
Sunday, March 31, 2019

Security Issues Associated With Mobile Commerce Information Technology Essay

The report investigates the current state of mobile commerce from the point of view of its security and examines the predicted future developments of the field. A brief background of M-commerce and its applications is initially outlined. The discussion will then focus on the security issues and solutions based on the five security objectives (models): Confidentiality, Authentication, Authorisation, Integrity and Non-repudiation. The operation of these security standards will then be applied to two key M-commerce applications, both involving mobile transactions: Mobile-Payment and Mobile-Banking. It is concluded that further technological development in M-commerce systems will be required in order to improve the quality of service and convince the user that such a system is safe to use.

Nestor Mfuamba

Introduction

The term M-commerce (Mobile commerce) derives from E-commerce (Electronic commerce), which denotes business transactions over the internet. The transactions could be buying and selling goods or services by accessing the internet. Both M-commerce and E-commerce are part of two distinct business markets, B2B (Business to Business) and B2C (Business to Consumer); the first deals with businesses and the last deals with end consumers. From these business concepts, we can see that a B2B market is more like E-commerce, where a business or user accesses the internet for business transactions from a range of devices.
The technology used for such a system could either be wireline (desktop PC, end user devices) or wireless (via mobile phones, PDAs, end user devices). In fact the term M-commerce is all about wireless E-commerce, that is, where a mobile device is used to access the internet for business transactions in either B2B or B2C markets. With the present availability of mobile phones (and other end user devices), M-commerce services have a promising future, in particular in the B2C market. Future development applications include buying over the phone, purchase and redemption of tickets and reward schemes, travel and weather information, and writing contracts on the move. However, the success of M-commerce today very much depends on the security of the underlying technologies. For example, credit card chargeback rates for transactions on the internet are 15%, versus 1% for POS (Point-of-Sale) credit card transactions. The chargeback rates grow to 30% when digital products are sold. For M-commerce to take off, fraud rates have to be reduced to an acceptable level. As such, security can be regarded as an enabling factor for the success of M-commerce applications. In this report, I discuss the security issues associated with M-commerce and their solutions based on two representative M-commerce applications, namely:

Mobile Payment Systems: business transactions on the internet require the payment of either goods or services. M-payment systems have different requirements and characteristics than E-payment (electronic payment) systems.

Mobile-Banking Systems: types of financial services in the course of which, within an electronic procedure, the consumer uses mobile communication techniques in conjunction with mobile devices for banking transactions.

M-commerce

Definition

The term m-commerce can be defined in many ways. From my own experience and research, m-commerce is simply an electronic commerce system that is accessed from mobile phones.
Both e-commerce and m-commerce are B2C (Business to Consumer) systems. According to the OECD (Organisation for Economic Co-operation and Development), e-commerce follows two criteria, which are:
- Automation of transactions
- Spatial separation of transactions and delivery

By definition, m-commerce is a business commerce system using mobile devices for business transactions performed over a mobile telecommunication network, possibly involving the transfer of money. Based on research done by Ravi Kalakota and Marcia Robinson, m-commerce can be divided into five descriptive phases:
- Messaging m-commerce (SMS-based m-commerce)
- Info connectivity m-commerce (web based m-commerce)
- Transactions m-commerce (strategy for organisations in order to evolve revenue generating m-commerce)
- Transformation m-commerce (m-commerce is interconnected and integrated into business processes within and among organisations)
- Infusion m-commerce (m-commerce is a normal way to do business; this means a culture change from one in which technology is occasionally handed over to one where technology is an accepted part)

Technology and Applications

The technology of M-commerce is built on several key technologies.
They are distinguished by their common uses. Mobile phones have developed gradually, making significant changes to their standards, starting from the first generation (analogue phones) to the third generation (3G):
- first-generation or analogue phones: good for voice calls
- second-generation phones use digital technology and are typical of the average phone in use today
- 2.5G digital phones support the transmission of data using the general packet radio service (GPRS)
- third generation (3G) digital phones support voice and data transmission at greatly increased speeds

3G supports services that were not possible with earlier technologies:
- video calls can be made and captured from other 3G users
- video and other types of media can be downloaded to play on your phone
- 3G phones often have cameras, so you can take and transmit digital pictures
- location-based services can be accessed in order to see a map of where you are, or find out the nearest garage, restaurant, bank, etc.

M-commerce developments are focused very strongly on the use of 3G phone technology.

The Wireless Application Protocol (WAP) enables mobile devices to browse the internet because the web browsers built into these devices support hypertext markup language (HTML) and extensible markup language (XML), the key languages used for internet content. WAP-enabled devices run microbrowsers. These are applications that suit the:
- small screen and small memory size of handheld devices
- low bandwidths that are a property of wireless networks for handheld devices

Another important m-commerce technology is the short message service (SMS), also known as texting. This popular service allows short text messages of up to 160 characters to be sent from and to mobile devices at a low cost. This has a wide application in m-commerce technology.
Improvements such as T9 predictive text, which helps you type faster, have enhanced the service, and a number of extensions such as enhanced messaging (EMS) led to multimedia messaging service (MMS) messaging. With an MMS-enabled phone, you can:
- take digital photographs and store photographs on the internet
- send and receive full colour pictures
- add a text message to your picture
- send and receive voice clips
- purchase pictures and sounds from the internet
- have enhanced polyphonic ringtones

Mobile Application Types

Communications: E-mail clients; IM clients; mobile web and internet browsers; news/information clients; on-device portals (Java portals); social network clients.
Games: Puzzle/Strategy (e.g., Tetris, Sudoku, Mah-jong, Chess, board games); Cards/Casino (e.g., Solitaire, Blackjack, Roulette, Poker); Action/Adventure (e.g., Doom, Pirates of the Caribbean, role-playing games); Sports (e.g., Football, Soccer, Tennis, Basketball, Racing, Boxing, Skiing); Leisure Sports (e.g., Bowling, Pool, Darts, Fishing, Air Hockey).
Multimedia: Graphics/image viewers; presentation viewers; video players; audio players; streaming players (audio/video).
Productivity: Calendars; calculators; diary; notepad/memo/word processors; spreadsheets; directory services (e.g., yellow pages); banking/finance.
Travel: City guides; currency converters; translators; GPS/maps; itineraries/schedules; weather.

Mobile System Architecture

The figure below shows the architecture of an m-commerce system. From the design, we can clearly see that a user/client accesses the web via an XML server connected to a database.

Figure 1.
Proposed M-commerce system architecture

Mobile devices

The applications of M-commerce can be implemented on different kinds of end user devices other than just mobile phones:
- Mobile phones
- PDA (Personal Digital Assistant)
- Smart phone: the smart phone combines mobile phone and PDA technology into one device
- Laptop
- Earpiece device such as Bluetooth (as part of a Personal Area Network)

The choice of devices in M-commerce is mainly based on the device capabilities and on the network technology used for transmission; the latter allows the bandwidth capacity to vary and determines the kind of services the end user is able to receive. Mobile phones differ from other end user devices by their ability to hold internal smart cards that determine their memory capacities. Nowadays, three solutions exist:
- Single SIM: widely used around the world; confidential user information is stored on one smart card.
- Dual Chip: two smart cards in one mobile phone, one used for user authentication to the network operator and the other used for value-added services such as m-payment or digital signature.
- Dual Slot: this type of mobile phone has a SIM card and a card slot for a full-sized external smart card. This solution consists of using different cards one after the other, e.g. as at POS and ATM terminals.

M-commerce vs. E-commerce

This part of the report doesn't compare the two business systems in full; rather, it presents advantages and disadvantages of an M-commerce system over an E-commerce system. As defined in part 1.1, M-commerce is a subset of E-commerce but uses mobile end user devices as transaction platforms. The following list summarises the advantages:

Accessibility: accessibility is related to ubiquity and means that the end user is accessible anywhere at any time.
Accessibility is probably the major advantage by comparison with E-commerce applications involving a wired end user device.
Ubiquity: the end user device is mobile, that is, the user can access M-commerce applications in real time at any place.
Security: depending on the specific end user device, the device offers a certain level of inherent security. For example, the SIM card commonly employed in mobile phones is a smart card that stores confidential user information, such as the user's secret authentication key. As such, the mobile phone can be regarded as a smart card reader with a smart card.
Localisation: a network operator can localise registered users by using a positioning system, such as GPS, or via GSM or UMTS network technology, and offer location-dependent services. Those services include local information services about hotels, restaurants and amenities, travel information, emergency calls, and mobile office facilities.
Personalisation: mobile devices are usually not shared between users. This makes it possible to adjust a mobile device to the user's needs and wishes (starting with the mobile phone housing and ringtones). On the other hand, a mobile operator can offer personalised services to its users, depending on contracted user characteristics (e.g. a user may prefer Italian food) and the user's location (see above).
Convenience: the size and weight of mobile devices and their ubiquity and accessibility make them an ideal tool for performing personal tasks.

Along with these advantages, we also have disadvantages; the following list summarises the facts:
- Mobile devices offer limited capabilities. Between mobile devices these capabilities vary so much that end user services will need to be customised accordingly.
- The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform.
For this reason, standardisation bodies consisting of telecommunication companies, device manufacturers, and value-added service providers integrate their work (see Section 4.5). For example, many current mobile devices implement an IP stack to provide standard network connectivity. At the application level, the Java 2 Micro Edition (J2ME) offers a standardised application platform for heterogeneous devices.
- Mobile devices are more prone to theft and destruction. According to a government report, more than 700,000 mobile phones are stolen in the UK each year [12]. Since mobile phones are highly personalised and incorporate confidential user information, they need to be protected according to the highest security standards.
- The communication over the air interface between mobile device and network introduces additional security threats (e.g. eavesdropping and so on).

Security

Concept and Challenges

The concept of security in M-commerce is the most important aspect of the business that a mobile system should respond to. There is no point in implementing such a system without securing its environment, especially where transactions involve monetary value. Different studies of participants in an M-commerce scenario perceive security and privacy as major factors for the market breakthrough of such a system.

Moving from the participants' point of view, I have defined five security objectives / standards that a system should respond to:
Confidentiality: ensure privacy; the content of the transaction cannot be viewed by unauthorised persons. The technique used is encryption.
Authentication: ensure that the content of the transaction originates from the presumed sender/partner.
Integrity: ensure that the content of the transaction is not modified during delivery and cannot be altered at any time. The technique used is called digital signatures.
Authorisation: ensure that anyone involved in the transaction is recognised and verified in order to authorise/allow the transaction to take place.
It is comparable to digital certificates.
Non-repudiation: no-one should be able to claim that a transaction on his/her behalf was made without their knowledge. The concept of digital signatures is applied.

These standards don't just apply to end user devices, but to the whole system involving device users, networks (e.g. WAP, WEP) and financial and administrative institutions (e.g. banks, governments etc.). I have identified a few security challenges related to the system:
The mobile device: confidential user data on the mobile device as well as the device itself should be protected from unauthorised use. The security mechanisms employed here include user authentication (e.g. PIN or password authentication), secure storage of confidential data (e.g. the SIM card in mobile phones) and security of the operating system.
The radio interface: access to a telecommunication network requires the protection of transmitted data in terms of confidentiality, integrity, and authenticity. In particular, the user's personal data should be protected from eavesdropping. Different security mechanisms for different mobile network technologies (i.e. in 2G, 3G, and other systems) were explained in part 2.2.
The network operator infrastructure: security mechanisms for the end user often terminate in the access network. This raises questions regarding the security of the user's data within and beyond the access network. Moreover, the user receives certain services for which he/she has to pay. This often involves the network operator, and the user will want to be assured about correct charging and billing.
The kind of M-commerce application: m-commerce applications, especially those involving payment, need to be secured to assure customers, merchants, and network operators. For example, in a payment scenario both sides will want to authenticate each other before committing to a payment. Also, the client will want assurance about the delivery of goods or services.
In addition to the authenticity, confidentiality and integrity of sent payment information, non-repudiation is important.

Threat scenarios

In this part, I am going to present major threats to security based on the M-commerce security standards and propose ideal scenarios for the threats observed with each method.

The following list shows the threats:
Money theft: as long as m-commerce involves transactions driven by monetary value, the system will always attract hackers, crackers and anyone with the knowledge to exploit and abuse the system. They often set up fake websites in order to extract customers' personal data, credit card details etc.
Threats to the system: mobile devices are not spared from those deceptive methods of stealing information. Viruses, Trojans and worms are often planted by individuals for reasons known best to them alone, in order to compromise the credibility of the whole m-commerce system.

Threats observed during authentication

Observation
- An adversary can download the client on a laptop/desktop and use its insecurities for malicious purposes.
- An adversary can obtain the user certificate stored on the mobile phone by transferring the contents from the phone or memory card to a PC/laptop.
- An adversary can register with the legal details of a valid account holder and access his/her account details or make transactions.
- An adversary can access user authentication data directly from the phone's folders or from the phone's memory card.
- An adversary can set a fresh PIN for transacting using a weak "forgot password" feature, or can change the password/PIN of a valid user without authentication/authorisation.
- An adversary can use the auto-complete feature to access a valid user's account.
- An adversary can guess weak passwords/PINs to retrieve customer information.

Ideal scenario

An adversary can download the client on a laptop/desktop and use its insecurities for malicious purposes.
An adversary can use the auto-complete feature to access a valid user's account.

The customer has to first register with the bank. Customer details like full name, postal address, e-mail address, bank account details and mobile phone number should be provided.
The bank would inform the vendor to push the mobile client application to the mobile number provided by the customer. This can be done through a system which communicates between the server at the vendor end and the bank end. The vendor enters the mobile number of the customer and the client application is pushed to it. This ensures that the client is not downloaded to a PC or laptop and misused. In case the push is not possible, the customer has to be advised and the client application installed by the vendor.
The application has to ensure that during installation a few checks are done:
- Transfer the bank's and the vendor's public keys for encryption purposes. There can be two keys generated for the vendor: one for storage and one for data transmission.
- The client files/folders are installed on the phone and not on the memory card.
- The files and folders should be restricted from being transferred to a memory card or PC/laptop.
- Access to these files should only be through the executable and not directly.
- The installer should be removed after installation.
- The application should not allow the auto-complete feature.

Threats observed during transactions

Observation

Based on the services provided to the customer, the following threats can be observed:
- An adversary can sniff the contents of a transaction and obtain confidential information.
- An adversary can bypass authentication controls.
- An adversary can make bogus shopping or purchase transactions for another valid customer.
- An adversary can view the account details of another user.
- An adversary can modify the "from account" and amount fields during a fund transfer process.
- An adversary can predict the session id and perform transactions as a valid user.
- An adversary can access a valid account using an active session which has not been terminated after a long period of inactivity.
- An adversary can log in using his own credentials and view/modify the details of another valid customer.
- Illegal/invalid transactions can be performed without a continuous authentication process for each transaction.

Ideal scenario

An adversary can sniff the contents of a transaction and obtain confidential information.
All transactions should be through a secured connection. Data transmitted between the client application and the vendor server should go through HTTPS or another secured channel and also be encrypted with the vendor's transport public key. The data flowing back from the vendor server to the client should go through HTTPS or a secured channel.
The data flowing between the vendor server and the bank server should go through HTTPS. Also, the customer details which are not required by the vendor should be encrypted using the bank's public key. The return should be through HTTPS.
Any data flowing between the bank/vendor and other third parties or merchants, as for mobile shopping, should go through a secured payment gateway.

An adversary can bypass authentication controls; illegal/invalid transactions can be performed without a continuous authentication process for each transaction; an adversary can view the account details of another user.
Each transaction or operation should be authenticated using either a single layer or a dual layer. The vendor-side application should authenticate the customer using the PIN for non-critical operations. Validation checks should be in place to ensure that this authentication control is not bypassed.
For critical transactions, there can be a dual authentication mechanism, one using the PIN at the vendor and the other using the Internet banking ID at the bank side. Validation checks should be in place to ensure that this authentication control is not bypassed.

An adversary can make bogus shopping or purchase transactions for another valid customer. An adversary can modify the "from account" and amount fields during a fund transfer process.
For example, in a fund transfer operation the bank should ask for the Internet banking credentials from the customer for authentication and verification. Also, checks need to be in place to ensure that the "from account" field cannot be modified and that the amount field is not negative.

An adversary can predict the session id and perform transactions as a valid user. For example, an adversary can access a valid account using an active session which has not been terminated after a long period of inactivity, or log in using his own credentials and view/modify the details of another valid customer.
In a mobile shopping operation, the payment should go through a secured payment gateway. Ideally, the vendor should not store the details of the shopping done by the customer. Only in case the vendor performs the payment for the customer's purchases do the details need to be stored at the vendor.
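The transaction-stage countermeasures above (unpredictable session ids, termination of idle sessions, a PIN layer plus a bank-side credential layer for critical operations, and server-side checks that the "from account" belongs to the authenticated customer and that the amount is not negative) can be implemented on the vendor server as a single validation path. The following Python is an added illustration written for this report, not code from any banking vendor; the account numbers, customer names, the five-minute idle limit and the `bank_credentials_ok` flag (standing in for the bank's answer to the Internet banking ID check) are constructed assumptions.

```python
"""Server-side session handling and fund-transfer validation for a mobile-banking
vendor (added illustration; all names, accounts and policy values are constructed)."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 5 * 60   # assumed policy: idle sessions are terminated after 5 minutes

# Constructed sample data: the accounts each registered customer owns.
ACCOUNTS = {"alice": {"ACC-1001", "ACC-1002"}, "bob": {"ACC-2001"}}


@dataclass
class Session:
    user: str
    last_seen: float
    pin_verified: bool = False      # first layer: PIN checked by the vendor application


class SessionStore:
    """Sessions keyed by an unpredictable id; idle sessions are expired on access."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the idle timeout can be exercised
        self._sessions = {}

    def create(self, user):
        # 32 bytes from the OS CSPRNG: the next id cannot be predicted from earlier ones.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if it is unknown or has been idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # terminate rather than leave a stale session usable
            return None
        session.last_seen = now
        return session

    def terminate(self, sid):
        self._sessions.pop(sid, None)


def verify_pin(store, sid, pin_ok):
    """Record that the vendor has checked the customer's PIN (pin_ok is that check's result)."""
    session = store.get(sid)
    if session is None or not pin_ok:
        return False
    session.pin_verified = True
    return True


def transfer(store, sid, from_account, to_account, amount_minor, bank_credentials_ok):
    """Validate a fund transfer and return a verdict string ("ok" or "denied: ...").

    amount_minor is an integer in minor currency units (e.g. pence) so rounding cannot
    be abused; bank_credentials_ok is the bank-side answer to the Internet banking ID
    check, the second authentication layer required for this critical operation.
    """
    session = store.get(sid)
    if session is None:
        return "denied: no valid session"
    if not session.pin_verified:
        return "denied: PIN authentication required"
    if not bank_credentials_ok:
        return "denied: Internet banking credentials required"
    # The from-account arrives in the request, so it is bound to the authenticated
    # customer here instead of being trusted as submitted.
    if from_account not in ACCOUNTS.get(session.user, set()):
        return "denied: from account not owned by session user"
    if isinstance(amount_minor, bool) or not isinstance(amount_minor, int) or amount_minor <= 0:
        return "denied: amount must be a positive whole number of minor units"
    if to_account == from_account:
        return "denied: destination equals source"
    return "ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    verify_pin(store, sid, True)
    print(transfer(store, sid, "ACC-2001", "ACC-1001", 500, True))   # not alice's account
    print(transfer(store, sid, "ACC-1001", "ACC-2001", 500, True))   # ok
```

Every check runs on the server against the session's own user record, so a client that tampers with the "from account" or amount fields, reuses a guessed id, or returns to a long-idle session is refused at the same point.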
The customer then authorises the bank to transfer the amount to the vendor's account, and the vendor makes the payment to the merchant for the item. A good session management mechanism ensures that attackers cannot use a valid session id to log in. The application should also ensure that users are not able to change the data and view another customer's details.

Other possible threats

An adversary can transfer malicious files to the server/application. Ideally, a mobile banking scenario would not require a customer to upload files to the server, so uploads can be disabled for customers.
An adversary can obtain confidential customer data and source code from the server. All customer data and application source code at the vendor server should be protected not only from outside attackers but from internal users/developers as well.
Malicious activities go undetected. Audit trails and logging need to be maintained for the application, recording the customer name, bank details and the transaction performed with time and date for future reference.
An adversary can obtain details of the server, or error messages provide information that helps the adversary perform specific attacks. The application should ensure that no messages are provided to the outside world which would reveal information about the system.
An adversary can obtain the vendor's private key from the server to perform man-in-the-middle attacks. Private keys should be stored securely and only the application should be given access to use the keys during its operations.

Security Technology

This part of my report focuses on the network technologies which are relevant to a secure M-commerce system. The security itself focuses on three aspects, studied in the IST SHAMAN project: M-commerce network security, transport layer security and service security. IST SHAMAN has studied the security architecture of current and potential future mobile systems.
Here, they are discussed.

M-commerce Network Security

GSM (Global System for Mobile Communication): established in the early 1990s, GSM was the first generation of mobile phones and the major device for M-commerce. The devices presented strong limitations with respect to their capabilities other than telephony. In terms of data service, dial-in data sessions over circuit switched connections were possible but relatively slow, at 9.6 kbit/s, and required a separate device such as a computer, which reduced mobility. As the GSM core network extended, a number of data services were established, such as:
- The Short Message Service (SMS)
- The Wireless Application Protocol (WAP), allowing internet access
- High Speed Circuit Switched Data (HSCSD), providing higher data rates
- The General Packet Radio Service (GPRS), extending GSM with packet-oriented services

The figure below shows an architecture of GSM, including GPRS, IN (Intelligent Network) and SMS.

Figure 2: GSM architecture

What is the scenario in this architecture, and what does GSM provide as security features?
The mobile station communicates over the wireless interface with a base transceiver station (BTS), which is part of a base station subsystem (BSS). The base station controller (BSC) is connected with an MSC (Mobile Switching Centre) and an SGSN (Serving GPRS Support Node). The latter two are the central switching components for circuit and packet switched data.
When a customer subscribes, the GSM home network assigns the mobile station a unique identifier, the international mobile subscriber identity (IMSI), and an authentication key Ki.
The IMSI and the secret authentication key Ki of the mobile station (MS) are stored in the SIM (subscriber identity module), which is assumed to be tamper proof.
On the network side, the IMSI, Ki and other information are stored in the HLR (Home Location Register) and AuC (Authentication Centre).
GSM provides the following security features for the link between the mobile station and the network:
- IMSI confidentiality
- IMSI authentication
- User data confidentiality on physical connections
- Connectionless user data confidentiality
- Signalling information element confidentiality

In general, the security architecture of GSM presents basic security mechanisms for M-commerce systems. The authentication of a mobile customer towards the network is based on the secret Ki, from which a symmetric key is derived and used to encrypt the link between the mobile station and the BTS. The secret key Ki is never sent over the network. From there, we can say that GSM presents two weaknesses: authentication, which is only of the subscriber towards the network, and encryption, which is optional.

UMTS (Universal Mobile Telecommunication System): the security architecture of UMTS is designed to fix the security weaknesses of GSM. In UMTS, authentication is mutual, and encryption is mandatory unless the mobile station and the network agree on an unciphered connection. In addition, integrity protection is always mandatory and protects against replay or modification of signalling messages. UMTS introduces new cipher algorithms and longer encryption keys. Thus, UMTS doesn't seem to have any security weaknesses. The architecture of this technology is depicted below.

Figure 3: UTRAN system

WLAN (Wireless Local Area Network): the IEEE standard 802.11 specifies families of WLANs which operate in the unlicensed 2.4 GHz and 5 GHz bands. The standards specify the physical layer (PHY) and the medium access control layer (MAC). When operated in infrastructure mode, the mobile station attaches to an AP which provides connectivity to fixed IP networks (e.g. the internet) or to other mobile stations. In its default mode, WLAN is not secured, which means there is a possibility of an eavesdropping attack.
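The difference between the GSM and UMTS authentication described above (a secret Ki that never leaves the SIM or the AuC, one-way challenge-response in GSM, mutual authentication with replay protection in UMTS) is easiest to see as two short protocol exchanges. The Python below is an added illustration for this report, not code from any operator, the GSM/3GPP specifications or the SHAMAN project: HMAC-SHA256 stands in for the operator-specific A3/A8 and f1/f2/f3 functions, the sample Ki is constructed, and the AUTN layout is simplified (sequence number plus MAC, without the anonymity key or AMF field of the real protocol).

```python
"""GSM-style one-way versus UMTS-style mutual subscriber authentication (added illustration).
HMAC-SHA256 stands in for A3/A8 (GSM) and f1/f2/f3 (UMTS); the AUTN layout is simplified."""
import hashlib
import hmac
import secrets

# Constructed sample subscriber key Ki, known only to the SIM/USIM and the AuC.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def kdf(ki, label, *parts):
    """Keyed function standing in for A3/A8/f1/f2/f3: outputs depend on Ki, so Ki itself
    is never transmitted; only challenge/response values cross the air interface."""
    h = hmac.new(ki, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


# --- GSM: the network challenges the SIM; nothing proves to the SIM who is asking ---

def gsm_network_challenge():
    return secrets.token_bytes(16)                      # RAND


def gsm_sim_respond(ki, rand):
    """The SIM answers any RAND it receives: SRES proves possession of Ki to the network,
    Kc becomes the link cipher key. There is no check on the origin of RAND."""
    sres = kdf(ki, b"A3", rand)[:4]
    kc = kdf(ki, b"A8", rand)[:8]
    return sres, kc


def gsm_network_verify(ki, rand, sres):
    return hmac.compare_digest(kdf(ki, b"A3", rand)[:4], sres)


# --- UMTS: the AuC authenticates the challenge with Ki and a sequence number ---

class UmtsAuc:
    def __init__(self, ki):
        self.ki = ki
        self.sqn = 0

    def authentication_vector(self):
        self.sqn += 1
        rand = secrets.token_bytes(16)
        sqn = self.sqn.to_bytes(6, "big")
        mac = kdf(self.ki, b"f1", sqn, rand)[:8]       # ties RAND and SQN to a holder of Ki
        xres = kdf(self.ki, b"f2", rand)[:8]            # response the USIM is expected to give
        ck = kdf(self.ki, b"f3", rand)[:16]             # cipher key for the mandatory encryption
        return rand, sqn + mac, xres, ck


class UmtsUsim:
    def __init__(self, ki):
        self.ki = ki
        self.highest_sqn = 0

    def respond(self, rand, autn):
        """Return RES only after the network has authenticated itself and the challenge is
        fresh; None means the USIM rejected the network (fake or replayed challenge)."""
        sqn_bytes, mac = autn[:6], autn[6:]
        expected_mac = kdf(self.ki, b"f1", sqn_bytes, rand)[:8]
        if not hmac.compare_digest(expected_mac, mac):
            return None                                 # challenger does not hold Ki
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.highest_sqn:
            return None                                 # replayed authentication vector
        self.highest_sqn = sqn
        return kdf(self.ki, b"f2", rand)[:8]


def run_umts_round(auc, usim):
    """One mutual authentication; True only when both sides accept each other."""
    rand, autn, xres, _ck = auc.authentication_vector()
    res = usim.respond(rand, autn)
    return res is not None and hmac.compare_digest(res, xres)


if __name__ == "__main__":
    rand = gsm_network_challenge()
    sres, _kc = gsm_sim_respond(KI, rand)
    print("GSM network accepts SIM:", gsm_network_verify(KI, rand, sres))
    print("UMTS mutual round:", run_umts_round(UmtsAuc(KI), UmtsUsim(KI)))
```

In the GSM half, `gsm_sim_respond` has no input it could use to reject a challenger, which is the one-way weakness the text notes; in the UMTS half the USIM refuses a challenge whose MAC was not computed with Ki and one whose sequence number it has already seen, which is what "authentication is mutual" and "protects against replay" amount to in practice.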
In order to provide a measure of security, the IEEE and the IETF have defined WEP (Wired Equivalent Privacy) and VPN (Virtual Private Network).
WEP was designed to provide:
- Authentication, to protect the association to an AP
- Integrity protection on MAC frames
- Confidentiality on MAC frames

In comparison to other network technologies, WEP is insecure. Based on its secret key, which serves as input for the RC4 stream cipher, the authentication and integrity protection are completely insecure and the encryption is at least partly insecure. It is possible for an attacker to intercept a single successful authentication transaction between a mobile station and the AP and then be able to authenticate without knowing the secret keys. Furthermore, since a CRC checksum is used for integrity protection, an attacker can modify the data and adapt the checksum accordingly. For example, if the position of commercially sensitive information (e.g. an amount) within a datagram is known, the corresponding bits can be XORed with any value. With a large number of intercepted frames, the WEP keys can even be recovered, breaking the encryption.
Furthermore, since the WEP keys are network keys, preserving their secrecy is difficult for private networks and impossible for public WLAN hotspots.
In recent work of the IEEE task group on security (TGi), the new security standard IEEE 802.1X has been adopted. 802.1X is a framework for authentication and key management which employs the Extensible Authentication Protocol for a variety of authentication mechanisms, e.g. certificate-based TLS. But the weaknesses of WEP cannot be remedied by the new authentication and key management schemes in 802.1X. The IEEE is currently working towards a new standard (WEP2), and a number of proposals are in circulation.

VPN: the technology applied here, in particular IPsec, establishes network layer security.
The IPsec protocol (or more specifically the ESP Tunnel protocol) is an internet s
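The reason a CRC cannot serve as integrity protection, as the WEP paragraph above states, is that CRC-32 is affine over XOR: the checksum of a modified frame is determined by the checksum of the original and the change alone, so a checksum never has to be recomputed over data the modifier cannot read. A keyed MAC has no such structure. The Python below, an added illustration for this report and not code from the IEEE standards or the SHAMAN project, is the check a reviewer can run against any proposed integrity tag; the sample frame body and the HMAC key are constructed values.

```python
"""Why a CRC is not an integrity check: the affine property test (added illustration).
Sample frame and key are constructed; hmac/zlib are standard-library modules."""
import hashlib
import hmac
import zlib

# Constructed 16-byte frame body holding a commercially sensitive field, as in the text.
SAMPLE_FRAME = b"AMOUNT=00000100;"
# Constructed key for the HMAC comparison; in a real system this would be per-session.
HMAC_KEY = b"example-session-key-do-not-reuse"


def crc32_tag(data: bytes) -> bytes:
    """The kind of tag WEP uses: a 4-byte CRC-32 with no key."""
    return zlib.crc32(data).to_bytes(4, "big")


def hmac_tag(data: bytes, key: bytes = HMAC_KEY) -> bytes:
    """A keyed tag: HMAC-SHA256 truncated to the same 4 bytes so the comparison is like for like."""
    return hmac.new(key, data, hashlib.sha256).digest()[:4]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def tag_is_affine(tag_fn, a: bytes, delta: bytes) -> bool:
    """True when tag(a XOR delta) == tag(a) XOR tag(delta) XOR tag(zeros).

    A tag with this property lets anyone who knows which bits changed derive the new
    tag from the old one without seeing the data, which is exactly what an integrity
    mechanism must prevent. CRC-32 satisfies it for every a and delta of equal length;
    a keyed MAC satisfies it only by chance (2^-32 for a 4-byte tag).
    """
    zeros = bytes(len(a))
    lhs = tag_fn(xor_bytes(a, delta))
    rhs = xor_bytes(xor_bytes(tag_fn(a), tag_fn(delta)), tag_fn(zeros))
    return lhs == rhs


def verify(data: bytes, tag: bytes, tag_fn) -> bool:
    """Constant-time check of a received (data, tag) pair."""
    return hmac.compare_digest(tag_fn(data), tag)


def affine_fraction(tag_fn, frame: bytes, trials: int = 64) -> float:
    """Fraction of single-bit changes to frame for which tag_fn behaves affinely."""
    hits = 0
    for i in range(trials):
        delta = bytearray(len(frame))
        delta[(i // 8) % len(frame)] = 1 << (i % 8)
        hits += tag_is_affine(tag_fn, frame, bytes(delta))
    return hits / trials


if __name__ == "__main__":
    print("CRC-32 affine on all single-bit changes:", affine_fraction(crc32_tag, SAMPLE_FRAME))
    print("HMAC affine on single-bit changes:", affine_fraction(hmac_tag, SAMPLE_FRAME))
```

A tag for which `affine_fraction` returns 1.0 is a checksum for accidental errors, not a protection against a deliberate change; the design consequence, which the later 802.11 work took, is a keyed MAC over the frame and a key that is not shared by the whole network.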
