Security Issues Associated With Mobile Commerce Information Technology Essay

The report investigates the current state of the Mobile-commerce based on its security and examines the predicted future developments of the system. A brief background of the M-commerce and its applications is initially outlined. The discussion will then focus on the security issues and solutions based on the five security objectives (standards): Confidentiality, Authentication, Authorisation, Integrity and Non-repudiation. The applications of these security standards will then be applied on two M-commerce applications, both involving mobile transaction: Mobile-Payment and Mobile-Banking. It is concluded that further technological development in M-commerce system will be required, in order to improve the quality of service and ensure the user that such a system is safe to use.

Nestor Mfuamba

Introduction

The term M-commerce (mobile-commerce) derives from E-commerce (e-commerce) which denotes business transactions over the internet. The transactions could be buying and selling goods/services by accessing the internet. Both M-commerce and E-commerce are part of two districts business markets: B2B (Business to Business) and B2C (Business to Consumer), the two distinct from dealing with business for the first and dealing end consumer for the last. From these business concepts, we can see that a B2B market, is more like E-commerce, where a business / user, accessing the internet for business transactions from an unstated devices. The technology used for this system could either be wireline (home PC, end user devices) or wireless (via mobile phones, PDAs, end user devices).

In fact the term M-commerce, is all about a wireless E-commerce that is where a mobile device is used to access the internet for business transactions either in B2B or B2C markets.

With the ubiquitous availability of mobile phones (other end user devices), M-commerce services have a promising future, especially in the B2C market. Future development applications include buying over the phone, purchase and redemption of tickets and reward schemes, travel and weather information, and writing contracts on the move. However, the success of M-commerce today, very much depends on the security of the underlying technologies. For example, credit card charges for transactions on the internet are 15%, versus 1% for POS (Point-of-Sales) credit card transactions. The chargeback rates grow to 30% digital product are sold. For M-commerce to take off, fraud rates have to be reduced to an acceptable level. As much security can be regarded as an enabling factor for the success of M-commerce applications. In this report, I discuss the security issues associated with M-commerce and their solutions based on two existing M-commerce applications, namely:

Mobile Payment Systems: business transactions on the internet require the payments of either goods or services. M-payment systems have different requirements and characteristics than E-payment systems (electronic-payment).

Mobile-Banking Systems: types of execution of financial services in the course of which – within an electronic procedure – the consumer uses mobile communication techniques in conjunction with mobile devices for banking transactions.

M-commerce

Definition

The term m-commerce can be defined in many ways. From own experience and research, m-commerce is just an electronic – commerce system that is accessed from mobile phones. Both e-commerce and m-commerce are B2C (Business to Consumer) systems. According to the OECD (Organisation for Economic Co-operation Development), e-commerce follows two criteria that are:

Automation of transaction

Spatial separation of transactions and delivery

By definition m-commerce is a business commerce system using mobile device for business transactions performed over a mobile telecommunication network, possibly involving the transfer of money.

Based on research done by Kalkota Ravi and Robinson Maria, they have actually divided m-commerce into five descriptive phases:

Messaging – m-commerce (SMS)-based m-commerce)

Info – connectivity – m-commerce (web based m-commerce)

Transactions – m-commerce (strategy for organisations in order to evolve revenue generating mcommerce)

Transformation – m-commerce (m-commerce is interconnected and implemented into business processes within and between organisations)

Infusion -m-commerce (and m-commerce is a normal way to do business – this means a culture change from one, in which technology is occasionally handed over to the other one where technology is an accepted part)

Technology and Applications

The technology of M-commerce is built on several key technologies. They distinguish by their common uses.

Mobile phones have developed gradually, making significant changes to their standards, starting from the first generation (analogue phones) to the third generation (3G):

first-generation or analogue phones – good for voice calls

second-generation phones – use digital technology and are typical of the average phone in use today

2.5G digital phones – support the transmission of data using general packet radio service (GPRS)

third generation (3G) digital phones – support voice and data transmission at greatly increased speeds

3G supports services that were not possible with earlier technologies:

video calls can be made and received from other 3G users

video and other types of media can be downloaded to play on your phone

3G phones often have cameras, so you can take and transmit digital pictures

location-based services can be accessed in order to see a map of where you are, or find out the nearest garage, restaurant, bank, etc

M-commerce developments are focused very strongly on the use of 3G phone technology.

Wireless application protocol (WAP) enables mobile devices to browse the internet because the web browsers built into these devices support hypertext markup language (HTML) and extensible markup language (XML) – the key languages used for internet content.

WAP-enabled devices run microbrowsers. These are applications that suit the:

small screen and small memory size of handheld devices

low bandwidths that are a feature of wireless networks for handheld devices

Another important m-commerce technology is short message service (SMS), also known as texting. This popular service allows short text messages of up to 160 characters to be sent from and to mobile devices at a low cost. This has a wide application in m-commerce technology. Improvements to the service, such as T9 predictive text to help you type faster, have helped to improve the service, and a number of enhancements such as enhanced messaging (EMS) led to multimedia messaging service (MMS) messaging.

With an MMS-enabled phone, you can:

take digital photographs and store photographs on the internet

send and receive full color pictures

add a text message to your picture

send and receive voice clips

purchase pictures and sounds from the internet

have enhanced polyphonic ringtones

Mobile Application Types

Communications:

E-mail Clients

IM Clients

Mobile Web and Internet Browsers

News/Information Clients

On-Device Portals (Java Portals)

Social Network Clients

Games:

Puzzle/Strategy (e.g., Tetris, Sudoku, Mah-jong, Chess, Board Games)

Cards/Casino (e.g., Solitaire, Blackjack, Roulette, Poker)

Action/Adventure (e.g., Doom, Pirates of the Caribbean, Role-Playing Games)

Sports (e.g., Football, Soccer, Tennis, Basketball, Racing, Boxing, Skiing)

Leisure Sports (e.g., Bowling, Pool, Darts, Fishing, Air Hockey)

Multimedia:

Graphics/Image Viewers

Presentation Viewers

Video Players

Audio Players

Streaming Players (Audio/Video)

Productivity:

Calendars

Calculators

Diary

Notepad/Memo/Word Processors

Spreadsheets

Directory Services (e.g., yellow pages)

Banking/Finance

Travel:

City Guides

Currency Converters

Translators

GPS/Maps

Itineraries/Schedules

Weather

Mobile System Architecture

The figure bellow shows the architecture of an m-commerce system: from the design, we can clearly see that a user/client access the web via an xml server connected to a database.

Figure1. Proposed M-commerce system architecture

Mobile devices

The applications of M-commerce can be implemented on different kinds of end user devices other than only mobile phones:

Mobile phones

PDA (Personal Digital Assistant)

Smart phone – the smart phone combines mobile phone and PDA technology into one device

Laptop

Earpiece device such as Bluetooth (as part of a Personal Area Network)

The choice of devices in M-commerce is mainly based on the device features, and network technology used for transmission, the last allows the bandwidth capacity to vary and influence the kind of services the end user is able to receive. In mobile phones, the technology differs from other end user devices by their ability to have internal smart cards that determine their memory capacities. Nowadays, three solutions exist: Single SIM widely used around the world and confidential user information is stored one smart card. Dual Chip, means two smart cards in one mobile phone, as one used for user authentication to the network operator as the other, is used for value-added services such as m-payment or digital signature. Dual Slot, this type of mobile phones, has a SIM card and card slot for fully-sized external smart card. This solutions consists on using different cards one after the other. e.g. POS and ATM terminals.

M-commerce vs. E-commerce

This part of the report doesn’t compare the two business systems. However, present advantages and disadvantages of M-commerce system over and E-commerce system. As defined in part 1.1., M-commerce is subset of the E-commerce but using end user devices as transaction platforms. The following list summarises, the advantages:

Accessibility – accessibility is related to ubiquity and means that the end user is accessible anywhere at any time. Accessibility is probably the major advantage by comparison with E-commerce applications involving a wired end user device.

Ubiquity – the end user device is mobile, that is, the user can access M-commerce applications in real time at any place.

Security – depending on the specific end user device, the device offers a certain level of inherent security. For example, the SIM card commonly employed in mobile phones is a smart card that stores confidential user information, such as the user’s secret authentication key. As such, the mobile phone can be regarded as a smart card reader with smart card.

Localisation – a network operator can localise registered users by using a positioning systems, such as GPS, or via GSM or UMTS network technology, and offer location- dependent services. Those services include local information services about hotels, restaurants, and amenities, travel information, emergency calls, and mobile office facilities.

Personalisation – mobile devices are usually not shared between users. This makes it possible to adjust a mobile device to the user’s needs and wishes (starting with the mobile phone housing and ringtones). On the other hand, a mobile operator can offer personalised services to its users, depending on specified user characteristics (e.g. a user may prefer Italian food) and the user’s location (see above).

Convenience – the size and weight of mobile devices and their ubiquity and accessibility makes them an ideal tool for performing personal tasks.

Along with these advantages, we also have disadvantages, the following list summarises, the facts:

Mobile devices offer limited capabilities between mobile devices these capabilities vary so much that end user services will need to be customised accordingly.

The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform. For this reason, standardisation bodies consisting of telecommunication companies, device manufacturers, and value-added service providers integrate their work (see Section 4.5). For example, many current mobile devices implement an IP stack to provide standard network connectivity. At the application level, the Java 2 Micro Edition (J2ME) offers a standardized application platform for heterogeneous devices.

Mobile devices are more prone to theft and destruction. According to a government report, more than 700000 mobile phones are stolen in the UK each year [12]. Since mobile phones are highly personalised and contain confidential user information, they need to be protected according to the highest security standards.

The communication over the air interface between mobile device and network introduces additional security threats (e.g. eavesdropping, winds etc …).

Security

Concept and Challenges

The concept of security in M-commerce is the most important aspect of a business that a mobile-system should respond to. There is no need to implement, such system without securing its environment, especially where transactions involve monetary value. Different views from participants in an M-commerce scenario, percept, security and privacy as major factors for markets breakthrough of the according system.

Moving from participant’s point of views, I have defined five security objectives / standards that a system should respond to:

Confidentiality: ensure privacy, the content of the transaction cannot be viewed by unauthorised persons and enables encryption.

Authentication: ensure that the content of the transaction originates from the presumed sender/partner.

Integrity: ensure that the content of transaction is not modified during the delivery and cannot be altered at any time. The technique used is called digital signatures.

Authorisation: ensure that anyone involved in the transaction must be recognize and verified in order to authorize/allow the transaction to take place. It is more like digital certificates.

Non-repudiation: no-one should be able to claim that any transaction on his/her behalf was made without their knowledge. The concept of digital signatures is applied.

This standards don’t just apply to end user devices, but to the whole systems involving device users, network (e.g. WAP, WEP), financial and administrative institutions (e.g. banks, governments etc.). I have identified, few security challenges related to the system:

The mobile device – confidential user data on the mobile device as well as the device itself should be protected from unauthorised use. The security mechanisms employed here include user authentication (e.g. PIN or password authentication), secure storage of confidential data (e.g. SIM card in mobile phones) and security of the operating system.

The radio interface – access to a telecommunication network requires the protection of transmitted data in terms of confidentiality, integrity, and authenticity. In particular, the user’s personal data should be protected from eavesdropping. Different security mechanisms for different mobile network technologies (i.e. in 2G, 3G, and other systems) were explained in part 2.2

The network operator infrastructure – security mechanisms for the end user often terminate in the access network. This raises questions regarding the security of the user’s data within and beyond the access network. Moreover, the user receives certain services for which he/she has to pay. This often involves the network operator and he/she will want to be assured about correct charging and billing.

The kind of M-commerce application – m-commerce applications, especially those involving payment, need to be secured to assure customers, merchants, and network operators. For example, in a payment scenario both sides will want to authenticate each other before committing to a payment. Also, the customer will want assurance about the delivery of goods or services. In addition to the authenticity, confidentiality and integrity of sent payment information, non-repudiation is important.

Threats scenarios

In this part, I am going to present major threats to security based on the M-commerce security standards and address ideal scenarios, observed during each methods.

The following list shows the threats:

Money thefts: as long as, m-commerce involves transaction, driven by monetary values. The system will always attract hackers, crackers and anyone with the knowledge of exploiting and abusing the system. They often set fake websites, in order to extract customer’s personal data, credit card details etc.

Threats to the system: mobile devices are not spared from those deceptive methods of stealing information. Viruses, Trojans, Worms are often planted by individuals for reasons known best to them alone, in order to compromise the credibility of all m-commerce system.

Threats observed during authentication:

Observation:

An adversary can download the client on a laptop/desktop and use its insecurities for malicious purposes.

An adversary can obtain the user credentials stored on the mobile phone by transferring the contents to pc/laptop from the phone or memory card.

An adversary can register with valid details of a valid bank account holder and access his/her account details or make transactions.

An adversary can access user credentials directly from the phone’s folders or from phone’s memory card.

An adversary can obtain the new PIN for transacting using the weak forgot password feature or an adversary can change the password/PIN of a valid user without authentication/authorization.

An adversary can use the auto-complete feature to access a valid user’s account.

An adversary can guess weak passwords/PIN to retrieve customer information.

Ideal scenario:

An adversary can download the client on laptop/desktop and use its insecurities for malicious purposes. An adversary can use the auto-complete feature to access a valid user’s account.

The customer has to first register with the bank. Customer details like full name, postal address, e-mail address, bank account details and mobile phone number should be provided.

The bank would inform the vendor to push the mobile client application to the mobile number provided by the customer. This can be done through a system which communicates between the server at vendor end and bank end. The vendor enters the mobile number of the customer and the client application is pushed to it. This ensures that the client is not downloaded to a pc or laptop and misused. In case the push is not possible, the customer has to be informed and the client application installed by the vendor.

The application has to ensure that during installation a few checks are done

Transfer the bank’s and vendor’s public key for encryption purposes. There can be two keys generated for the vendor; one for storage and one for data transmission.

The client files/folders are installed on the phone and not in the memory card.

The files and folders should be restricted from being transferred to a memory card or pc/laptop. The access to these files should only be through the executable and not directly.

The installer should be removed after installation.

Application should not allow auto-complete feature.

Threats observed during transactions

Observation:

Based on the services provided to the customer the following threats can be observed:

An adversary can sniff the contents of transaction and obtain confidential information.

An adversary can bypass authentication controls.

An adversary can make bogus shopping or purchase transactions for another valid customer.

An adversary can view the account details of another user.

An adversary can modify the ‘from account’ and amount field during a fund transfer process.

An adversary can predict the session id and perform transactions as a valid user.

An adversary can access a valid account using an active session which has not been terminated after a long time of inactivity.

An adversary can login using his credentials and view/modify the details of another valid customer.

Illegal/Invalid transactions can be performed without continuous authentication process for each transaction.

Ideal scenario

An adversary can sniff the contents of transaction and obtain confidential information.

All transactions should be through a secured connection. Data transmitted between the client application and the vendor server should be through HTTPS or another secured channel and also encrypted through the vendor’s transport public key. The data flowing back from vendor sever to the client should be through HTTPS or a secured channel.

The data flowing between the vendor server and bank server should be through HTTPS. Also the customer details, which are not required by the vendor, should be encrypted using the bank’s public key. The return should be through HTTPS. Any data flowing between bank/vendor to other third parties or merchants like for mobile shopping should be through a secured payment gateway.

An adversary can bypass authentication controls, Illegal/Invalid transactions can be performed without continuous authentication process for each transaction and view the account details of another user.

Each transaction or operation should be authenticated either using a single layer or a dual layer. The vendor side application should authenticate the customer using the PIN for non-critical operations. Validation checks should be in place to ensure that this authentication control is not bypassed.

For critical transactions, there can be dual authentication mechanism, one using the PIN at the vendor and other using the Internet banking ID at the bank side. Validation checks should be in place to ensure that this authentication control is not bypassed.

An adversary can make bogus shopping or purchase transactions for another valid customer. An adversary can modify the ‘from account’ and amount field during a fund transfer process.

For example, in a fund transfer operation the bank should ask for the Internet banking credentials from the customer for authentication and verification. Also checks need to be in place to ensure that the ‘from account’ field cannot be modified or the ‘amount’ field is not negative.

An adversary can predict the session id and perform transactions as a valid user. For example, an adversary can access a valid account using an active session which has not been terminated after a long time of inactivity and login using his credentials and view/modify the details of another valid customer.In mobile shopping operation, the payment should be through a secured payment gateway. Ideally, the vendor should not store the details of the shopping done by the customer. In case the vendor performs the payment for the customer for his/her purchases, then only the details need to be stored at the vendor. Then the customer authorizes the bank to transfer the amount to the vendor’s account for making the payment to the merchant for his/her item. Having a good session management mechanism ensures that attackers don’t use a valid session id for login purposes. Also the application should ensure that users are not able to change the data and view another customer’s details.

Other possible threats:

An adversary can upload malicious files to the server/application. Ideally, a mobile banking scenario would not require a customer to upload files to the server. Hence the same can be disabled for customers.

An adversary can obtain the confidential customer data and source code from the server. All customer data and application source code at the vendor server should be protected not only from the outside attackers, but from internal users/developers also.

Malicious activities are undetected. Audit trails and logging need to be maintained for the application which mentions the customer name, bank details and transaction performed with time and date for future reference.

An adversary can obtain the details of the server or error messages provide information for the adversary to perform specific attacks. The application should ensure no messages are provided to the outside world which would reveal information about the system.

An adversary can obtain the vendor private key from the server to perform man-in-the-middle attacks. The private keys should be stored securely and access should only be given to the application to use the keys during any kind of operations.

Security Technology

This part of my report focuses on the network technologies, which are relevant to a secure M-commerce system. The security itself focuses on three aspects, studied in the IST SHAMAN project: M-commerce network security, Transport layer security and Service security. The IST SHAMAN has studied the security architecture of current and potential future mobile systems. Here, they are discussed:

M-commerce Network Security

GSM (General System for Mobile Communication): established in the early 1990s, the GSM is the first generation mobile phones and major device for M-commerce. The devices presented strong limitations with respect to their capabilities other than telephony. In term of data service, the dial-in data sessions over circuit switched connections were possible but relatively slow, at 9, 6 Kbits/s and required a separate device such a computer, which reduced its mobility. As the GSM core network extended, a number of data services where established such as:

The Short Message Service (SMS)

The Wireless Application Protocol (WAP) allowing internet access

The High Speed Circuit Switched Data (HSCSD) providing higher data rates

The General Packet Radio Service (GPRS) extends GSM with packet oriented services

The figure, below shows an architecture of GSM, including GPRS, IN (Intelligent Network) and SMS.

Figure 2: GSM Architecture

What is the scenario in this architecture and what does the GSM provides as security features?

The mobile station communicates over the wireless interface with a base transceiver station (BTS) which is part of a base station subsystem (BSS). The base station controller (BSC) is connected with a MSC (Mobile Switching Centre) and a SGSN (Serving GPRS Support Node). The latter two are the central switching components for circuit and packet switched data.

When a customer subscribes, the GSM home network assigns the mobile station a unique identifier, the international mobile subscriber identity (IMSI), and an authentication key Ki.

The IMSI and the secret authentication key Ki of the mobile station (MS) are stored in the SIM (subscriber identity module), which is assumed to be tamper proof. On the network side, the IMSI, Ki and other information are stored in the HLR (Home Location Register) and AuC (Authentication Centre).

GSM provides the following security features for the link between the mobile station and the network:

• IMSI confidentiality

• IMSI authentication

• User data confidentiality on physical connections

• Connectionless user data confidentiality

• Signaling information element confidentiality

In general, the security architecture of GSM, presents basic security mechanisms for M-commerce systems. The authentication towards the network, from a mobile customer is based on a secret ki that will derive to a symmetric key, used to encrypt the link between the mobile station and the BTS. The secret key ki is never sent over the network. From there, we can say that GSM presents two weaknesses, Authentication and Encryption as it is optional.

UMTS (Universal Mobile Telecommunication System): the security architecture of UMTS is designed to fix the security weaknesses of GMS. In UMTS, authentication is mutual, and encryption is mandatory unless the mobile station and the network agree on an unciphered connection. In addition, integrity protection is always mandatory and protects against replay or modification of signaling messages. UMTS introduces new cipher algorithms and longer encryption keys. Thus, UMTS doesn’t seem to have any security weaknesses. The architecture of this technology is depicted below:

Figure 3 : UTRAN system

WLAN (Wireless Local Area Network): The IEEE standard 802.11 specifies families of WLANs which operate in the unlicensed 2.4 GHz and 5 GHz band. The standards specify the physical layer (PHY) and the medium access control layer (MAC).

When operated in the infrastructure mode, the mobile station attaches to an AP which provides connectivity to fixed net IP networks (e.g. the internet) or to other mobile stations.

While, in the default mode, WLAN is not secured, this means: there is a possibility of an eavesdrop attack. In order to provide a measure of security, the IEEE and IETF, have defined the WEP (Wireless Equivalent Privacy) and the VPN (Virtual Privacy Network).

WEP was designed to provide:

Authentication to protect the association to an AP

Integrity protection on MAC frames

Confidentiality on MAC frames

In comparison to other network technologies, the WEP is insecure. Based on its secret key, that serves as input for the RC4 stream cipher, the authentication and integrity protection is completely insecure and encryption at least partly insecure. There is a possibility for an attacker to intercept a single successful authentication transaction between a mobile station and the AP and be able to authenticate without knowing the secret keys. Furthermore, since a CRC checksum is used for integrity protection, an attacker can modify the data and adapt the checksum accordingly. For example, if the position of commercially sensitive information (e.g. an amount) within a datagram is known, the corresponding bits can be ex-ored with any value. With a large number of intercepted frames, the WEP keys can even be recovered, breaking the encryption.

Furthermore, since the WEP keys are network keys, preserving their secrecy is difficult for private networks and impossible for public WLAN hotspots.

In recent work of the IEEE Task group on security (TgI), the new security standard IEEE 802.1X has been adopted. 802.1X is a framework for authentication and key management which employs the Extensible Authentication Protocol for a variety of authentication mechanisms, e.g. certificate based TLS. But the weaknesses of WEP cannot be remedied by the new authentication and key management schemes in 802.1X. The IEEE is currently working towards a new standard (WEP2), and a number of proposals are in circulation.

VPN: the technology is employ to particular IPsec, in order to establish network layer security.

The IPsec protocol (or more specifically the ESP Tunnel protocol) is an internet standard for the protection of IP packets between two nodes (e.g. a mobile station and a security gateway).

The two architectures (WEP and VPN) are depicted in Figure 4 and 5 below. Figure 4: WEP Architecture

Figure 5 : VPN Architecture

Transport Layer Security

The above technology is all about securing the wireless link between a mobile customer and access network. The fact of such technology implicates that an access network is considered secure and the m-commerce transaction is completely handled within the access network.

The discussion at this point, focuses on end-to-end security for mobile devices.

I have identified two types of transport security layers:

SSL/TLS

The SSL/TLS (Internet Secure Socket Layer, protocol is by far the most widely used internet security protocol. Its main application is the HTTPS protocol (HTTP over SSL), but it may also be used as a standalone protocol. SSL requires a bidirectional byte stream service (i.e. TCP). SUN has implemented a client side version of SSL for limited devices, called KSSL (Kilobyte SSL). KSSL does not offer client side authentication and only implements certain commonly used cipher suites, but it has a very small footprint and runs on small devices using the J2ME platform.

WTLS

The WAP forum has standardised a transport layer security protocol (WTLS) as part of the WAP 1 stack. WTLS provides transport security between a WAP device (e.g. a mobile phone) and a WAP gateway which performs the protocol transformation to SSL/TLS. Hence, no real end-to-end security is provided and the WAP Gateway needs to be trusted. Note that the WAP Forum now proposes a WAP 2 stack which is a classical TCP/IP stack on a wireless bearer medium. This permits end-to-end SSL/TLS sessions.

Service Security

Here, the discussion focuses on the security of the network services which can be used in m-commerce.

Intelligent Network

IN, network architecture is intended both for fixed as well as mobile telecom networks. It allows operators to differentiate themselves by providing value-added services in addition to the standard telecom services such as PSTN, ISDN and GSM services on mobile phones.

In IN, the intelligence is provided by network nodes on the service layer, distinct from the switching layer of the core network, as opposed to solutions based on intelligence in the core switches or telephone equipments.

IN is based on the Signaling System #7 (SS7) protocol between telephone network switching centers and other network nodes owned by network operators.

The architecture of IN, is built on an IN component SCN (Service Control Point) which controls calls or data services via the CAMEL (Customised Applications for Mobile Enhanced network logic)

Parlay / OSA

The Open Service Access or OSA is part of the third generation mobile telecommunications network or UMTS. OSA describes how services are designed in a UMTS network.

The standards for OSA are being developed as part of the 3rd Generation Partnership Project (3GPP). The standards for OSA are published by ETSI and 3GPP.

The API for OSA is called Parlay, (or Parlay/OSA or OSA/Parlay) as the APIs are developed jointly in collaboration by 3GPP, ETSI, and the Parlay Group. These APIs can be freely downloaded from the web. Sometimes OSA would be misspelled as Open Services Architecture or even confused with Open systems architecture.

The Parlay/OSA framework then provides gateway functionality between applications and Service Capability Features (SCF’s) of the IN. M-Commerce applications can then access core network functionality, e.g. inquire status and location of a mobile user, send messages or place calls. Parlay/OSA applications are portable among networks which is usually not possible with IN services.

Security is an important issue, since Parlay/OSA potentially opens the core network to intruders. Parlay/OSA specifies authentication and encryption on the application layer. But the security also depends on the underlying network architecture, e.g. firewalls and strict policies should protect core network components.

Other security services:

SMS

Widely used in m-commerce and limited 160 characters. This technology is also being used for authentication and confidentiality towards a network. However its protection is question, because there is no end-to-end security

USSD

Unstructured Supplementary Service Data allows data communication between a mobile station and either the HLR, VLR, MSC or SCP in a way transparent to the other network entities. USSD possesses no separate security properties; instead it relies on the GSM/UMTS signaling plane security mechanisms.

SIM/USIM Application Toolkit

The SIM and USIM Application Toolkits (SAT and USAT respectively) allow operators and other providers to create applications which reside in the SIM/USIM. These applications can

E.g. send, receive and interpret SMS or USSD strings. Currently, there exist banking applications using SAT. This permits the sending application (e.g. the one residing on the SIM card) to send protected messages to the receiving application (which e.g. runs at a payment service operator). The required security mechanisms are:

Authentication

Message Integrity

Replay detection and sequence integrity

Proof of receipt and proof of execution

Message Confidentiality

Indication of the security mechanisms used

However, it depends on the applications whether these security mechanisms are implemented and whether their cryptographic strengths are sufficient.

Further Developments and Security Recommendations

The future development of m-commerce is still a big issue from the technology aspects and mobile customers. Aspects of technology could be: the programming, the network architectures, the security technology, new forms of devices etc.

Programming

One of the most discussed issue, m-commerce should improve. As a developer, the porting of the programming language Java onto mobile devices, still presents limitations and problem solution through Java could be:

Java SE components and source codes (src) are not compatibles on J2ME, the platform used for mobile applications.

Complicated authorization. Though it is possible to store authorization data in a mobile phone, with a java application and to use them for automatic authorization, but for security reasons, this is critical.

Unsatisfying adaptation to the particular device. Here exists the same problem, as with WAP. Though there is a common standard, a lot of manufactures are expanding it on their own. This results again in different platforms.

No offline usage possible. This problem is solved with a java application.

Unnecessary transmission of data. Also this problem is solved through java.

Second device inadequate problem solution. The advantages of a PDA are getting smaller with the usage of Java, but still it has some left, like i.e. display size.

No possibility for announcement services. This problem exists still with java.

Network architecture

Advancements have been implemented in WAP. WAP-2, slightly modified WAP, was implemented for server direct access. No need on AP, as the link between the server and mobile device is direct and secure. The problem solutions through WAP are:

Complicated authorization. There is still a complicated authorization procedure necessary. WAP 2.0 offers no function for automatic authorization.

Unsatisfying adaptation to the particular device. With the introduction of the User Agent Profile, this problem is solved.

No offline usage possible. This problem is still present, alike the first version of WAP, a continuous connection to the bank during the usage is still necessary.

Unnecessary transmission of data. Also this problem still exists. Still the whole application is transmitted every time.

Second device inadequate problem solution. The advantages of a PDA still exist, so the problem is not solved.

No possibility for announcement services. With the introduction of Push-Services, this problem will be solved.

Security technology

The development of m-commerce security technologies improved to digital signature, a method that clearly proves the origin of a message. In this particular method, a hash-value has to be deduced from the message, in order to secure the transaction. Both the sender and receiver share the encrypted hash-value known as the sender private key to deduce the message. The method is widely used in mobile banking. The solutions through security:

A private key (only known to the sender)

A public key (know to the bank)

A safe place to store the public key

An application to encrypt the deduced Hash-Value

An application to generate the message, deduce the Hash-Value and send them both together

New form of devices

New forms of devices are promising the solution of some of the problems in the near future.

The current advancements in the form of devices, is the 3G of mobile phones. 3G brings together two powerful forces: wideband radio communications and IP-based services. Together, these lay the groundwork for advanced Mobile Internet services.

The mobile devices example: Samsung S5230 Tocco Lite, Blackberry 9250 Storm, Alcatel OT-708 etc…

Another form of mobile devices coming soon, predicted for 2010 is the 4G mobile phones.

In March 2002 NTT DoCoMo announced that trials had begun on the next generation of mobile communications. Dubbed ‘4G’, the new I-mode technology will increase data transmission rates (up to 200 times faster than 2G at 20Mbit/sec). 3G data rates are currently 2Mbit/sec, which is very fast compared to 2G’s 9.6Kbit/sec. 4G builds on the 3G standard, although it integrates and unifies the different interfaces (W-CDMA, CDMA2000, EDGE, etc).

Security recommendations

There is but one solution to all issues that at times dent the security of m-commerce services. Strict vigil on malicious intruders. Easier said than done? So is every preventive measure. However, with online transactions, progress in security has been overwhelming.

Authentication

Most notable are the advances in identification and elimination of non-genuine users. M-commerce service designers now use multi-level identification protocols like security questions, encrypted passwords (Encryption), biometrics and others to confirm the identity of their customers. These steps have found wide favor all around due to their effectiveness in weeding out unwelcome access.

Intrusion Check

The issue of tackling viruses and their like has also seen rapid development with anti-virus vendors releasing strong anti-viruses. These are developed by expert programmers who are a notch above the hackers and crackers themselves. Firewalls are another common way of implementing security measures. These programs restrict access to and from the system to pre-checked users/access points.

Educating Users

M-commerce is run primarily by users. Thus, M-Commerce service providers have also turned to educating users about safe practices that make the entire operation trouble free. Recent issues like phishing have been tackled to a good extent by informing genuine users of the perils of publishing their confidential information to unauthorized information seekers.

Educating the user could be:

Adhere to security recommendations

Back up your data

Protect yourself against computer viruses

Store access-granting means securely

Look out for encryption

Avoid active content

Conclusion

There will be no m-commerce without security of the underlying technologies. In this report

I have discussed security issues associated with m-commerce network and service technologies based on two transactions applications: M-payment and M-banking and presented problem solutions to each of the future developments technologies and m-commerce user recommendations. Regarding m-payment, some systems are under development or already operational. One of the main future challenges will be to unify payment solutions, providing the highest possible level of security.