A Risk Assessment Framework for Mobile Payments

Roger Clarke **

Outline of 31 January 2011

Prepared for a seminar in the Information Technology Department of Bond University, on 11 February 2011

© Xamax Consultancy Pty Ltd, 2007-11

This document is at http://www.rogerclarke.com/EC/MP-RAF-1102.html

The accompanying slide-set is available in
PowerPoint (1.8MB) or PDF (13.5MB)

Abstract

Progress in Mobile Commerce is heavily dependent on effective and reliable payment mechanisms. Security concerns loom as a major impediment to widespread and rapid adoption, and there is accordingly an urgent need for a framework within which security issues in mobile commerce can be evaluated. This paper draws on lessons from prior payment mechanisms, and applies risk assessment theory, in order to develop such a framework. It provides insights into the use of the framework by performing a test application. Implications for policy, practice and research are drawn.

The presentation draws on the following papers:

Clarke R. & Maurushat A. (2007) 'The Feasibility of Consumer Device Security' Submission to the Australian Securities and Investments Commission (ASIC) in relation to its Review of the Electronic Funds Transfer Code of Conduct, April 2007, at http://www.rogerclarke.com/II/ConsDevSecy.html

Clarke R. (2008) 'A Risk Assessment Framework for Mobile Payments' Proc. 21st Bled eCommerce Conf., June 2008, pp. 63-77, at http://www.rogerclarke.com/EC/MP-RAF.html

Resources

The presentation draws on a working paper on The Feasibility of Consumer Device Security, co-authored with Alana Maurushat, (currently at UNSW in Sydney, but previously in the Faculty of Law at the University of Hong Kong).

General References

• Mobile Commerce (Wikipedia Entry)
• Mobile Payment (Wikipedia Entry)
• Mobile Phone

Relatively Secure Payment

• HKSAR Treasury Advice re Internet Banking in Hong Kong (Requires the identifier and the authenticator - and possibly a second authenticator - and all transactions are encrypted end-to-end from the device to the financial institution)

Relatively Very Insecure Payment

• Octopus Card ("Users simply wave their Octopus over a reader, and the correct amount will be deducted automatically")

Variously Reasonably Secure and Insecure

• Mobile Phone / Contactless-Chip / RFID / 'NFC' - Near Field Communications (The degree of security depends on the implementation. It can range from 'Very Insecure' - possibly requiring no confirmation in order to relieve people of money in the most convenient manner possible, via 'as Insecure as a credit card', to - maybe - 'as Secure as Internet Banking')
  • the Sony Felica Card (used for HKSAR's Octopus) and for Osaifu-Keitai - the Japanese 'Wallet Mobile'
  • UK RingGo parking payments by mobile phone ("When you first use RingGo we will store some - but not all - of your credit card details in our secure data vault. The next time you phone we can retrieve this information, giving you the opportunity to use the same card again. We will simply ask you for the missing elements of data that we are not allowed to store")
  • Australia - Telstra / NAB / Visa payWave Trial in Early 2008? and: "If stolen, the NFC-enabled phones must be reported stolen immediately -- similar to a credit card. "But of course, in the same way as if your credit card was stolen, there is consumer protection and you would not be left out of pocket," she said. Larger purchases must be authorised by a PIN (personal identification number) ... -- and the trial will help us find the right level, but we are envisaging less than $30 to $50" (Melbourne Herald-Sun of 1 Sep 2007)

Acknowledgements

Earlier versions of this seminar were presented at the University of Hong Kong on 25 October 2007, at the Victoria Uni of Wellington on 1 May 2008, and at the Bled eConference in Slovenia on 17 June 2008.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.

Personalia

Photographs Presentations Videos

Access Statistics

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax. From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021. Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer

Xamax Consultancy Pty Ltd ACN: 002 360 456 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 6916

Created: 19 March 2008 - Last Amended: 31 January 2011 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/MP-RAF-1102.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy