SYSTEM
BY
CHAPTER ONE
1.1 INTRODUCTION
This chapter provides an overview of the mobile payment system,
an
introduction
to
industry
background
and
the
problem
emergence
of
mobile
phones
and
other
mobile
subscriptions
(ITU,
2009).
The
growth
in
mobile
banking
and
transfer
because
it
stabilizes
the
1.5 OBJECTIVES
consider
the
existing cloud
computing and
NFC
will
enhance
economic
activities
in
Nigeria
if
implemented.
5. It will help researchers in the field.
6. It will provide a common platform for everyone with a mobile
phone or communication device to get connected financially.
7. It will add to existing knowledge in the field.
8. It will enhance I.T proficiency among the public since it
involves the use of a digital communication device.
An application residing in a secure environment performing the
payment functions related to a Mobile Contactless Payment, as
specified by the Mobile Contactless Payment application issuer in
accordance with the payment scheme.
Mobile device
Personal device with mobile communication capabilities such as a
telecom network connection, Wi-Fi, Bluetooth which offers
connections to internet. Examples of mobile devices include mobile
phones, smart
Mobile Network Operator
(MNO)
by software/hardware through a
Mobile payment service
mobile device.
A PSP providing the mobile
issuer
(MRP)
equipment).
An application residing in a
(MRP) application
Mobile service
scheme.
Service such as identification,
payment, ticketing, loyalty, etc.,
made available through a
mobile device.
The provider of a mobile service.
Mobile wallet
A digital wallet accessed through a mobile device. This service may
reside on a mobile device owned by the consumer (i.e. the holder of
the wallet) or may be remotely hosted on a secured server (or a
combination thereof) or on a merchant website. Typically, the
the PSP.
The service provider that issues
credentials".
Network operator
The provider of data connectivity to the consumer and potentially
other services. MNOs and ISPs are examples of network operators.
Communication)
A contactless protocol specified by ISO/IEC 18092.
On-line passcode
Secret data known by the consumer/payer and used for remote
financial services, such as on-line banking, SCT payments, etc., to
verify its identity.
Payer
A natural or legal person who holds a payment account and allows a
payment order from that payment account, or, where there is no
payment account, a natural or legal
order.
Means an account held in the name of one or more payment service
users which is used for the execution of payment transactions.
Payment component
Either a dedicated mobile payment/authentication application and/or
a set of credentials.
Enables the consumer/payer to
Interface (UI)
UI.
Payment gateway
A service operated by a beneficiary's PSP or a trusted third party
that manages the authorisation of payments for merchants. It
facilitates the transfer of information between the
operation
The bodies referred to in Article
1 of the and legal and natural
persons benefiting from the
Payment system
Payment transaction
payment transactions .
An act, initiated by the payer or by the beneficiary, of placing,
transferring or withdrawing funds, irrespective of any underlying
obligations between
POI).
A certified tamper-resistant platform (device or component) capable
of securely hosting applications and their confidential and
cryptographic
Secured Server
Static authentication
Strong authentication
A dynamic authentication method which involves at least two
independent authenticators. This means that
Trusted Execution
Environment (TEE)
(TSM)
Umbrella UI
manager UI.
A method for checking that a user (consumer) is the one claimed.
1.12 ABBREVIATIONS
Abbreviation    Term
C2B             Consumer-to-Business
C2C             Consumer-to-Consumer
CSM             Clearing and Settlement Mechanism
CVM             Cardholder Verification Method
ETSI            European Telecommunications Standards Institute
GP              GlobalPlatform
GSMA            The GSM Association
HSM             Hardware Security Module
IBAN            International Bank Account Number
ISP             Internet Service Provider
MCP             Mobile Contactless Payment
MNO             Mobile Network Operator
MRP             Mobile Remote Payment
MVNO            Mobile Virtual Network Operator
NFC             Near-Field Communications
OS              Operating System
OTA             Over the Air
PAN             Primary Account Number
PC              Personal Computer
POI             Point of Interaction
PSD             Payment Services Directive
PSP             Payment Service Provider
QR code         Quick Response code
SCP             SEPA Card Payment
SCT             SEPA Credit Transfer
SDD             SEPA Direct Debit
SE              Secure Element
TEE             Trusted Execution Environment
TSM             Trusted Service Manager
TTP             Trusted Third Party
UI              User Interface
CHAPTER 2
2.1 Introduction
Money has evolved several times in human history from the days
of the barter trade, from coins to paper, then plastic and now
phones. About 15 years ago, the mobile phone was used for
making calls, playing simple games and texting friends. Today,
mobile phones can be used to access the Internet, make video
calls, take photos, find your location on a map, purchase transport
different
payment
instruments
and
payment
account
information.
on
cloud
computing
and
sheds
light
on
the
provider
interaction[7].
Plummer,
Bittman,
Austin,
traffic,
banks,
security
systems,
public
health
and
expanding
is
stressful
for
IT
management,
thus
the
computing
can
be
defined
as
the
provision
of
infrastructure.
There
are many
and
traditional outsourcing.
Grid Computing
and
virtual
resources
dynamically
assigned
and
to
purchase
new
hardware.
After
new
hardware
is
in
private
cloud,
but,
as
more
employees
use
Public cloud
Private cloud
Community cloud
Hybrid cloud, which combine both public and private
only
be
accessed
locally,
and
the
organizations
IT
that
has
common
concerns
(e.g.
security
to
most
ASPs
maintained
separate
instance
of
the
and
cost
efficiently
to
changes
in
the
business
resource
allocation
can
get
bigger
or
smaller
require
an
ideal
performance,
perfect
platforms
located
in
clouds.
These
centralized
resource
demand
and
supply
in
mobile
devices.
mobile
applications,
the
infrastructure
of
mobile
the
necessary
services
to
mobile
users
such
as
Challenges
Resource Limitations
The main issue with the mobile cloud is the resource limitations of
mobile devices. Compared to desktop computers, they have less
memory, less compute power, and battery capacity limits. The
mobile cloud is often viewed as SaaS, meaning that computation
and data handling are usually performed in the cloud.
The
dynamic
nature
of
application
throughput
devices
sophisticated
have
less
security
computing
algorithms;
power
therefore
to
execute
mobile
cloud
to
enforce
standardized
credential
Solutions
protection
need
to
think
about
partitioning
application
into
lighter
components
that
can
be
processed
simultaneously.
4G Technology
One of the biggest enablers for network reliability in mobile cloud
computing will be the full implementation of 4G Technology, which
will help with issues of latency and bandwidth. HTML5 also allows
specification of offline support, which makes local storage
possible, helping with connectivity interruptions. One example of
an HTML5 benefit is the ability to watch a video without a plug-in
like Adobe Flash or Microsoft Silverlight.
improvements in forms specifications applications.
that
HTML5
benefit
features
mobile
Embedded Hypervisor
An embedded hypervisor will enable cross-platform applications.
The hypervisor allows a web application to run on any smart
phone without being aware of the underlying architecture. Mobile
platforms require the hypervisor to be built in. For example, the
Motorola Atrix has an embedded hypervisor that allows it to run a
wider range of applications, not just those developed specifically
for it.
Security
As mentioned earlier, mobile phones get lost easily. Therefore,
there should be a way to prevent data misuse from lost or stolen
devices. One way is the ability to wipe mobile devices remotely.
Some mobile manufacturers and wireless carriers provide this
feature. The risk of privacy exposure and identity theft can be
reduced by implementing improved protection measures for sharing
data in interconnected systems,
of
security
systems
in
mobile
phones.
Mobile
cloud
that
mobile
app
developers
require.
With
the
Cost Advantages
Building
once
and
deploying
to
many
devices
app stores to distribute their apps, and publish them on their own
private channels.
2.9.2 Frameworks
Developers do not have to create their own code to allow
industry-standard authentication and authorization techniques in
their web applications. For instance, if an application needs to
make use of several OpenID providers (Microsoft Live, Google ID,
Facebook, or Twitter to name a few) on the Internet, the developer
must manually write forking code to understand multiple tokens,
parse them to a canonical structure, and apply authorization rules
before the user is able to access an application functionality.
Some service providers simplify this whole process through simple
settings. All the required implementation is already configured
2.9.6
available,
reliable,
and
high-performance
platform
More Benefits of cloud-based mobile payment solutions
From the merchant's perspective, cloud-based mobile payment
services may be more flexible by avoiding some POS constraints.
For example, the cloud wallet decouples a purchase from the
payment and can support traditional electronic and alternative
payment methods that may offer less expensive payment options
to the merchant. Implementation of the mobile payment solution
may be easier since new POS hardware is not always required.
From the consumer's perspective there are several benefits:
permission
(opt-in)
before
sharing
consumer
2.13
In this section, some typical MCC applications are introduced.
A. Mobile Commerce
Mobile commerce (m-commerce) is business model for
bandwidth,
configurations,
and
high
complexity
security).
of
Therefore,
mobile
device
m-commerce
between
students
and
teachers.
In
this
case,
Varshney
[16]
presents
five
main
mobile
healthcare
be
monitored
at
anytime
and
anywhere
through
blood
requiring
large
computing
resource
(e.g.,
graphic
cramming
is
the
practice
of
placing
unauthorized,
While
cloud
computing
harnesses
the
power
of
increase
reliability,
and
increase
flexibility
by
become
more
service
oriented.
Nevertheless,
grid
Figure 2.2:
et al. 2008)
et
al.
2008).
Thus,
traditional
SaaS
can
be
feature
is
the
elasticity
cloud
computing
offers.
programming
interfaces
(API)
and
automatic
with
the
appropriate
level
of
security
and
identity
developed
and
delivered
in
controlled
white
room
to
cryptographic
determine
everyone
key.
the
except
Cryptographic
output
of
an
holders
keys
encryption
of
are
unique
values
algorithm
that
when
transforming plain text to encrypted text. The longer the key, the
more difficult it is to decrypt the text in a given message. Key
rotation is the process of decrypting data with the old
encryption key and re-keying the data with the new encryption
key.
Encryption
protects
consumer
and
transaction-level
in
the
mobile
phone.
The
original
equipment
Fig 2.3
developers,
independent
of
the
mobile
phone
Industry
analysts
report
that
major
manufacturers
are
making
it
difficult
to
transfer
mobile
payment
inconvenient
for
consumers
when
they
need
to
transfer
(For
example,
Googles
mobile
wallet
payments
as
the
SIM
is
easily
removable.
MNOs
can
also
Fig 2.4
Fig 2.5
Unlike the SIM and embedded secure element options, there are
three ways to issue, provision and distribute an NFC-enabled
microSD card to the consumer:
(1) Card-issuing financial institution provides the microSD card.
(2) Retailer provides a blank microSD card to the end consumer,
similar to a prepaid card.
(3) MNO bundles the microSD with phone or sells it independently
of a phone.
Implementing an NFC-enabled microSD card solution can speed
deployment of mobile contactless payment services by allowing a
antennae.
Communication
conflicts
and
contactless
payments
are
considered
extremely
card
network.
These
values
are
only
valid
for
one
card
provisioning,
using
the
existing
clearing
and
Yet
the
number
of
cross-industry
participants
standards
components
to
and
define
their
applications,
roles
and
means
accesses
that
to
NFC
companies
are
downloadable
applications
for
both
retailers
and
In
this
scenario,
the
communication
between
By
on
recognition
of
radio
resource
availability
in
to
the
limitation
of
wireless
bandwidths,
network
mobility.
They
cause
delays
when
users
want
to
Therefore,
have more
2.20.2
Pardis Pourghomi, Gheorghita Ghinea (2013), (IJACSA) International
Journal of Advanced
will
be
withdrawn
from
his
account
otherwise
PROPOSED MODEL
The authors proposed an extension to previously proposed NFC
Cloud Wallet model. Since there are multiple options applicable to
this model, they designed the model based on the following
assumptions:
SE is part of SIM
Cloud is part of MNO
MNO is managing SE/SIM
Banks, etc. are linked with MNO
These assumptions are appropriate regarding the NFC execution
process and its ecosystem. As mentioned in Section III previously,
SE is in the format of UICC; therefore, SE is part of the SIM. MNO
manages the cloud infrastructure and it is the only party that has
full access and permission to manage confidential data which are
stored in the cloud. As MNO is the owner of the cloud, it fully
manages the SIM in terms of monitoring the GSM network and
controlling the cloud's data. From the financial institutions' point
of view, they only deal with MNO as MNO is the single party that has
full control over the SIM as well as the cloud.
The Proposed Protocol
This proposal is based on cloud architecture where the cloud is
being managed by the Mobile Network Operator MNO. The cloud
and the banking sector are the subsystems of MNO, in addition to
the existing subsystems of an MNO. Assumption is made that the
MNO for customer authentication and shop identification.
Step 5.1: In case of incorrect TMSI, a declined message is sent.
Step 6: In case of correct identification, the MNO generates one
set of authentication triplet (R, S, Kc) and sends R to mobile
device through shop POS terminal.
Step 7-8: SIM computes Kc from R as explained in Section V. SIM
generates a random number Rs and concatenates with R,
encrypts with key Kc and sends it to the MNO through shop POS
terminal.
Step 9-10: The MNO checks the validity of the SIM (or mobile
device). It receives EKc(R||Rs) from the mobile device and
decrypts the message by Kc, the key it already has in the
authentication triplet. The MNO compares R in the authentication
triplet with the R in the response. In case they do not match, a
Stop message is sent to the mobile device and the protocol
execution is stopped. If both R values are the same, then the mobile
is authenticated for a valid SIM. In this case, the MNO swaps R and
Rs, encrypts with Kc and sends it to mobile device.
Step 11-12: This step authenticates the MNO to the mobile
device. The mobile device receives the response EKc(Rs||R) and
Fig 2.6
Step 15-17: The shop POS terminal sends the Total Price (TP) and
the Receipt Number encrypted with Kc2. The user's mobile device
decrypts the information and displays to the user. If he agrees, he
enters the PIN. The PIN is an additional layer of security and adds
trust between the user and the shopkeeper. A PIN binds a user
with his mobile device, so the shopkeeper is to believe that the
user is the legitimate owner of the mobile device. Moreover, the
user feels more secure as no one else can use his mobile device
for transaction without his consent. PIN is stored in a secure
location in the SIM. The SIM compares both PINs and if both are
same, the user is authenticated as the legitimate user of the
mobile device. Otherwise, the protocol is stopped.
D. Phase 3. Transaction
Step 18: The customer's cell phone generates two messages, PI
and TRM, such that:
PI = Receipt No, Total Price, Time Stamp (TSU)
TRM = PI, Rs, Transaction Counter (TC)
Step 19: TSU represents the exact time and date the transaction
has been committed by the user. TC is a counter that is
incremented after each transaction and is used to prevent replay
attack. PI is encrypted with Kc2 so that it can be verified by the
shop POS terminal. The user encrypts the TRM with Kc so that it
cannot be modified by the shop terminal. The user computes MAC
with Kc1 over the TRM using Encrypt-then-MAC approach for
integrity protection.
Step 20-21: The POS terminal can decrypt only the PI encrypted
with Kc2 to check its correctness. The POS terminal does not
need to verify the MAC (and it cannot do so), as it already knows
the main contents of PI. The Shop POS terminal also verifies the
TSU to be in a defined time window. If PI is correct, the POS
terminal relays the encrypted TRM with corresponding MAC along
with the TSU to the MNO.
Step 22: On receipt of the message, the MNO checks the
integrity of the message by verifying the MAC with Kc1. If the MAC
is invalid, the transaction execution is stopped. In case of a valid
MAC, the MNO decrypts the message. The MNO compares the Rs
in the TRM with the Rs received earlier in the authentication
phase. A correct match confirms that the user is the same who
was earlier authenticated. It also verifies the TC and TSU. In case
of successful verification, the MNO communicates with the
concerned subsections for monetary transaction. The concerned
subsections of the MNO check the credit limitations of the user,
and if satisfied, execute the transaction. Once the transaction is
executed, the MNO generates Transaction Information (TI)
message as:
TI = Transaction Serial Number, Amount, TSTr
Step 23-25: The MNO encrypts TI with Kc2, digitally signs the
message and sends it to the shop POS terminal. The POS terminal
verifies the signature. A valid signature indicates correct TI. The
POS also verifies the TI for the amount mentioned in the TI. In
case of successful verification, the POS terminal appends the
message it received from the MNO with the Shopping Details (SD)
and corresponding digital signature.
Step 26: The user verifies both signatures. It verifies the
contents of TI and SD.
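The MNO-side checks of Step 22, applied to a message built as in Steps 18-19, as an added example that is not code from this document or from the cited paper. The cipher is a stand-in (an HMAC-SHA256 counter keystream) because the page names none; the JSON encoding, the 120-second window, the strictly-increasing TC rule and the comparison of the relayed TSU with the one inside TRM are assumptions.

```python
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_trm(kc, kc1, receipt_no, total_price, tsu, rs, tc):
    """Steps 18-19, device side: TRM = PI, Rs, TC; encrypt with Kc, then MAC with Kc1."""
    pi = {"receipt_no": receipt_no, "total_price": total_price, "tsu": tsu}
    trm = json.dumps({"pi": pi, "rs": rs.hex(), "tc": tc}).encode()
    nonce = os.urandom(12)
    ciphertext = nonce + keystream_xor(kc, nonce, trm)
    tag = hmac.new(kc1, ciphertext, hashlib.sha256).digest()  # MAC over ciphertext
    return ciphertext, tag


class MnoSession:
    """MNO-side state kept from the authentication phase (Kc, Kc1, Rs, last TC)."""

    def __init__(self, kc, kc1, rs, last_tc=0, window_s=120):
        self.kc, self.kc1, self.rs = kc, kc1, rs
        self.last_tc = last_tc      # assumption: last accepted counter for this user
        self.window_s = window_s    # assumption: page says only "a defined time window"

    def verify_trm(self, ciphertext, tag, relayed_tsu, now):
        """Step 22: verify the MAC, then decrypt, then check Rs, TC and TSU."""
        expected = hmac.new(self.kc1, ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "stop: invalid MAC"      # nothing is decrypted on failure
        plain = keystream_xor(self.kc, ciphertext[:12], ciphertext[12:])
        trm = json.loads(plain)
        if not hmac.compare_digest(bytes.fromhex(trm["rs"]), self.rs):
            return "stop: Rs mismatch"      # not the session authenticated earlier
        if trm["tc"] <= self.last_tc:
            return "stop: replayed TC"      # counter must move forward
        tsu = trm["pi"]["tsu"]
        if tsu != relayed_tsu or abs(now - tsu) > self.window_s:
            return "stop: TSU rejected"
        self.last_tc = trm["tc"]            # accept and advance the counter
        return "ok"
```

The POS terminal never holds Kc or Kc1, so any byte it changes in the relayed TRM fails the first check before the MNO decrypts anything.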
2.20.3
AND ELECTRONIC PAYMENT SYSTEMS OBSERVATORY (EPSO) MARCH 2002 by
Gérard Carat.
2.20.4
and
securing
mobile
payment:
formal
model,
specifically
designed
for
wireless
environments
is
and
successfully
prove
that
they
satisfy
the
goals
and
enhance
introduced
the security
a
limited-use
of the
key
proposed
generation
protocols,
technique
they
which
ROBUST
CLIENT
VERIFICATION
IN
CLOUD
[Fig 2.7: Proposed Architecture. Blocks: Previous Actions, Knowledge Acquiring protocol, Current Actions, Gaining Algorithm, Client Framework, Gain value]
calls in afternoon. Let F1, F2, ..., Fk represents
genuine user phone book and bad calls represents any incoming
or outgoing calls which are not listed in the memory of the phone
or a SIM card. The client's framework is a multiplication of R
probability function trained on the variable T as instance of time.
Therefore client's framework is,
[P(F1/T), P(F2/T), ..., P(FR/T)]
The knowledge acquiring protocol fundamentally computes such
functions structuring client's model.
THE GAINING PROTOCOL
With a facilitated client's framework and previously known set of
actions of the client, the gaining protocol yields a gain value
representing the probability that the trusted handheld device is
under the control of genuine user. This can also be described as
gaining independent characteristics. The gaining function is
developed in very secure and robust way under the
between the mobile phone and the POS is carried out through NFC
technology that transmits the payment details to merchant's POS.
Customer credentials are not stored in the mobile phone; rather,
they are stored online. Google Wallet takes the form of an
application stored on the customer's mobile phone. The customer
will have an account with Google Wallet which includes the
relevant registered credit/debit cards. Accordingly, the Google
Wallet device has a chip/SE which stores encrypted payment card
information. Linked credit or debit card credentials are not stored
on the SE; rather, the virtual prepaid credit/debit card which is
created during the setup is stored on the SE. The transaction then
operates through the virtual prepaid credit/debit card that
transfers funds from the Google Wallet into the merchant's POS
when the customer taps his phone on the POS.
B. MasterPass
"MasterPass" (Mastercard, 2013; Bodhani, 2013) is a service
which has been developed by MasterCard as an extended version
of PayPass Wallet Services (NFC World, 2013) and provides a
digital wallet service for secure and convenient online shopping.
In MasterPass, delivery information and transaction data are
stored in a central and secure location. The latest MasterPass
provides the following services (NFC World, 2013):
MasterPass checkout services: This service enables the
vendor's payment acceptance in a consistent way irrespective of
the client's location. This means vendors have the ability to
accept a payment without having to know where the client is. For
instance, when the client is in store, he can use this service since
it supports NFC, Quick Response (QR) codes, tags, and mobile
devices to pay for products at a vendor's POS. Thus, in online
shopping scenarios, the client can use this service to pay for a
product without having to enter the card and delivery details
every time he intends to make a purchase.
MasterPass-connected wallets: Vendors, financial institutions,
and partners are able to provide their own wallets using this
service. The client's card information, address books, etc. can be
saved in a secure cloud provided by a party they trust. Thus,
clients can use other credit and debit cards in addition to their
MasterCard cards.
MasterPass value added services: The purpose of this service is
to improve the client's shopping experience before, during and
after checkout. Value added services include account balances,
offers, loyalty programs, and real-time alerts.
REFERENCES
1. European Payments Council. (White paper on mobile payments)
2. Mobile phone as a wallet by Alcatel-Lucent (2010)
3. http://www.gsma.com/digitalcommerce/digital-mobilewallets
4. Cloud Computing
and
Computing
Evolution
MARKUS
URL:
http://csrc.nist.gov/publications/nistpubs/800-
10.
for
dummies.
Indianapolis,
Indiana:
Wiley
URL:
http://wwwen.zte.com.cn/endata/magazine/ztecommunications/2011Year/no1/articles/201103/t20110318_224532.html.
Accessed 07 December 2012.
14. X. Yang, T. Pan, and J. Shen, "On 3G Mobile Ecommerce Platform
Based on Cloud Computing," in Proceedings of the 3rd IEEE
International Conference on Ubi-Media Computing (U-Media),
pp. 198-201, (August 2010).
15. W. Zhao, Y. Sun, and L. Dai, "Improving computer basis
teaching through mobile communication and cloud computing
technology," in Proceedings of the 3rd International Conference
on Advanced Computer Theory and Engineering (ICACTE), vol. 1,
pp. 452-454, (September 2010).
16.
22.
in
Advances
in
Computing
and
(2013).
MasterPass.
Available
at:
https://masterpass.com/online/Wallet/Help?cid=127568.
[Accessed May 12, 2014].
26. Bodhani, A. (2013) New ways to pay [Communications
Near Field], Engineering & Technology, 8(7), pp. 32-35.