Talk given by Tom at the Global Messaging 2009 conference in London on 24th June 2009. It coverred the essence of what makes a good mobile service, using Masabi's UK rail work as a case study.

1. Secure Payment and Ticketing Applications Tom Godber - CTO Masabi

2. Agenda Who Are Masabi The Mobile Experience Mobile Ticketing Taking Mobile Payments

4. 4 alphabets

5. 2 Factor Authentication

6. Secure messaging

8. Mobile Masochism The mobile experience is about PAIN Texting on a Moto… Pretty much anything at all onNokia’s touchscreen S60… User experience is becoming important Ex-RAZR users often won’t Moto again But nothing is perfect, even Steve

9. Many Services Will Fail Good ideas are common Good ideas which actually work aren’t Given handset constraints… Given real world conditions… Compared to existing alternatives…

10. Pick Your Battles A successful service must offer a significant advantage to the user An mPaymentmust be easier than cash and cards Just because a user can do something, doesn’t mean they will Offer net pain relief

11. Considerations User probably moving Must be simple Must be resilient Has user got alternatives? Cash Debit/credit cards PC

12. Connecting With The RealWorld

13. UK Rail Barcodes Reliable, fast Offline scanning Tickets still work when Internet doesn’t! Open security PKI signatures prevent modification Public Key verification is cheap, easy Royalty free, open barcodes Aztec scans best on a handset screen

14. UK Train Ticketing Phone becomes your ticket Today’s reality: Only supported on a few routes Eg. our National Express trial 3-6 months: Train franchises start to go live Some rollout of barcode reading gates

15. Not Just a Ticket UK Rail Barcode has space for other entitlements Eg. Free coffee Bundle other sales together with ticket Barcodes have plenty of other uses Remove cash from high-risk environments to reduce ‘shrinkage’

16. Mobile Ticket Delivery

17. Handset Support Chiltern Railways ticket app trial showed: Adopted outside young male demographic Often user’s first transaction with a phone Tickets must be supported on everything! Smartphones are a niche

18. Not All About The iPhone

19. Ticket Delivery SMS tickets Wap tickets Local application ticket wallet

20. Pure SMS Ticketing Picture messaging can carry small barcodes 3 SMS per picture is expensive Too small for new rail ticket barcodes Simple insecure 1D or 2D barcodes only No text details for visual inspection Scanner always required Can be forwarded and reused

21. Wap Ticketing Wap Push with ticket URL User downloads ticket Saves image like a wallpaper Must trust OMA DRM A lot of effort to size image Handsets often rescale an image that is slightly too big or small This plays havoc with barcode scanners!

22. Java Ticket Wallet User installs local ticket wallet Server sends tickets over SMS One encrypted binary msg/ticket Delivered directly to wallet app App can display ticket details and barcode Better barcode rendering > faster scanning Details readable to an inspector

23. BUT

24. Address Customer Needs! UK Rail Tickets – mainly bought in the station!

25. User Needs Ticket delivery is an extension of online Fairly useful for users without printers BUT most train tickets not bought online Sell from phone Buy in taxi / on street / in station Avoid queues

27. Mobile Payment Channels SMS Premium SMS > phone bill Credit card over SMS Payment through the browser Payment through a local app

28. SMS Premium SMS payment Good for simple transactions Easy to set up, works on everything 30-60% operator cut Best for low-value high-margin items SMS insecure for any other payment Messages be read on stolen phones Messages be read on the network

29. Mobile Browser Purchase Wap purchase is multi-step Repeat page loads slow and expensive Requires continuous connection Data mis-entry becomes painful Limited opportunity to help user with validation etc – not like full web AJAX Often insecure Wap1 inherently insecure Transcoders can mess with Wap2 and the mobile web

30. Mobile Browsers Wap security Wap2 security Inherently insecure: Used on older browsers, “Wap” settings Like the web: Most handsetsuse this with “Internet” settings

31. Transcoders with HTTPS Some transcoders leave HTTPS alone Others will insert themselves in the connection Handset cannot verify end certificate Just like a man-in-the-middle attack!

32. Java Ticket Sales App Ticket purchase in UK Aimed at repeat users Intelligent client Helps user with data entry=> minimises resends After 1st purchase, just enter CVV Submits credit card purchase with one encrypted SMS Good when signal strength low Integrated into ticket wallet

33. Technology Notes

34. Java (someone has to like it) You don’t have to be the ‘best’ Sometimes being the only option is good enough NOT suitable for everything Remember, pick your services Good for: Recurring purchases Flaky connections Retries, SMS fallback, fat intelligent client

35. Near Field Communication A lot like “Oyster on your phone” (Almost) no handset support Common by 2013? NFC already embedded on cards Habit: you pay with a card, why use a phone? Who will pay for the infrastructure?

36. NFC – Not Today NOKIA HANDSETS NOKIA NFC HANDSETS

37. Some Notes On Oyster Great in London Almost everyone has to usepublic transport Locals ‘bribed’ to adopt with lower fares Large government subsidies Not economically viable to roll out elsewhere Even London overground train lines required £40m subsidy to support it

38. tom@masabi.com+44 7967 551670@tomgodber