Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Mobile Payment Security'

Can Mobile Payments be Secure Enough?

Roger Clarke **

Outline of 23 October 2007

Prepared for an address in the ECom-IComp Experts Address Series at the University of Hong Kong, 25 October 2007

© Xamax Consultancy Pty Ltd, 2007

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/EC/MPS-071025.html

The accompanying slide-set is at http://www.rogerclarke.com/EC/MPS-071025.ppt


Abstract

From the very beginning of the first wave of Internet commerce in the late 1990s, Internet payment mechanisms were a serious impediment to adoption. Many approaches have been tried, but most payments continue to depend on credit cards - a scheme that was inherently flawed when it was launched in 'meatspace' and sits very uncomfortably in the fixed-connection / PC / wired era.

The current wave of eCommerce is mobile / handheld / wireless. People expect to do everything quickly, simply and intuitively. It appears that many categories of modern consumers have a cavalier attitude to risk even when making payments, and particularly when making frequent payments of relatively small sums of money.

This presentation highlights the risks that consumers face, and asks whether the perception of riskiness will impede the adoption of MCommerce.


Commentary on the Slide-Set

Mobile Payment Excitement

Slides 3-6: The chip inside Hong Kong's Octopus Card, which has been in use for a decade, is now inside many Japanese mobile phones. RFID Tags for paying road tolls are well-established. Visa has announced trials of its payWave and MicroTag technologies, embedded in key-rings (which some might think is still not as good as a design for a ring worn on the hand that was around well over a decade ago).

Slides 7-9: Other approaches, such as those from Paybox, PayPal and RingGo, let people use their mobile phones to communicate payment instructions. Common to all of these schemes are security weaknesses that represent risks to the consumer.

Payment Systems Before the Network Era

Slides 10-14: It's valuable to look back at where we've been. We understand the advantages and disadvantages of cash, and cheques and direct credits and direct debit arrangements. That includes the security issues and who bears what risks.

Slides 15-16: Then we invented the credit-card. Even when used at points-of-sale, it provided only low-grade security. The insecurity is much more problematical in MOTO (mail-order, telephone-order) transactions, also known as 'card not present'. But the convenience was greatly appreciated by consumers, and merchants were forced to pay both for the infrastructure and the losses arising from fraud.

Payments in the Network Era

Slides 18-20: The approach taken with ATM services was very different. Similarly, debit-cards use money from the consumer's own account (whereas a credit-card transaction borrows someone else's money). Such schemes involve stronger forms of authentication, usually a PIN, which needs to be protected both by the consumer and by the design of the EFT/POS system.

Slides 21-22: Credit-card transactions over the Internet, on the other hand, adopted the same low-security approach as MOTO transactions, although the transmission of credit-card details has increasingly been protected using channel encryption (SSL/https). The attempt to impose much tighter security through SET foundered.

Slides 23-24: Internet Banking has matured into a relatively secure set of services. Debit transactions over the Internet are finally emerging. The process leverages off existing Internet Banking infrastructure and hence provides (most of) the protections that apply in that context.

Slide 25: A range of other payment schemes were proposed in the enthusiastic days of the mid-to-late 1990s, including electronic cash, micro-payment, electronic payment instructions and stored-value cards. None survived, but successors to them are putting in an appearance. They too vary from highly insecure to moderately secure.

Slides 26-28: As we glide into the mobile payments era, using a wide array of wireless networks, we inherit the characteristics of the payment schemes that are already in place. Most significantly, credit-card payment is seriously insecure - even moreso when conducted using handheld consumer devices. In many case, debit-card payments may also prove to be much more susceptible to fraud, because of the context in which data is captured, and the reduced capacity of handheld devices to implement the protections that are expected in Internet Banking applications.

Security Analysis

Slides 29-33: The most apparent threat is unauthorised transactions, variously through errors, rogue devices, rogue transactions, and capture of authenticators by malware that has been infiltrated into the consumer device.

Slides 34-36: There is an enormous range of vulnerabilities in consumer devices, and many forms of malware payload can be delivered via several different vectors. Consumers cannot be expected to take responsibility for infrastructure that they neither understand nor control.

Slides 37-38: Key elements of a secure approach to Mobile Payment can be described. But a glance at the features of the exciting new payment mechanims that were scanned at the beginning of the presentation suggests that few of the requirements are satisfied by the approaches that are currently being proposed, developed, deployed and in some cases even used.

Conclusions

Slides 39-44: There are a number of things we need to know before we can judge whether mobile payment mechanisms are secure enough to attract consumers to use them in the first place and to keep them comfortable with using them once they've started. There is also a dire need for the providers of technology aand services to take responsibilty for the insecurities inherent in their schemes, and not try to impose liabilities on consumers.

Mobile payments can be faster, more convenient and less of an obstacle - not only for consumers but for thieves too.


Resources

The presentation draws on a working paper on The Feasibility of Consumer Device Security, co-authored with Alana Maurushat, (currently at UNSW in Sydney, but previously in the Faculty of Law at the University of Hong Kong).

General References

Relatively Secure Payment

Relatively Very Insecure Payment

Variously Reasonably Secure and Insecure


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 29 September 2007 - Last Amended: 23 October 2007 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/MPS-071025.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy