€¦ · Web viewSensor can be added to the device that would only require the user to swipe their...
Transcript of €¦ · Web viewSensor can be added to the device that would only require the user to swipe their...
MOBILE COMMERCE
Data Management Strategies & Technologies
DR. Abdullah Alshboul
BY
Helal Al-subagh
Abstract
Advances in e-commerce have resulted in significant progress towards strategies, requirements
and developments of e-commerce applications. However, nearly all e-commerce applications
envisioned and developed so far assume fixed are stationary users with wired infrastructure. A
new e-commerce application that will be possible and significantly benefit from emerging
wireless and mobile networks is envisioned. To allow designers, developers and researchers to
strategize and create mobile commerce applications, a four level integrated framework for
mobile commerce is proposed. Since there are potentially an unlimited number of mobile
commerce applications, several important classes of applications such as mobile financial
applications, mobile inventory management, proactive service management, product location and
search and wireless re-engineering are attempted to be identified. It is discussed how to
successfully define, architect and implement the necessary hardware/software infrastructure in
support of mobile commerce. Also, to make mobile commerce applications a reality, networking
requirements is addressed, support from wireless carriers is discussed, and some open research
problems is presented.
E-commerce, or the buying and selling of goods and services on the Internet, has become a part
of daily life for many people. The use of the Internet to purchase goods and services has grown
along with the popularity of the Internet. Businesses are increasingly turning to the Internet to
increase revenue and profits. As the Internet expands to every corner of the globe, it is becoming
easier and easier to access it from a wide variety of devices. Cell phones, PDAs, and other
mobile devices can now access the Internet from across the globe. Many E-commerce companies
have attempted to exploit this rapidly growing segment of the Internet. E-commerce over mobile
devices has now been termed M-Commerce. M-Commerce by definition is E-commerce that
occurs through the use of wireless solutions such as cell phones, pocket PC's, and PDAs. It
allows a user to purchase goods and services on the move, anytime, and anywhere.
In today’s E-commerce world, security has become a major issue that needs to be constantly
monitored and improved. By expanding E-commerce to mobile devices it is also necessary to
ensure that these devices are protected against security threats. M-Commerce faces the same
security threats that E-commerce faces plus many other due to the mobile nature of the products.
This paper will discuss the security challenges and weaknesses of M-Commerce and varying
ways to correct and overcome them. It will focus on security issues that arise when M-
Commerce devices connect and communicate over the Internet. Security challenges, risks, and
security implementations within M-Commerce will be discussed in detail. By describing the
current state of security within M-Commerce this paper will show the pitfalls that need to be
corrected. The paper will then propose an ideal M-Commerce system that will overcome these
pitfalls and provide optimal security without degrading the new technology to the point of
uselessness.
M-Commerce summary
Electronic commerce has attracted significant attention in the last few years. Advances in e-
commerce have resulted in significant progress towards strategies, requirements and
development of e-commerce applications. Nearly all the applications envisioned and developed
so far assume fixed or stationary users with wired infrastructure, such as browser on a PC
connected to the Internet using phone lines or a Local Area Network. A new e-commerce
application such as Wireless e-commerce or Mobile e-commerce will benefit one to reach the
consumer directly, regardless of where he is.
M-Commerce occurs through the use of wireless devices such as cell phones, pocket PC's, and
PDAs. It allows a user to purchase goods and services on the move, anytime, and anywhere. M-
Commerce is becoming a larger part of the Internet commerce experience. Juniper Research
performed a study that predicted that by 2009, global M-Commerce revenue will exceed 88
billion dollars. A Morgan Stanley report found that in 2005 there was 19.5 billion dollars in M-
Commerce transactions. These included revenue from people buying ring tones, cell phone
personalization, games, and services. The following chart was obtained from that Morgan
Stanley report and shows revenue generated between 2004 till 2008.
Courtesy of Morgan Stanley
With this large amount of revenue potential, companies are quickly moving into the mobile
marketplace. The M-Commerce marketplace includes many new customers that may not own a
computer or purchase goods over the Internet. In many countries of the world it is more likely
that an individual will have a cell phone then a computer with Internet connectivity. McKinsey
research firm reported that in 2005 there was an estimated 85% penetration rate for mobile phone
usage in Europe and a study in Asia by Data monitor reported that there were over 310 million
mobile devices in Asia. The Morgan Stanley research report mentioned earlier shows that in
many areas of the world the number of mobile users exceeds the number of PC users. For
example in China the ratio of cell phones to computers is 3.6 to 1, in Japan its 1.1 to 1, and in the
UK its 1.5 to1. The report also showed that more emails in Japan were sent by mobile phones
then by PC. These scenarios are highly attractive to companies because it provides an
opportunity to expand their customer bases. This means there is a potential to reach millions of
new customers and expand on revenues.
The biggest benefit that M-Commerce provides to consumers is mobility. There is no need to be
sitting at an office desk or at a home PC to perform M-Commerce. Customers can be on the
beach, in a car, or hundreds of other locations and connect to the Internet. As long as their
mobile device network is in range then M-Commerce transactions can be made. In order to meet
these demands, cell phone companies across the world are continually upgrading their networks
and increasing the speed and bandwidth of these networks.
European and Asian cell phone companies have utilized high bandwidth cell services for many
years. This technology is often referred to as 3G. American cell phone companies are beginning
to bring 3G to the US. A few examples of these are AT&T’s Broadband Connect (HSDPA),
Sprint PCS Wireless High Speed Data (EV-DO), and Verizon Wireless Broadband Access EV-
DO. These upgrades to cell services allow users to access more and more types of high
bandwidth Internet content. The ability to access a wide variety of Internet sites opens a whole
new business model. The evolving technology allows people to make productivity out of
otherwise idle time. People can buy movie tickets, make financial transactions such as
purchasing stocks or checking a bank balance, read email, or purchase other goods. And with
these increased cell services people now expect to be connected at any time, any place, without
being tied to an office or home computer.
As can be seen from the statistics and scenarios mentioned above, M-Commerce has enormous
potential to generate revenue and allow new people to access the Internet. But along with the
potential it also has a large amount of risk, limitations, and challenges. In the near future a great
deal of money and data will be transferred utilizing M-Commerce systems. And as always seems
to be the case, someone will try and exploit the system and steal this money and information. For
this reason it is necessary to ensure that current and future mobile devices that will be utilizing
within M-Commerce implement security mechanisms. M-Commerce faces the same security
threats that e-commerce faces plus many others due to the mobile nature of the products. Will
discuss the challenges and weaknesses of M-Commerce and then will present security
mechanisms that currently exist. The paper will close by discussing methods to improve current
systems for the future and what should be contained in an optimal and secure M-Commerce
security protocol.
Mobile Advertising
Mobile advertising is also a very important class of mobile commerce applications. Using
demographic information collected by wireless service providers and information on the current
location of mobile users, much targeted advertising can be done. The advertising messages sent
to the user can be location-sensitive and can inform a user about various on-going specials
(shops, malls and restaurants) in surrounding areas as shown in figure. This type of advertising
can be performed using Short Messaging Service (SMS) or by using short paging messages to
mobile users. The messages can be sent to all users located in a certain area, a user-specific
message can be sent independent of the user current location. Since the services need the current
location information of a user, a third party may be needed to provide location services. However
this may require a sharing of revenues between the network service provider and location service
provider. As more wireless bandwidth becomes available, content rich advertising involve audio,
pictures and video clips can be produced for individual users with specific needs, interests, and
inclinations. It is also possible that direct advertising to users may be performed without much
control from the wireless service providers. Mobile Inventory Management (MIM) This class of
application involves location tracking of goods, services and even people. The tracking of goods
may help service providers in determining the time of delivery to customer, thus improving
customer service and obtaining a competitive edge over other business. One very interesting
application is rolling inventory-which may involve multiple trucks carrying a large amount of
inventory while on move. Whenever a store needs certain goods/items, it can locate a truck
(preferably in nearby area) and just-in-time delivery of goods can be performed. The rolling
inventory and delivery application can reduce the amount of inventory space and cost for both
vendors and stores and may reduce the time between when an order is placed and the goods are
delivered. Location tracking of components can be broken into two components: indoor and
outdoor. Indoor tracking can be performed by a chipset (TX/RX) and location information may
be transmitted over a satellite or cellular/PCS system to the component supplier where such
information is needed. Product Location and Search (PLS) this class of application includes
locating an item in a particular area or location. This is concerned with finding an item with
certain specifications and whether it is available in a specified area or not. Potentially, there
could be multiple places where such an item or items of similar attributes are located. Currently
many people are going to several stores to find an item (certain brand/size of TV, VCR or an
automobile) and compare prices and features. Using a mobile device and centralized/distributed
database containing information on products, a user should be able to find the exact location of
the store where a certain item is located. After that the user can buy online using a browser on
his/her mobile devise. In the case of multiple stores/vendors carrying an item desired by a user,
they could compete to get customer by real time manipulation of prices or by offering instant
discounts. From the technological point of view, a mobile user can send a query message to a
centralized location (shown in figure), which in turn can interface several different stores/dealers
and decide if the item is available or not.
M-Commerce Security Challenges
M-Commerce, like E-commerce, faces formidable security hurdles. As identity theft, phishing,
and other attacks on the Internet become more prevalent, consumer trust in Internet technologies
seems to be falling. In order for M-Commerce to be successful the security weaknesses and
concerns need to be addressed and solved. The key to widespread usage of M-Commerce is to
gain the trust of users so that they will be willing to perform transaction on their mobile devices.
As previously mentioned M-Commerce has the same security problems that occur within e-
commerce plus it has its own set of unique challenges. M-Commerce has the problem of viruses
and malware, data theft, Denial of Service attacks, phishing, insecure default settings,
inexperienced users and sniffing that seem to affect all Internet technologies. M-Commerce also
has some unique problems such as limited computer power, loss or theft of the mobile device,
varying standards, the broadcast nature of wireless transmissions, immature technologies, lack of
authentication, and weak device operating systems. In order to reach its full potential these
challenges and weaknesses must be addressed.
M-Commerce has two major security challenges that differentiate it from normal Internet
commerce. The first challenge is that the devices are small and portable which can result in loss
or theft of the device. Mobile devices are by design small and portable. While this is good for
day to day usability and convenience it is not a good then when it comes to security. Modern
mobile devices contain more and more sensitive information. In recent years there has been an
abundance of instances where companies have lost personal data by losing laptops or backup
tapes. This same type of incident could occur with a mobile device. Mobile devices often contain
phone book entries, journal entries, calendars, etc. that can contain valuable personal or
corporate information. In a corporate setting the theft of this data could lead to financial losses or
loss of a company’s trade secrets. Today Pocket PCs and Smart Phones can contain full
documents or spreadsheets that could contain sensitive data. Loss of this data could harm an
individual or company more than just the disclosure of a phone book or date book. The challenge
with mobile devices is that we need to be able to protect the sensitive data on the phone even if it
is lost or stolen.
The second challenge is that mobile devices are not as powerful as modern computers. This
makes security a challenge because the same security mechanisms that may work on a desktop or
laptop PC may not work on a mobile device. The capabilities of Mobile devices often lag behind
PCs because they typically lack in processor power, memory, storage space, display capabilities,
and input capabilities. This causes problems when trying to use PC security protocols on a
mobile device. For example many encryption standards used on the Internet today use a large
amount of processing power to perform the mathematical computations required by
cryptography. Mobile devices may not have the processing power necessary to perform these
computations and therefore certain types of encryption may not be able to be used. Mobile
Devices are becoming more and more powerful but they will always be a step or two behind the
power of PCs. Because of this lag there will probably always be protocols and standards that
function on a PC that cannot be used on a mobile device.
M-Commerce Security Weaknesses
The challenges listed in the previous section cause many weaknesses within M-Commerce
systems. These weaknesses are lack of user awareness, limited computing power, possible loss or
theft of device, incomplete authentication schemes, the use of wireless transmissions, vulnerable
operating systems, and the use of unsecured technologies.
User Awareness: A major security weakness that occurs in both e-commerce and M-Commerce
is the lack of user awareness. The typical user is not aware that their actions have security
implications. A typical user will not worry about securing their phone through a locking
mechanism, or they will not ensure that transactions are secure before proceeding. This can lead
to the spread of viruses or the leaking of sensitive data.
A possible solution for overcoming the lack of user awareness is to have the wireless carriers
offer security training or provide a security awareness pamphlet when a user purchases a mobile
device. There will always be people who refuse to read a pamphlet or pay attention to security
training but the more people that are away of the risks the more likely the risks will be reduced.
Also, the mobile device manufacturers should be held responsible for making the devices a
secure as possible by default. Currently many security features are either disabled by default or
are set to the lowest security setting. If manufacturers set their device security defaults to a
secure setting then users will always have some level of protection even if they decide not to
further configure the phone.
Limited Computing Power: As mentioned in the previous section, mobile devices do not have
the same computing abilities as PCs. Mobile devices by nature need to be small and portable for
functionality and therefore cannot contain the same technology as larger PCs. A major
disadvantage of not having the same computer power is that certain security related tasks require
heavy processing in order to be accomplished successfully. The lack of CPU power makes some
of these tasks impractical within a mobile device. The best example of this is encryption. A
powerful processor is required to perform the complex mathematical calculations that are used in
modern encryption schemes. Performing complex mathematical calculations on a mobile device
can overwhelm the devices processor and cause the device to function extremely slow and
possibly crash the system. In order to get encryption to work properly on these devices
manufactures are required to either rework existing encryption algorithms to function on the
slower processor or remove the encryption all together.
As technology advances inside the mobile devices it is becoming more and more possible to
implement today’s encryption standards. The problem is that the mobile device industry needs to
increase their processor speeds at the same rate that the encryption standards change. Current
encryption methods will not work in the future. Attackers will have more powerful machines at
their disposal that can be utilized to crack current encryptions. In order for M-Commerce to stay
secure it will need to evolve with the encryption standards to ensure that the newest standards
can be utilized on mobile devices. The best circumstance would be if mobile device processors
advance at a rate that allows them to perform typical PC encryption standards. This would reduce
the amount of work that is currently necessary to rework existing encryption algorithms.
Possible Loss or Theft of Device: As stated earlier a major challenge and weakness of M-
Commerce is that the devices are small and easily lost or stolen. The loss of a device can lead to
financial losses or identity theft. The cost of a lost or stolen device goes well beyond the cost of
just replacing the device. Along with the cost of the phone a user also loses the intangible costs
associated with loss of data. It is not really possible to prevent the loss of theft of a device. But it
is possible to secure the device so that if it is lost or stolen it is useless. The best ways to do this
is to encrypt data on the devices and/or to implement a secure authentication scheme. This will
be talked about next.
Lack of Complete Authentication: One of the major weaknesses that exist within M-Commerce
is the lack of complete authentication. Currently cell phone service providers authenticate the
devices they have on their network through the use of a SIM card within the user’s mobile
device. This enables the service provider to be reasonably sure they are communicating with the
proper device. The problem occurs because there is a lack of authentication in the system
between the user and the phone. Currently most cell phones have no method in place to prove
that the user making Internet transactions on the phone is the rightful owner of the phone. This
means an attacker can use the phone to make fraudulent purchases without ever needing to crack
any authentication scheme. On most devices it is possible to enable a lock function on the phone
to secure the device but this is typically only a 4 digit code that has a small range of possibilities.
It would be relatively easy for a determined attacker to break the code through trial and error or
the use of a computer. Even with the ability to use a security code, the majority of users do not
implement it. It is seen as an inconvenience and not necessary. Even the default mode for most
devices does not implement the pass code. By not requiring the user to authenticate to the phone
anyone can access the contents of the phone and possibly impersonate the legitimate user in
order to purchase goods or services online.
There a many ways being proposed to add user authentication to mobile devices. The most basic
is to use a password scheme instead of the typical 4 digit pin. A password can be more complex
and would expand the range of possibilities by allowing numeric and alphanumeric characters. It
would also allow the password to be over 4 characters. This functionality is currently being
implemented on some Smart Phones and PDAs.
Another proposed solution is to use signature or handwriting recognition. This would require that
the device have a touch screen and stylus that would allow a user to sign their signature. The
device would then compare this to a sample signature that was entered into the device during
setup. If the signatures match then the user would be authenticated and allowed into the system.
The problem with this system is that it requires additional hardware be added to the phone. The
touch screen and stylus would add to the cost of the phone. This may make it impractical for
most mobile devices.
Yet another proposed Authentication scheme is biometrics. The most feasible biometric
technology that could be implemented in a mobile device is fingerprint recognition. A fingerprint
Sensor can be added to the device that would only require the user to swipe their thumb over a
sensor to grant access to the phone or access to specific applications on the phone. The system
could be similar to the fingerprint sensors that Lenova is implementing in their Think Pad
laptops. Many popular cell phone manufacturers, such as LG, have begun implementing
fingerprint sensors into special models of their phones. Most of these phones are currently
unavailable in the US but will be available in the future. Unfortunately biometrics have some
significant problems. For one, if the fingerprint sensor fails or reads a false negative, even with
the correct finger, then the user cannot gain access to their phone. This is a common problem in
all biometric systems, not just mobile devices. In order for biometrics to become a widespread
reasonable authentication option for mobile devices a method needs to be created to bypass the
fingerprint reader in the case it’s failing and also a more reliable scanner must be developed.
Currently the biometric sensors are not used to lock and unlock a phone. They are instead used to
authenticate the user when they are performing specific online transactions. Before the biometric
sensors can be used to log a user into their phone the false negative situation needs to be
resolved. The other downside of adding biometrics to a cell phone is that it adds a significant
hardware cost to the device and may not be reasonable on lower end mobile devices.
Vulnerability of Wireless Transmissions: Like WiFi, mobile transmissions are broadcast through
the air and because of this the transmissions are able to be captured by anyone in the vicinity of
the device sending the transmission. An ambitious attacker could sniff the air and attempt to
collect packets. Transmission technology typically encrypts all data but an attacker can still
attempt to crack the encryption. And if for some reason a transmission is not encrypted, due to an
unsecured protocol or a flaw, then the attacker can read the contents of the data. Currently the
wireless transmissions used for mobile devices are relatively secure and flaws are relatively few.
To overcome those few instances where vulnerabilities may exist, carriers and mobile device
manufacturers need to ensure that their devices use secure protocols and that the protocol is used
throughout an entire communication session so that no data is transmitted in plaintext at any
time.
Vulnerable Operating Systems: Most mobile devices have simplified operating systems. In the
past there was no need to make the OS complicated. Now devices are beginning to become more
sophisticated and have more and more applications running on them. Smart phones and PDAs
may run Microsoft Windows Mobile 5.0 OS or a Palm OS. These OS are vulnerable to coding
flaws like any PC OS. The major problem that occurs with these mobile OSs is that they do not
have the same update functionality that desktop PCs currently enjoy. For example, Microsoft
Windows Mobile does not have the Windows Automatic Update service. So if a hot fix or patch
is released to update security vulnerability within the OS then it will not be automatically pushed
to the device. In order to receive the update the user would need to be proactive and get it
themselves. This is not an efficient way to update vulnerabilities on an OS. A typical user will
not be aware of new hot fixes being released and chances are they will never apply the necessary
hot fixes. Therefore the OS is left vulnerable which could allow an attacker to gain access and
circumvent any other security features that have been implemented, such as authentication.
The solution to correcting the vulnerable Operating System problem is to create an automatic
update system like the ones that are used on PCs. The OS vendors need to create a way that will
allow carriers to push the updates to the mobile devices when the devices are online and also
have the updates installed silently in the background. The Microsoft Automated update system
could be a good model to follow.
Another weakness that seems to appear more and more in today’s technically advanced phones is
the implementation of unsecured technologies. For example many phones are beginning to
implement infrared and Bluetooth sensors into their phones. These protocols can be very helpful
for a user by allowing them to remotely connect other devices to their mobile device in order to
transfer files, date books, addresses, etc. Unfortunately, these protocols are also susceptible to
exploitation. Both Bluetooth and Infrared ports give an attacker a backdoor to gain access to the
device. An Attacker may be able to gain access to the device while never getting within 20 feet
of it. Bluetooth has also been the primary source of viruses on mobile devices. While these
viruses are not yet widespread they are becoming a bigger and bigger threat. With the lack of
virus software running on mobile devices there is reason to worry. A device that is infected by a
virus could potentially infect everyone in their address book. Bluetooth is also susceptible to
“Blue Snarfing”. Blue Snarfing is when an attacker gains access to your device through the
Bluetooth port. Once the attacker gains access to the phone the attacker can change appointments
and/or steal address books, photos, and files. Even worse an attacker may be able to make calls
through your phone or possibly crash the device OS.
Device manufacturers often implement the newest technologies because they are in a race to be
the first to market. The security issue arises when the manufacturers do not ensure these
technologies are secure or they do not disable the insecure technologies by default. In order to
correct this problem, manufacturers need to spend more research time to determine if
technologies are secure. If they are not secure the manufacturers should determine a way to make
them secure or at least disable them by default on a device so that novice users do not leave
themselves susceptible to attacks.
M-Commerce Technologies
Mobile devices typically connect through the Internet using one of two technologies, either the
Wireless Application Protocol or iMode. Which technology is used depends on location and
carrier. Both protocols have security protocols in place to protect data that is transferred. They
each also have methods to authenticate the device to the carrier. The following sections will
briefly discuss each protocol and then detail the security implementations for each protocol.
Wireless Application Protocol
The Wireless Application Protocol, or WAP, is one of the most widely used standards within M-
Commerce. It is a standard created by the WAP forum that dictates a common method for
accessing and viewing web content through wireless mobile devices, primarily mobile phones. It
has been designed to function on mobile devices that do not have the CPU power, memory,
bandwidth, or display abilities that desktop or laptop computers have. The WAP protocol details
everything from how the mobile device needs to function when accessing and viewing Internet
content, to how the data must be transferred. Every protocol within WAP is optimized for low
bandwidth and low power devices. WAP was also developed to be bearer independent. That
means that it was designed to work on a variety of mobile network types for example GPRS,
EDGE, and CDMA.
WAP allows a user to utilize very basic browser software called a “micro-browser” to visit web
pages that are designed specifically for mobile devices. These sites are usually designed with text
and minimum graphics. WAP has also been designed to be flexible and allow devices with
varying display abilities, for example screen size or resolution, to all work properly when
accessing the same sites.
WAP was initially release in 1998. [10] WAP Version 1.0, as it was called, utilized its own set of
wireless protocols in order to communicate with the carrier and remote websites. The following
figure shows the different layers of the WAP 1.0 network stack and the stacks utilized by the
carrier and a remote web server. The WAP Device is the mobile device, the WAP Gateway is the
carrier, and the Web Server is a remote website server. For information on the specific protocols
see the WAP Forum documentation for WAP 1.0.
This protocol stack was functional for the first incarnation of WAP but it was not very secure
and it was not fully functional with all Internet sites. Security in WAP 1.0 was provided through
WTLS. WTLS is a scaled down version of the popular TLS protocol. The major security
weakness of WAP 1.0 came from a problem called the “Gap Problem”. When a mobile device
attempts to connect to a website it must first connect to the carrier and then the carrier will pass
the web request to the remote web site. When using WTLS and WAP 1.0 the mobile device
would make a secure connection with the carrier and the carrier would use TLS to make a
separate secure connection to the remote website. In the figure above you can see that the
Gateway transforms the WTLS connection into a TLS connection with the remote website. The
security vulnerability, or Gap Problem, arose when the carrier had to take the data from the
mobile device and pass it to the remote server. As a middleman, the carrier would decrypt the
data from the mobile device and then encrypt it using TLS to pass the data to the remote carrier.
After the data is unencrypted and before it is passed to the remote website, the data is stored
entirely in plain text and visible to anyone who gains access to the carrier’s server. The preferred
work around to the Gap problem in WAP 1.was to not save any transactions to disk and/or, if
you were a corporate customer, move the WAP Gateway within the company network so that the
data can be better protected.[11] This solution was not thorough enough and is one of many
reasons that WAP 2.0 was developed.
WAP 2.0 was released in late 2001 and is fully backwards compatible with WAP 1.0. WAP 2.0
added support for TLS, HTTP, and TCP and introduced the ability to push data from a carrier to
a WAP enabled mobile device. WAP 2.0 is also able to support more powerful mobile devices
over higher bandwidth connections. From a security perspective the most important addition was
the ability to utilize the TCP\IP network stack. The reason being is that TLS could now be used
instead of WTLS and common PC Internet technologies could be utilized. The use of TLS
instead of WTLS allows a mobile device to make a secure tunnel from the device all the way to
the remote website. There is no longer a need to decrypt and encrypt the data at the carrier’s
server (WAP Gateway). Therefore there is no longer a Gap Problem. The figure below shows the
protocol stack for WAP 2.0 and the stacks utilized in a typical web connection. The WAP device
is the mobile device, the WAP Proxy is the carrier, and the Web Server is the remote website’s
server.
According to the WAP Forums documentation of WAP 2.0, the WAP Gateway from version 1.0
was removed and replaced by the WAP proxy. The Proxy does not perform translation like the
WAP Gateway but instead assists by speeding up communications and it can provide services to
a mobile device through a WAP push.
Besides the ability to use TLS and make a secure connection from device to website, another
major security feature of WAP is the ability to use a WAP Identity Module (WIM). The WIM is
a tamper resistant chip that is typically embedded on a users SIM card. The WIM is often
referred to as the security module of the SIM chip. The chip contains the user’s digital certificate
and private key information and it stores the cryptographic functions that can be used with
security protocols. The private keys on the WIM can be utilized for authentication and for
creating digital signatures. The chip was also designed to be tamper resistant in order to prevent
attackers from modifying or extracting the certificates or keys from the chip.
The WIM chip can be utilized within a Wireless Public Key Infrastructure (WPKI). WPKI is the
wireless version of typical PKI systems. It allows the use of private and public keys in a M-
Commerce environment. WPKI provides confidentiality through cryptography, authentication
through digital certificates, integrity through digital signatures, and non-repudiation through the
use of digital signatures and certificates. The primary difference between a PKI and WPKI
environment is that WPKI has been modified to function with lower powered mobile devices and
on lower bandwidth networks. WPKI takes full advantage of the WIM chip by using the user’s
private keys that are stored within the WIM. The same x.509 certificates that are utilized within
standard PKI are also utilized within WPKI and are stored on the WIM.
iMode
iMode is a protocol similar to WAP that allows mobile devices to connect to the Internet.
Whereas WAP was developed by a forum of vendors and researchers, iMode is a proprietary
technology and was developed by NTT DoCoMo, a Japanese telecommunications company. It is
extremely popular in Japan and is spreading to Europe and other parts of Asia. At the end of
2004 there were over 35 million users.[8] Many Japanese users send email, access websites,
purchase tickets and perform many other online transactions through iMode. Unfortunately, due
to the proprietary nature of iMode there does not seem to be the same growth potential that WAP
has. iMode requires a user to connect to a NTT DoCoMo owned server in order to access the
web. In order for iMode to grow NTT DoCoMo would need to invest a significant amount of
money into their infrastructure in order to have enough servers for a larger user base. This differs
from WAP.
Where separate vendors can share the cost by implementing their own WAP systems and
interconnecting them through the Internet.
Since iMode is proprietary, very little is known about the way security is implemented in the
system. It is known that the protocol uses standard HTTP security protocols like TLS and SSL
but lower level protocols are all proprietary so no security information is available. It is also
known that iMode phones come pre-configured with root CA keys from VeriSign or other
certificate authorities. This allows for the SSL connection between the device and the remote
web sites. As for authentication, iMode uses basic HTTP authentication.
There is reason to worry about the security of iMode because the initial implementation was
designed with security as an afterthought and the current implementation is vague. The primary
goal upon introduction of the product was to provide Internet access and make a profit. Since the
initial implementation security features have been added but it is not known exactly how secure
the devices really are. I believe in order for iMode to remain competitive with WAP more
information about its implementation must be made available to the general public. This is the
same debate that exists within the computer world of Open Source vs. Proprietary. While
Proprietary may be good for making a profit it
Model M-Commerce Security protocol
By now you can see that there are many weaknesses that exist within devices that utilize M-
Commerce. In order for M-Commerce to grow these issues must be addressed. The following
section details and ideal M-Commerce security protocol. The protocol has been categorized into
three areas: Device Security, User Security, and Network Security. These three categories cover
the three main areas that require security within an M-Commerce environment.
Device Security
Of all components of an M-Commerce system the one that should be the most secure is the
mobile device. The device is where data originates, resides, and is received. If the information
can be secured on the device then there is a better chance it will be secure throughout an entire
M-Commerce transaction. A model mobile device would be secure by default. All technologies
utilized on the phone should be locked down. The technologies utilized should not be locked
down so tightly that they are no longer functional or so much that they become a burden but
enough that a typical user will be relatively secure without the need to manually configure the
device. An example of this is that Bluetooth and Infrared sensors should be disabled by default.
If a user wishes to use the technologies then they can enable them manually on the device. When
the user enables the technologies they should be warned of the possible security risks. By making
the customer aware of possible security threats they will be more aware of their actions. They
will be more likely to disable the technology when they are finished using it.
Also, in order to provide security upon initial use of the device, the customer should be walked
through a set of configuration steps where they will be asked to provide a password and set other
security settings. This will force a user to have some level of authentication on their device and
by requesting that the user set a password there is a better chance that the feature will be utilized.
While this may be seen as a nuisance at first it is more likely that a user will be accustomed to
the feature if it is used from the very first time they power on the device.Along with prompting
the user to configure a password the manufacturer should configure the device to use
alphanumeric passwords that are greater than 4 digits. This would make the password more
difficult to crack if the device was lost or stolen.
On more sophisticated and costly phones, biometrics should be implemented. A fingerprint
scanner should be embedded within the phone. When a call is to be made or a web transaction is
to be performed the user need only to rub their finger over the sensor to be authenticated. This
will prohibit any attacker to utilize the phone if they steal the phone. At the same time it is not
overly burdensome on the user because it only requires a simple finger swipe. If Biometrics are
implemented then the password feature mentioned in the previous paragraphs can be disabled.
A model M-Commerce device should also use a mobile web protocol that has the ability to
perform secure internet transactions. This protocol should use standard TCP\IP security features
and protocols that are commonly utilized on the Internet. The implementation of proprietary
technologies or differing protocols can increase complexity and reduce the level of security
within the system. An example can be seen with the WAP 1.0 Gateway problem. The Gateway
problem was caused because WAP 1.0 utilized WTLS instead of the Internet Standard TLS. In
order to function properly the Carrier had to translate the WTLS into TLS for the Internet. This
created security vulnerability. By utilizing a standard TCP\IP protocol suite, a mobile device will
be able to use TSL\SSL to create secure tunnels for all secure transactions and communications.
WAP 2.0 is a good example of a protocol that satisfies these requirements and it would make a
good choice when implementing a secure M-Commerce model.
A model M-Commerce device should also be able to utilize private keys and digital certificates.
These would be utilized to provide authentication, confidentiality, integrity, and non-repudiation.
These private keys on the device should be unique for every individual and they should be stored
securely on the mobile device. They should also be registered with a Certificate Authority so that
their public key is available. The WIM chip within WAP is a good example of an
implementation of storing private keys. The WIM chip is tamper resistant and contains a users
private keys and certificates. The method used by a model device to store the keys and
certificates should also portable. This means that a user should be able to be take the keys with
them if they switch phones. This will allow a user to always have the same keys. If the device is
stolen, other devices on the network should be able to quickly revoke the certificate so that it is
no longer valid. This could be implemented through certificate revocation lists or other methods.
A model device should be able to implement all encryption methods that home PCs are capable
of today. This would either require that the CPUs on these devices become more powerful or a
separate chip may need to be developed that is solely responsible for performing encryption
routines. This could reduce the workload on the device CPU and prevent it from being
overloaded or crashing. By allowing mobile devices to use the same encryption standards that
PCs use we would be ensuring that the devices could interact on the Internet like they were a PC.
This is one of the overriding goals. We want the device to seem like it is a fully fledged PC that
can be stored in your pocket.
In order to prevent loss of data if the device is lost or stolen all data stored on the device should
have the option of being encrypted. This includes address books, calendars, journal entries, and
other documents stored on the phone. If the data is encrypted a lost or stolen device will not
result in the loss of data that could lead to large financial losses. There should be an option to
encrypt data so that the phone is not overly burdened by performing constant encryption routines
on all data.
The mobile device should utilize a secure mobile OS. This mobile device should have the ability
to be updated through a push function provided by the vendor or carrier. A good model to follow
for this is Microsoft’s Automatic Update function. This application allows a home computer to
receive updates without being requested by a user. The only interaction required by the user is to
Approve the installation of the security patches. A similar functionality should be utilized within
a mobile OS. It is impossible to develop a perfect OS. There will always be flaws and there
should be an efficient and effective method implemented to fix these flaws as they appear.
A model device will also not implement new technologies just for the sake of being first to
market with the technology. The manufacturer should research technologies that they implement
within their devices and they should ensure that they will not create security vulnerability on the
device. If vulnerability is found then the manufacturer should find a way to secure the
vulnerability or at the least disable the technology by default so that the security hole is not
enabled without the knowledge of the consumer. Again an example of this is Bluetooth and
Infrared sensors.
User Security
User security is also necessary within a model M-Commerce system. Users must be made aware
of the repercussions of their actions when utilizing their mobile devices. They must understand
the losses that they may incur if proper precautions are not followed. The best method to provide
this is by providing guidance to the user when they purchase the device. One method of
providing guidance would be to provide a pamphlet or booklet along with the device that details
all the security features on the phone and what settings should be utilized. The booklet should
also detail what a user should be aware of when making transactions on their phone. For example
they should be shown how to verify that they are making secure connections and they are not
being tricked by an attacker. This method of providing guidance may not be followed by all
users. In order to ensure that all users receive some sort of guidance, the mobile device should
also have warnings appear on screen when a user performs a potentially harmful action. For
example, if the user attempts to disable the password feature then the phone should make them
aware of the repercussions by displaying a warning on the screen that the user must agree to
before continuing on.
Network Security
Of all components of an M-Commerce system the network is currently the most secure. Carriers
utilize modern encoding and encryption techniques to ensure that their data is secure when
traveling through the air. In order to ensure that this security remains at all times, carriers should
ensure that encryption occurs from end to end in a transaction. This means the data is encrypted
on the device and is never unencrypted until it arrives at its destination. There should not be a
middle man that can read the data.
Conclusion
In conclusion, Wireless carriers can play a very active and important role in the mobile
commerce applications and services due to the fact that a mobile user is going through their
network to perform all mobile transactions. Service providers can also act as content aggregators
but are likely to act as a clearing house for content and application providers in advertising and
distributing their products to its customers. Wireless carriers are also to face challenges involving
how to price mobile commerce services, and because several carriers are likely to be involved in
completing a mobile commerce transaction, another issue is how to divide revenues among
multiple carriers.
There are many important issues that need to be addressed before mobile commerce applications
can be widely deployed. These include the development of new business models for charging
wireless customers and for revenue division among providers, maturity of application software,
middleware support, vendor support and user trust necessary for conducting mobile transactions.
There are some important issues for developers of m-commerce applications.
Aas you can see there are currently many security challenges and weaknesses that exist within
M-Commerce systems. In order to expand the usage of M-Commerce manufacturers, developers,
and wireless carriers need to gain consumer trust by implementing security features into their
devices. They also need to ensure that adding this security features is not overly burdensome to
the consumer. If so the devices and features will never be utilized. If Manufacturers and
Developers develop more secure devices, implement more secure protocols, and ensuring that
users are aware of potential ramifications of their actions then consumer trust will come.
This paper described many of the challenges and weaknesses that need to be overcome. But this
is by no means an all inclusive list. This paper also listed possible suggestions for overcoming
these weaknesses and it detailed what items a model secure M-Commerce system should include.
It is now up to the manufacturers, developers, and carriers to pay attention to the security aspects
of M-Commerce and resolve the issues that exist today.
References
[1] – Peat, Graham “The Promise of M-Commerce: Is it Worth the Risks?”, SafeNet
http://www.safenet-inc.com/library/2/business_brief_mcommerce.pdf
[2] – ePayNews “Statistics for Mobile Commerce”, TrinTech Group
http://www.epaynews.com/statistics/mcommstats.html
[3]- T. Karygiannis, “Wireless Network Security 802.11, Bluetooth, and Handheld Devices”,
HPCC
http://www.hpcc-usa.org/pics/03-pres/karygiannis.pdf
[4]- Yeun, Chan Yeob, “Secure M-Commerce with WPKI”, Toshiba Telecommunications
Research Laboratory
http://www.iris.re.kr/iwap01/program/download/G07.pdf
[5] -Jansen, Wayne A., “Authenticating Users on Handheld Devices”, NIST
http://csrc.nist.gov/mobilesecurity/Publications/PP-AuthenticatingUsersOnPDAs.pdf
[6]- Saarinen, Markku-Juhani “Attacks against the WAP WTLS Protocol”, University of
Jyvaskyla
http://www.freeprotocols.org/harmOfWap/wtls.pdf
[7] – WAP Forum, “Wireless Identity Module”, The WAP Forum
http://www.wapforum.org
[8] - “The Unofficial Independent iMode FAQ”, EuroTechnology
http://www.eurotechnology.com/imode/faq-gen.html
[9] – “Wireless Application Protocol Architecture Specification”, WAP Forum, July 12, 2001
http://www.wapforum.org
[10] – “WAP 2.0 Technical White Paper”, WAP Forum, January 2002
http://www.wapforum.org
[11] – Jeffs, Tamzin Z “Wireless Application Protocol 2.0 Security”, SANS Institute November
2001
http://www.sans.org/rr/papers/download.php?id=159&c=0b2c6c52463249a3c525ab7c2a7b2b3b
[12] - Meeker, Mary “Global Technology Internet Trends” Morgan Stanley, November 15,2005
http://www.morganstanley.com/institutional/techresearch/pdfs/GSB112005.pdf
[13] – Soto, Carlos A , “Hacking Bluetooth” GCN 7/25/05
http://www.gcn.com/print/24_20/36432-1.html
[14] Juul and Jorgensen, “Security Issues in Mobile Commerce Using WAP”, Roskilde
University June 19, 2002
http://medusa.sdsu.edu/network/security/wap-bled.pdf
[15] “iMode Technology”, NTT DoCoMo
http://www.nttdocomo.com/technologies/present/imodetechnology/index.html
[16] Grosche and Knospe, “Secure M-Commerce” Royal Holloway University
http://www.isg.rhul.ac.uk/~scarlet/documents/Secure%20m-commerce%20ECEJ.pdf
[17] Ashley, Hinton, and Vandenwauver “Wired versus Wireless Security: The Internet, WAP,
and I-Mode for E-Commerce” IBM Software Group – Tivoli
http://www.acsac.org/2001/abstracts/thu-1030-b-ashley.html