Technology Challenges in Mobile Payments

Dr. V.N. Sastry
Professor, IDRBT & Executive Secretary, MPFI
Road No.1, Castle Hills, Masab Tank, Hyderabad 500057
E-Mail : [email protected]
Ph: 91-40-23534981 Test : 9440803813 (M) & MMID : 9211933

January 30, 2012 at IDRBT for the EDP


March 29, 2012

Outline

• Mobile Payment Technologies
• Technology Challenges
• Some innovative developments

Classification of Mobile Payments

• Based on Value
  – Micro Payments
  – Mini Payments
  – Macro Payments
• Based on Charging method
  – Pre-paid
  – Post-paid
• Based on Location
  – Proximity Payments
  – Remote Payments
• Based on the validation of the tokens exchanged
  – Online Payments
  – Offline Payments (ex: e-coins in P2P transfers)

Enabling Mobile Technologies

[Diagram. Categories: User Interface; Platforms; Security enablers; Transport (Short-range, Long-range). Technologies shown: GSM, GPRS, RFID, Bluetooth, Infrared, 3G, SAT, Java ME, Java Card, Voice, SMS, USSD, WAP, Dual slot phones, WPKI/WIM, SIM, 4G, NFC.]

Technology Challenges

• Device Level
• Application Level
• Communication Level
• User Level
• Security Level
• Standards Level
• Consolidation Level

Device Level Challenges

• Variation in Features and Functionalities, look and feel, text size, recharging frequency, OS
• User Awareness and Education
• Voice, Data, MMS, interactivity, real time response, location aided feature etc. properly used ?

Mobile Application Level Challenges

• Is the Mobile Payment Application developed in conformance to standards? Is it interoperable?
• In which folder is the client application to be downloaded? How is a mobile payment application installed and run?
• Is the design optimized for execution in limited phone memory?
• Has it been tested and certified by a trusted entity?
• Can the customer wait for the delay to get it for his/her new model?

Communication Level Challenges

• Which channel to use: SMS, USSD, GPRS, DTMF?
• In what way is mobile banking convenience enhanced by 2G, 3G, 4G?
• When and how to use Wireless Communication Technologies: Bluetooth, ZigBee, WiMAX, Wi-Fi, LTE?

Mobile Communication Architecture

[Diagram. Blocks: Mobile Stations; Base Station Subsystem; Exchange System; Network Management; Subscriber and terminal equipment databases. Components shown: BTS, BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC.]

Interbank Mobile Payment Service (IMPS)

[Diagram. Labels: Payer-X, Bank-A, Switching (NPCI), Settlement (CCIL), Bank-B, Payee-Y.]

User Level Challenges

• Local language support on Mobiles
• Generation of Transaction report
• Mobile Application on Phone memory or SIM or memory card ?
• Trace of transaction data or critical personal data : access by others
• Mobile Wallet : risk of multiple cards in the device and value offload for cash exchange in local currency
• Mobile based Financial Inclusion services
• Complaint registration and Grievance resolution

Mobile based Financial Inclusion and Mobile Wallet

[Diagram. Labels: Customer, BC, Micro ATM, ATM / Merchant PoS, Bank A, Bank B, Switching (NPCI), Biometric Authentication (UIDAI), Settlement (CCIL).]

Security Challenges

• Authentication
  – User, Device, Application, Transaction
  – Direct, Indirect
  – Factors : You Know (UK), You Have (UH), You Are (UR)
  – One Way from source (S) to destination (D)
  – Mutual between source, destination or intermediate entities such as Telco, Mobile Payment Provider, Bank Server, Switching agency.
• Encryption & Decryption Using Cryptography
  – Symmetric key (Password, m-Pin)
  – Asymmetric key (PKI, WPKI)
• Layers of OSI Model
• Access Control Models
• Between Source (S) and Destination (D)
  – MPP to Bank : SSL / TCP
  – Bank to NPCI : SSL / TCP

Major 3 Sections of a Mobile Phone

– Power Section
  • Power distribution
  • Charging section
– Radio Section
  • Band Switching
  • RF Power Amplification
  • Transmitter
  • Receiver
– Computer Section
  • CPU (central processing unit)
  • Memory (RAM, FLASH, COMBO CHIP)

Some reported attacks on Mobile Phones

• Phishing

• Botnet

• Fake Player

• Trojan horse

• Bluejacking (Symbian )

• BlueBug

• BlueSnarfing

• BluePrinting

• Cabir (First in 2004)

• Comwar

• Skulls

• Windows CE virus

Mobile Station

• Mobile Equipment (ME) is identified by
  – International Mobile Equipment Identity (IMEI) Number
• Subscriber Identity Module (SIM) Card has keys, identifiers and algorithms
• Identifiers
  – Ki – Subscriber Authentication Key
  – IMSI – International Mobile Subscriber Identity
  – TMSI – Temporary Mobile Subscriber Identity
  – MSISDN – Mobile Station International Service Digital Network
  – PIN – Personal Identity Number protecting a SIM
  – LAI – location area identity
• STK (SIM Application Toolkit) allows applications in the SIM to interact with any ME
• ETSI GSM 11.14 standard defines the interface between the SIM and the interoperable ME.

SIM Card

• Mobile Payment Application can be installed on either ME or SIM.
• The application burnt on the SIM card gives by far the most secure application environment. The mobile application can be stored on its own security domain and hence prevented from others having access to it.
• Forensic tools and procedures exist that can be used to bypass built-in security mechanisms and recover the contents of a device.
• Both software and hardware-based methods are available for data recovery, including those that exploit existing vulnerabilities.
• A number of GSM mobile phones allow acquisition with a forensic tool if a PIN-enabled (U)SIM is missing or removed from the device. It is also possible to create substitute (U)SIMs for certain models of phones that fool them into treating the (U)SIM as the original, and allowing access.

Security at Mobile Channel Level

• Voice Channel : DTMF for IVRS
• Text Channel : SMS, USSD
• MMS Channel : GPRS
• GSM Security Mechanisms
• Equipment Identity Register (EIR)
  – Black list – stolen or non-type mobiles
  – White list – valid mobiles
  – Gray list – local tracking mobiles
• Central Equipment Identity Register (CEIR)
  – Approved mobile type (type approval authorities)
  – Consolidated black list (posted by operators)

Security at Mobile Application level

• Client Application developed by the Mobile Payment Provider (MPP)

• Server Application of the MPP at the Bank level

• Security Testing

• Key Generation and storage process

• Check Sum implemented

• Reaching to the destined address only ?


Multiple Standard Challenges

• ISO Standards
• IEEE Standards
• PCI DSS Standards
• Regulatory Standards
• Global platform Standards
• EMV Standards
• NIST Standards
• SFMS, SWIFT Standards
• NFC Standards

Mobile ad hoc network technologies

| Technology Standard | Theoretical Bit Rate | Frequency | Range | Power Consumption |
|---|---|---|---|---|
| IEEE 802.11b | 1, 2, 5.5, 11 Mbits/s | 2.4 GHz | 100m-500m | 30mW |
| IEEE 802.11g | Upto 54 Mbits/s | 2.4 GHz | 25-50m | 79mW |
| IEEE 802.11a | Upto 54 Mbits/s | 5 GHz | 40m | 250mW |
| Bluetooth IEEE 802.11.15.1 | 1 Mbits/s | 2.4 GHz | 10 m-100m | 1mW |
| UWB (IEEE 802.15.3) | 110 - 480 Mbit/s | 10 GHz | 10m | 200 mW |
| Hiper LAN2 | Upto 54 Mbits/s | 5 GHz | 150m | 200 mW |
| IrDA | 4Mbits | 850 nm | 10 m | 200mW |
| IEEE 802.11n | 600 Mbits/s | 5 GHz | 100m - 250m | 1500W |

Consolidation Level Challenges

• Server capabilities to handle high volume mobile payment transactions

• Periodic and round the clock clearing services for mobile payments

• Net and Real time funds settlement between Banks

• Cash management issues at ATMs on account of high velocity mobile payments.

• Offering Mobile Banking Application as a Cloud Service


Some Innovative solutions of Mobile Payments in India:

• Bringing all stakeholders of Mobile Payments into one platform by the Mobile Payment Forum of India (MPFI) in 2006
• Use of Mobile Phone Number and MMID only for Mobile Payments
• Use of AADHAR number and BIN for Mobile Payments
• Use of USSD based Mobile Payments
• Development of MANETs for Financial Inclusion by IDRBT
• And many other solutions reported in the workshop

MANET Ecosystem for Mobile Payments

MANET nodes.

Gateway.

Backbone Network.

Bank Server.

Fixed Relay.

Mobile ad-hoc Network (MANET)

• It is a mobile wireless network.
• MANET nodes are rapidly deployable, self-configuring and capable of autonomous operation in the network.
• Nodes co-operate to provide connectivity and services.
• It operates without a base station and centralized administration.
• Nodes exhibit mobility and the topology is dynamic.
• Nodes must be able to relay traffic sense.
• A MANET can be a standalone network or it can be connected to external networks (Internet).

MANET based Mobile Payments

[Diagram. Labels: Village, MANET node, Mobile ad hoc Network, Fixed Relays, Gateway, Backbone, Cellular Network / Satellite Technology, Internet / Private LAN, Bank Server.]

Testbed

[Diagram. MANET in a Village: Mobile Node A 192.168.1.2, Mobile Node B 192.168.1.3, Mobile Node C 192.168.1.3, Mobile Node D 192.168.1.4, Gateway 192.168.1.1, Fixed Relay. Connecting network: Cellular Network / ISDN / PSTN / LLN / Satellite Network. Bank-A Server 172.16.0.8, Bank-B Server 162.16.6.124.]