Introduction
Mobile commerce (m-commerce) is already being used and implemented as an alternative to many e-commerce services. Mobile commerce is a form of electronic commerce that specifically focuses on commerce through the use of Mobile Devices (Dwain Chang and Mandy Chin, 2007). This paper focuses on Proximity Payments using the relatively new Near Field Communication (NFC) technology. Visa and MasterCard have already entered this market with contactless payment cards like PayPass and WavePay. Many banks, mobile network operators, vendors and independent companies are already implementing this technology and running a number of trials.

NFC is a high-frequency wireless communication technology used for proximity payments in the m-commerce field; the proposed distance between devices is around 3-10 centimeters. The NFC technology is designed for use in mobile phones. An NFC device can communicate with existing ISO/IEC 14443 smartcards and readers, and with other NFC devices. It is a “read and write” technology, and it allows the high-speed transfer of data between enabled devices. An NFC-equipped device can operate in two modes, active and passive, depending on whether it generates its own field. Active devices have a power supply; passive devices do not. The three modes of NFC are card emulation mode, reader mode, and P2P.
Problem Statement
· Lack of a clear standard across the industry.
· Interested parties entering the joint ventures with the biggest profit possibilities, regardless of the possible technical inferiority of their solution.
· Merchants are not willing to buy new payment terminals and offer the possibility of NFC payment to customers until there is a critical customer mass.
· Users are not eager to purchase new NFC Mobile Devices until enough Merchants are offering NFC payments.
· Inconvenience of having the Mobile Device as a single payment solution, because of battery issues and a possible call or other mobile network action in progress when payment is required.
Objectives of the research
The aim of this research is to propose a new mobile commerce proximity payment architecture, based on the analysis of existing solutions and current and future market needs. The idea is to turn a Mobile Device into a reliable and secure payment tool, available to everyone, with which purchases and proximity payments can be performed securely and easily.
- Propose new architecture(s) and a clear standard, based on the advantages and disadvantages of the existing systems.
- Analyze the possible security issues and propose how to overcome them.
Literature Review
The basic form of proximity payments is the category of off-line micro payments. They represent the first step towards reaching more complex, macro-payment online systems. The Secure Element stored in the device prevents access by non-authorized users, and a classical Public Key structure allows transfers only between registered parties. There are three secure implementations of the Secure Element (SE): an NFC SE in the SIM card, an embedded SE in the device, and an external SE such as an NFC sticker.

The Mobile Device has NFC software, which consists of a Java ME program written for MIDP (Mobile Information Device Profile), a MIDlet, that runs on the phone's OS, and one or more Java Applets stored on the secure hardware element. Payment and ticketing applications are stored in a Secure Element in the device. The Secure Element is a smart card chip on which multiple applications can be stored. Its purpose is to accept software only from trusted parties that hold the private key that allows authentication. The entire process requires only one network connection. Once the issuer registers the user's phone number and the public RSA key, the X.509 certificate for that public key needs to be issued and sent to the Secure Element of the Mobile Device.

The most convenient solution for mobile network operators is the NFC chip on a SIM card, because it means teaming up of a network operator and any other party, or the possibility of “renting” a place on a multi-application SIM/UICC.

Some of the security issues faced by NFC are:
· Eavesdropping, where a third party receives the signal using an antenna.
· Unwanted activation, which is somewhat similar to eavesdropping. A third-party attacker tries to activate the card without the owner’s knowledge.
· Data Corruption, or modifying the data transmitted by an NFC device, using the valid frequency.
· Data Modification, where the attacker sends valid, but altered, data to the receiving NFC device.
· Data Insertion, where the attacker tries to insert a new message into an NFC communication.
· Man-in-the-Middle Attack, where two parties who want to establish communication are tricked into communicating with or via a third party, which is therefore able to record the entire conversation.
· Denial of service, where the attacker tries to interfere with the RF field in order to prevent the transaction.
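The certificate issuance described in the literature review, and the way a signature over the payment message exposes the data modification and data insertion cases listed above, as an added example (not code from the paper or from this post). It uses the OpenSSL command line; the issuer name, phone number, file names and payment message are constructed, and the RSA key pair on disk stands in for the one a Secure Element would hold.

```bash
#!/usr/bin/env bash
# Added example: issuer-certified RSA key, signed payment message and
# terminal-side verification. All names and values are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal config so the issuer root is marked as a CA on any OpenSSL install.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/ca.cnf"

make_issuer() {       # issuer root key and self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=Example Issuer" -keyout "$WORK/issuer.key" -out "$WORK/issuer.crt" 2>/dev/null
}

register_device() {   # $1 = device name, $2 = phone number (becomes the subject CN)
  # This key pair stands in for the one held by the Secure Element.
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/$1.key" -subj "/CN=$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  # The issuer signs the registered public key into an X.509 certificate.
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/issuer.crt" -CAkey "$WORK/issuer.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

sign_payment() {      # $1 = device name, $2 = message file, $3 = signature output
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

verify_payment() {    # $1 = certificate, $2 = message, $3 = signature; prints ACCEPT or REJECT
  # Step 1: the certificate must chain to the issuer root.
  openssl verify -CAfile "$WORK/issuer.crt" "$1" >/dev/null 2>&1 || { echo REJECT; return 0; }
  # Step 2: the signature must verify under the certified public key.
  openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
  if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
  then echo ACCEPT; else echo REJECT; fi
}

make_issuer
register_device phone 15555550100
printf 'merchant=M-001;amount=12.50;currency=EUR\n' > "$WORK/tx.txt"
sign_payment phone "$WORK/tx.txt" "$WORK/tx.sig"
sed 's/12\.50/1.25/' "$WORK/tx.txt" > "$WORK/tampered.txt"   # message altered in transit
# Unregistered device: self-signed certificate that the issuer never issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
sign_payment rogue "$WORK/tx.txt" "$WORK/rogue.sig"

echo "genuine : $(verify_payment "$WORK/phone.crt" "$WORK/tx.txt" "$WORK/tx.sig")"
echo "modified: $(verify_payment "$WORK/phone.crt" "$WORK/tampered.txt" "$WORK/tx.sig")"
echo "inserted: $(verify_payment "$WORK/rogue.crt" "$WORK/tx.txt" "$WORK/rogue.sig")"
```

The signature check covers modification and insertion only; it does nothing against eavesdropping or denial of service from the same list.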
Proposing new Architecture
The author proposes three architectures in the article, which we discuss below.
First Architecture:
This architecture represents the next step from the current credit card payment architecture. From the user's point of view, the only difference will be that the Mobile Device plays the role of the credit card. In the ideal case, Mobile Device manufacturers would include only the NFC chip and the antenna in their Mobile Device; the SE will preferably be stored on the SIM/UICC. The Credit Card Companies' role stays similar to the one in the current credit card payment system, with the added responsibility of authenticating the Customer's Mobile Device using the applet on the Secure Element. The main difference between this mobile payment architecture and the existing model is that the user needs to turn on the application on the Mobile Device and perform the authentication procedure before the payment.
Second Architecture:
In this model, Credit Card companies have a less important role. There is another player, the Trusted Third Party service, which makes the architecture more secure and global, but also more complex. This might lead to an increase in transaction fees. The focus in this particular architecture is on the Independent Trusted Third Party, which has the role of the neutral trusted service. There are two possible solutions regarding the party that performs this role: the Mobile Network Operator (MNO) or the Independent Trusted Service Manager (TSM). In this architecture the Mobile Device manufacturer also embeds the NFC chip and the antenna into the device, while the Secure Element (SE) is stored on the SIM/UICC card provided by the MNO. The NFC Payment Application (MIDlet) is to be provided by the third-party trusted service, including download and life cycle.
Third Architecture:
The third option represents the architecture with an even bigger role for Mobile Device manufacturers and designers of Operating Systems (OS). The possible players in this architecture are Apple, Nokia, Google with Android OS, Samsung and HTC as the biggest supporting device manufacturers, and RIM (Research in Motion) with Blackberry devices. Communication between the mobile carrier and the Online Service is not necessary in this architecture. The MNO will only play the role of providing an Internet connection to the Customer's Mobile Device. This means that the connection between the Mobile Device and the Online Service (Interface 3) is physically realized via Interface 1. The most important player is the company that owns the online store where the customer has an account and connects using the NFC Mobile Device, which in this case is the OS designer company. The Customer needs a Mobile Device equipped with an NFC chip and with the online service application, and a valid account in the online service connected to his credit card.
Conclusion
The aim of this research was to propose a new mobile commerce architecture using NFC technology, based on the analysis of existing solutions, encountered problems and current and future market needs. NFC mobile payments have a lot of potential, but the lack of a clear and global standard in the industry is considered one of the biggest issues, slowing down mass-market penetration. Three entire system architectures were proposed as a possible final industry standard: a payment system upgrade by Credit Card companies to enable mobile payments, the introduction of an independent Trusted Third Party, and Mobile Device manufacturers and OS designers making an Online Service that handles NFC payments, connecting users' mobile phones directly to their bank accounts without Credit Card companies. Each of the Architectures brings a level of progress compared to existing solutions, most of all because they introduce a new clear and global architecture standard and clearly define the roles of all involved parties. The architecture that will predominate the mobile payments market will be a technically inferior one, but introduced by a joint venture of companies strong enough to impose it regardless of the competition. Further work and improvements will be possible once big players, such as Mobile Device and OS manufacturers and Credit Card companies, make the move. The original paper is available at
References
[1] Dwain Chang and Mandy Chin, “Will mobile television be a success?” Sep. 2007.
[2] Martin Newman, “M-commerce - Now it really can be called a route to market”, Aug. 26th, 2009.
[3] John Leyden, “M-commerce - security risks exposed”, June 2010.
[4] Australian C&C Commission, “Shopping on your mobile (m-commerce)”, Aug. 2009.
[5] Scarlet Schwiderski and Heiko Knospe, “Secure M-commerce”, Apr. 2008.
[6] Jason Ankeny, “Doubts in m-commerce security”, May 2009.
[7] Ernst Haselsteiner and Klemens Breitfuß, “Security in Near Field Communication (NFC), Strengths and Weaknesses”, Philips Semiconductors, June 2010.
[8] AT&T, Verizon, T-Mobile joined venture - Isis mobile commerce network Web page, Jan. 2011.
[9] Lorenzo Stranges, Aymeric Harmand, Jean-Marc Meslin, “Oberthur Technologies new SIM-centric solution for NFC mobile payment”, Aug. 2008.
[10] Finextra, independent information source for financial technology community web page, Oct. 2010.
[11] Gauthier Van Damme, Karel Wouters, Hakan Karahan and Bart Preneel, “Offline NFC Payments with Electronic Vouchers”, Aug. 2009.
[12] European Payment Council, “White Paper – Mobile Payments”, First edition, June 2010.
[13] Prof. Min So Kang, Hanyangcyber University, “NFC Technical Status and Application”, RFID/USN Conference & International Exhibition, Seoul, Nov. 2006.
[14] ECMA International, “global ICT and Consumer Electronics standards”, Revision 1, Dec. 13. 2010.
[15] Heikki Ailisto and the Finnish ITEA2 project team, “Physical browsing with NFC technology, VTT Research 2400”, Finland, Oct. 2007.
[16] EMV, global standard for credit and debit payment cards web page.
[17] Jeff Fonseca, “NFC Market Update and Technology Overview”, NXP Semiconductors, Nov. 2009.
[18] Smart Card Alliance Contactless and Mobile Payments Council White Paper, “What Makes a Smart Card Secure?”, Oct. 2008.
[19] NFC Research Lab in Hagenberg, Austria, Official Web page, http://www.nfc-research.at/
[20] Near Field Communications Forum Web page.
[21] IBM, Electronic payment processing for Web businesses, Feb. 2002.