Security Issues Associated With Mobile Commerce Information Technology Essay

Security Issues Associated With Mobile Commerce Information Technology Essay The report investigates the current state of the Mobile-commerce based on its security and examines the predicted future developments of the system. A brief background of the M-commerce and its applications is initially outlined. The discussion will then focus on the security issues and solutions based on the five security objectives (standards): Confidentiality, Authentication, Authorisation, Integrity and Non-repudiation. The applications of these security standards will then be applied on two M-commerce applications, both involving mobile transaction: Mobile-Payment and Mobile-Banking. It is concluded that further technological development in M-commerce system will be required, in order to improve the quality of service and ensure the user that such a system is safe to use. Nestor Mfuamba Introduction The term M-commerce (mobile-commerce) derives from E-commerce (e-commerce) which denotes business transactions over the internet. The transactions could be buying and selling goods/services by accessing the internet. Both M-commerce and E-commerce are part of two districts business markets: B2B (Business to Business) and B2C (Business to Consumer), the two distinct from dealing with business for the first and dealing end consumer for the last. From these business concepts, we can see that a B2B market, is more like E-commerce, where a business / user, accessing the internet for business transactions from an unstated devices. The technology used for this system could either be wireline (home PC, end user devices) or wireless (via mobile phones, PDAs, end user devices). In fact the term M-commerce, is all about a wireless E-commerce that is where a mobile device is used to access the internet for business transactions either in B2B or B2C markets. With the ubiquitous availability of mobile phones (other end user devices), M-commerce services have a promising future, especially in the B2C market. Future development applications include buying over the phone, purchase and redemption of tickets and reward schemes, travel and weather information, and writing contracts on the move. However, the success of M-commerce today, very much depends on the security of the underlying technologies. For example, credit card charges for transactions on the internet are 15%, versus 1% for POS (Point-of-Sales) credit card transactions. The chargeback rates grow to 30% digital product are sold. For M-commerce to take off, fraud rates have to be reduced to an acceptable level. As much security can be regarded as an enabling factor for the success of M-commerce applications. In this report, I discuss the security issues associated with M-commerce and their solutions based on two existing M-commerce applications, namely: Mobile Payment Systems: business transactions on the internet require the payments of either goods or services. M-payment systems have different requirements and characteristics than E-payment systems (electronic-payment). Mobile-Banking Systems: types of execution of financial services in the course of which within an electronic procedure the consumer uses mobile communication techniques in conjunction with mobile devices for banking transactions. M-commerce Definition The term m-commerce can be defined in many ways. From own experience and research, m-commerce is just an electronic commerce system that is accessed from mobile phones. Both e-commerce and m-commerce are B2C (Business to Consumer) systems. According to the OECD (Organisation for Economic Co-operation Development), e-commerce follows two criteria that are: Automation of transaction Spatial separation of transactions and delivery By definition m-commerce is a business commerce system using mobile device for business transactions performed over a mobile telecommunication network, possibly involving the transfer of money. Based on research done by Kalkota Ravi and Robinson Maria, they have actually divided m-commerce into five descriptive phases: Messaging m-commerce (SMS)-based m-commerce) Info connectivity m-commerce (web based m-commerce) Transactions m-commerce (strategy for organisations in order to evolve revenue generating mcommerce) Transformation m-commerce (m-commerce is interconnected and implemented into business processes within and between organisations) Infusion -m-commerce (and m-commerce is a normal way to do business this means a culture change from one, in which technology is occasionally handed over to the other one where technology is an accepted part) Technology and Applications The technology of M-commerce is built on several key technologies. They distinguish by their common uses. Mobile phones have developed gradually, making significant changes to their standards, starting from the first generation (analogue phones) to the third generation (3G): first-generation or analogue phones good for voice calls second-generation phones use digital technology and are typical of the average phone in use today 2.5G digital phones support the transmission of data using general packet radio service (GPRS) third generation (3G) digital phones support voice and data transmission at greatly increased speeds 3G supports services that were not possible with earlier technologies: video calls can be made and received from other 3G users video and other types of media can be downloaded to play on your phone 3G phones often have cameras, so you can take and transmit digital pictures location-based services can be accessed in order to see a map of where you are, or find out the nearest garage, restaurant, bank, etc M-commerce developments are focused very strongly on the use of 3G phone technology. Wireless application protocol (WAP) enables mobile devices to browse the internet because the web browsers built into these devices support hypertext markup language (HTML) and extensible markup language (XML) the key languages used for internet content. WAP-enabled devices run microbrowsers. These are applications that suit the: small screen and small memory size of handheld devices low bandwidths that are a feature of wireless networks for handheld devices Another important m-commerce technology is short message service (SMS), also known as texting. This popular service allows short text messages of up to 160 characters to be sent from and to mobile devices at a low cost. This has a wide application in m-commerce technology. Improvements to the service, such as T9 predictive text to help you type faster, have helped to improve the service, and a number of enhancements such as enhanced messaging (EMS) led to multimedia messaging service (MMS) messaging. With an MMS-enabled phone, you can: take digital photographs and store photographs on the internet send and receive full color pictures add a text message to your picture send and receive voice clips purchase pictures and sounds from the internet have enhanced polyphonic ringtones Mobile Application Types Communications: E-mail Clients IM Clients Mobile Web and Internet Browsers News/Information Clients On-Device Portals (Java Portals) Social Network Clients Games: Puzzle/Strategy (e.g., Tetris, Sudoku, Mah-jong, Chess, Board Games) Cards/Casino (e.g., Solitaire, Blackjack, Roulette, Poker) Action/Adventure (e.g., Doom, Pirates of the Caribbean, Role-Playing Games) Sports (e.g., Football, Soccer, Tennis, Basketball, Racing, Boxing, Skiing) Leisure Sports (e.g., Bowling, Pool, Darts, Fishing, Air Hockey) Multimedia: Graphics/Image Viewers Presentation Viewers Video Players Audio Players Streaming Players (Audio/Video) Productivity: Calendars Calculators Diary Notepad/Memo/Word Processors Spreadsheets Directory Services (e.g., yellow pages) Banking/Finance Travel: City Guides Currency Converters Translators GPS/Maps Itineraries/Schedules Weather Mobile System Architecture The figure bellow shows the architecture of an m-commerce system: from the design, we can clearly see that a user/client access the web via an xml server connected to a database. Figure1. Proposed M-commerce system architecture Mobile devices The applications of M-commerce can be implemented on different kinds of end user devices other than only mobile phones: Mobile phones PDA (Personal Digital Assistant) Smart phone the smart phone combines mobile phone and PDA technology into one device Laptop Earpiece device such as Bluetooth (as part of a Personal Area Network) The choice of devices in M-commerce is mainly based on the device features, and network technology used for transmission, the last allows the bandwidth capacity to vary and influence the kind of services the end user is able to receive. In mobile phones, the technology differs from other end user devices by their ability to have internal smart cards that determine their memory capacities. Nowadays, three solutions exist: Single SIM widely used around the world and confidential user information is stored one smart card. Dual Chip, means two smart cards in one mobile phone, as one used for user authentication to the network operator as the other, is used for value-added services such as m-payment or digital signature. Dual Slot, this type of mobile phones, has a SIM card and card slot for fully-sized external smart card. This solutions consists on using different cards one after the other. e.g. POS and ATM terminals. M-commerce vs. E-commerce This part of the report doesnt compare the two business systems. However, present advantages and disadvantages of M-commerce system over and E-commerce system. As defined in part 1.1., M-commerce is subset of the E-commerce but using end user devices as transaction platforms. The following list summarises, the advantages: Accessibility accessibility is related to ubiquity and means that the end user is accessible anywhere at any time. Accessibility is probably the major advantage by comparison with E-commerce applications involving a wired end user device. Ubiquity the end user device is mobile, that is, the user can access M-commerce applications in real time at any place. Security depending on the specific end user device, the device offers a certain level of inherent security. For example, the SIM card commonly employed in mobile phones is a smart card that stores confidential user information, such as the users secret authentication key. As such, the mobile phone can be regarded as a smart card reader with smart card. Localisation a network operator can localise registered users by using a positioning systems, such as GPS, or via GSM or UMTS network technology, and offer location- dependent services. Those services include local information services about hotels, restaurants, and amenities, travel information, emergency calls, and mobile office facilities. Personalisation mobile devices are usually not shared between users. This makes it possible to adjust a mobile device to the users needs and wishes (starting with the mobile phone housing and ringtones). On the other hand, a mobile operator can offer personalised services to its users, depending on specified user characteristics (e.g. a user may prefer Italian food) and the users location (see above). Convenience the size and weight of mobile devices and their ubiquity and accessibility makes them an ideal tool for performing personal tasks. Along with these advantages, we also have disadvantages, the following list summarises, the facts: Mobile devices offer limited capabilities between mobile devices these capabilities vary so much that end user services will need to be customised accordingly. The heterogeneity of devices, operating systems, and network technologies is a challenge for a uniform end user platform. For this reason, standardisation bodies consisting of telecommunication companies, device manufacturers, and value-added service providers integrate their work (see Section 4.5). For example, many current mobile devices implement an IP stack to provide standard network connectivity. At the application level, the Java 2 Micro Edition (J2ME) offers a standardized application platform for heterogeneous devices. Mobile devices are more prone to theft and destruction. According to a government report, more than 700000 mobile phones are stolen in the UK each year [12]. Since mobile phones are highly personalised and contain confidential user information, they need to be protected according to the highest security standards. The communication over the air interface between mobile device and network introduces additional security threats (e.g. eavesdropping, winds etc †¦). Security Concept and Challenges The concept of security in M-commerce is the most important aspect of a business that a mobile-system should respond to. There is no need to implement, such system without securing its environment, especially where transactions involve monetary value. Different views from participants in an M-commerce scenario, percept, security and privacy as major factors for markets breakthrough of the according system. Moving from participants point of views, I have defined five security objectives / standards that a system should respond to: Confidentiality: ensure privacy, the content of the transaction cannot be viewed by unauthorised persons and enables encryption. Authentication: ensure that the content of the transaction originates from the presumed sender/partner. Integrity: ensure that the content of transaction is not modified during the delivery and cannot be altered at any time. The technique used is called digital signatures. Authorisation: ensure that anyone involved in the transaction must be recognize and verified in order to authorize/allow the transaction to take place. It is more like digital certificates. Non-repudiation: no-one should be able to claim that any transaction on his/her behalf was made without their knowledge. The concept of digital signatures is applied. This standards dont just apply to end user devices, but to the whole systems involving device users, network (e.g. WAP, WEP), financial and administrative institutions (e.g. banks, governments etc.). I have identified, few security challenges related to the system: The mobile device confidential user data on the mobile device as well as the device itself should be protected from unauthorised use. The security mechanisms employed here include user authentication (e.g. PIN or password authentication), secure storage of confidential data (e.g. SIM card in mobile phones) and security of the operating system. The radio interface access to a telecommunication network requires the protection of transmitted data in terms of confidentiality, integrity, and authenticity. In particular, the users personal data should be protected from eavesdropping. Different security mechanisms for different mobile network technologies (i.e. in 2G, 3G, and other systems) were explained in part 2.2 The network operator infrastructure security mechanisms for the end user often terminate in the access network. This raises questions regarding the security of the users data within and beyond the access network. Moreover, the user receives certain services for which he/she has to pay. This often involves the network operator and he/she will want to be assured about correct charging and billing. The kind of M-commerce application m-commerce applications, especially those involving payment, need to be secured to assure customers, merchants, and network operators. For example, in a payment scenario both sides will want to authenticate each other before committing to a payment. Also, the customer will want assurance about the delivery of goods or services. In addition to the authenticity, confidentiality and integrity of sent payment information, non-repudiation is important. Threats scenarios In this part, I am going to present major threats to security based on the M-commerce security standards and address ideal scenarios, observed during each methods. The following list shows the threats: Money thefts: as long as, m-commerce involves transaction, driven by monetary values. The system will always attract hackers, crackers and anyone with the knowledge of exploiting and abusing the system. They often set fake websites, in order to extract customers personal data, credit card details etc. Threats to the system: mobile devices are not spared from those deceptive methods of stealing information. Viruses, Trojans, Worms are often planted by individuals for reasons known best to them alone, in order to compromise the credibility of all m-commerce system. Threats observed during authentication: Observation: An adversary can download the client on a laptop/desktop and use its insecurities for malicious purposes. An adversary can obtain the user credentials stored on the mobile phone by transferring the contents to pc/laptop from the phone or memory card. An adversary can register with valid details of a valid bank account holder and access his/her account details or make transactions. An adversary can access user credentials directly from the phones folders or from phones memory card. An adversary can obtain the new PIN for transacting using the weak forgot password feature or an adversary can change the password/PIN of a valid user without authentication/authorization. An adversary can use the auto-complete feature to access a valid users account. An adversary can guess weak passwords/PIN to retrieve customer information. Ideal scenario: An adversary can download the client on laptop/desktop and use its insecurities for malicious purposes. An adversary can use the auto-complete feature to access a valid users account. The customer has to first register with the bank. Customer details like full name, postal address, e-mail address, bank account details and mobile phone number should be provided. The bank would inform the vendor to push the mobile client application to the mobile number provided by the customer. This can be done through a system which communicates between the server at vendor end and bank end. The vendor enters the mobile number of the customer and the client application is pushed to it. This ensures that the client is not downloaded to a pc or laptop and misused. In case the push is not possible, the customer has to be informed and the client application installed by the vendor. The application has to ensure that during installation a few checks are done Transfer the banks and vendors public key for encryption purposes. There can be two keys generated for the vendor; one for storage and one for data transmission. The client files/folders are installed on the phone and not in the memory card. The files and folders should be restricted from being transferred to a memory card or pc/laptop. The access to these files should only be through the executable and not directly. The installer should be removed after installation. Application should not allow auto-complete feature. Threats observed during transactions Observation: Based on the services provided to the customer the following threats can be observed: An adversary can sniff the contents of transaction and obtain confidential information. An adversary can bypass authentication controls. An adversary can make bogus shopping or purchase transactions for another valid customer. An adversary can view the account details of another user. An adversary can modify the from account and amount field during a fund transfer process. An adversary can predict the session id and perform transactions as a valid user. An adversary can access a valid account using an active session which has not been terminated after a long time of inactivity. An adversary can login using his credentials and view/modify the details of another valid customer. Illegal/Invalid transactions can be performed without continuous authentication process for each transaction. Ideal scenario An adversary can sniff the contents of transaction and obtain confidential information. All transactions should be through a secured connection. Data transmitted between the client application and the vendor server should be through HTTPS or another secured channel and also encrypted through the vendors transport public key. The data flowing back from vendor sever to the client should be through HTTPS or a secured channel. The data flowing between the vendor server and bank server should be through HTTPS. Also the customer details, which are not required by the vendor, should be encrypted using the banks public key. The return should be through HTTPS. Any data flowing between bank/vendor to other third parties or merchants like for mobile shopping should be through a secured payment gateway. An adversary can bypass authentication controls, Illegal/Invalid transactions can be performed without continuous authentication process for each transaction and view the account details of another user. Each transaction or operation should be authenticated either using a single layer or a dual layer. The vendor side application should authenticate the customer using the PIN for non-critical operations. Validation checks should be in place to ensure that this authentication control is not bypassed. For critical transactions, there can be dual authentication mechanism, one using the PIN at the vendor and other using the Internet banking ID at the bank side. Validation checks should be in place to ensure that this authentication control is not bypassed. An adversary can make bogus shopping or purchase transactions for another valid customer. An adversary can modify the from account and amount field during a fund transfer process. For example, in a fund transfer operation the bank should ask for the Internet banking credentials from the customer for authentication and verification. Also checks need to be in place to ensure that the from account field cannot be modified or the amount field is not negative. An adversary can predict the session id and perform transactions as a valid user. For example, an adversary can access a valid account using an active session which has not been terminated after a long time of inactivity and login using his credentials and view/modify the details of another valid customer.In mobile shopping operation, the payment should be through a secured payment gateway. Ideally, the vendor should not store the details of the shopping done by the customer. In case the vendor performs the payment for the customer for his/her purchases, then only the details need to be stored at the vendor. Then the customer authorizes the bank to transfer the amount to the vendors account for making the payment to the merchant for his/her item. Having a good session management mechanism ensures that attackers dont use a valid session id for login purposes. Also the application should ensure that users are not able to change the data and view another customers details. Other possible threats: An adversary can upload malicious files to the server/application. Ideally, a mobile banking scenario would not require a customer to upload files to the server. Hence the same can be disabled for customers. An adversary can obtain the confidential customer data and source code from the server. All customer data and application source code at the vendor server should be protected not only from the outside attackers, but from internal users/developers also. Malicious activities are undetected. Audit trails and logging need to be maintained for the application which mentions the customer name, bank details and transaction performed with time and date for future reference. An adversary can obtain the details of the server or error messages provide information for the adversary to perform specific attacks. The application should ensure no messages are provided to the outside world which would reveal information about the system. An adversary can obtain the vendor private key from the server to perform man-in-the-middle attacks. The private keys should be stored securely and access should only be given to the application to use the keys during any kind of operations. Security Technology This part of my report focuses on the network technologies, which are relevant to a secure M-commerce system. The security itself focuses on three aspects, studied in the IST SHAMAN project: M-commerce network security, Transport layer security and Service security. The IST SHAMAN has studied the security architecture of current and potential future mobile systems. Here, they are discussed: M-commerce Network Security GSM (General System for Mobile Communication): established in the early 1990s, the GSM is the first generation mobile phones and major device for M-commerce. The devices presented strong limitations with respect to their capabilities other than telephony. In term of data service, the dial-in data sessions over circuit switched connections were possible but relatively slow, at 9, 6 Kbits/s and required a separate device such a computer, which reduced its mobility. As the GSM core network extended, a number of data services where established such as: The Short Message Service (SMS) The Wireless Application Protocol (WAP) allowing internet access The High Speed Circuit Switched Data (HSCSD) providing higher data rates The General Packet Radio Service (GPRS) extends GSM with packet oriented services The figure, below shows an architecture of GSM, including GPRS, IN (Intelligent Network) and SMS. Figure 2: GSM Architecture What is the scenario in this architecture and what does the GSM provides as security features? The mobile station communicates over the wireless interface with a base transceiver station (BTS) which is part of a base station subsystem (BSS). The base station controller (BSC) is connected with a MSC (Mobile Switching Centre) and a SGSN (Serving GPRS Support Node). The latter two are the central switching components for circuit and packet switched data. When a customer subscribes, the GSM home network assigns the mobile station a unique identifier, the international mobile subscriber identity (IMSI), and an authentication key Ki. The IMSI and the secret authentication key Ki of the mobile station (MS) are stored in the SIM (subscriber identity module), which is assumed to be tamper proof. On the network side, the IMSI, Ki and other information are stored in the HLR (Home Location Register) and AuC (Authentication Centre). GSM provides the following security features for the link between the mobile station and the network: †¢ IMSI confidentiality †¢ IMSI authentication †¢ User data confidentiality on physical connections †¢ Connectionless user data confidentiality †¢ Signaling information element confidentiality In general, the security architecture of GSM, presents basic security mechanisms for M-commerce systems. The authentication towards the network, from a mobile customer is based on a secret ki that will derive to a symmetric key, used to encrypt the link between the mobile station and the BTS. The secret key ki is never sent over the network. From there, we can say that GSM presents two weaknesses, Authentication and Encryption as it is optional. UMTS (Universal Mobile Telecommunication System): the security architecture of UMTS is designed to fix the security weaknesses of GMS. In UMTS, authentication is mutual, and encryption is mandatory unless the mobile station and the network agree on an unciphered connection. In addition, integrity protection is always mandatory and protects against replay or modification of signaling messages. UMTS introduces new cipher algorithms and longer encryption keys. Thus, UMTS doesnt seem to have any security weaknesses. The architecture of this technology is depicted below: Figure 3  : UTRAN system WLAN (Wireless Local Area Network): The IEEE standard 802.11 specifies families of WLANs which operate in the unlicensed 2.4 GHz and 5 GHz band. The standards specify the physical layer (PHY) and the medium access control layer (MAC). When operated in the infrastructure mode, the mobile station attaches to an AP which provides connectivity to fixed net IP networks (e.g. the internet) or to other mobile stations. While, in the default mode, WLAN is not secured, this means: there is a possibility of an eavesdrop attack. In order to provide a measure of security, the IEEE and IETF, have defined the WEP (Wireless Equivalent Privacy) and the VPN (Virtual Privacy Network). WEP was designed to provide: Authentication to protect the association to an AP Integrity protection on MAC frames Confidentiality on MAC frames In comparison to other network technologies, the WEP is insecure. Based on its secret key, that serves as input for the RC4 stream cipher, the authentication and integrity protection is completely insecure and encryption at least partly insecure. There is a possibility for an attacker to intercept a single successful authentication transaction between a mobile station and the AP and be able to authenticate without knowing the secret keys. Furthermore, since a CRC checksum is used for integrity protection, an attacker can modify the data and adapt the checksum accordingly. For example, if the position of commercially sensitive information (e.g. an amount) within a datagram is known, the corresponding bits can be ex-ored with any value. With a large number of intercepted frames, the WEP keys can even be recovered, breaking the encryption. Furthermore, since the WEP keys are network keys, preserving their secrecy is difficult for private networks and impossible for public WLAN hotspots. In recent work of the IEEE Task group on security (TgI), the new security standard IEEE 802.1X has been adopted. 802.1X is a framework for authentication and key management which employs the Extensible Authentication Protocol for a variety of authentication mechanisms, e.g. certificate based TLS. But the weaknesses of WEP cannot be remedied by the new authentication and key management schemes in 802.1X. The IEEE is currently working towards a new standard (WEP2), and a number of proposals are in circulation. VPN: the technology is employ to particular IPsec, in order to establish network layer security. The IPsec protocol (or more specifically the ESP Tunnel protocol) is an internet s