Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Security issues in_mobile_payment
1. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 1
Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET
HOD, Dept., of Computer Science
Bangalore City College
Bangalore.
E-mail: adisesha1@rediffmail.com
Phone No.:9449081542
Abstract:
Mobile e-commerce (or m-commerce) is considered a natural extension of e-commerce
and represents a new way for conducting commerce. M-commerce refers to e-commerce
transactions conducted through a mobile device via wireless networks. The electronic payment
performed in wireless environments leads to the term mobile payment (or m-payment), which is
defined as any payment transaction involving the purchase of goods or services that is completed
with a wireless device. M-payments facilitate m-commerce because they let users make online
purchases from their mobile devices remotely at any time. A key challenge with gaining user
adoption of mobile banking and payments is the customer’s lack of confidence in security of the
services. Understanding the mobile banking and payments market and ecosystem is critical in
addressing the security challenges. There are new security risks introduced with mobile banking
and payments that must be identified and mitigated. There are risks that have both an existing
mitigation method as well as those that do not have a clear risk mitigation solution. We also here
present the major security issues that must be taken into consideration when designing,
implementing, and deploying secure m-payment systems. In particular, we focus on threats,
vulnerabilities, and risks associated with such systems as well as corresponding protection
solutions to mitigate these risks. We also discuss some of the challenges that need to be addressed
in the future as m-payment systems become fully integrated with other emerging technologies
such as fifth-generation mobile networks (5G) and cloud computing.
Keywords: m-commerce, m-payment systems, m-payment Threats, Security
1. Introduction
There doesn’t seem to be a week that something relative to mobile and/or mobile payments is not
in the news. Mobile and everything mobile is the current hot area where new investments and new
ideas are blossoming in the hopes of being part of the next “big thing” that generates healthy
returns and wealth. Consumers are embracing mobile in their day to day lives and are more likely
to forget their wallet at home than their mobile phone. With all this energy and momentum around
mobile, as with any new next big thing, there are some areas of concern to consider. A key area of
concern for consumers and financial service providers is the security of mobile banking and
payments. There are new technologies and new entrants as well as a complex supply chain that will
increase the security risks. There is no real standard for technology that has captured the market
and regulations relative some of the new entrants are non-existent. Customers have increased
control of their device in terms of application downloads, OS updates and personalization of their
2. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 2
devices. This will lead to new challenges relative to privacy and will take some time before the
younger generation realizes the implications of privacy violations. Compounding the challenge is
the fact that traditional security controls such as AV, firewalls, and encryption have not reached
the level of maturity needed in the mobile space. As with any emerging market area, these
challenges will resolve over time. Until this are matures, there are measures that can be taken
relative to customer education, service process rigor, payments technology and fraud preventive
and detective controls that can mitigate the security risks.
2. Definition of Mobile Payment System
A mobile payment system (MPS) can be defined as any payment system that enables financial
transactions to be made securely from one organization or individual to another over a mobile
network (using a mobile device).
While the key phases of the generic mobile payment procedure is applicable to almost all
transactions, they can be categorized into several different groups or procedures based. Mobile
payment procedures are categorized as location-based(remote and proximity Transactions),
value-based (micro-payments, mini-payments and macro-payments), charge-based (post-paid,
pre-paid and pay-now), validation-based (online mobile payment, offline mobile payment) and
technology-based (single chip, dual chip, dual slot), token-based (eco in) and account-based
(wireless wallets). .
3. Key Technologies
3.1. Mobile Elements
In understanding the security risks of mobile banking, it is useful to understand the general
hardware and system software of a mobile device. The most prevalent technology relative to
mobile devices and the associate wireless carriers today is based on 2G technology (GSM/EDGE)
and 3G technology (UMTS/HSPA) standards. The latest technology currently being rolled out by
major carriers is Long Term Evolution (LTE) which doesn’t currently meet the requirements to be
considered 4G (speeds of up to 100Mbps for a moving user and 1Gbps for a stationary user) but is
being marketed as 4G.
The basic components of a wireless network include the spectrum for the wireless interface, the
antennas and radio processing equipment located at the base station or cell sites, and the
connectivity (T1, microwave) from the cell site back to the mobile switching center that contains
the voice and data processing equipment. The security elements for 3G technology include
encryption on the air interface and mutual authentication between the user and the network
(involving the HLR and USIM).
3.2. GSM AND GPRS SECURITY ARCHITECTURE
Global System for Mobile Communications (GSM) is the most popular standard for mobile
phones in the world. Figure 1 shows the basic structure of the GSM architecture; GSM provides
SMS and GPRS (General Packet Radio Service) services.
3. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 3
Figure 1. GSM Architecture
The GPRS Core network is an integrated part of the GSM network; it is layered over the
underlying GSM network, with added nodes to cater for packet switching. GPRS also uses some of
the existing GSM network elements; some of these include existing Base Station Subsystems
(BSS), Mobile Switching Centers (MSC), Authentication Centers (AUC), and Home Location
Registers (HLR). Some of the added GPRS network elements to the existing GSM network
include; GPRS Support Nodes (GSN), GPRS tunneling protocol (GTP), Access points, and the
(Packet Data Protocol) PDP Context.
3.2.1 Security mechanisms in the GSM network
The GSM network has some security mechanism to prevent activities like Subscriber Interface
Module (SIM) cloning, and stop illegally used handsets. GSM has methods to authenticate and
encrypt data exchanged on the network.
The GSM authentication center is used to authenticate each SIM card that attempts to connect to
4. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 4
the GSM network. The SIM card authentication takes place when a mobile station initially
attempts to connect to the network, i.e. when a terminal is switched on. If authentication fails then
no services are offered by the network operator, otherwise the (Serving GPRS Support Node)
SGSN and HLR is allowed to manage the services associated with the SIM card.
The authentication of the SIM depends on a shared secret key between SIM card and the AUC
called Ki. This secret key is embedded into the SIM card during manufacture, and it is also
securely replicated into the AUC.
When the AUC authenticates a SIM, it generates a random number known as the RAND. It sends
this RAND number to the subscriber. Both the AUC and SIM feed the Ki and RAND values into
the A3/A8 (or operator proprietary algorithm (COMP128)) and a number known as Signed
RESponse (SRES) is generated by both parties. If the SIM SRES matches the AUC SRES the SIM
is successfully authenticated. Both the AUC and SIM can calculate a second secret key called Kc
by feeding the Ki and the RAND value into the A5 algorithm.
This would be used to encrypt and decrypt the session communications. After the SIM
authentication the SGSN or HLR requests the mobile identity, this is done to make sure that the
mobile station being used by the user is not black listed. The mobile returns the IMEI
(International Mobile Equipment Identity) number; this number is forwarded to the EIR
(Equipment Identity Register). The EIR authorizes the subscriber and responds back to the SIM
with the status, if the mobile is authorized the SGSN informs the HLR and PDP Context activation
begins.
3.2.3 Problems with GSM Network
Problems with the A3/A8 authentication algorithm -A3 and A8 are not actually encryption
algorithms, but placeholders used in algorithm COMP128 [2].COMP128 was broken by Wagner
and Goldberg in less than a day.
Problems with A5 algorithm: The A5 algorithm is used to prevent casual eavesdropping by
encrypting communications between mobile station (handset) and BSS. Kc is the Ki and RAND
value fed into the A5 algorithm. This Kc value is the secret key used with the A5 algorithm for
encryption between the mobile station and BSS. There are at least three flavours of the A5
algorithm. These include A5/1 which is commonly used in western countries. The A5/1 is deemed
strong encryption [3] but it was reverse engineered some time ago. A5/2 has been cracked by
Wagner and Goldberg, the methodology they used required five clock cycles making A5/2 almost
useless. Finally A5/0 is a form of A5 that does not encrypt data at all. All these problems with the
A5 encryption algorithms prove that eavesdropping between mobile station and BSS is still
possible, making GPRS over the GSM core network very insecure for mobile banking.
Attack on the RAND value: When the AUC attempts to authenticate a SIM card, the RAND value
sent to the SIM card can be modified by an intruder failing the authentication. This may cause a
denial of service attack.
3.3 Short Message Service
This service allows mobile systems and other networked devices to exchange short text messages
with a maximum length of 160 characters. SMS uses the popular text-messaging standard to
enable mobile application based banking. The way this works is that the customer requests for
information by sending an SMS containing a service command to a pre-specified number. The
5. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 5
bank responds with a reply SMS containing the specific information. One of the major reasons that
transaction based services have not taken off on SMS is because of concerns about security.
3.3.1 Security Problems with SMS
The initial idea for SMS usage was intended for the subscribers to send non-sensitive messages
across the open GSM network. Mutual authentication, text encryption, end-to-end security,
nonrepudiation were omitted during the design of GSM architecture. In this section we discuss
some of the security problems of using SMS.
Forging Originators Address: SMS spoofing is an attack that involves a third party sending out
SMS messages that appear to be from a legal sender. It is possible to alter the originator s address
field in the SMS header to another alpha-numerical string. It hides the original senders address and
the sender can send out hoax messages and performs masquerading attacks.
SMS Encryption: The default data format for SMS messages is in plaintext. The only encryption
involved during transmission is the encryption between the base transceiver station and the mobile
station. End-to- end encryption is currently not available. The encryption algorithm used is A5
which is proven to be vulnerable. Therefore a more secure algorithm is needed.
3.4 Wireless application protocol/GPRS.
GPRS is a mobile data service available to GSM users that enables WAP-enabled devices such as
mobile phones to support services such as Internet browsing, multimedia messaging service, and
Internet based communication services such as email and World Wide Web access. Mobile phones
or terminals can access the internet using WAP browsers; WAP browsers can only access WAP
sites. Instead of the traditional HTML, XML or XHTML, WAP sites are written in WML
(Wireless Markup Language). The WAP protocol is only persistent from the client to the WAP
gateway, the connection from the WAP Gateway to the Bank Server is secured by either SSL or
TLS.
WAP provides security of communications using the WTLS (WAP Transport Layer Security)
protocol and the WIM (WAP Identity Module). WTLS provides a public-key based security
mechanism similar to TLS and the WIM stores the secret keys. In order to allow the
interoperability of WAP equipment and software with many different technologies WAP uses the
WAP protocol suite. Figure 2 illustrates the different layers of the WAP protocol.
Figure 2. WAP Protocol Suite Source from [6]
6. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 6
3.4.1 Security problems with Current GPRS Implementations
Security issues with present implementations that use WAP:
The present mobile banking implementations that are using WAP have proven to be very secure,
but there exist some loopholes which could lead to insecure communications. Some of these
loopholes include:
There is no end-to-end encryption between client and bank server.
There is end-to-end to encryption between the client and the Gateway and between the
Gateway and the Bank server.
To resolve this, the bank server could have its own Access Point Name (APN) in any of the
GPRS networks. This APN would serve as the WAP Gateway for the bank. Therefore the
client would be connected directly to the bank without third parties in the middle of the
communication.
Public key cryptosystems key sizes offered by the WTLS standard are not strong enough to
meet today’s WAP applications security requirements. Considering the low processing
power of the handheld devices, the key sizes have been restricted.
Anonymous key exchange suites offered by the WTLS handshake are not considered
secure. Neither client nor the server is authenticated. Banks should provide functionality to
disallow this option of handshaking.
Security issues associated with using the plain GPRS network:
The GPRS core network is too general; it does not cater for some banking security requirements.
Some of these requirements include:
Lack of account holder or bank authentication. The Bank can provide a unique APN to
access the Bank server, but without this or some other authentication mechanism anyone
can masquerade as the Bank. All these issues raise concerns of fabrication of either bank
information or account holder information Provision of functions to avoid modification of
data and ensure the integrity of data for both the account holder and the Bank.
The methods to cater for confidentiality of data between the mobile station and the bank
server have proven to be weak, and the network operator can view account holder s
information. This raises security issues for both the bank and account holder.
The bank cannot prove that the account holder performed a specific action and the account
holder cannot prove that the bank performed a specific action.
GPRS provides session handling facilities, but does not handle Bank specific sessions; this
may cause inconsistencies on the banks side raising security issues.
3.5 Other Technologies
Phone-based application. The m-payment client application (residing on the consumer’s mobile
phone) can be developed using the Java 2 Platform, Micro Edition for GSM-based mobile phones
and the Binary Runtime Environment for Wireless for mobile phones based on code division
multiple access.
SIM-based application. The Subscriber Identity Module (SIM) used in GSM mobile phones is a
smart card whose information can be protected using cryptographic algorithms and keys. (Smart
7. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 7
cards are microcomputers small enough to fit in a wallet or even a mobile phone. They have their
own processors and memory for storage.) SIM applications are relatively more secure than client
applications that reside on the mobile phone.
RFID. This technology uses radio frequency (RF) signals to exchange data between a reader and
an electronic tag attached to an object, for the purpose of ID and tracking.
Voice-based payment transactions. These can be done by making a phone call to a special
number and providing a credit card number.
Dual chip. Dual-chip phones have two slots: one for a SIM card (telephony) and another for a
payment chip card. This solution allows an m-payment application provider to develop an
m-payment application in the payment chip card without collaborating with the
telecommunications operator (the owner of the SIM card).
Near-field communication. This short-range wireless communication standard results from the
fusion of the contactless smart card (RFID) and the mobile phone. NFC does not have native
encryption capabilities and therefore is vulnerable to security exploits if not properly
implemented. RF signal which NFC works from has the potential to be read or intercepted up to
several meters away with the proper equipment without needing line of sight. Appropriate
encryption will provide adequate protection against eavesdropping.
Mobile wallet. This m-payment application software on the mobile phone contains details of the
customer (including bank account details and/or credit card information) that enable the customer
to make payments using the mobile phone. A possible drawback to the mobile wallet and secure
element solution is that a single pin unlocks all of the accounts stored in the wallet. This is in
contrast to plastic cards, where each card can be set to use a different pin. Mobile wallets could
thus present greater exposure to loss in the event that a mobile wallet device and its single pin are
compromised
3.5.1. Security Vulnerabilities and Solutions
As mentioned earlier, m-payment systems rely on underlying communication technologies (such
as GSM, Bluetooth, and RFID) whose security vulnerabilities are often ignored when the security
aspects of the m-payment systems are analyzed. Therefore, m-payment system designers should
take a holistic view when performing a security analysis during design and implementation.18 In
general, to counter potential threats, a secure m-payment system must satisfy the following
transaction security properties: authentication, confidentiality, integrity, authorization,
availability, nonrepudiation (ensuring that users can’t claim that a transaction occurred without
their knowledge), and accountability (defined as the ability to show that the parties who engage in
the system are responsible for the transaction related to them).
Table 1 summarizes the types of vulnerabilities and threats and their corresponding risks in an
m-payment system environment together with relevant protection solutions.
8. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 8
Table 1. Vulnerabilities, threats, risks, and protection solutions in m-payment systems.[1]
4. 4G Transmission in security of mobile payment.
4G fourth-generation wireless defines the stage of broadband mobile communications that
supersede the third generation 3G, 4G used orthogonal frequency-division multiplexing - OFDM
instead of time division multiple access - TDMA or code division multiple access – CDMA. ISP’s
are increasingly marketing their services as being 4G, even when their data speeds are not as fast as
the International Telecommunication Union (ITU) specifies. According to the ITU, a 4G network
requires a mobile device to be able to exchange data at 100 Mbit/sec. A 3G network, on the other
hand, can offer data speeds as slow as 3.84 Mbit/sec. OFDM is a type of digital modulation in
which a signal is split into several narrowband channels at different frequencies. This is more
9. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 9
competent than TDMA, which divides channels into time slots and has multiple users take turns
transmitting CDMA, which simultaneously transmits multiple signals on the same channel.
Thus it pays way to support efficient encryption mechanisms in securing the mobile payment.
4.1 Cryptography – Vulnerabilities in Mobile Payment
Cryptography techniques play an important role in satisfying the transaction security properties
mentioned earlier. They’re essential in securing m-payments over open networks that have little or
no physical security. Symmetric cryptography shares a secret between two parties (a sender and a
receiver) who want to communicate safely without revealing details of the message. Symmetric
cryptographic methods are suitable because of their low computational requirements. However,
key management in symmetric-key operations is complex. To solve this complexity, public-key
cryptography uses a pair of keys for every party: a public key (that is published) and a private key
(that remains secret). Thus, it is not necessary to share a secret key between the sender and the
receiver before communicating securely. However, traditional asymmetric signature schemes
make the signature computations expensive and aren’t suitable or mobile devices. Moreover, to
avoid impersonation attacks, for every public key, a certificate is required and must be verified by
a certification authority, causing an additional information exchange (and increased delays) during
each transaction.
5. Upcoming Opportunities and Challenges
Mobile communication continues to evolve and improve, and new technologies offering attractive
business opportunities are emerging. Solutions provided by m-payment vendors must evolve in
order to support increasingly sophisticated client applications running on mobile devices. At the
same time, designers must continuously adapt existing m-payment systems to allow clients to take
advantage of the benefits associated with emerging technologies while simultaneously ensuring
secure and reliable payment transactions. We have identified several upcoming opportunities that
may provide an effective solution to the existing security issues in m-payment.
5.1 5G Technology
The 5G mobile communications technology is the next generation of the existing 4G Long-Term
Evolution network technology. It will enable users to transmit massive data files including
high-quality digital movies practically without limitation, allowing subscribers to enjoy a wide
range of services, such as 3D movies and games, real-time streaming of ultra-high-definition
content, and remote medical services. 5G will enable software-defined radio and flexibility in
encryption method used. Furthermore, 5G will improve latency, battery consumption, cost, and
reliability, which will reduce the cost of communications over wireless networks when performing
payment transactions. Heterogeneous wireless networking technologies will continue to play a
fundamental role in the deployment of 5G networks. However, the disparity of security solutions
used by different wireless, mobile, cellular networks makes end-to-end security solutions still a
significant challenge that must be addressed to support future secure m-payment systems and
applications.
10. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 10
5.2 Cloud Computing
A cloud-based m-payment system is a type of proximity payment that stores payment credentials
(used to authenticate the payment transaction) on a remote server rather than at the mobile device.
To use this solution, both the consumer and the merchant must download the cloud-based
application and subscribe to the service. The physical mobile phone might not be needed to
complete the payment, depending on the exact solution. Consumers can access their account
information in the cloud via mobile devices. In addition, payment notification can be
communicated via email or SMS text messages once a cloud payment is completed. Despite the
benefits offered by cloud-based m-payment systems, some security issues remain unsolved. For
example, payment data and stored payment credentials in the cloud could be compromised if the
cloud server is attacked. Also, payment data should not be transmitted via SMS or email because
cloud platforms aren’t encrypted. Finally, data privacy remains a key concern for payment data
stored in the cloud, which could share this information with other businesses without the
consumer’s explicit approval.
5.3Encryption Technology
Elliptic curve cryptography (ECC) is an alternative approach to public-key cryptography. It relies
on the elliptic curve logarithm, which dramatically decreases the key size needed to achieve the
same level of security offered in conventional public key cryptographic schemes. This allows ECC
to provide similar security as RSA but using much smaller key sizes (approximately one-eighth of
the key size used by RSA), which in turn significantly reduces processing overhead. Therefore,
faster computations, lower power consumption and memory, and bandwidth savings are properties
offered by ECC that are useful for implementing encryption on resource-constrained mobile
devices. In the future, system designers should explore the possibility of incorporating ECC
algorithms in existing or new m-payment systems to reap many of the benefits of ECC in mobile
devices. Self-certified public-key schemes (where public-key authentication can be achieved
implicitly with signature verification) are an alternative security solution for m-payment systems
based on restricted communication scenarios, where an engaging party has connectivity
restrictions that prevent communication with a certification authority for validating a certificate
during a transaction. In those schemes, the user’s public key is derived from the signature of his or
her secret key along with his or her identity, and is signed by the system authority using the
system’s secret key. However, the expiration of this kind of certificate isn’t defined in all the
schemes proposed in the literature and is an open problem that still must be solved.
6. Conclusion
The aim of this paper is to focus on mobile payments to analyze the different factors as Negative
and Positive that impact adoption of mobile payments, and to introduce the mobile payment
emerging technologies and services. The key finding based on the analysis is while consumers
continue to express concern over using their mobile phone to conduct banking and financial
services transactions, it is a fear born more of perception than reality. There are threats, but the
security controls available to mitigate risk at this level are substantial and effective. However,
security practices will need to continue to evolve as more and more smart phones and technologies
11. Security Issues In Mobile Payment
Prof. K. Adisesha, BE, M.Sc. M.Tech, NET Page 11
enter the market running more and more applications, creating an ever growing opportunity for
security threats.
References
[1]Mobile Payments: Risk, Security and Assurance Issues, white paper, ISACA, Nov. 2011;
www.isaca.org/Groups/Professional-English/pci-compliance/GroupDocuments/MobilePayments
WP.pdf.
[2] Systematic Literature Review: Security Challenges of Mobile Banking and Payments System.
Md. Shoriful Islam International Journal of u- and e- Service, Science and Technology Vol. 7, No.
6 (2014), pp. 107-116 http://dx.doi.org/10.14257/ijunesst.
[3] 4G and Its Future Impact: Indian Scenario -Butchi Babu Muvva, Rajkumar Maipaksana, and
M. Narasimha Reddy International Journal of Information and Electronics Engineering, Vol. 2,
No. 4, July 2012
[4] Determining New Security Challenges for Mobile Banking- Dr. Syed Nisar Osman
International Journal of Research in Advent Technology (E-ISSN: 2321-9637) Special Issue1st
International Conference on Advent Trends in Engineering, Science and Technology“ICATEST
2015”, 08 March 2015
[5]http://warse.org/pdfs/ijatcse03122012.pdf
[6] A Secure Cloud-Based Nfc Mobile Payment Protocol.
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 5, No. 10,
2014
[7] Cloud Backup: Cloud Backup - FAQs, April 2010, Version 1.6,
https://backup.eu.businessitondemand.com
[8] Security of Mobile Banking-Kelvin Chikomo, Ming Ki Chong, Alapan Arnab, Andrew
Hutchison