Security concerns of M Commerce: an exploratory
study and review
Dr. Deepak Kumar Gupta
Assistant Professor
Amity University, Noida
deepakgupta_du@rediffmail.com
ABSTRACT
M-commerce is a main application area for
mobile devices. It provides online
transactions within a glance to the
customers. Use these services at anytime
and anywhere. These applications need a
high level of security due to the open
nature of wireless networks. Furthermore,
security is harder to implement on the
mobile platform because of the resource
constraints of mobile handheld devices.
Therefore, security methods for protecting
traditional computer communications need
to be revisited so as to certify that
electronic transactions involving mobile
devices can be secured and implemented
in a successful manner. In this paper, we
reflect on some important security issues
with deployment of strong security
concerns via m-transactions.
Keywords
M - Commerce, security issues, wireless
security, Bluetooth and cryptography.
1. INTRODUCTION
Mobile commerce is equivalent to wireless
telecommunication technologies. These
wireless devices include all hand held
devices like laptops, palmtops, tablets, ipads, smart phones etc. Through these
devices
financial and promotional
activities are conducted. The ability to
conduct mobile transactions can draw
attention of new customers and keep
current ones loyal. Generally a mobile
transaction happens when a customer uses
the web enabled services of a web dealer
and
after
negotiations
and
Ms. Lavisha
Research Scholar
Mewar University Rajasthan
lavisha87ahuja@gmail.com
communications, choose to make an order
and do payment. The order and payment
information is broadcasted from the
mobile device to a base wireless station
and from there, through the mobile
communication infrastructure of the
service provider, to the wireless
application gateway of the dealer It is
expected that mobile commerce services
would be the next biggest growth area in
the telecommunications market. These
services create fusion of two big
technologies like wireless communications
and E-Commerce.
Today, mobile communication is a
mature technology, transit from 2G to 3G
with high level of customer acceptance.
3G technology in mobile provides
countless applications. And there will be a
drastic expansion of this technology in
near future also. As there is open nature of
wireless network, security is main concern
in this platform. Because no mobile
commerce strategy is complete without
thorough understanding of security. In this
paper, we consider two main parts of mcommerce that are significant to security,
Security challenges– in mcommerce, all data are transmitted via a
mobile telecommunication network. Here,
we discuss all security challenges
including handset, language and wireless
security concerns.
M-payment (mobile payment) –
doing business on the internet requires the
payment of goods and services. But the
main idea behind this is deployment of
these services via a secure channel.
2. SECURITY CHALLENGES
Each and every Business engage monetary
phrase but this cannot be possible without
secure environment in case of mcommerce. There are different security
challenges in an m commerce picture and
they relate to obviously with the mobile
device,
the
network
operator
infrastructure, the radio interface and
which kind of m-application is used.
Depending upon these security
challenges, m commerce requests some
layers of security:
2.1 Device Security
Every mobile device has inbuilt security
features like password mechanism,
Subscriber Identification Module (SIM)
card. Mobile hand set is equipped with
SIM card that is a everyday utility object
and it may be easily lost or stolen. That
hand held device contains personal
information and this information is secure
until the strong password system will be
there. And the most important all
information is stored in the phone’s
memory not in the SIM card. SIM cards
are de facto micro-processor and can be
used to assist m commerce.
Gemplus SIM cards features a digital
signature and public key encryption [1]
and the technology is embedded in the
card. In May 1999, Motorola, jointly with
Identix, a biometrics company, developed
fingerprint scanning devices, called the
DFR 300 that is 4.5 milli- meters thick [2].
For enhancing the security of devices this
finger print bio metric feature is embedded
in new smart HWDs (Handheld wireless
devices).
2.2 Language Security
Using Java language all software must be
deployed on the handheld wireless devices
through which the amount of software that
needs to be distorted in order to allow the
application to different mobile platforms is
minimized. Java execution environments
are available for PDAs, Smart phones,
Communicators (such as Symbian),
laptops, and other platforms. Maffeis [3]
also suggested using server side Java
technology, such as the Jave-2 Enterprise
Edition (J2EE) platform, in the data centre.
This allows for shorter time-to-market and
avoids vendor lock-in.
2.3 Wireless Security
2.3.1 WAP Security
WAP (Wireless Applications Protocol) is
an open, global pattern that allows easy
access to information and interact the
mobile services instantly to the mobile
users. For wireless communication only
one protocol is publicly available i.e.
WAP. It allows M-Commerce where
Internet data moves to and from wireless
devices.
The two versions of WAP security are:
2.3.1.1 WAP 1.x security
It uses the Wireless Transport Layer
Security (WTLS) protocol. This protocol
is corresponding to Secure Socket Layer
(SSL) and it offers authentication,
encryption and integrity services. WTLS
has three levels, all have privacy and
integrity: (i) Class- 1 has no
authentication, (ii) Class-II has server
authentication only, and (iii) Class-III has
both client and server authentication.
WTLS works on some familiar algorithms
like Diffe-Hellman, RC5, SHA-1, and
IDEA [4].
WAP gateway is needed for translation
between web and WAP based protocols.
The WAP gateway is software that runs on
the computer of the Mobile Service
Provider (MSP). The main drawback for
that is the important information is
decoded into original unencrypted form at
the WAP gateway i.e. known as WAP gap.
Public key cryptography (PKC) is used for
transmission. WIM (Wireless Identity
Module) store private data, such as key
pairs, certificates, and PIN numbers. This
module is present in the mobile device.
Wireless Mark-up Language (WML) is
used in WAP 1.x technology. Figure 1
shows WAP gap model.
Fig.1 WAP Gap Model (not a full end-to-end
security)
2.3.1.2 WAP 2.0 security
It uses TLS (Transportation Layer
Security) instead of WTLS to overcome
the WAP gateway security breaches. In
this new protocol is released i.e. WPKI
(wireless public key infrastructure
protocol). This protocol uses digital
signatures and public key certificates
methods for authentication purpose. This
protocol uses RSA, RC4, 3DES, and SHA1 algorithms for encryption. Figure 2
shows
the
WAP
proxy
model.
A PKI is a set of policies, processors,
software, hardware, and technologies that
use PKC and certificate management to
secure communication [6]. PKI consists of
the following components: (i) Certificate
Authority (CA)- responsible for issuing
and revoking certificates, (ii) Registration
Authority (RA)- binding between public
key and the identities of their holders, (iii)
Certificate Holders- people, machine or
software agents that have been issued with
certificates and can use them to sign digital
documents, (iv) Verification Authority
(VA, Clients)- validate digital signatures
and their certificates from a known public
key of a trusted CA, and (v) Repositoriesstores that make available certificates.
Today’s mobile security is totally
dependent on PKI that’s why it is known
as heart of the mobile security system. The
extension of PKI is recognised as WPKI in
wireless
environment.
‘WPKI
encompasses the necessary cryptographic
technology and a set of security
management standards that are widely
recognized and accepted for meeting the
security needs of M- Commerce’ [6].
As the name suggests wireless PKI
must have work with smaller display
screen, limited memory & power capacity
and less powerful processor. They work
with the help of agents that is known as
network agents. They are responsible for
data validation, certificate authentication
and all. Figure 3 shows a schematic
diagram of WPKI.
Fig.2 WAP Proxy Model (end-to-end security)
2.3.2 PKI/WPKI
Confidentiality, authentication, integrity
and non repudiation are certified in PKI by
cryptography, digital certificates and
digital signatures. [5]
Fig.3 Wireless PKI
Wireless devices have small screen
display, limited memory, low power and
no keyboard having unique problems and
provide a big challenge to PKI solution.
Certicom developed Elliptical Curve
Cryptography (ECC) that reduced the key
size from RSA’s 1024 bits to as few as 56
bits and made handling certificates a lot
easier for low- bandwidth and low-power
devices [2]. ECC takes only 15 seconds to
process digital signature on HWD.
2.3.3 Wireless LAN (WLAN) Security
2.3.3.1 IEEE 802.11b
The WLAN standard IEEE 802.11b grants
a method for authentication and
encryption. It offers a maximum of 11
Mbps wireless Ethernet connections using
the band at 2.4 GHz. IEEE 802.11b
security features consists of security
framework called Wired Equivalent
Privacy (WEP). WEP is supported on
RC4, a symmetric stream cipher. It has a
pseudo-random number generator, whose
output is XORed to the data. WEP can use
40 or 128 bits key size. The output must be
dropped due to large key size. In August
2001, RC4 was proclaim to be broken and
can be split in less than half an hour.
Subsequently, WEP can be wrecked.
2.3.3.2 Bluetooth
For data sharing between different HWDs
Bluetooth technologies is used since 1998,
developed by Ericsson. For authentication
purpose devices shared secret keys. That
common shared secret is called a link key,
created from PIN. This link key is
recognized in a special communication
session called pairing. All paired devices
share a common link key. There are two
types of link keys: unit keys and
combination keys [17]. The size of link
key is 128-bit random number. A unit key
is common to all devices for pairing.
That’s why all devices wants to be paired
must know the unit key. Only two paired
units are allowed for transferring the data
by the help of it.
For protection purpose combination keys
are used for pairing. Those are unique for
each paired device. That’s why
combination key is more secure than link
key.
In every Bluetooth device, there are four
entities used for maintaining the security at
the link level:




the Bluetooth device has an IEEE
defined 48-bit unique address,
a private authentication key which
is a 128- bit random number,
a 8-128 bit long private encryption
key, and
a random number, which is
frequently a changing 128-bit
number that is made by the
Bluetooth device itself [7].
The security algorithms of Bluetooth are
measured strong. Bluetooth standard does
not apply the RC4 cipher; rather it applies
the E1, a modified block cipher SAFER+.
Since now there is no practical direct
assault has been reported.
2.4 Cryptography
For data protection over the internet only
cryptographic technique is used.
There are two types of cryptography first
is symmetric or secret-key and second is
asymmetric or public key cryptography
(PKC). In secret or symmetric key
cryptography, both sender and receiver
must share their secret key for
communication securely. There are two
main issues behind this method. First is
how these devices exchange the secret key
securely and second issue concerns with
the number of devices consider there are n
number of devices want to communicate
with each other then there must be O(n2)
number of secret keys must be exchanged.
And the arrangement of this huge number
is a cumbersome problem. On the other
hand side the second method of
cryptography can resolve these issues by
not sharing secret keys. This method must
ensure confidentiality. The most popular
algorithm works behind these keys i.e.
RSA. This algorithm works securely under
the e commerce environment but not in M
Commerce environment. Due to large key
size its very complex and time consuming
method for decryption. That’s why this
algorithm fails.
2.4.1 Elliptic Curve Cryptography (ECC)
Now there is a need of a new algorithm
that uses short keys for achieving a high
level of security. Algorithms based on
mathematical objects known as elliptic
curves offer interesting possibilities [8].
Elliptic curve discrete logarithm problems
(ECDLP) is defined as “give a base point
P and the kP lying on the curve, find the
value of k”. According to cryptographic
point, a new cryptographic system needs to
be defined based on elliptic curves. Any
standard system that relies on the discrete
logarithm problem has a direct analogy
based on the ECDLP. For example,
Elliptic Curve Digital Signature Algorithm
(ECDSA) has already been standardized.
Diffie-Hellman key exchange can be easily
implemented in an elliptic curve system.
[8]
This Table 1 shows direct comparison of
key sizes between ECC and RSA.
Table 1: EEC Key Size compared to RSA
ECC KEY
Size(Bits)
109
131
163
283
409
571
Traditional
RSA Key
Size( Bits)
512
768
1024
3072
7680
15360
Key
Size
Ratio
1:5
1:6
1:6
1:11
1:19
1:27
Recently, ECC has been deployed on
Smartcards without coprocessors [9].
Weimerskirch et al [10] implemented ECC
on a Palm OS device. Their study showed
that the normal transaction, such as a key
exchange or signature verification, can be
done in less than 2.4 seconds while
signature generation can be done in less
than 0.9 seconds. Table 2 shows the three
major industry standard PKC systems that
can be considered secure, efficient, and
commercially available [11].
Table 2: Three Major Industry-Standard PKC
PKC
Mathematical
Algorithm
Problem
Integer
Given a number RSA,
factorization n, find its prime Rabinfactors
Williams
Discrete
Given a prime n, ElGamal,
logarithm
and number g
Diffieand h, find x
Hellman,
such that h= gx
DSA
mod n
EC discrete Given an elliptic EC Diffielogarithm
curve E and
Hellman,
points P and Q
ECDSA
on E, find x such
that Q=x P
Difficulties phased in Elliptic Curve
System: The true difficulty of the ECDLP
is not yet fully understood [8]. Recent
research has revealed that some elliptic
curves that were supposed appropriate for
ECC are, in fact, not suitable. It is a very
difficult problem to produce a suitable
curve and base point in the first place.
The major difficulty is how to count the
number of points on the curve. Having
found the number of points on the curve, it
is relatively likely that a suitable base
point cannot be initiated. Users may
exploit random curves or special curve
generating software, such as the “Elliptic
Curve Generation Bureau” produced by
Zaxus.
In April 2000, the French National
Institute for Research in Computer Science
and Control announced that the 109-bit
ECC key was cracked in a four-month
brute- force effort using 9,500 computers
by 1300 volunteers from 40 countries [12].
2.4.2 Digital
Signature
Certificates
and
Digital
In a PKC two keys are used, public and
secret keys. For message encryption public
key and for decryption secret key is used.
On the other hand, there is no other way of
knowing the person who has the
equivalent secret key. This is where the
initiative of certificates comes up.
Certificates verify that the public key
specified in the certificate goes to a private
key believed by the genuine person, not by
a pretender. To faith a certificate means to
faith the party who issued the certificate,
not the person for whom the certificate is
issued. Digital signatures are used for
protection of a certificate. The message
can only be formed from the cipher text by
the private key holder. This gives
authorization and non-repudiation [13].
That is the foundation for digital signature.
Or protection of a private key, stored in a
Smart card, where all crypto processes
with it are executed. The usage of Smart
card is depended on a PIN.
3. DEPLOYING STRONG SECURITY
FOR WORLDWIDE COMMERCE
VIA M TRANSACTION
3.1 Joint-Signature Scheme
A joint-signature scheme acts as an
alternative to traditional digital signatures.
A joint-signature scheme works with the
help of one-way hash functions and
traditional digital signatures method via a
network operator. A joint-signature
scheme is better than the traditional digital
signatures scheme because it offers lower
communication cost. This joint-signature
scheme is based on the hypothesis that if a
third party, like the network provider
which has with ample computation and
communication resources, signs a digital
signature containing a secret that is only
shared between the customer and the
merchant, then the merchant can treat the
digital signature as a joint signature
originated from the customer and signed
by the third party/network provider [14].
3.2 Transaction Authentication Number
(TAN) / Mobile TAN (mTAN)
TAN is used in online transactions through
banking web sites. It provides four wall
protection of security by the help of OTP
(One time password) for authentication
purpose. First it demands the login
credentials followed by TAN via OTP
which is only provided in registered
mobile number. That must be available
only for some time. After estimated
interval that OTP must be expired. That
OTP is generated on mobile that’s why it
is called as mTAN (mobile transaction
authentication number).
When the customer begins a
transaction, a TAN is produced by the
customer’s bank and sent to the
customer's mobile phone by SMS. The
SMS may also contain transaction
information for verification purpose. In
fact this scheme is directly proportional
to security of the customer’s mobile
phone. Online businesses demand etransactions i.e. completed only by
sharing personal banking information.
That must not be captured as it goes
directly from browser to server. Using
wireless devices that information goes
out over the air from the handset. WAP
(wireless access protocol) can be used
with wireless networks (GSM/CDMA).
The main security part of the WAP
design is the wireless transport layer
security (WTLS) protocol, which
basically defines security measures for
wireless Internet transactions. WTLS is
supported Transport Layer Security,
previously recognized as Secure Sockets
Layer, or SSL. WTLS supports all
security features like data integrity,
privacy and authentication.
3.3 VISA and MASTERCARD take
different approaches to authentication
Visa and master card are payment
networks that bond merchant payment
terminals with your bank’s credit card
branch. Because millions of merchants
allow huge amounts of credit card
purchases every day, banks favour to use
one of these third party networks to
practice credit transactions. This practice
is four party schemes. In this consumer
and issuing bank, merchant and acquiring
bank synchronise with each other to
achieve authentication of the transaction
done by the customer.
Fig. 4 Four party scheme
4. CONCLUSION
There will be no m-commerce without
security of the essential technologies
because it engages with large amounts of
money every day. Therefore the system
used for transactions has to absolutely
secure and to be free of corruption;
business will lose customers if the mobile
security system is not secure enough. This
paper
clearly shows
how
these
technologies have been improved through
the years. This paper reviewed security
issues relating to device, language,
wireless security and cryptography
technology. In fact, some mobile payment
systems are under development or already
operational. But main prospectus will be to
unify payment methods to make our
mobile commerce safe and secure from
fraud.
REFERENCES
[1] “PKI moves forward across the globe” wireless developer network,
http://wirelessdevnet.com/channels/wap/features/mcommerce3.html.
[2] Goldman, Jeff, “Wireless Security and M Commerce” the feature March 8,
2001,http://www.thefeature.com/article?articleid=9862
[3] Maffies S., “M Commerce Needs Middleware”, 2000, “hhtp://www.softwiredinc.com/people/maffies/article/softwired/mcommerce.pdf”
[4] Osborne Mark “WAP, M-Commerce and Security”, 2000,
http://www.kpmg.co.uk/kpmg/uk/image/mcom5.pdf
[5] Sanwar Ali, Waleed Farag, Mohammad A. Rob, “Security Measures in Mobile Commerce: Problems and
Solutions” , the fourth international conference on electronic business(ICEB2004)/Beijing.
[6] Yeun, Chan Y., Farnham Tim, “Secure M Commerce with WPKI, 2001”
http://www.iris.re.kr/iwap01/program/download/g07_paper.pdf
[7] Vainio, J.T. “Bluetooth Security” 2000, http://www.niksula.cs.hut.fi/~jiitv/bluesec.html
[8] Ganley, M.J, “Elliptical Curve Cryptography”, Zaxus White Paper, pp1-9, 2000.
[9] Woodbury, A.D., Bailey, D.V., and Paar, C., “Elliptic Curve Cryptography on Smart Card without
Coprocessors”, Proc. Of the 4th Smart Card Research and Advanced Applications Conf., Sep 20-22, ppl-20,
2000.
[10] Weimerskirch, A., Parr C., and Shantz, S.C., Proc. Of the 6 th Australian Conf. On Information Security and
Privacy, July 11-13, 2001.
[11] Vanstone, S.A. “Next generation security for wireless: elliptic curve cryptography”, pp412-415, 2003,
http://www.compseconline.com/hottopics/hottopic20_8/Next.pdf
[12] Harrison, A., “Motorola Certicom Ink Elliptic Crypto Deal”, Computerworld, May 22, 2000.
[13] Sanwar Ali, Waleed Farag, Mohammad A. Rob, “Security Measures in Mobile Commerce: Problems and
Solutions” in the fourth International Conference on Electronic Business (ICEB2004), Beijing.
[14] Ahmad Tasnim Siddiqui, “M-Commerce: Security in Mobile Transactions” in Management Today, August
2014 <http://www.academia.edu/3361247/M-COMMERCE_SECURITY_IN_MOBILE_TRANSACTION>