Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 1
Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET
HOD, Dept., of Computer Science
Bangalore City College
Bangalore.
E-mail: adisesha1@rediffmail.com
Phone No.:9449081542
Abstract:
Mobile e-commerce (or m-commerce) is considered a natural extension of e-commerce
and represents a new way for conducting commerce. M-commerce refers to e-commerce
transactions conducted through a mobile device via wireless networks. The electronic payment
performed in wireless environments leads to the term mobile payment (or m-payment), which is
defined as any payment transaction involving the purchase of goods or services that is completed
with a wireless device. M-payments facilitate m-commerce because they let users make online
purchases from their mobile devices remotely at any time. A key challenge in gaining user
adoption of mobile banking and payments is the customer’s lack of confidence in the security of the
services. Understanding the mobile banking and payments market and ecosystem is critical in
addressing the security challenges. Mobile banking and payments introduce new security risks
that must be identified and mitigated; some of these risks have an existing mitigation method,
while others have no clear risk mitigation solution. Here we also present the major security
issues that must be taken into consideration when designing,
implementing, and deploying secure m-payment systems. In particular, we focus on threats,
vulnerabilities, and risks associated with such systems as well as corresponding protection
solutions to mitigate these risks. We also discuss some of the challenges that need to be addressed
in the future as m-payment systems become fully integrated with other emerging technologies
such as fifth-generation mobile networks (5G) and cloud computing.
Keywords: m-commerce, m-payment systems, m-payment Threats, Security
1. Introduction
Hardly a week passes without something relating to mobile and/or mobile payments being in
the news. Mobile, and everything mobile, is the current hot area where new investments and new
ideas are blossoming in the hope of being part of the next “big thing” that generates healthy
returns and wealth. Consumers are embracing mobile in their day-to-day lives and are more likely
to forget their wallet at home than their mobile phone. With all this energy and momentum around
mobile, as with any new next big thing, there are some areas of concern to consider. A key area of
concern for consumers and financial service providers is the security of mobile banking and
payments. There are new technologies and new entrants, as well as a complex supply chain, that will
increase the security risks. No real technology standard has captured the market,
and regulations relating to some of the new entrants are non-existent. Customers have increased
control of their device in terms of application downloads, OS updates and personalization of their
devices. This will lead to new challenges relating to privacy, and it will take some time before the
younger generation realizes the implications of privacy violations. Compounding the challenge is
the fact that traditional security controls such as AV, firewalls, and encryption have not reached
the level of maturity needed in the mobile space. As with any emerging market area, these
challenges will resolve over time. Until this area matures, there are measures that can be taken
relating to customer education, service process rigor, payments technology, and fraud-preventive
and detective controls that can mitigate the security risks.
2. Definition of Mobile Payment System
A mobile payment system (MPS) can be defined as any payment system that enables financial
transactions to be made securely from one organization or individual to another over a mobile
network (using a mobile device).
While the key phases of the generic mobile payment procedure apply to almost all
transactions, mobile payment procedures can be categorized into several different groups. They are
categorized as location-based (remote and proximity transactions),
value-based (micro-payments, mini-payments and macro-payments), charge-based (post-paid,
pre-paid and pay-now), validation-based (online mobile payment, offline mobile payment),
technology-based (single chip, dual chip, dual slot), token-based (e-coin) and account-based
(wireless wallets).
3. Key Technologies
3.1. Mobile Elements
In understanding the security risks of mobile banking, it is useful to understand the general
hardware and system software of a mobile device. The most prevalent technology for
mobile devices and the associated wireless carriers today is based on the 2G (GSM/EDGE)
and 3G (UMTS/HSPA) standards. The latest technology currently being rolled out by
major carriers is Long Term Evolution (LTE), which does not currently meet the requirements to be
considered 4G (speeds of up to 100 Mbps for a moving user and 1 Gbps for a stationary user) but is
being marketed as 4G.
The basic components of a wireless network include the spectrum for the wireless interface, the
antennas and radio processing equipment located at the base station or cell sites, and the
connectivity (T1, microwave) from the cell site back to the mobile switching center that contains
the voice and data processing equipment. The security elements for 3G technology include
encryption on the air interface and mutual authentication between the user and the network
(involving the HLR and USIM).
3.2. GSM and GPRS Security Architecture
Global System for Mobile Communications (GSM) is the most popular standard for mobile
phones in the world. Figure 1 shows the basic structure of the GSM architecture; GSM provides
SMS and GPRS (General Packet Radio Service) services.
Figure 1. GSM Architecture
The GPRS Core network is an integrated part of the GSM network; it is layered over the
underlying GSM network, with added nodes to cater for packet switching. GPRS also uses some of
the existing GSM network elements; some of these include existing Base Station Subsystems
(BSS), Mobile Switching Centers (MSC), Authentication Centers (AUC), and Home Location
Registers (HLR). The GPRS network elements added to the existing GSM network
include GPRS Support Nodes (GSN), the GPRS Tunneling Protocol (GTP), Access Points, and the
Packet Data Protocol (PDP) Context.
3.2.1 Security mechanisms in the GSM network
The GSM network has some security mechanisms to prevent activities like Subscriber Identity
Module (SIM) cloning and to stop illegally used handsets. GSM has methods to authenticate and
encrypt data exchanged on the network.
The GSM authentication center is used to authenticate each SIM card that attempts to connect to
the GSM network. SIM card authentication takes place when a mobile station initially
attempts to connect to the network, i.e. when a terminal is switched on. If authentication fails,
no services are offered by the network operator; otherwise the Serving GPRS Support Node
(SGSN) and HLR are allowed to manage the services associated with the SIM card.
The authentication of the SIM depends on a secret key, called Ki, shared between the SIM card and
the AUC. This secret key is embedded into the SIM card during manufacture and is also
securely replicated into the AUC.
When the AUC authenticates a SIM, it generates a random number known as the RAND and sends
it to the subscriber. Both the AUC and the SIM feed the Ki and RAND values into
the A3/A8 algorithm (or an operator-proprietary algorithm such as COMP128), and a number known as the
Signed RESponse (SRES) is generated by both parties. If the SIM’s SRES matches the AUC’s SRES, the SIM
is successfully authenticated. Both the AUC and the SIM can calculate a second secret key, called Kc,
by feeding the Ki and the RAND value into the A5 algorithm.
This key is used to encrypt and decrypt the session communications. After the SIM
authentication, the SGSN or HLR requests the mobile identity; this is done to make sure that the
mobile station being used by the user is not blacklisted. The mobile returns its IMEI
(International Mobile Equipment Identity) number, which is forwarded to the EIR
(Equipment Identity Register). The EIR authorizes the subscriber and responds to the SIM
with the status; if the mobile is authorized, the SGSN informs the HLR and PDP Context activation
begins.
3.2.3 Problems with GSM Network
Problems with the A3/A8 authentication algorithm: A3 and A8 are not actually encryption
algorithms but placeholders, implemented in practice by the COMP128 algorithm [2]. COMP128 was
broken by Wagner and Goldberg in less than a day.
Problems with the A5 algorithm: The A5 algorithm is used to prevent casual eavesdropping by
encrypting communications between the mobile station (handset) and the BSS. Kc is derived by
feeding the Ki and RAND values into the A5 algorithm, and it is the secret key used with A5 for
encryption between the mobile station and the BSS. There are at least three flavours of the A5
algorithm. A5/1 is commonly used in western countries; it is deemed
strong encryption [3] but was reverse engineered some time ago. A5/2 has been cracked by
Wagner and Goldberg; the methodology they used required five clock cycles, making A5/2 almost
useless. Finally, A5/0 is a form of A5 that does not encrypt data at all. All these problems with the
A5 encryption algorithms show that eavesdropping between the mobile station and the BSS is still
possible, making GPRS over the GSM core network very insecure for mobile banking.
Attack on the RAND value: When the AUC attempts to authenticate a SIM card, the RAND value
sent to the SIM card can be modified by an intruder, causing the authentication to fail. This
amounts to a denial-of-service attack.
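The attach sequence of 3.2.1 and the tampered-RAND failure of 3.2.3, as an added Python model that is not part of the paper: the AUC issues a (RAND, SRES, Kc) triplet, the SIM answers the challenge, the EIR checks the IMEI, and only then does PDP Context activation begin. The names (Sim, AuthCentre, Eir, attach, demo) and the subscriber data are constructed for the example, and HMAC-SHA256 stands in for the operator's A3/A8 algorithm, so the values are illustrative only.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Set, Tuple

# GSM sizes: 128-bit Ki, 128-bit RAND, 32-bit SRES, 64-bit Kc.
KI_BYTES, RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 16, 4, 8


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8 (operator COMP128) algorithm.

    Assumption: HMAC-SHA256 replaces COMP128.  What the example relies on is
    shared with the real algorithm: SRES and Kc are a keyed function of
    (Ki, RAND), so nobody without Ki can answer, and Ki never goes on air.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_BYTES], digest[SRES_BYTES:SRES_BYTES + KC_BYTES]


class Sim:
    """SIM card: holds Ki, answers a RAND challenge with SRES only."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc: Optional[bytes] = None  # session key kept for A5 after auth

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


class AuthCentre:
    """AUC: replicated Ki per subscriber; issues (RAND, SRES, Kc) triplets
    to the SGSN/HLR so the rest of the core network never handles Ki."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(RAND_BYTES)  # fresh challenge per attach
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


class Eir:
    """Equipment Identity Register: black list of barred IMEIs."""

    def __init__(self, blacklist: Set[str]) -> None:
        self._blacklist = blacklist

    def is_authorized(self, imei: str) -> bool:
        return imei not in self._blacklist


def attach(auc: AuthCentre, eir: Eir, sim: Sim, imei: str,
           tamper: Optional[Callable[[bytes], bytes]] = None
           ) -> Tuple[str, Optional[bytes]]:
    """One GPRS attach as the SGSN sees it; returns (outcome, Kc).

    `tamper` models an intruder altering RAND on the air interface (3.2.3):
    the SIM answers a different challenge than the AUC issued, SRES
    mismatches, and the genuine subscriber is denied service.
    """
    rand, expected_sres, kc = auc.triplet(sim.imsi)
    rand_on_air = tamper(rand) if tamper else rand
    sres = sim.respond(rand_on_air)
    if not hmac.compare_digest(sres, expected_sres):
        return "auth-failed", None              # no services offered
    if not eir.is_authorized(imei):
        return "imei-blacklisted", None         # handset barred by the EIR
    return "pdp-context-activated", kc          # SIM and network share Kc


def demo() -> Dict[str, str]:
    """Run the attach flow over constructed subscriber data."""
    imsi, imei = "001010123456789", "356938035643809"    # constructed IDs
    ki = secrets.token_bytes(KI_BYTES)                    # constructed Ki
    auc = AuthCentre()
    auc.provision(imsi, ki)
    eir = Eir(blacklist={"490154203237518"})              # constructed barred IMEI
    sim = Sim(imsi, ki)
    results: Dict[str, str] = {}
    results["genuine"], kc = attach(auc, eir, sim, imei)
    assert kc == sim.kc                                   # same Kc at both ends
    results["tampered_rand"], _ = attach(
        auc, eir, sim, imei, tamper=lambda r: bytes([r[0] ^ 0x01]) + r[1:])
    # A clone that copies the IMSI but lacks Ki cannot answer the challenge.
    results["clone_without_ki"], _ = attach(
        auc, eir, Sim(imsi, secrets.token_bytes(KI_BYTES)), imei)
    results["barred_handset"], _ = attach(auc, eir, sim, "490154203237518")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {outcome}")
```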
3.3 Short Message Service
This service allows mobile systems and other networked devices to exchange short text messages
with a maximum length of 160 characters. SMS uses this popular text-messaging standard to
enable mobile application-based banking. The customer requests
information by sending an SMS containing a service command to a pre-specified number. The
bank responds with a reply SMS containing the requested information. One of the major reasons that
transaction-based services have not taken off on SMS is concern about security.
3.3.1 Security Problems with SMS
SMS was originally intended for subscribers to send non-sensitive messages
across the open GSM network. Mutual authentication, text encryption, end-to-end security and
non-repudiation were omitted from the design of the GSM architecture. In this section we discuss
some of the security problems of using SMS.
Forging the originator’s address: SMS spoofing is an attack in which a third party sends out
SMS messages that appear to come from a legitimate sender. It is possible to alter the originator’s
address field in the SMS header to another alphanumeric string. This hides the original sender’s
address, and the sender can send out hoax messages and perform masquerading attacks.
SMS encryption: The default data format for SMS messages is plaintext. The only encryption
involved during transmission is the encryption between the base transceiver station and the mobile
station. End-to-end encryption is currently not available. The encryption algorithm used is A5,
which has been shown to be vulnerable. Therefore a more secure algorithm is needed.
3.4 Wireless Application Protocol/GPRS
GPRS is a mobile data service available to GSM users that enables WAP-enabled devices such as
mobile phones to support services such as Internet browsing, multimedia messaging service, and
Internet-based communication services such as email and World Wide Web access. Mobile phones
or terminals can access the Internet using WAP browsers; WAP browsers can only access WAP
sites. Instead of the traditional HTML, XML or XHTML, WAP sites are written in WML
(Wireless Markup Language). WAP-level security extends only from the client to the WAP
gateway; the connection from the WAP gateway to the bank server is secured by either SSL or
TLS.
WAP provides security of communications using the WTLS (WAP Transport Layer Security)
protocol and the WIM (WAP Identity Module). WTLS provides a public-key based security
mechanism similar to TLS and the WIM stores the secret keys. In order to allow the
interoperability of WAP equipment and software with many different technologies WAP uses the
WAP protocol suite. Figure 2 illustrates the different layers of the WAP protocol.
Figure 2. WAP Protocol Suite (source: [6])
3.4.1 Security problems with Current GPRS Implementations
Security issues with present implementations that use WAP:
The present mobile banking implementations that use WAP have proven to be very secure,
but some loopholes exist which could lead to insecure communications. Some of these
loopholes include:
- There is no end-to-end encryption between the client and the bank server.
- Encryption exists only between the client and the gateway and between the
gateway and the bank server.
- To resolve this, the bank server could have its own Access Point Name (APN) in any of the
GPRS networks. This APN would serve as the WAP gateway for the bank. Therefore the
client would be connected directly to the bank without third parties in the middle of the
communication.
- The public-key cryptosystem key sizes offered by the WTLS standard are not strong enough to
meet today’s WAP application security requirements. Considering the low processing
power of handheld devices, the key sizes have been restricted.
- The anonymous key exchange suites offered by the WTLS handshake are not considered
secure: neither the client nor the server is authenticated. Banks should provide functionality to
disallow this handshake option.
Security issues associated with using the plain GPRS network:
The GPRS core network is too general; it does not cater for some banking security requirements.
Some of these requirements include:
- Lack of account holder or bank authentication. The bank can provide a unique APN to
access the bank server, but without this or some other authentication mechanism anyone
can masquerade as the bank. All these issues raise concerns about the fabrication of either bank
information or account holder information.
- Provision of functions to avoid modification of data and ensure the integrity of data for both
the account holder and the bank.
- The methods to cater for confidentiality of data between the mobile station and the bank
server have proven to be weak, and the network operator can view the account holder’s
information. This raises security issues for both the bank and the account holder.
- The bank cannot prove that the account holder performed a specific action, and the account
holder cannot prove that the bank performed a specific action.
- GPRS provides session handling facilities but does not handle bank-specific sessions; this
may cause inconsistencies on the bank’s side, raising security issues.
3.5 Other Technologies
Phone-based application. The m-payment client application (residing on the consumer’s mobile
phone) can be developed using the Java 2 Platform, Micro Edition for GSM-based mobile phones
and the Binary Runtime Environment for Wireless (BREW) for mobile phones based on code division
multiple access (CDMA).
SIM-based application. The Subscriber Identity Module (SIM) used in GSM mobile phones is a
smart card whose information can be protected using cryptographic algorithms and keys. (Smart
cards are microcomputers small enough to fit in a wallet or even a mobile phone. They have their
own processors and memory for storage.) SIM applications are relatively more secure than client
applications that reside on the mobile phone.
RFID. This technology uses radio frequency (RF) signals to exchange data between a reader and
an electronic tag attached to an object, for the purpose of ID and tracking.
Voice-based payment transactions. These can be done by making a phone call to a special
number and providing a credit card number.
Dual chip. Dual-chip phones have two slots: one for a SIM card (telephony) and another for a
payment chip card. This solution allows an m-payment application provider to develop an
m-payment application in the payment chip card without collaborating with the
telecommunications operator (the owner of the SIM card).
Near-field communication. This short-range wireless communication standard results from the
fusion of the contactless smart card (RFID) and the mobile phone. NFC has no native
encryption capability and is therefore vulnerable to security exploits if not properly
implemented. The RF signal that NFC uses can be read or intercepted from up to
several meters away with the proper equipment, without needing line of sight. Appropriate
encryption will provide adequate protection against eavesdropping.
Mobile wallet. This m-payment application software on the mobile phone contains details of the
customer (including bank account details and/or credit card information) that enable the customer
to make payments using the mobile phone. A possible drawback of the mobile wallet and secure
element solution is that a single PIN unlocks all of the accounts stored in the wallet. This is in
contrast to plastic cards, where each card can be set to use a different PIN. Mobile wallets could
thus present greater exposure to loss in the event that a mobile wallet device and its single PIN are
compromised.
3.5.1. Security Vulnerabilities and Solutions
As mentioned earlier, m-payment systems rely on underlying communication technologies (such
as GSM, Bluetooth, and RFID) whose security vulnerabilities are often ignored when the security
aspects of the m-payment systems are analyzed. Therefore, m-payment system designers should
take a holistic view when performing a security analysis during design and implementation. In
general, to counter potential threats, a secure m-payment system must satisfy the following
transaction security properties: authentication, confidentiality, integrity, authorization,
availability, non-repudiation (ensuring that users can’t claim that a transaction occurred without
their knowledge), and accountability (defined as the ability to show that the parties who engage in
the system are responsible for the transactions related to them).
Table 1 summarizes the types of vulnerabilities and threats and their corresponding risks in an
m-payment system environment together with relevant protection solutions.
Table 1. Vulnerabilities, threats, risks, and protection solutions in m-payment systems.[1]
4. 4G Transmission in the Security of Mobile Payment
4G, fourth-generation wireless, defines the stage of broadband mobile communications that
supersedes the third generation (3G). 4G uses orthogonal frequency-division multiplexing (OFDM)
instead of time division multiple access (TDMA) or code division multiple access (CDMA). ISPs
are increasingly marketing their services as being 4G, even when their data speeds are not as fast as
the International Telecommunication Union (ITU) specifies. According to the ITU, a 4G network
requires a mobile device to be able to exchange data at 100 Mbit/sec. A 3G network, on the other
hand, can offer data speeds as slow as 3.84 Mbit/sec. OFDM is a type of digital modulation in
which a signal is split into several narrowband channels at different frequencies. This is more
efficient than TDMA, which divides channels into time slots and has multiple users take turns
transmitting, and than CDMA, which simultaneously transmits multiple signals on the same channel.
Thus it paves the way for supporting efficient encryption mechanisms in securing mobile payment.
4.1 Cryptography – Vulnerabilities in Mobile Payment
Cryptography techniques play an important role in satisfying the transaction security properties
mentioned earlier. They’re essential in securing m-payments over open networks that have little or
no physical security. Symmetric cryptography shares a secret between two parties (a sender and a
receiver) who want to communicate safely without revealing details of the message. Symmetric
cryptographic methods are suitable because of their low computational requirements. However,
key management in symmetric-key operations is complex. To solve this complexity, public-key
cryptography uses a pair of keys for every party: a public key (that is published) and a private key
(that remains secret). Thus, it is not necessary to share a secret key between the sender and the
receiver before communicating securely. However, traditional asymmetric signature schemes
make the signature computations expensive and aren’t suitable for mobile devices. Moreover, to
avoid impersonation attacks, for every public key a certificate is required and must be verified by
a certification authority, causing an additional information exchange (and increased delays) during
each transaction.
5. Upcoming Opportunities and Challenges
Mobile communication continues to evolve and improve, and new technologies offering attractive
business opportunities are emerging. Solutions provided by m-payment vendors must evolve in
order to support increasingly sophisticated client applications running on mobile devices. At the
same time, designers must continuously adapt existing m-payment systems to allow clients to take
advantage of the benefits associated with emerging technologies while simultaneously ensuring
secure and reliable payment transactions. We have identified several upcoming opportunities that
may provide an effective solution to the existing security issues in m-payment.
5.1 5G Technology
The 5G mobile communications technology is the next generation of the existing 4G Long-Term
Evolution network technology. It will enable users to transmit massive data files including
high-quality digital movies practically without limitation, allowing subscribers to enjoy a wide
range of services, such as 3D movies and games, real-time streaming of ultra-high-definition
content, and remote medical services. 5G will enable software-defined radio and flexibility in the
encryption method used. Furthermore, 5G will improve latency, battery consumption, cost, and
reliability, which will reduce the cost of communications over wireless networks when performing
payment transactions. Heterogeneous wireless networking technologies will continue to play a
fundamental role in the deployment of 5G networks. However, the disparity of security solutions
used by different wireless, mobile, cellular networks makes end-to-end security solutions still a
significant challenge that must be addressed to support future secure m-payment systems and
applications.
5.2 Cloud Computing
A cloud-based m-payment system is a type of proximity payment that stores payment credentials
(used to authenticate the payment transaction) on a remote server rather than at the mobile device.
To use this solution, both the consumer and the merchant must download the cloud-based
application and subscribe to the service. The physical mobile phone might not be needed to
complete the payment, depending on the exact solution. Consumers can access their account
information in the cloud via mobile devices. In addition, payment notification can be
communicated via email or SMS text messages once a cloud payment is completed. Despite the
benefits offered by cloud-based m-payment systems, some security issues remain unsolved. For
example, payment data and stored payment credentials in the cloud could be compromised if the
cloud server is attacked. Also, payment data should not be transmitted via SMS or email because
cloud platforms aren’t encrypted. Finally, data privacy remains a key concern for payment data
stored in the cloud, which could share this information with other businesses without the
consumer’s explicit approval.
5.3 Encryption Technology
Elliptic curve cryptography (ECC) is an alternative approach to public-key cryptography. It relies
on the elliptic curve discrete logarithm problem, which dramatically decreases the key size needed to
achieve the same level of security offered by conventional public-key cryptographic schemes. This allows ECC
to provide similar security as RSA but using much smaller key sizes (approximately one-eighth of
the key size used by RSA), which in turn significantly reduces processing overhead. Therefore,
faster computations, lower power consumption and memory, and bandwidth savings are properties
offered by ECC that are useful for implementing encryption on resource-constrained mobile
devices. In the future, system designers should explore the possibility of incorporating ECC
algorithms in existing or new m-payment systems to reap many of the benefits of ECC in mobile
devices. Self-certified public-key schemes (where public-key authentication can be achieved
implicitly with signature verification) are an alternative security solution for m-payment systems
based on restricted communication scenarios, where an engaging party has connectivity
restrictions that prevent communication with a certification authority for validating a certificate
during a transaction. In those schemes, the user’s public key is derived from the signature of his or
her secret key along with his or her identity, and is signed by the system authority using the
system’s secret key. However, the expiration of this kind of certificate isn’t defined in all the
schemes proposed in the literature and is an open problem that still must be solved.
6. Conclusion
The aim of this paper is to focus on mobile payments, to analyze the different negative
and positive factors that impact adoption of mobile payments, and to introduce the emerging mobile
payment technologies and services. The key finding based on the analysis is that while consumers
continue to express concern over using their mobile phone to conduct banking and financial
services transactions, it is a fear born more of perception than reality. There are threats, but the
security controls available to mitigate risk at this level are substantial and effective. However,
security practices will need to continue to evolve as more and more smart phones and technologies
enter the market running more and more applications, creating an ever growing opportunity for
security threats.
References
[1] ISACA, Mobile Payments: Risk, Security and Assurance Issues, white paper, Nov. 2011;
www.isaca.org/Groups/Professional-English/pci-compliance/GroupDocuments/MobilePaymentsWP.pdf.
[2] Md. Shoriful Islam, Systematic Literature Review: Security Challenges of Mobile Banking and
Payments System, International Journal of u- and e- Service, Science and Technology, Vol. 7, No. 6
(2014), pp. 107-116; http://dx.doi.org/10.14257/ijunesst.
[3] Butchi Babu Muvva, Rajkumar Maipaksana, and M. Narasimha Reddy, 4G and Its Future Impact:
Indian Scenario, International Journal of Information and Electronics Engineering, Vol. 2, No. 4,
July 2012.
[4] Dr. Syed Nisar Osman, Determining New Security Challenges for Mobile Banking, International
Journal of Research in Advent Technology (E-ISSN: 2321-9637), Special Issue, 1st International
Conference on Advent Trends in Engineering, Science and Technology (ICATEST 2015), 08 March 2015.
[5] http://warse.org/pdfs/ijatcse03122012.pdf
[6] A Secure Cloud-Based NFC Mobile Payment Protocol, (IJACSA) International Journal of Advanced
Computer Science and Applications, Vol. 5, No. 10, 2014.
[7] Cloud Backup: Cloud Backup - FAQs, April 2010, Version 1.6,
https://backup.eu.businessitondemand.com
[8] Kelvin Chikomo, Ming Ki Chong, Alapan Arnab, and Andrew Hutchison, Security of Mobile Banking.
Mobile Commerce: A Security Perspective
CS_UNIT 2(P3).pptx
CNIT 128 8: Mobile development security
2010: Mobile Security - Intense overview
Mobile security
Mobile protection

More from Prof. Dr. K. Adisesha (20)

PDF
MACHINE LEARNING Notes by Dr. K. Adisesha
PDF
Probabilistic and Stochastic Models Unit-3-Adi.pdf
PDF
Genetic Algorithm in Machine Learning PPT by-Adi
PDF
Unsupervised Machine Learning PPT Adi.pdf
PDF
Supervised Machine Learning PPT by K. Adisesha
PDF
Introduction to Machine Learning PPT by K. Adisesha
PPSX
Design and Analysis of Algorithms ppt by K. Adi
PPSX
Data Structure using C by Dr. K Adisesha .ppsx
PDF
Operating System-4 "File Management" by Adi.pdf
PDF
Operating System-3 "Memory Management" by Adi.pdf
PDF
Operating System Concepts Part-1 by_Adi.pdf
PDF
Operating System-2_Process Managementby_Adi.pdf
PDF
Software Engineering notes by K. Adisesha.pdf
PDF
Software Engineering-Unit 1 by Adisesha.pdf
PDF
Software Engineering-Unit 2 "Requirement Engineering" by Adi.pdf
PDF
Software Engineering-Unit 3 "System Modelling" by Adi.pdf
PDF
Software Engineering-Unit 4 "Architectural Design" by Adi.pdf
PDF
Software Engineering-Unit 5 "Software Testing"by Adi.pdf
PDF
Computer Networks Notes by -Dr. K. Adisesha
PDF
CCN Unit-1&2 Data Communication &Networking by K. Adiaesha
MACHINE LEARNING Notes by Dr. K. Adisesha
Probabilistic and Stochastic Models Unit-3-Adi.pdf
Genetic Algorithm in Machine Learning PPT by-Adi
Unsupervised Machine Learning PPT Adi.pdf
Supervised Machine Learning PPT by K. Adisesha
Introduction to Machine Learning PPT by K. Adisesha
Design and Analysis of Algorithms ppt by K. Adi
Data Structure using C by Dr. K Adisesha .ppsx
Operating System-4 "File Management" by Adi.pdf
Operating System-3 "Memory Management" by Adi.pdf
Operating System Concepts Part-1 by_Adi.pdf
Operating System-2_Process Managementby_Adi.pdf
Software Engineering notes by K. Adisesha.pdf
Software Engineering-Unit 1 by Adisesha.pdf
Software Engineering-Unit 2 "Requirement Engineering" by Adi.pdf
Software Engineering-Unit 3 "System Modelling" by Adi.pdf
Software Engineering-Unit 4 "Architectural Design" by Adi.pdf
Software Engineering-Unit 5 "Software Testing"by Adi.pdf
Computer Networks Notes by -Dr. K. Adisesha
CCN Unit-1&2 Data Communication &Networking by K. Adiaesha

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Empathic Computing: Creating Shared Understanding
PPTX
MYSQL Presentation for SQL database connectivity
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Electronic commerce courselecture one. Pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPT
Teaching material agriculture food technology
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Machine learning based COVID-19 study performance prediction
PDF
cuic standard and advanced reporting.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Cloud computing and distributed systems.
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
Network Security Unit 5.pdf for BCA BBA.
Empathic Computing: Creating Shared Understanding
MYSQL Presentation for SQL database connectivity
Programs and apps: productivity, graphics, security and other tools
Electronic commerce courselecture one. Pdf
Dropbox Q2 2025 Financial Results & Investor Presentation
Teaching material agriculture food technology
“AI and Expert System Decision Support & Business Intelligence Systems”
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
MIND Revenue Release Quarter 2 2025 Press Release
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Machine learning based COVID-19 study performance prediction
cuic standard and advanced reporting.pdf
Unlocking AI with Model Context Protocol (MCP)
Cloud computing and distributed systems.
Digital-Transformation-Roadmap-for-Companies.pptx
NewMind AI Weekly Chronicles - August'25-Week II
Per capita expenditure prediction using model stacking based on satellite ima...
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Mobile App Security Testing_ A Comprehensive Guide.pdf

Security issues in_mobile_payment

1. Introduction

There doesn't seem to be a week in which something related to mobile and/or mobile payments is not in the news. Mobile, and everything mobile, is the current hot area where new investments and new ideas are blossoming in the hope of being part of the next "big thing" that generates healthy returns and wealth. Consumers are embracing mobile in their day-to-day lives and are more likely to forget their wallet at home than their mobile phone. With all this energy and momentum around mobile, as with any new next big thing, there are some areas of concern to consider. A key area of concern for consumers and financial service providers is the security of mobile banking and payments. There are new technologies and new entrants, as well as a complex supply chain, that will increase the security risks. No single technology standard has captured the market, and regulations relating to some of the new entrants are non-existent. Customers have increased control of their device in terms of application downloads, OS updates and personalization of their devices. This will lead to new challenges relating to privacy, and it will take some time before the younger generation realizes the implications of privacy violations. Compounding the challenge is the fact that traditional security controls such as AV, firewalls, and encryption have not reached the level of maturity needed in the mobile space. As with any emerging market area, these challenges will resolve over time. Until this area matures, there are measures that can be taken relating to customer education, service process rigor, payments technology, and fraud preventive and detective controls that can mitigate the security risks.

2. Definition of Mobile Payment System

A mobile payment system (MPS) can be defined as any payment system that enables financial transactions to be made securely from one organization or individual to another over a mobile network (using a mobile device). While the key phases of the generic mobile payment procedure are applicable to almost all transactions, they can be categorized into several different groups or procedures. Mobile payment procedures are categorized as location-based (remote and proximity transactions), value-based (micro-payments, mini-payments and macro-payments), charge-based (post-paid, pre-paid and pay-now), validation-based (online mobile payment, offline mobile payment), technology-based (single chip, dual chip, dual slot), token-based (e-coin) and account-based (wireless wallets).

3. Key Technologies

3.1. Mobile Elements

In understanding the security risks of mobile banking, it is useful to understand the general hardware and system software of a mobile device. The most prevalent technology for mobile devices and the associated wireless carriers today is based on the 2G (GSM/EDGE) and 3G (UMTS/HSPA) standards.
The latest technology currently being rolled out by major carriers is Long Term Evolution (LTE), which does not currently meet the requirements to be considered 4G (speeds of up to 100 Mbps for a moving user and 1 Gbps for a stationary user) but is being marketed as 4G. The basic components of a wireless network include the spectrum for the wireless interface, the antennas and radio processing equipment located at the base station or cell sites, and the connectivity (T1, microwave) from the cell site back to the mobile switching center that contains the voice and data processing equipment. The security elements for 3G technology include encryption on the air interface and mutual authentication between the user and the network (involving the HLR and USIM).

3.2. GSM and GPRS Security Architecture

Global System for Mobile Communications (GSM) is the most popular standard for mobile phones in the world. Figure 1 shows the basic structure of the GSM architecture; GSM provides SMS and GPRS (General Packet Radio Service) services.
Figure 1. GSM Architecture

The GPRS core network is an integrated part of the GSM network; it is layered over the underlying GSM network, with added nodes to cater for packet switching. GPRS also uses some of the existing GSM network elements, including the Base Station Subsystems (BSS), Mobile Switching Centers (MSC), Authentication Centers (AUC), and Home Location Registers (HLR). The GPRS network elements added to the existing GSM network include GPRS Support Nodes (GSN), the GPRS Tunnelling Protocol (GTP), access points, and the Packet Data Protocol (PDP) context.

3.2.1 Security mechanisms in the GSM network

The GSM network has some security mechanisms to prevent activities such as Subscriber Identity Module (SIM) cloning and to stop illegally used handsets. GSM has methods to authenticate and encrypt data exchanged on the network. The GSM authentication center is used to authenticate each SIM card that attempts to connect to the GSM network. The SIM card authentication takes place when a mobile station initially attempts to connect to the network, i.e. when a terminal is switched on. If authentication fails then no services are offered by the network operator; otherwise the Serving GPRS Support Node (SGSN) and HLR are allowed to manage the services associated with the SIM card.

The authentication of the SIM depends on a shared secret key between the SIM card and the AUC called Ki. This secret key is embedded into the SIM card during manufacture, and it is also securely replicated into the AUC. When the AUC authenticates a SIM, it generates a random number known as the RAND and sends this RAND to the subscriber. Both the AUC and the SIM feed the Ki and RAND values into the A3/A8 (or operator-proprietary (COMP128)) algorithm, and a number known as the Signed RESponse (SRES) is generated by both parties. If the SIM's SRES matches the AUC's SRES, the SIM is successfully authenticated. Both the AUC and the SIM can calculate a second secret key called Kc by feeding the Ki and the RAND value into the A5 algorithm. This is used to encrypt and decrypt the session communications.

After the SIM authentication the SGSN or HLR requests the mobile identity; this is done to make sure that the mobile station being used by the user is not blacklisted. The mobile returns the IMEI (International Mobile Equipment Identity) number, which is forwarded to the EIR (Equipment Identity Register). The EIR authorizes the subscriber and responds to the SIM with the status; if the mobile is authorized, the SGSN informs the HLR and PDP context activation begins.

3.2.3 Problems with the GSM Network

Problems with the A3/A8 authentication algorithm: A3 and A8 are not actually encryption algorithms, but placeholders used in the algorithm COMP128 [2]. COMP128 was broken by Wagner and Goldberg in less than a day.
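The challenge-response of 3.2.1 (RAND down to the SIM, SRES back, Kc derived on both sides, then the IMEI check against the EIR) as a runnable simulation added here; it is not code from the paper. Because A3/A8 (COMP128) is operator-proprietary and, as noted above, broken, HMAC-SHA256 stands in for it, and the class names, Ki, IMSI and IMEI values are all constructed for the example; the last cases show how a wrong Ki or a RAND altered in transit simply fail the SRES comparison, which is the dependency 3.2.3 discusses.

```python
"""GSM SIM authentication (section 3.2.1) as a simulation. Added example,
not code from the paper. A3/A8 (COMP128) is operator-proprietary and broken,
so HMAC-SHA256 stands in; the point is the message flow (RAND down, SRES up,
Kc on both sides, IMEI check), not the cipher. All values are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

RAND_LEN = 16  # 128-bit challenge
SRES_LEN = 4   # 32-bit signed response
KC_LEN = 8     # 64-bit session key


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8: one keyed computation yields (SRES, Kc).

    Only Ki and RAND go in; Ki never leaves the SIM or the AUC, and only
    RAND and SRES ever cross the air interface.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


@dataclass
class Sim:
    """Subscriber side: the IMSI and the Ki embedded at manufacture."""
    imsi: str
    ki: bytes

    def respond(self, rand: bytes) -> tuple:
        return a3_a8(self.ki, rand)


@dataclass
class AuthCentre:
    """Network side (AUC): the securely replicated Ki for each IMSI."""
    keys: dict = field(default_factory=dict)

    def challenge(self) -> bytes:
        return os.urandom(RAND_LEN)

    def expected(self, imsi: str, rand: bytes):
        ki = self.keys.get(imsi)
        return None if ki is None else a3_a8(ki, rand)


@dataclass
class EquipmentRegister:
    """EIR: IMEIs that have been blacklisted (e.g. handsets reported stolen)."""
    blacklist: set = field(default_factory=set)

    def authorised(self, imei: str) -> bool:
        return imei not in self.blacklist


def attach(auc, eir, sim, imei, rand=None, in_transit=lambda r: r):
    """Run SIM authentication, then the IMEI check, as described in 3.2.1.

    `rand` fixes the challenge for a reproducible run; `in_transit` models
    what the air interface actually delivers to the SIM. Returns
    (status, kc): kc is the session key both sides agree on, or None when
    the network refuses the attach.
    """
    rand = auc.challenge() if rand is None else rand
    exp = auc.expected(sim.imsi, rand)
    if exp is None:
        return "unknown-subscriber", None
    exp_sres, exp_kc = exp
    sres, _ = sim.respond(in_transit(rand))
    # The AUC decides with a constant-time compare; the SIM never sees exp_sres.
    if not hmac.compare_digest(sres, exp_sres):
        return "auth-failed", None  # wrong Ki, or RAND changed on the way
    if not eir.authorised(imei):
        return "equipment-blacklisted", None
    return "attached", exp_kc


def demo() -> dict:
    """Exercise every outcome with constructed subscriber and handset data."""
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed Ki
    imsi, imei = "404450000000001", "351234567890123"      # constructed
    auc = AuthCentre({imsi: ki})
    eir = EquipmentRegister({"490154203237518"})           # constructed blacklist
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, bytes(RAND_LEN))  # same IMSI presented with a guessed Ki
    rand = bytes(range(RAND_LEN))       # fixed challenge so the run is repeatable

    def flip_bit(r: bytes) -> bytes:    # one bit of RAND altered in transit
        return bytes([r[0] ^ 0x01]) + r[1:]

    return {
        "genuine": attach(auc, eir, genuine, imei, rand)[0],
        "cloned_sim": attach(auc, eir, clone, imei, rand)[0],
        "altered_rand": attach(auc, eir, genuine, imei, rand, flip_bit)[0],
        "blacklisted_imei": attach(auc, eir, genuine, "490154203237518", rand)[0],
        "unknown_imsi": attach(auc, eir, Sim("404459999999999", ki), imei, rand)[0],
    }
```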
Problems with the A5 algorithm: The A5 algorithm is used to prevent casual eavesdropping by encrypting communications between the mobile station (handset) and the BSS. Kc is the result of feeding the Ki and RAND values into the A5 algorithm, and this Kc value is the secret key used with A5 for encryption between the mobile station and the BSS. There are at least three flavours of the A5 algorithm. A5/1 is commonly used in western countries; it is deemed strong encryption [3], but it was reverse engineered some time ago. A5/2 has been cracked by Wagner and Goldberg, and the methodology they used required five clock cycles, making A5/2 almost useless. Finally, A5/0 is a form of A5 that does not encrypt data at all. All these problems with the A5 encryption algorithms show that eavesdropping between the mobile station and the BSS is still possible, making GPRS over the GSM core network very insecure for mobile banking.

Attack on the RAND value: When the AUC attempts to authenticate a SIM card, the RAND value sent to the SIM card can be modified by an intruder, causing the authentication to fail. This may cause a denial of service.

3.3 Short Message Service

This service allows mobile systems and other networked devices to exchange short text messages with a maximum length of 160 characters. SMS uses the popular text-messaging standard to enable mobile application-based banking. The customer requests information by sending an SMS containing a service command to a pre-specified number, and the bank responds with a reply SMS containing the requested information. One of the major reasons that transaction-based services have not taken off on SMS is concern about security.

3.3.1 Security Problems with SMS

SMS was originally intended for subscribers to send non-sensitive messages across the open GSM network. Mutual authentication, text encryption, end-to-end security and non-repudiation were omitted during the design of the GSM architecture. In this section we discuss some of the security problems of using SMS.

Forging the originator's address: SMS spoofing is an attack in which a third party sends SMS messages that appear to be from a legitimate sender. It is possible to alter the originator's address field in the SMS header to another alphanumeric string. This hides the original sender's address, and the sender can send out hoax messages and perform masquerading attacks.

SMS encryption: The default data format for SMS messages is plaintext. The only encryption involved during transmission is the encryption between the base transceiver station and the mobile station. End-to-end encryption is currently not available. The encryption algorithm used is A5, which has been shown to be vulnerable; therefore a more secure algorithm is needed.

3.4 Wireless Application Protocol/GPRS

GPRS is a mobile data service available to GSM users that enables WAP-enabled devices such as mobile phones to support services such as Internet browsing, multimedia messaging service, and Internet-based communication services such as email and World Wide Web access. Mobile phones or terminals can access the internet using WAP browsers; WAP browsers can only access WAP sites. Instead of the traditional HTML, XML or XHTML, WAP sites are written in WML (Wireless Markup Language).
The WAP protocol is only persistent from the client to the WAP gateway; the connection from the WAP gateway to the bank server is secured by either SSL or TLS. WAP provides security of communications using the WTLS (WAP Transport Layer Security) protocol and the WIM (WAP Identity Module). WTLS provides a public-key based security mechanism similar to TLS, and the WIM stores the secret keys. In order to allow the interoperability of WAP equipment and software with many different technologies, WAP uses the WAP protocol suite. Figure 2 illustrates the different layers of the WAP protocol.

Figure 2. WAP Protocol Suite (source: [6])
3.4.1 Security Problems with Current GPRS Implementations

Security issues with present implementations that use WAP: The present mobile banking implementations that use WAP have proven to be very secure, but there exist some loopholes which could lead to insecure communications. Some of these loopholes include:

- There is no end-to-end encryption between the client and the bank server.
- There is end-to-end encryption between the client and the gateway and between the gateway and the bank server.
- To resolve this, the bank server could have its own Access Point Name (APN) in any of the GPRS networks. This APN would serve as the WAP gateway for the bank. Therefore the client would be connected directly to the bank without third parties in the middle of the communication.
- The public-key cryptosystem key sizes offered by the WTLS standard are not strong enough to meet today's WAP application security requirements. Considering the low processing power of handheld devices, the key sizes have been restricted.
- The anonymous key exchange suites offered by the WTLS handshake are not considered secure: neither the client nor the server is authenticated. Banks should provide functionality to disallow this option of handshaking.

Security issues associated with using the plain GPRS network: The GPRS core network is too general; it does not cater for some banking security requirements. Some of these requirements include:

- Lack of account holder or bank authentication. The bank can provide a unique APN to access the bank server, but without this or some other authentication mechanism anyone can masquerade as the bank. All these issues raise concerns of fabrication of either bank information or account holder information.
- Provision of functions to avoid modification of data and to ensure the integrity of data for both the account holder and the bank.
- The methods to cater for confidentiality of data between the mobile station and the bank server have proven to be weak, and the network operator can view the account holder's information. This raises security issues for both the bank and the account holder.
- The bank cannot prove that the account holder performed a specific action, and the account holder cannot prove that the bank performed a specific action.
- GPRS provides session handling facilities but does not handle bank-specific sessions; this may cause inconsistencies on the bank's side, raising security issues.

3.5 Other Technologies

Phone-based application. The m-payment client application (residing on the consumer's mobile phone) can be developed using the Java 2 Platform, Micro Edition for GSM-based mobile phones and the Binary Runtime Environment for Wireless for mobile phones based on code division multiple access.

SIM-based application. The Subscriber Identity Module (SIM) used in GSM mobile phones is a smart card whose information can be protected using cryptographic algorithms and keys. (Smart cards are microcomputers small enough to fit in a wallet or even a mobile phone. They have their own processors and memory for storage.) SIM applications are relatively more secure than client applications that reside on the mobile phone.

RFID. This technology uses radio frequency (RF) signals to exchange data between a reader and an electronic tag attached to an object, for the purpose of identification and tracking.

Voice-based payment transactions. These can be done by making a phone call to a special number and providing a credit card number.

Dual chip. Dual-chip phones have two slots: one for a SIM card (telephony) and another for a payment chip card. This solution allows an m-payment application provider to develop an m-payment application in the payment chip card without collaborating with the telecommunications operator (the owner of the SIM card).

Near-field communication. This short-range wireless communication standard results from the fusion of the contactless smart card (RFID) and the mobile phone. NFC does not have native encryption capabilities and is therefore vulnerable to security exploits if not properly implemented. The RF signal on which NFC works has the potential to be read or intercepted up to several meters away with the proper equipment, without needing line of sight. Appropriate encryption will provide adequate protection against eavesdropping.

Mobile wallet. This m-payment application software on the mobile phone contains details of the customer (including bank account details and/or credit card information) that enable the customer to make payments using the mobile phone. A possible drawback to the mobile wallet and secure element solution is that a single PIN unlocks all of the accounts stored in the wallet. This is in contrast to plastic cards, where each card can be set to use a different PIN.
Mobile wallets could thus present greater exposure to loss in the event that a mobile wallet device and its single PIN are compromised.

3.5.1. Security Vulnerabilities and Solutions

As mentioned earlier, m-payment systems rely on underlying communication technologies (such as GSM, Bluetooth, and RFID) whose security vulnerabilities are often ignored when the security aspects of the m-payment systems are analyzed. Therefore, m-payment system designers should take a holistic view when performing a security analysis during design and implementation. In general, to counter potential threats, a secure m-payment system must satisfy the following transaction security properties: authentication, confidentiality, integrity, authorization, availability, non-repudiation (ensuring that users can't claim that a transaction occurred without their knowledge), and accountability (defined as the ability to show that the parties who engage in the system are responsible for the transactions related to them). Table 1 summarizes the types of vulnerabilities and threats and their corresponding risks in an m-payment system environment, together with relevant protection solutions.
Table 1. Vulnerabilities, threats, risks, and protection solutions in m-payment systems [1]

4. 4G Transmission in the Security of Mobile Payment

4G (fourth-generation wireless) defines the stage of broadband mobile communications that supersedes the third generation (3G). 4G uses orthogonal frequency-division multiplexing (OFDM) instead of time division multiple access (TDMA) or code division multiple access (CDMA). ISPs are increasingly marketing their services as being 4G, even when their data speeds are not as fast as the International Telecommunication Union (ITU) specifies. According to the ITU, a 4G network requires a mobile device to be able to exchange data at 100 Mbit/sec. A 3G network, on the other hand, can offer data speeds as slow as 3.84 Mbit/sec. OFDM is a type of digital modulation in which a signal is split into several narrowband channels at different frequencies. This is more efficient than TDMA, which divides channels into time slots and has multiple users take turns transmitting, and CDMA, which simultaneously transmits multiple signals on the same channel. Thus it paves the way to support efficient encryption mechanisms in securing mobile payment.

4.1 Cryptography – Vulnerabilities in Mobile Payment

Cryptographic techniques play an important role in satisfying the transaction security properties mentioned earlier. They are essential in securing m-payments over open networks that have little or no physical security. Symmetric cryptography shares a secret between two parties (a sender and a receiver) who want to communicate safely without revealing details of the message. Symmetric cryptographic methods are suitable because of their low computational requirements. However, key management in symmetric-key operations is complex. To solve this complexity, public-key cryptography uses a pair of keys for every party: a public key (that is published) and a private key (that remains secret). Thus, it is not necessary to share a secret key between the sender and the receiver before communicating securely. However, traditional asymmetric signature schemes make the signature computations expensive and are not suitable for mobile devices. Moreover, to avoid impersonation attacks, a certificate is required for every public key and must be verified by a certification authority, causing an additional information exchange (and increased delays) during each transaction.

5. Upcoming Opportunities and Challenges

Mobile communication continues to evolve and improve, and new technologies offering attractive business opportunities are emerging. Solutions provided by m-payment vendors must evolve in order to support increasingly sophisticated client applications running on mobile devices.
At the same time, designers must continuously adapt existing m-payment systems to allow clients to take advantage of the benefits associated with emerging technologies while simultaneously ensuring secure and reliable payment transactions. We have identified several upcoming opportunities that may provide an effective solution to the existing security issues in m-payment.

5.1 5G Technology

The 5G mobile communications technology is the next generation of the existing 4G Long-Term Evolution network technology. It will enable users to transmit massive data files, including high-quality digital movies, practically without limitation, allowing subscribers to enjoy a wide range of services such as 3D movies and games, real-time streaming of ultra-high-definition content, and remote medical services. 5G will enable software-defined radio and flexibility in the encryption method used. Furthermore, 5G will improve latency, battery consumption, cost, and reliability, which will reduce the cost of communications over wireless networks when performing payment transactions. Heterogeneous wireless networking technologies will continue to play a fundamental role in the deployment of 5G networks. However, the disparity of security solutions used by different wireless, mobile and cellular networks means that end-to-end security remains a significant challenge that must be addressed to support future secure m-payment systems and applications.
5.2 Cloud Computing

A cloud-based m-payment system is a type of proximity payment that stores payment credentials (used to authenticate the payment transaction) on a remote server rather than on the mobile device. To use this solution, both the consumer and the merchant must download the cloud-based application and subscribe to the service. The physical mobile phone might not be needed to complete the payment, depending on the exact solution. Consumers can access their account information in the cloud via mobile devices. In addition, payment notification can be communicated via email or SMS text messages once a cloud payment is completed. Despite the benefits offered by cloud-based m-payment systems, some security issues remain unsolved. For example, payment data and stored payment credentials in the cloud could be compromised if the cloud server is attacked. Also, payment data should not be transmitted via SMS or email because cloud platforms aren't encrypted. Finally, data privacy remains a key concern for payment data stored in the cloud, whose operator could share this information with other businesses without the consumer's explicit approval.

5.3 Encryption Technology

Elliptic curve cryptography (ECC) is an alternative approach to public-key cryptography. It relies on the elliptic curve discrete logarithm problem, which dramatically decreases the key size needed to achieve the same level of security offered by conventional public-key cryptographic schemes. This allows ECC to provide similar security to RSA using much smaller key sizes (approximately one-eighth of the key size used by RSA), which in turn significantly reduces processing overhead. Therefore, faster computations, lower power and memory consumption, and bandwidth savings are properties offered by ECC that are useful for implementing encryption on resource-constrained mobile devices.
In the future, system designers should explore incorporating ECC algorithms into existing or new m-payment systems to reap these benefits on mobile devices. Self-certified public-key schemes, in which public-key authentication is achieved implicitly through signature verification, are an alternative security solution for m-payment systems in restricted communication scenarios, where a participating party has connectivity restrictions that prevent it from contacting a certification authority to validate a certificate during a transaction. In these schemes, the user's public key is derived from the signature of his or her secret key together with his or her identity, and is signed by the system authority using the system's secret key. However, the expiration of this kind of certificate is not defined in all the schemes proposed in the literature and remains an open problem.

6. Conclusion

The aim of this paper is to focus on mobile payments, to analyze the negative and positive factors that affect the adoption of mobile payments, and to introduce emerging mobile payment technologies and services. The key finding of the analysis is that, while consumers continue to express concern over using their mobile phone to conduct banking and financial transactions, this fear is born more of perception than reality. There are threats, but the security controls available to mitigate risk at this level are substantial and effective. However, security practices will need to continue to evolve as more and more smartphones and technologies enter the market running more and more applications, creating an ever-growing opportunity for security threats.
