Secure Mobile Commerce
Source: Electronics & Communication Engineering Journal, Vol. 14, No. 5, pp. 228-238, Oct. 2002
Author: S. Schwiderski-Grosche & H. Knospe
Presenter: Jung-wen Lo (駱榮問)
Date: 2004/12/16
Introduction
M-commerce: mobile devices are used to do business on the Internet
Goal
- Identify the special characteristics of m-commerce
- Consider some important security issues
Main areas to discuss
- Network technology
- M-payment
Mobile Device
Kinds of devices
- Mobile phone
- Personal Digital Assistant
- Smart phone
- Laptop computer
- Earpiece
Characteristics
- Size & colour of display
- Input device
- Memory & CPU processing power
- Network connectivity, bandwidth capacity
- Supported operating system
- Availability of an internal smartcard reader
Disadvantages of M-commerce
- Limited capability
- The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform.
- Mobile devices are more prone to theft and destruction.
- Communication over the air interface introduces additional security threats.
Security Challenges
- Mobile device: confidential user data
- Radio interface: protection of transmitted data
- Network operator infrastructure: security mechanisms
- M-commerce application: payment system
Security of Network Technologies (1/2)
GSM (Global System for Mobile Communication)
- Authentication is one-way (the network authenticates the mobile station, but not the reverse)
- Encryption is optional
- A false base station can therefore perform a "man-in-the-middle" attack
UMTS (Universal Mobile Telecommunication System)
- Authentication is mutual
- Encryption is mandatory unless the mobile station and the network agree on an unciphered connection
- Integrity protection is always mandatory and protects against replay or modification of signalling messages
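The following Python model illustrates the one-way versus mutual authentication point above. It is an added example, not code from the paper or the slides, and it is deliberately not the real GSM or UMTS algorithm set: the keyed function `keyed`, the field sizes, the message names (RAND, SQN, AUTN, RES) and the classes are assumptions chosen to show the principle. In the one-way scheme the mobile answers any challenger, so it cannot distinguish a genuine network from a false base station; in the mutual scheme the challenger must first present a token computed from the shared key and a fresh sequence number.

```python
import hashlib
import hmac
import secrets

SQN_LEN = 6  # bytes used to encode the sequence number (assumption)


def keyed(k: bytes, *parts: bytes) -> bytes:
    """Stand-in for the operator's secret authentication functions (assumption:
    any keyed one-way function shows the principle; real networks use their own)."""
    return hmac.new(k, b"".join(parts), hashlib.sha256).digest()


class MobileStation:
    """Holds the subscriber key K shared with the home network (on the SIM/USIM)."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = -1  # last accepted sequence number (mutual scheme only)

    def respond_one_way(self, rand: bytes) -> bytes:
        # One-way (GSM-style): answer the challenge from whoever sent it. The
        # mobile has no way to tell a genuine network from a false base station.
        return keyed(self.k, rand)

    def respond_mutual(self, rand: bytes, sqn: int, autn: bytes):
        # Mutual (UMTS-style): the challenger must first prove knowledge of K via
        # the token AUTN, and the sequence number must be fresh; otherwise refuse.
        expected = keyed(self.k, rand, sqn.to_bytes(SQN_LEN, "big"))
        if not hmac.compare_digest(autn, expected):
            return None  # network not authenticated
        if sqn <= self.highest_sqn:
            return None  # replayed or stale challenge
        self.highest_sqn = sqn
        return keyed(self.k, rand)


class GenuineNetwork:
    """Knows K; issues challenges and verifies the mobile's response."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0

    def challenge(self):
        self.sqn += 1
        rand = secrets.token_bytes(16)
        autn = keyed(self.k, rand, self.sqn.to_bytes(SQN_LEN, "big"))
        return rand, self.sqn, autn

    def verify(self, rand: bytes, res) -> bool:
        return res is not None and hmac.compare_digest(res, keyed(self.k, rand))


class FalseBaseStation:
    """Knows no subscriber key, so it can only emit arbitrary challenges."""

    def challenge(self):
        return secrets.token_bytes(16), 1, secrets.token_bytes(32)  # guessed AUTN


def mobile_engages_one_way(ms, station) -> bool:
    rand, _, _ = station.challenge()
    return ms.respond_one_way(rand) is not None


def mobile_engages_mutual(ms, station) -> bool:
    rand, sqn, autn = station.challenge()
    return ms.respond_mutual(rand, sqn, autn) is not None


def demo() -> dict:
    k = secrets.token_bytes(16)  # constructed subscriber key
    ms, net, fbs = MobileStation(k), GenuineNetwork(k), FalseBaseStation()
    results = {
        "one_way_genuine": mobile_engages_one_way(ms, net),
        "one_way_false_station": mobile_engages_one_way(ms, fbs),  # weakness: answered
        "mutual_genuine": mobile_engages_mutual(ms, net),
        "mutual_false_station": mobile_engages_mutual(ms, fbs),  # refused: bad AUTN
    }
    # The genuine network also verifies the mobile's answer (mutual, not one-sided).
    rand, sqn, autn = net.challenge()
    res = ms.respond_mutual(rand, sqn, autn)
    results["network_verifies_mobile"] = net.verify(rand, res)
    # Re-sending that same challenge later is rejected by the sequence check.
    results["mutual_replay"] = ms.respond_mutual(rand, sqn, autn) is not None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two results worth comparing are `one_way_false_station` (True: the mobile engages with a station that holds no key at all) and `mutual_false_station` (False: the mobile refuses because the token does not verify). The sequence check is what gives the replay protection the slide attributes to UMTS.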
Security of Network Technologies (2/2)
WLAN (Wireless Local Area Network)
- Provides no security by default
- An attacker can modify data and the CRC
- The WEP (Wired Equivalent Privacy) key can be recovered
- 802.1X port-based authentication has been adopted
Bluetooth
- Provides link layer security
- No privacy requirement
- The unique Bluetooth device address allows the tracing of personal devices
Transport Layer Security
SSL/TLS (Secure Socket Layer)
- HTTPS (HTTP over SSL)
- KSSL by Sun
  - Does not offer client-side authentication
  - Only implements certain commonly used cipher suites
  - Has a very small footprint and runs on small devices
WTLS (WAP Transport Layer Security)
- No real end-to-end security is provided
- The WAP gateway needs to be trusted
Service Security (1/2)
Intelligent network
- CAMEL (Customised Application for Mobile Enhanced network Logic): the IN architecture for GSM
- Parlay/OSA (Open Service Access)
  - Provides gateway functionality; m-commerce applications can then access network functionality
  - Offers authentication and encryption on the application layer
  - The security depends on the underlying network architecture
SMS (Short Message Service)
- No end-to-end security; the network operator and its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted
Service Security (2/2)
USSD (GSM Unstructured Supplementary Service Data)
- No separate security properties
- Relies on GSM/UMTS security mechanisms
SIM/USIM application toolkit (Subscriber Identity Module) security mechanisms
- Authentication
- Message integrity
- Replay detection and sequence integrity
- Proof of receipt and proof of execution
- Message confidentiality
- Indication of the security mechanisms used
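The Python model below shows how four of the toolkit mechanisms listed above fit together in one secured message exchange: authentication and message integrity (a MAC over the packet), replay detection and sequence integrity (a strictly increasing counter), and proof of receipt and execution (a receipt the card computes under a second key). It is an added example, not the slides' or the paper's code, and it is not the real SIM toolkit over-the-air packet format: the field lengths, the status code, the two keys and the `ServerSide`/`CardSide` names are assumptions. Message confidentiality is left out so that the packet stays readable.

```python
import hashlib
import hmac

CTR_LEN = 5  # counter field length in bytes (assumption)
MAC_LEN = 8  # truncated MAC length in bytes (assumption)
STATUS_OK = b"\x00"  # execution status code carried in the receipt (assumption)


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


def build_packet(k_mac: bytes, counter: int, command: bytes) -> bytes:
    """Wire format (assumption): counter | command | MAC over counter+command."""
    header = counter.to_bytes(CTR_LEN, "big")
    return header + command + mac(k_mac, header + command)


class CardSide:
    """Receiving end (e.g. the SIM application): checks origin and integrity,
    rejects replays and out-of-sequence packets, executes, and returns a receipt."""

    def __init__(self, k_mac: bytes, k_receipt: bytes):
        self.k_mac = k_mac
        self.k_receipt = k_receipt
        self.highest_counter = -1
        self.executed = []  # commands actually accepted and run

    def receive(self, packet: bytes):
        if len(packet) < CTR_LEN + MAC_LEN:
            return None
        header, command, tag = packet[:CTR_LEN], packet[CTR_LEN:-MAC_LEN], packet[-MAC_LEN:]
        if not hmac.compare_digest(tag, mac(self.k_mac, header + command)):
            return None  # authentication / message integrity failure
        counter = int.from_bytes(header, "big")
        if counter <= self.highest_counter:
            return None  # replay detection and sequence integrity failure
        self.highest_counter = counter
        self.executed.append(command)
        # Proof of receipt and execution: a MAC under a second key over the counter
        # and the execution status, which only the card could have produced.
        return header + STATUS_OK + mac(self.k_receipt, header + STATUS_OK)


class ServerSide:
    """Sending end (e.g. the operator's platform): numbers packets, checks receipts."""

    def __init__(self, k_mac: bytes, k_receipt: bytes):
        self.k_mac = k_mac
        self.k_receipt = k_receipt
        self.counter = 0

    def send(self, command: bytes) -> bytes:
        self.counter += 1
        return build_packet(self.k_mac, self.counter, command)

    def receipt_ok(self, receipt, expected_counter: int) -> bool:
        if receipt is None or len(receipt) != CTR_LEN + 1 + MAC_LEN:
            return False
        header = receipt[:CTR_LEN]
        status = receipt[CTR_LEN:CTR_LEN + 1]
        tag = receipt[CTR_LEN + 1:]
        return (hmac.compare_digest(tag, mac(self.k_receipt, header + status))
                and int.from_bytes(header, "big") == expected_counter
                and status == STATUS_OK)


def demo() -> dict:
    k_mac, k_receipt = b"\x11" * 16, b"\x22" * 16  # constructed keys
    server, card = ServerSide(k_mac, k_receipt), CardSide(k_mac, k_receipt)
    results = {}
    p1 = server.send(b"UPDATE RECORD 01")
    results["genuine_receipt"] = server.receipt_ok(card.receive(p1), 1)
    results["replay_accepted"] = card.receive(p1) is not None
    tampered = p1[:CTR_LEN] + b"UPDATE RECORD 99" + p1[-MAC_LEN:]
    results["tampered_accepted"] = card.receive(tampered) is not None
    p2, p3 = server.send(b"CMD 2"), server.send(b"CMD 3")
    results["p3_first_accepted"] = card.receive(p3) is not None
    results["late_p2_accepted"] = card.receive(p2) is not None  # sequence integrity
    results["forged_receipt"] = server.receipt_ok(b"\x00" * (CTR_LEN + 1 + MAC_LEN), 3)
    results["executed"] = list(card.executed)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the sequence check is strict: once packet 3 has been accepted, the older packet 2 is refused even though its MAC is valid, which is the "sequence integrity" property rather than simple duplicate detection.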
M-payment
- Background on payment systems
- Categorisation of e-payment systems
- Categorisation of m-payment systems
- Examples of m-payment systems
Background on Payment Systems
Time of payment (relation between initial payment and actual payment)
- Prepaid payment system
- Pay-now payment system
- Post-payment system
Payment amount
- Micropayments: up to about 1 €
- Small payments: about 1 to 10 €
- Macropayments: more than 10 €
Anonymity issues
- Complete
- Partial
Security requirements
- Differ from system to system
- Issues to consider: integrity, authentication, authorisation, confidentiality, availability, reliability
Online or offline validation
- Online: background payment servers; trusted third party; double spending can be checked
- Offline: no trusted third party; additional communication overhead
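The Python simulation below contrasts online and offline validation for the software-electronic-coin case, using the withdrawal, payment and deposit steps of the direct-cash-like model. It is an added example, not code from the paper or the slides. Its assumptions: coins are signed with an issuer-held HMAC key, and an offline merchant is modelled as able to check that signature locally (standing in for what a public-key signature would give it) but not whether the coin has already been spent; the `Issuer` and `Merchant` classes and their method names are constructed for this example.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Trusted third party: mints coins and keeps the list of spent coin ids."""

    def __init__(self):
        self._k = secrets.token_bytes(32)  # issuer secret (constructed)
        self.spent = set()

    def _sig(self, coin_id: bytes, value: int) -> bytes:
        return hmac.new(self._k, coin_id + value.to_bytes(4, "big"), hashlib.sha256).digest()

    def withdraw(self, value: int) -> tuple:
        """1. Withdrawal: the customer obtains a signed coin (id, value, signature)."""
        coin_id = secrets.token_bytes(16)
        return coin_id, value, self._sig(coin_id, value)

    def genuine(self, coin: tuple) -> bool:
        """Signature check only; says nothing about whether the coin was spent."""
        coin_id, value, sig = coin
        return hmac.compare_digest(sig, self._sig(coin_id, value))

    def deposit(self, coin: tuple) -> bool:
        """3. Deposit: accept a genuine coin only the first time it is presented."""
        if not self.genuine(coin) or coin[0] in self.spent:
            return False
        self.spent.add(coin[0])
        return True


class Merchant:
    def __init__(self, issuer: Issuer, online: bool):
        self.issuer = issuer
        self.online = online
        self.goods_delivered = 0
        self.held = []  # coins accepted offline, awaiting deposit

    def accept_payment(self, coin: tuple) -> bool:
        """2. Payment. Online: validate with the issuer before delivering.
        Offline: check the signature locally (assumption, see lead-in) and deposit later."""
        if self.online:
            ok = self.issuer.deposit(coin)
        else:
            ok = self.issuer.genuine(coin)
            if ok:
                self.held.append(coin)
        if ok:
            self.goods_delivered += 1
        return ok

    def settle(self) -> int:
        """Deposit coins held from offline payments; return how many the issuer rejects."""
        rejected = sum(0 if self.issuer.deposit(c) else 1 for c in self.held)
        self.held.clear()
        return rejected


def demo() -> dict:
    issuer = Issuer()
    results = {}
    # Online validation: the second use of the same coin is caught before delivery.
    coin = issuer.withdraw(5)
    a, b = Merchant(issuer, online=True), Merchant(issuer, online=True)
    results["online_first"] = a.accept_payment(coin)
    results["online_second"] = b.accept_payment(coin)
    # Offline validation: both merchants deliver; the double spend surfaces only at settlement.
    coin2 = issuer.withdraw(5)
    c, d = Merchant(issuer, online=False), Merchant(issuer, online=False)
    results["offline_first"] = c.accept_payment(coin2)
    results["offline_second"] = d.accept_payment(coin2)
    results["offline_goods_delivered"] = c.goods_delivered + d.goods_delivered
    results["offline_rejected_at_settlement"] = c.settle() + d.settle()
    # A forged coin (random signature) is refused in both modes.
    forged = (secrets.token_bytes(16), 5, secrets.token_bytes(32))
    results["forged_online"] = a.accept_payment(forged)
    results["forged_offline"] = c.accept_payment(forged)
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off the slide lists falls out of the numbers: online validation costs a round trip to the background payment server per payment but refuses the second spend immediately, while the offline merchants both deliver goods and one of them is left holding a rejected coin at settlement.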
E-payment Systems
[Figure: three e-payment models, each involving an Issuer, an Acquirer, a Merchant and a Customer]
Direct-cash-like
- 1. Withdrawal
- 2. Payment
- 3. Deposit
- Settlement
Cheque-like
- 1. Payment
- 2. Authorisation and capture
- Settlement
- Indication
Bank transfer
- 1. Transfer request
- 2. Settlement
- Indication
Categorisation of M-payment Systems
- Software electronic coins: $ stored on a mobile device, e.g. electronic coin
- Hardware electronic coins: $ stored on a secure hardware token in the mobile device, e.g. smartcard
- Background account: $ stored remotely on an account at a trusted third party
Examples of m-payment systems
Software electronic coins
- Potentially remain completely anonymous
- Examples: eCash, E-commerce, NetCash, MilliCent
Hardware electronic coins
- Implement an e-purse (electronic cash on a smartcard)
- Examples: GeldKarte, Mondex
Background account
- Held at a network operator: the charged amount is transferred to the existing billing solution and included in the customer bill. Ex. M-pay Bill service from Vodafone, and Mobilepay
- Held at a credit card institution: the payment mechanism is secure transmission of credit card data to the credit card company. Ex. Electronic Mobile Payment System by MeritaNordbanken, Nokia and Visa
- Held at a bank: the existing banking infrastructure and technology can be reused. Ex. Paybox, and MobiPay by BBVA and Telefonica
Standardisation and forums
- PayCircle (http://www.paycircle.org)
- MoSign (http://www.mosign.de)
- Mobile Payment Forum (http://www.mobilepaymentforum.org)
- mSign (www.msign.org)
- mwif (http://www.mwif.org)
- Radicchio (http://www.radicchio.org)
- Encorus (http://www.encorus.com)
- Mobile electronic Transactions, MeT (http://www.mobiletransaction.org)
Conclusion
- Discussed security issues relating to network and service technologies and m-payment
- Regarding m-payment, some systems are under development or already operational
- One of the main future challenges will be to unify payment solutions and provide the highest possible level of security