Secure mobile commerce

Secure Mobile Commerce. Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002 Author: S. Schwiderski-Grosche & H. Knospe Presenter: Jung-wen Lo( 駱榮問 ) Date: 2004/12/16. Outline. Introduction M-commerce


Secure Mobile Commerce

Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002

Author: S. Schwiderski-Grosche & H. Knospe

Presenter: Jung-wen Lo (駱榮問)

Date: 2004/12/16


Outline

  • Introduction

  • M-commerce

  • Security of Network Technologies

  • M-payment

  • Conclusion

  • Comment


Introduction

  • M-commerce

    • Mobile devices are used to do business on the Internet

  • Goal

    • Identify the special characteristics of m-commerce

    • Consider some important security issues

  • Main areas to discuss

    • Network technology

    • M-payment


Mobile Device

  • Kinds of devices

    • Mobile phone

    • Personal Digital Assistant

    • Smart phone

    • Laptop computer

    • Earpiece

  • Characteristics

    • Size & colour of display

    • Input device

    • Memory & CPU processing power

    • Network connectivity, bandwidth capacity

    • Supported operating system

    • Availability of internal smartcard reader


Advantages of M-commerce

  • Ubiquity

  • Accessibility

  • Security

  • Localisation

  • Convenience

  • Personalisation


Disadvantages of M-commerce

  • Limited capability

  • The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform.

  • Mobile devices are more prone to theft and destruction.

  • Communication over the air interface introduces additional security threats


Security Challenges

  • Mobile device

    • Confidential user data

  • Radio interface

    • Protection of transmitted data

  • Network operator infrastructure

    • Security mechanism

  • M-commerce application

    • Payment system


Security of Network Technologies (1/2)

  • GSM (Global System for Mobile Communication)

    • Authentication is one way

    • Encryption is optional

    • A false base station can perform a “man-in-the-middle” attack

  • UMTS (Universal Mobile Telecommunication System)

    • Authentication is mutual

    • Encryption is mandatory unless the mobile station and the network agree on an unciphered connection.

    • Integrity protection is always mandatory and protects against replay or modification of signaling messages.


Security of Network Technologies (2/2)

  • WLAN (Wireless Local Area Network)

    • Does not provide any security by default

    • Attacker can modify data and CRC

    • WEP (Wired Equivalent Privacy) key can be recovered

    • 802.1X port-based access control adopted

  • Bluetooth

    • Provides link-layer security

    • No privacy requirement

      • Unique Bluetooth device address allows the tracing of personal devices


Transport Layer Security

  • SSL/TLS (Secure Sockets Layer / Transport Layer Security)

    • HTTPS (HTTP over SSL)

    • KSSL by Sun

      • Does not offer client-side authentication

      • Only implements certain commonly used cipher suites

      • Has a very small footprint and runs on small devices

  • WTLS (WAP Transport Layer Security)

    • No real end-to-end security is provided

    • WAP gateway needs to be trusted


Service Security (1/2)

  • Intelligent network

    • CAMEL (Customised Applications for Mobile networks Enhanced Logic)

    • The IN architecture for GSM

  • Parlay/OSA (Open Service Access)

    • Provides gateway functionality

    • M-commerce applications can then access network functionality

    • Offers authentication and encryption on the application layer

    • The security depends on the underlying network architecture

  • SMS (Short Message Service)

    • No end-to-end security; the network operator and its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted


Service Security (2/2)

  • USSD (GSM Unstructured Supplementary Service Data)

    • No separate security property

    • Relies on GSM/UMTS security mechanisms

  • SIM/USIM application toolkit (Subscriber Identity Module)

    • Security mechanisms

      • Authentication

      • Message integrity

      • Replay detection and sequence integrity

      • Proof of receipt and proof of execution

      • Message confidentiality

      • Indication of the security mechanisms used


M-payment

  • Background on payment systems

  • Categorisation of e-payment systems

  • Categorisation of m-payment systems

  • Examples of m-payment systems


Background on Payment Systems

  • Time of payment

    • Relation between initial payment and actual payment

    • Prepaid payment system

    • Pay-now payment system

    • Post-payment system

  • Payment amount

    • Micropayments: up to about 1 €

    • Small payments: about 1 to 10 €

    • Macropayments: more than 10 €

  • Anonymity issues

    • Complete

    • Partial

  • Security requirements

    • Differ from system to system

    • Issues to consider

      • Integrity

      • Authentication

      • Authorisation

      • Confidentiality

      • Availability

      • Reliability

  • Online or offline validation

    • Online

      • Background payment servers

      • Trusted third party

      • Double spending

    • Offline

      • No trusted third party

      • Additional communication overhead


Categorisation of E-payment Systems

  • Direct cash

  • Cheque

  • Credit card

  • Bank transfer

  • Debit advice


E-payment Systems

[Figure: three payment-flow diagrams, each involving Customer, Merchant, Issuer and Acquirer. Other labels in the diagrams: Settlement, Indication.]

  • Direct-cash-like: 1. Withdrawal, 2. Payment, 3. Deposit

  • Cheque-like: 1. Payment, 2. Authorisation and capture

  • Bank Transfer: 1. Transfer request, 2. Settlement


Categorisation of M-payment Systems

  • Software electronic coins

    • $ stored on a mobile device, ex. electronic coin

  • Hardware electronic coins

    • $ stored on a secure hardware token in the mobile device, ex. smartcard

  • Background account

    • $ stored remotely on an account at a trusted third party


Examples of M-payment Systems

  • Software electronic coins

    • Potentially remain completely anonymous

    • Example

      • eCash

      • E-commerce

      • NetCash

      • MilliCent

  • Hardware electronic coins

    • Implement an e-purse

    • Electronic cash on a smartcard

    • Example

      • GeldKarte

      • Mondex

  • Background account

    • Hold at a network operator

      • The charged amount is transferred to the existing billing solution and included in the customer bill.

      • Ex. M-pay Bill service from Vodafone and Mobilepay

    • Hold at a credit card institution

      • The payment mechanism is secure transmission of credit card data to the credit card company

      • Ex. Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa

    • Hold at a bank

      • The existing banking infrastructure and technology can be reused.

      • Ex. Paybox and MobiPay by BBVA and Telefonica


Standardisation and forums

  • PayCircle (http://www.paycircle.org)

  • MoSign (http://www.mosign.de)

  • Mobile Payment Forum (http://www.mobilepaymentforum.org)

  • mSign (www.msign.org)

  • mwif (http://www.mwif.org)

  • Radicchio (http://www.radicchio.org)

  • Encorus (http://www.encorus.com)

  • Mobile electronic Transactions MeT (http://www.mobiletransaction.org)


Conclusion

  • Discussed security issues relating to network and service technologies and m-payment

  • Regarding m-payment, some systems are under development or already operational

  • One of the main future challenges will be to unify payment solutions and provide the highest possible level of security


Comment

  • Survey-type paper
