will update the patient`s database and keep the medical
history of a patient up to date.
 8.2.3 WAP-Enabled Mobile Hand-held Systems

Nowadays one can purchase mobile phones which are useful to send digital data besides
being used for normal voice services. These phones have software which is incorporated in
them called Wireless Application Protocol (WAP).

WAP is the analog of TCP/IP protocol stack of the Internet. Thus, WAP enabled phones,
which have more CPU power and memory, compared to voice phones, may be used to create
a mobile Internet.

With the mobile Internet m-commerce can be realized in the mobile domain. This is not as
useful as being able to use traditional Internet-based web services which have matured over
years.

Thus, the mobile Internet is connected to the Internet by mobile network operators. We will
describe how this is done later in this chapter. We are, however, assuming that this connection
exists when we describe applications.

There are several novel applications of WAP-enabled mobile hand-held systems using the
cellular infrastructure besides the normal B2C e-commerce.

In B2C e-commerce a customer can use the browser on the hand-held device to log on to
the web sites of several stores in the vicinity where he or she is currently located and find out
about availability and cost of items he or she wants to buy.
 A customer can participate in auctions using his or her mobile device and bid for
goods while on the move.

Another useful application is mobile banking. Customers may log on to their

account statements maintained by the bank (with a password in addition to the mobile
phone number) and download their account details.
Standing instructions such as debiting the account to pay installments for a
purchase or credit card payment or stop payment of a cheque may also be issued by
a customer from the mobile device.

On-line trading in shares while on the move is another popular application.

Salespersons can use their mobile devices to find out about items available in
stock, negotiate discounts and record the sales with their company to enable the
company to fulfill the order expeditiously.

A service engineer while repairing a machine can log on to the company to get a
trouble-shooting manual on-line using his or her mobile device and may also get
expert advice if there is a difficult problem.

Mobility provides access from anywhere while on move in the coverage area of
the cellular infrastructure. This unique advantage will lead to many innovative
applications not described in this section.
WAP- Wireless Application Protocol
An open, global specification that empowers
mobile users with wireless devices to easily
access and interact with internet information
and services instantly.

The wireless industry came up with the idea of

WAP. The point of this standard was to show
internet contents on wireless clients, like
mobile phones.
 World-Wide Web Model

Web Server

Client
Request CGI,
(URL) Scripts,
Etc.
Web
Browser
Response
(Content)
Content
 WAP Programming Model

Gateway Web Server

Client Encoded Request

CGI,
Request (URL)
Encoders Scripts,
WAE And Etc.
User Decoders
Agent Encoded Response
Response (Content)
Conte
nt
8.2.4 Location Dependent Services

A mobile unit's location may be approximately found by using the location of the Base
Station of the cell which relays signals to it. When this Base Station's-location is overlaid
on a map of a city, the approximate position of the mobile device in a city can be found.

This can be used to find, e.g., restaurants in the vicinity of the mobile phone with their
menus and price and customer feedback (if available in the restaurant's web site) to
select an appropriate restaurant.

A shopper may find availability of goods he or she wants to purchase by logging on to

the web sites of shops in the vicinity from the map, compare prices and visit the
selected shop.

There are several other applications which are location dependant and require more
accurate location information.

In these cases a mobile device may be enabled with a built-in receiver of Global
Positioning System (GPS) and find the exact longitude and latitude of the device. By
overlaying this on a map, the exact location of a mobile device may be found. These
applications are:

An empty taxi in a fleet may send location information to a dispatch centre using a
mobile hand-held device. The dispatch centre can then send the nearest empty taxi to a
customer.
A request may come to a company to ship urgently spare parts for a machine. The company,
knowing the location and contents of a moving truck with the required spare parts can send a
message to the truck driver to deliver the items to the customer.

8.3 MOBILE COMMUNICATION INFRASTRUCTURE

While describing the layered architecture we saw that the bottommost layer which is called
the physical layer provides the infrastructure for mobile communication. Among these we have
described Wi-Fi based LAN and satellite-based system in Chapter 2.

In this section, we will very briefly describe the mobile phone infrastructure which supports
mobile hand-held devices. The primary objective of a cellular wireless communication system
is to allow customers to use their own personal mobile devices while they are on the move.

The handset is small enough to go in their pocket and a customer will be connected to a
communication system anywhere any time (if he or she chooses to).

Even though the cellular communication system was intended for voice communication it is
currently a digital system and is capable of digital communication. Handsets have also evolved
which can compute as well as communicate.

There are two cellular communication technologies which are both popular and coexist.
A system called Global System for Mobile Communication (GSM).

The other system called Code Division Multiple Access (CDMA).

Both GSM and CDMA use cellular wireless technology but the modulation
methods are different.

As the modulation systems are different, the hand-held devices use different
technologies and they are not interchangeable.

In this section, we will first explain the overall architecture of a cellular

communication system and how mobility is ensured by using inter-meshing
hexagonal cells to provide wireless coverage for whole regions.
 Definitions
TDMA Time Division Multiple Access

FDMA Frequency Division Multiple Access

CDMA Code Division Multiple Access

TDMA+FDMA
FDMA divides the given spectrum into channels by the frequency domain. Each
phone call is allocated one channel for the entire duration of the call. In the figure
above, each band represents one call.

TDMA enhances FDMA by further dividing the spectrum into channels by the time domain
as well. A channel in the frequency domain is divided among multiple users. Each phone call
is allocated a spot in the channel for a small amount of time, and "takes turns" being
transmitted.

Unlike FDMA and TDMA, CDMA transmission does not work by allocating channels for
each phone call. Instead, CDMA utilizes the entire spectrum for transmisson of each call.
Each phone call is uniquely encoded and transmitted across the entire spectrum, in a
manner known as spread spectrum transmission.
 FDMA Large room divided up into small rooms.
Each pair of people takes turns speaking.
TDMA Large room divided up into small rooms.
Three pairs of people per room, however, each pair
gets 20 seconds to speak.
CDMA No small rooms. Everyone is speaking in
different languages. If voice volume is minimized,
the number of people is maximized.
 CDMA Operation
Spread Spectrum Multiple Access Technologies
 8.3.1 Architecture of GSM Cellular Mobile Wireless System
In GSM mobile systems the region to be covered by the service is divided into
hexagonal cells which are typically 5 km in diameter (See Figure 8.1).

The size depends on the density of traffic and would be larger in sparsely populated
areas.
At the centre of each hexagonal cell is a base transceiver station (BS) which sends and
receives signals to/from mobile devices within its range.

The cell shape is hexagonal as the distance between the centre of neighboring
hexagons is constant.

This property is useful, to ensure easy handoff, i.e., transfer of control of a mobile device
(phone, PDA, etc.) from one cell to an appropriate adjacent cell when the user of the mobile
device moves.

The base station has several antennas, a controller and a set of transceivers, one
transceiver for each channel assigned to that cell. The base stations are all connected to a
Mobile Telecommunication Switching Office (MTSO) usually by landlines. If the terrain is
unsuitable BS may be connected to MTSO by wireless. The MTSO is also connected to a
PSTN by a landline (See Figure 8.2).
 The major functions of MTSO are to:

Establish connection between a fixed phone connected to PSTN and mobile device
via BS and vice versa.
Establish connection between two mobile devices by using respective base
stations.
Allocate appropriate channels to mobile devices to communicate by informing
concerned BS.
Manage handoff of mobile devices from a BS to an appropriate one when a mobile
user moves.
Monitor the calls in progress for facilitating charging for use.

Before describing how the connection is established between mobile devices and
fixed phones as well as between two mobile devices, we will have to understand how
channels are allocated to mobile devices when they want to communicate.

The most expensive resource in the mobile system is the electromagnetic

spectrum allocated for this purpose.

A specific band of frequencies is allocated to a mobile network operator by the

government which has to be used judiciously by the operator to support as many
mobile subscribers as possible.
 In a GSM system, this band is divided into a set of sub-bands and one
set is allocated to each cell for communication within that cell.

As mobile devices have a limited power (due to their small size and need
to conserve battery life) the cell sizes are small (few km) and their
transmission has a limited range.

Thus, a sub-band of frequencies allocated to a cell can be reused in

other cells which are not in their immediate vicinity. This frequency reuse is a
very important feature of the cellular communication system.

We will now explain how a connection is established in a cellular system.

We will first describe connection establishment between a fixed phone and
mobile phone and vice versa. The following steps are followed:

Step 1: A request to contact a mobile device is received by MTSO and is

relayed to all base stations (BSs) connected to it.

Step 2: The BSs send out a paging signal in their respective bands
seeking an acknowledgement from the called mobile device.
 Step 3: The called mobile unit recognizes its number in the cell in which it is
currently located and sends an acknowledgement to the BS of the cell. The BS in
turn sends this information to MTSO. MTSO establishes connection of this BS with
the fixed phone via PSTN. It also allocates a free channel to the BS to
communicate with the mobile device. Connection is established between a fixed
phone and the mobile device via MTSO and BS.

Step 4: If the mobile device moves away from the cell whose BS established
the connection, it picks up a new signal from the BS into whose domain it has
shifted. This BS now allocates a channel to the mobile device and connects it to
MTSO. This is called handoff from one BS to another.

The above procedure is for a call from fixed to a mobile device. If a mobile
device wants to call a fixed phone, it establishes connection with the BS whose
signal is strongest and connects to MTSO via this BS. MTSO assigns a channel
after it finds that the fixed phone is free to receive a call. Now the call can proceed.
Handoff is the same as in step 4 above.

The steps followed for calls from a mobile device to another mobile device are
as follows:

Step 1: A mobile device wanting to call is turned on and senses wireless signals
available on various frequencies and picks the one which is strongest. It then
selects the BS sending this frequency as its base.
 Step 2: The BS forwards the called mobile number to MTSO. MTSO relays
this to all the base stations. The BSs in turn send paging signals in their
respective bands seeking an acknowledgement from the called mobile
number.

Step 3: If the called mobile number is ON, it picks up the paging signal and
sends an acknowledgement to the BS in whose cell it is currently located.

Step 4: The BS sends this information to MTSO which connects the BSs of
the two mobiles so that conversation or a digital transaction between them
can proceed. If in step 3 no acknowledgement is received by any BS due to
the called mobile being switched off or busy or out of range, this information is
sent to MTSO which relays this information to the calling mobile via its BS.

Step 5: If any or both of the mobile units move from the current cell, a
procedure similar to that described in step 4 of fixed to mobile unit is followed.
All the above steps take place fast and once a connection is established, it is
maintained regardless of movement of the mobile phone and without any
obvious disruption of the ongoing conversation.
 Cellular communications systems used nowadays, namely GSM and
CDMA are both digital systems and thus all thee steps described above are
for digital data communications. The frequency spectrum used in cellular
systems in India is in the 900 MHz band.

In the above description, we have described the cellular phone system

which has been designed primarily for phone conversations. In m-
commerce, the cellular system is used by mobile devices as the "bearer
network" of signals to access the Internet.

In this case there are two alternatives. One is for the mobile network
operator to provide Internet services from MTSO and the other is to let
another independent Internet service provider to connect via MTSO to a
gateway which does protocol conversion of the mobile Internet to the
Internet on landlines. We will discuss the various alternatives available with
other types of "bearers
8.3.2 General Packet Radio Service (GPRS)

A packet data-oriented mobile data service is available in GSM systems and is called GPRS.
General Packet Radio Services (GPRS) is a packet-based wireless communication service that
promises data rates from 56 up to 114 Kbps and continuous connection to the Internet for mobile
phone and computer users. GPRS (General Packet Radio Service) was the first technology that
was successfully implemented into the 2G mobile phone systems to send and receive data
between mobile phones and transmission towers. But by itself, GPRS does not provide the
mechanisms for user to browse the internet. For that, WAP or the Wireless Application
Protocol, was developed.

This is popular as the cost of a mobile device with added GPRS is in the medium price range
compared to higher cost of WAP-enabled mobile systems.

GPRS connectivity can also be provided on laptops enabling them to use the mobile telephone
network. The transmission rate of GPRS is in the range of 56 to 114 Kbps (the speed is increasing).

GPRS can be used with WAP but can also be used independently to avail of Internet services such
as e-mail and access to World Wide Web.

This is to be contrasted with mobile phone use which is usually charged for connection time. For
several applications GPRS is preferable. An improved GPRS called EDGE (Enhanced Data rate
GSM Environment) is now being offered by some operators and delivers data at rates of up to 384
Kbps.

The next generation mobile communication system called 3G is expected to give data at rates up
to 2 Mbps for packet communication.
 8.3.4 Short Message Service (SMS)
This is a communication protocol which enables the interchange of short text
messages between mobile phones/devices.

It is an extremely popular service. Messages are sent to a Short Message Service

Centre (SMSC) which stores it and forwards it to the intended recipient's phone.

The service is best effort, i.e., delivery is not guaranteed but normally messages are
not dropped. SMSCs store and forward the message to a recipient's phone if it is not
reachable or is switched off.

The maximum length of a message is 160, 7-bit character or 140 bytes: If unicode is
used (e.g., to send non-English characters), then the message length is limited to 70
characters.

SMS gateways provide value-added services in cooperation with mobile network

operators to businesses (such as TV voting). These operators route messages between
different networks and provide faster SMS delivery.
8.4 WIRELESS APPLICATION PROTOCOL

The Internet was enabled by the adoption of a common standard called TCP/IP (Internet
Protocol Stack) by manufacturers of all computers.

In the early days, a mobile communication system was mainly intended and designed
for audio phone conversations.

When mobile devices became more sophisticated and the networks became all digital, it
was realized that digital data-oriented services could be offered.

All the applications, we described in Section 8.2 require the mobile hand-held device to
avail the services of the Internet. In order for the mobile devices of different manufacturers
connected by the wireless network to communicate with one another seamlessly, we need
a protocol similar to TCP/IP.

TCP/IP cannot be adopted without change due to several reasons, the most important
one being the high and variable time (>500 ms) needed to transmit messages among
mobile devices and from mobile devices to the fixed network. Packet losses are also
higher in wireless networks.

Thus, another protocol called Wireless Application Protocol (WAP) has been adopted by
manufacturers of mobile devices. With the adoption of this standard, we have a "Wireless
Internet" in the wireless world to communicate among wireless devices.
For wireless devices to communicate with services connected to the Internet,
we need a protocol conversion from WAP to TCP/IP and vice versa. This
conversion is performed by a device called WAP gateway. Before describing the
functions of a WAP gateway, we will briefly describe the WAP protocol stack.

WAP stack is also a layered protocol similar to TCP/IP of the Internet-The-

advantages of layering are:

Layering allows the design of each layer independently of the other layers.

Layering allows subsets of the standard to be implemented by equipment

manufacturers.

Layering permits easy bridging to the Internet.

Layering separates concerns of functions to be provided by each layer.

WWW Protocol Stack

HTML
Java Script

HTTP

TLS - SSL

TCP/IP
UDP/IP
 WAP Stack
Runs on top of WDP
Provided lightweight X-oriented service
Unreliable 1-way request
MicroBrowser (WML,
Reliable 1-way/2-way req./response
WMLScript, WTA, WTAI)

Lightweight SSL
Uses WIM/PKI-Cards

Datagram service on different

bearers
Convergence between bearer
services

Different Wireless Tech.

Source: WAP Forum

8.4.1 Mobile Network Operators

There are several mobile network operators in each country. The technology
used also differs. We pointed out that GSM and CDMA are two different systems.
Their original purpose was as voice carriers.

Now they are evolving as data carriers as there are many more , value-added
services they can provide.
 8.4.3 Service Provider

Service providers provide several application services to mobile users. They

cooperate with content providers, e.g., banks, e-shop, etc. Several services have
already attained maturity in the fixed client-based Internet.

They have to adapt them to mobile clients who have handsets which have much
less capacity. The effort will be worthwhile only if the subscriber base is large.

The Wireless Application Protocol has been designed primarily cooperatively

between network operators and mobile handset manufacturers. The layering idea
allows each stakeholder to independently design layers.

The design would be optimized for their specific device technology. However,. as
the interfaces are clearly defined, they can mesh and depend on services provided
by the lower layers. The services provided by each layer of WAP is summarized in
Table 8.2: In Table 8.3, we compare WAP with Internet Protocol. Observe the close
correspondence between the two protocols.
 Looking at the application layer the main component is WML which is
defined as XML 1.0 application.

As the size of the screen in most mobile hand-held devices is small

the design of WML should recognize this. The microbrowser also is for a
small screen.

The most apt applications for hand-held mobile devices are simple
ones requiring a small output which can be accommodated in a small
screen such as train/airline departure/ arrival information, looking- at
stock prices, looking up addresses and phone numbers of shops in the
vicinity of a user, traffic information, etc.

WAP was originally developed as a cooperative effort of mobile

network operators and mobile phone vendors. A group called WAP
Forum did this. Now WAP Forum has been succeeded by a company
called Open Mobile Alliance (OMA) which will continue 'to improve WAP
as new networks (3G, for example) emerge and better hand-held devices
are built.
 8.5 WAP GATEWAY

We saw in the last section that the mobile hand-held devices use WAP; protocol to
communicate with one another seamlessly regardless of the technology used by
mobile network providers (CDMA or GSM).

In other words, WAP is the analogue of TCP/IP of the fixed networks. If all
services were available on mobile networks, it would be a self-contained system. A
mobile system cannot however work in isolation.

It has to communicate with the Internet with fixed clients and servers. WAP-
enabled mobile clients would require services offered by servers connected to the
Internet.

In order, to achieve this, the WAP transaction/session has to map to IP

transaction/session which uses http. This is done by WAP gateway which transforms
WSP requests received via the wireless network into http request and sends it over
the Internet.

In the reverse direction, it transforms http responses received from the Internet to
WSP responses to the requesting WAP device via the wireless network (See Figure
8.3).
 WAP network model

November 20th, 2001

 Mobile hand-held WAP-enabled devices cannot handle HTML which is the
most common language used to write pages in the World Wide Web.

As the screen size is small, memory capacity is low and CPU power is
limited only 3 or 4 lines can be displayed on a hand-held mobile device. The
language used for display is called Wireless Markup Language (WML) which
is defined as an XML 1.0 application.

Besides WAP gateway, a WAP proxy server is required to connect and

present HTML pages from a web site to WML formats.

The WAP gateway recognizes the fact that wireless networks have low
bandwidth and high latency. It thus encodes the information optimally to cater
to this constraint.

A mobile device supports a micro browser which is a software that

requires a small memory, low computing power and a small screen size.
They use WML. Thus, WAP proxy must act as a WML server to a mobile
client using the information retrieved from the specified URL as HTML pages.
 Each MTSO in the physical system would usually have a WAP
gateway and WAP proxy to cater to Internet service request from WAP-
enabled mobile devices in its network.
8.7 SECURE WIRELESS CONNECTIVITY

Wireless security requirements are the same as in wired network. We require authentication
of who is calling, protect the data from eavesdroppers while it is in transit and ensure that it is
not altered while it is transmitted.

There are some unique problems in wireless: eavesdropping is easy; bandwidth is limited,
latency is high and connections are unstable. In WAP devices security is provided by Wireless
Transport Level Security (WTLS) which works in a manner similar to SSL (Secure Sockets
Layer) of Internet Protocol.

The simplest authentication is server authentication in which a server provides to a client a

public key certificate. Once a client is assured that the server is genuine, the client can use a
name/password based transaction with a server connected to it by the mobile network.

Even though in theory, encryption using either RSA, Diffie-Hellman session key exchange
or RSA/3DES combination should work, in practice there are the following problems:

CPU power of mobile devices is low. Thus, encryption using RSA or Diffie-Hellman is slow as
they are compute intensive requiring long integers to be raised to a large power. Elliptic key
cryptography is a new entrant which is expected to be less compute intensive.
Network is slow. Key exchange and encryption may take several seconds.
With 3G networks this would be reduced.

WTLS is applicable within the mobile network only. If a mobile client has to
access a server on the Internet, WTLS has to be converted to TLS at the WAP
gateway and new problems arise which we will discuss next.

In WAP protocol stack WTLS is optional and need not be used if not
considered essential.
8.7.1 Security of Mobile Network-Internet Connection

WTLS applies only within the mobile network. If a mobile client wants to connect to a
server on the Internet, protocol conversion from WAP to IP is performed by the WAP
gateway.

In order to convert data encrypted by WTLS to SSL/TLS encryption, WAP gateway has
to first obtain the plain text of the WTLS encrypted data and re-encrypt it in SSL/TLS.

Thus, there is no end to end security between a mobile WAP client and a server
connected to the Internet.

Normally, the plain text is available only for a few milliseconds and that too only in the
main memory of the WAP gateway (WAP gateway will never put the plain text on disk).
Thus, a hacker has to get the privileges of a super user to enter main memory.

Further, the WAP gateway normally protects itself with .a good firewall which makes it
difficult to access it. Thus, this problem should not unduly perturb a user. However, if
sensitive financial transactions are involved there are other methods of connecting mobile
client to the Internet which we discuss next.
8.7.2 WAP Gateway Managed by Sensitive Content Providers

In this case a service provider can cooperate with the mobile network operator to
connect another WAP gateway entirely under its control ensuring security. Payment
gateways of some banks which provide mobile banking (See Figure 8.9) use this solution.
 8.7.3 WAP Gateway at Server End

Another method is to use a"tunnelling gateway" at the mobile network rather than a
WAP gateway.

This tunnelling gateway takes the full WAP session, transport and security protocols
in the WAP stack of the mobile network and encapsulates them as WDP packets. WDP
packets are transmitted as SSL encrypted UDP packets on the Internet (See Figure
8.10) to the server and a WAP gateway converts WAP protocol to IP and processes the
mobile client's request.

This solution ensures end to end security of WAP packets.

This solution, however, places a huge burden on the server as it has to maintain
WAP gateway software and also provide contents in wml.
To ensure end to end security between a mobile client and a server and for mutual
authentication, public key certificates should be exchanged between the two parties. The
certificates are too long and transmission is slow.
 However, in most cases the users are casual users (usually in B2C e-
commerce) and do not have a public key certificate. In such cases Diffie-
Hellman session key exchange (See Section 5.3) and 3DES encryption of the
messages is used.

There are attempts to provide VPN connectivity from a mobile client to the
web server on the Internet. At present this is difficult as VPN implementation
needs computing power which many low cost mobile hand-held devices do not
have.
8.8 MOBILE PAYMENT METHODS

Mobile payment may be defined as "Any payment which uses a mobile hand-held
device (such as mobile phone, PDA) to initiate, authorize and confirm payment in
return for goods or services.

As the use of mobile phones increases, consumers demand the use of mobile
phones to enable payment. This is a growth area in e-commerce and several
innovative solutions will emerge.

All mobile payment systems must have the same properties as e-payment system
(See Section 6.2). They are confidentiality, integrity, authenticity and non-
repudiability. There are several types of mobile payment systems. They are:

SIM (Subscriber Identity Module) card enabled

Payment using Short Messaging Services

Payment using WAP enabled mobile hand-held device

Using Smart card (See Section 6.6.3) along with the mobile hand-held device.
8.8.1 SIM Card-enabled Payments

Mobile network operators sell valueadded services such as ring tones and access to
cricket scores by deducting the amount payable for the service from the amount in the
prepaid SIM card.

A customer sends an SMS to a specified number to get this service. The network
operator's server using the mobile number of the subscriber and the SIM card identity,
deducts the amount by sending a debit instruction to the identified SIM card. SIM card is
a smart card with processing power and storage.

The storage is used to store prepaid amount. After debiting an SMS is sent to the
subscriber intimating the debit. SIM cards are also topped up, that is, more amount is
credited to it by paying an amount to a franchisee of the operator.
 8.8.2 Payments based on SMS

Network operators cooperate with providers of services for enabling SMS-

based payment. In this model a consumer registers his or her mobile number with
the service provider and sends an SMS request for a service. Using the mobile
number as unique identification, the service: provider bills the customer after
providing the service.

In case of dispute authentication of the mobile number is provided by the

network operator. Normally, these types of SMS-based payments are
micropayments.

SMS security depends on encryption provided by the Mobile Network Operator.

This is good enough for small payments. The main disadvantage of SMS is that the
message length must be below 160 characters.

Some merchants find it attractive as transaction charges with mobile phones

are normally lower than with credit cards.
 Unfortunately, currently there are no accepted standards for this type of
payment. One model for mobile phone payments for goods purchased from
a merchant would have the following steps.

Step 1: A merchant accepting mobile phone payments has to register

with a payment service provider giving his or her bank details and will be
assigned a unique ID and his or her mobile phone number will be registered
for payment confirmation. Similarly, an individual wanting to use mobile
payment has to register his or her mobile phone number and bank account
details with the same service provider. The service provider will assign a
mobile personal identification number (mpin) to the customer.

Step 2: The merchant requests a customer wishing to pay using a

mobile phone for his or her number and sends an SMS to him or her giving:
<merchant id><Transaction id><amount>

Step 3: The customer appends to this SMS his or her mpin and
forwards it to the payment service provider authorizing payment.

Step 4: The payment service provider forwards it to the customer's bank

for authorization. The bank will authorize and give authorization ID if this
amount is within limits. It will debit customer's account.
 Step 5: On receipt of authorization from the bank, the payment service
provider will credit merchant's bank and forward SMS to both the merchant and
the customer with following details:

<merchant id><Transaction id><amount><payment confirmation id>

Step 6: Merchant will now deliver the goods to the customer.

The security of the entire transactions depends on the encryption of SMS

done by mobile operators which is reasonably secure for small payments.
Dispute resolutions will be based on transaction details given in the last SMS of
the payment service provider.
 8.8.3 Payment using WAP-enabled Mobile Hand-held Device

We will describe credit card payment using WTLS (Wireless Transport Layer Security)
which is the analogue of Transport Layer Security (TLS) of Internet (See Section 6.3.1).

There are several parties involved in enabling credit card payment. They are:

Customer using mobile hand-held device

The mobile network operator

WAP gateway and proxy which is at the edge of the mobile network

Land line (Internet) connecting WAP gateway to the merchant's server

Acquirer's server connected to the merchant's server by the Internet

Customer's bank (card issuer) connected to the acquirer by Internet

In Figure 8.11 we give a block diagram of the credit card payment system in
m-commerce.
 The payment method proceeds as follows:

Step 1: A mobile client accesses the web site of a merchant using his
mobile device in which he enters the URL of the merchant.

Step 2: The merchant's website can be viewed. using the mobile

user's micro browser. The main problem is the small size of mobile
screen. Thus, viewing can be painfully slow. If the merchant's server
provides content using WML optimized for viewing by mobile user, it will
be advantageous to the client. A few content providers cooperate with
Network operators and provide such services.

Step 3: The mobile client now places selected items in his "shopping
cart" with merchant and orders these.

Step 4: The merchant's server now prepares the invoice and sends it
to the mobile client's device.

Step 5: The mobile client views it using WML. If he approves, he OKs

the transaction. Now he has to send his payment. Normally, it will be by
credit card. Credit card number has to be sent only on a secure channel.
In the wired world TLS provides the necessary security. In WAP enabled
 hand-held device the equivalent is WTLS which we described in the
last section. WTLS uses either RSA/3DES encryption or Diffie Hellman
secure key exchange algorithm for security. Thus, the credit card details
are sent securely to WAP gateways using WTLS. From WAP gateway to
the merchant's server TLS security will be used. Along with encrypted
credit card number the shipping address is also encrypted and sent to the
merchant's server.

Step 6: The merchant's server decrypts the data. The credit card
number and the amount are sent encrypted using TLS to the acquirer's
server.

Step 7: The acquirer forwards the credit card details and amount to
the appropriate customer's bank server using TLS.

Step 8: The customer's bank server validates card number and

amount of order and informs the acquirer's server which forwards the
approval to the merchant.

Step 9: The merchant ships the goods ordered to the customer. The
customer's credit card company mails the bill for payment to the
customer. After the receipt of the bill in due course of time the customer
remits the amount to his bank.
 In summary, the credit card payment method is very similar to the
system used when an order is placed from a desktop client given in
Section 6.3.1 where security was ensured by using Diffie-Hellman session
key exchange for secure transmission.

The only difference is the transaction between the mobile client and the
merchant which uses WTLS instead of TLS. Even this security is difficult to
implement unless the mobile client has reasonable CPU power to
implement the Diffie-Hellman session key calculation algorithm.

Due to the low bandwidth of wireless network coupled with low CPU
power of mobile devices, the entire payment process is quite slow (tens of
seconds). All transactions between the merchant, acquirer and the card
issuing bank use TLS as they are all connected by the Internet.

SET protocol for credit card transactions presented in Section 6.3.2 is

practically difficult to implement-when a customer uses a mobile hand-held
device.
 In a payment system involving merchants and customers mutual
authentication of the two parties is desirable. This is often provided by third
parties maintaining trust/ validation directories which can be referred to by the
two parties before commencing transaction. These directories must be in
encrypted form to avoid hacking and allow access only to approved clients
using a password system.
 8.9 MOBILE BANKING

Banks have started offering information based services like balance enquiry, record of
last five transactions, instruction to stop payment of cheques, location of nearest
branch/ATM, etc., for customers using mobile hand-held devices.

They are also starting funds transfer instructions such as bill payment, transfer to
other accounts, etc., provided customers pre-register their mobile numbers with the bank.
Each customer is assigned an individual mobile personal identification number (mpin).

We will now give the gist of the method to be used by banks for carrying out banking
transactions such as debit/credit to customer's account on the basis of funds transfer
instructions received from hand-held mobile devices.

We will define mobile banking as: "Any banking transaction such as funds transfer
which is initiated by a customer using hand-held mobile devices and wireless
telecommunication infrastructure".

In mobile banking, besides a customer, there are normally three more parties. They
are the bank, mobile network operators and mobile payment service providers (also
known as mobile payment gateway operators).
 Mobile network operators provide wireless infrastructure whereas mobile
payment gateways provide technical support services to banks. Banks guarantee
settlement of funds and ensure compliance with rules enforced by regulators in a
country.

By definition of mobile banking, we have excluded services which only use

mobile phones with attached devices such as smart cards and Radio Frequency
Identification Devices (RFID).

The reason is that they do not present any new technical problems compared to
payment devices using the Internet. The security issues when using mobile devices
which employ wireless transmission and mobile network operators are unique.

As we pointed out in the beginning of this section, SMS-based services from

registered mobile phones are normally restricted to providing information and do not
entail any special security problem. They are not secure for money transactions.

However, for small payments SMS is allowed. For transactions above this
amount special security precautions are to be taken. We depict in Figure 8.12 the
parties involved in the following type of services in which high end WAP-enabled
mobile phones are used.
 Debit an account and credit another account based on instructions by a customer.

Stop payment instruction for large amounts.

Any other standing instructions affecting the balance in one's account.

In WAP-based services, the customer must first give an account number and
password registered with the bank through its proxy, namely, mobile payment gateway
service operator appointed by a bank.

Besides this to access any service a separate mobile personal identification number
(mpin) has to be registered. This is a second factor in authenticating a customer.

Normally, a table of mpins and corresponding account numbers must be stored in a

hardware module (a Read Only Memory which cannot be hacked) by the Payment
Gateway's server.

Observe that several banks may operate mobile payment services and each bank
may have its own proxy gateway. For inter-bank funds transfer the banks must have an
arrangement so that these gateway operators cooperate or they may identify a single
clearing service to handle inter-bank payments and reconciliation.
 It would be ideal to use a public key certification-based service between the mobile
customer and the bank which will guarantee authentication and non-repudiation but
given the restricted CPU power of mobile devices this is not feasible.

The Diffie-Hellman session key and AES or 3DES encryption is normally used. The
communication between WAP/Mobile Payment Gateway servers and Bank' servers
must however be based on digital signature, public key certificates, as they use
landlines.

The communication channels connecting them should preferably be VPN and TLS
encryption should be used for all communication. As we pointed out in Section 8.7.1 to
ensure end to end security payment gateways must have agreements with mobile
network operators to allow them to operate their own WAP gateways integrated with
their servers (See Figure 8.12).

Observe that there may be several network operators with payment gateways with
WAP gateway which could be connected to the servers of their subscriber banks by
VPN/ TLS.

A transaction will originate from a customer using his or her password to gain entry
to the gateway server followed by mpin to initiate banking transaction. All transactions
between a mobile customer and the WAP gateway uses WTLS security. Beyond this
point SSL/VPN is used
 . Needless to say that WAP servers, payment gateway servers and bank
servers must all have firewalls and take all precautions to prevent intrusion by third
parties.

This is not possible in a literal sense as at the payment gateway there is

protocol conversion from WAP to IP and this requires plain text availability for a few
milliseconds as explained in Section 8.7.1. Thus, there must be trusted relationship
between payment gateway and the bank covered by appropriate legal contract.
THANKS

75