Ecommerce Transaction in Mobile Computing Environment

This document discusses ecommerce transactions in a mobile computing environment. It describes how technologies like SIM Application Toolkit and Wireless Application Protocol enable new user-friendly value-added services via mobile phones. These technologies attempt to provide internet access and a platform for accessing web content on mobile devices. The document also outlines several promising mobile ecommerce services like mobile banking, and discusses the technologies and architectures used to provide these services.

Uploaded by

khsheth

ECOMMERCE TRANSACTION IN MOBILE COMPUTING ENVIRONMENT

ABSTRACT

Ecommerce transaction on mobile consists of exchanging information and
conducting transactions by means of mobile devices. One such service is mobile
banking, which offers the user the possibility to inquire about personal bank
accounts and stock exchange information as well as to transfer funds from one
account to another. Advanced technologies such as the SIM Application Toolkit
and the Wireless Application Protocol enable new user-friendly value-added
services via mobile phones. Various technologies and the possible services that
can be built upon them are described in this paper. I conclude by drawing out
possibilities for market evolution and technologies in the area of Ecommerce in
the mobile computing environment and will make a link to the multimedia
services over UMTS.

Chapter 1:
Introduction

Various technologies try to function as enablers in the mobile arena for the
service providers who want to offer value-added services (VAS): the SIM Toolkit
(STK) technology, which is based on loading applications on the operator's SIM
card inside the mobile terminal; the Wireless Application Protocol (WAP)
technology, which attempts to provide Internet access for the mobile by
providing a generic platform for accessing Web content in a reduced form; and
the Compact HTML (CHTML) language, which intends to bring full Internet
capabilities to the mobile channel. CHTML is seen as a possible future evolution
of WAP. Both STK and WAP technologies are available today.

All these technologies try to mirror in the mobile domain the business models
that have emerged on the Internet as electronic commerce (eCommerce) [1,2,3].
However, digital mobile communications have several competitive advantages with
respect to fixed-net eCommerce that favor the offering of value-added services
over mobile. These include the mobility feature, independence from time and
place, real-time reception of data whenever it is produced, easy end-user
reachability, and other mobility requirements [1,2,3]. These advantages not only
make mobile eCommerce possible, but also function as enablers for the overall
migration from physical to electronic commerce. That is, mobile eCommerce not
only provides a channel for mobile communications but also provides a driver for
the adoption of mobile eCommerce. This paper explores in greater detail the
services, as well as the main technical and market trends that will determine
these future mobile eCommerce offerings.

Chapter 2:
Mobile Ecommerce Services

Mobile eCommerce applications contain a large variety of services. Example
services are the sale and purchase of goods, e-mail, phonebook, the weather,
city navigation, dictionary, ordering food, travel information, the news, sports
information as well as ticketing, etc. [1]. These are all promising value-added
services. Mobile banking is stated to be the most promising mobile eCommerce
service. Mobile banking encompasses both information retrieval services and
transaction services. Payment services are considered to be a subset of banking
services. Possible information retrieval services are inquiries about personal
bank accounts and stock exchange information [1]. Possible mobile banking
transactions are payment of electronic bills, transfer of funds between
accounts, sale and purchase of products and secure transfer of credit and debit
card information to merchants [2]. In addition, other fields of interest include
reporting systems that give mobile personnel access to enterprise data via the
mobile channel. For example, sales personnel could access sales reports by
selecting items in a menu, with a server application that feeds their mobile
display with the appropriate data from a back-end system. Also as a form of
reporting system, VAS could provide the end-user with logistics information,
e.g. the location of a parcel sent by an express mail service. Here the bridge
between the application server and business support systems such as SAP is
crucial [1]. All these services would have a reasonably high utilization today.
In order to address this issue, various bodies around the world have tried to
set the framework for the deployment of mobile VAS. Below I present the most
comprehensive approaches available today. These are not mutually exclusive and
can actually complement each other in different areas.

Chapter 3:
Technology

3.1 SIM Application Toolkit (STK)

The SIM Application Toolkit is part of the GSM Phase 2+ standard and has been
delivered with almost every new GSM phone since late 1998. It offers the
programmer a defined set of standardized commands. The commands include
addressing the handset (say, for display, text, wait, etc.), addressing the user
by requesting or receiving input, setting up interactive menus on the handset
and controlling access to services by means of passwords. With this set of
commands, applications can be defined that run on the SIM card. These
applications can be dynamically downloaded to and removed from the SIM card of
the mobile user. For transportation of applications and data to and from the
SIM card, STK technology relies on the short message service (SMS).

The STK supports the usage of external smartcards. Applications running on
any external smartcards are controlled by the SIM card.

The main advantage of STK is its availability on the market and the widespread
existence of STK-capable handsets and SIM cards. As soon as operators exchange
the GSM Phase 2 SIM cards in the marketplace for STK-compliant SIM cards, the
number of possible VAS customers will increase considerably [1]. A drawback of
STK is its inability to offer attractive access to the Internet, which is
deemed to be the future market driver for mobile VAS.

3.2 Wireless Application Protocol (WAP)


As opposed to STK, WAP claims to offer Internet-like access on mobile phones
[1]. WAP was standardized by the WAP Forum and is included in the Mobile
Execution Environment (MExE) work being performed by ETSI SMG4 [1]. WAP's main
building block, discussed below, is the Wireless Markup Language (WML), which
forms the basis of WAP micro-browsers for mobile phones.

The Wireless Markup Language is a page description language close to HTML
(Hypertext Markup Language), which is used to build sites on the Internet. The
commands of WML are a subset of HTML. Page descriptions in WML require less data
and have been tokenized in order to provide further reduction in data traffic
[1]. These reductions are necessary as today's WAP phones have limited storage
capacity and the speed available for data transfers over mobile networks does
not favor the transport of large amounts of data. Reducing the necessary volume
therefore ensures reasonably fast access to applications and sites from the
mobile phone. Similar to Internet access on a PC, a WML browser is needed for
the access and support of applications in the WAP context.

As with STK, WAP data can be transported using SMS, or even circuit-switched
data. If a lot of data is transported over SMS channels, VAS will eventually be
financially uninteresting for customers of operators that levy a relatively high
price for these channels. WAP VAS will most likely take off with packet data
services such as GPRS (Generalized Packet Radio System), announced for mid-2000.
GPRS will bring about increased data rates for a lower perceived cost per byte
to the user [1]. Packet data will act as an enabler not only for WAP but for all
mobile Internet-driven technologies [1]. However, Internet access will at first
be through the first versions of WAP, and the WAP Forum will most likely try to
evolve WAP in such a way as to provide full Internet access. Since WAP does not
depend on the underlying mobile communication standard, service providers have
access to a potentially broader and international community of end-users. With
WAP the operator can provide the link to either a WML server containing the
requested information sites written in native WML, or content filters and
proxies that translate Internet content into WML.

Chapter 4:
Architecture

Value-added services may be built using a classic client-server three-tier
architecture with an enhanced transport component between the mobile device
(client) and the application server of the service provider (server) [1]. The
exact architecture depends on the technology used (STK or WAP).

4.1 SIM Application Toolkit Architecture


In an STK-based solution the transport component consists of an over-the-air
(OTA) center, which monitors the uploading and downloading of front-end
applications to the SIM card of the user, and an SMS service center, which
prepares messages for transportation, as shown in Fig. 1. The mobile phone acts
as a thin client containing only the menu-driven user interface as well as
security algorithms for end-to-end security. Behind the application server lie
the data servers of the service provider storing the required information.

The STK server relays information requests to the back-end servers of the service
providers where data is gathered and stored for the VAS. As with other
distribution channels, the STK server incorporates the gateway function to the
information systems of the service provider.

The OTA takes care of transferring application information and data between the
SIM and the STK server. The OTA is moreover the place where information about
the service usage may be gathered for billing. This architecture component is
usually the property of the mobile operator, and the OTA can be used for other
SIM-related tasks. As indicated in Fig. 1, there are two possible models of
ownership that differ in the control over the OTA. The OTA can be managed by the
mobile operator. It can also be run by the service provider, who would thereby
have extensive control over the client applications uploaded to and downloaded
from the SIM cards and over usage information.

The SMS center is the link to the transportation layer of the mobile network.
Out of the 140 bytes currently used by SMS messages, roughly 100 can be used for
information due to the control overhead needed when sending data packages. This
implies that SMS-based transportation is very slow. The mobile devices together
with the SIM card constitute the front-end part of the VAS system. The client
applications run either on the SIM card or on an external smart card.

4.2 Wireless Application Protocol (WAP) Architecture


With WAP-based applications there are mainly two different architectures: a
proxy architecture and a native WML architecture [1].

The proxy architecture is composed of various components as shown in Fig. 2.
The applications run on the Web Server and can be written using normal HTML.
The Web Server is linked to the back-end systems of the service provider. The
WAP proxy and filter translate the contents from the Web Server as well as from
other Internet servers into WML (Wireless Markup Language). Information from the
mobile phone is routed through the WAP proxy and filter as well. Between the
mobile phone and the WAP proxy and filter lies the mobile network. The mobile
phone itself contains the front-end part including a micro-browser, a
form-based user interface and strong security algorithms such as RSA.

Instead of the gateway architecture with its proxies and filters, a native WML
architecture can also be used. The server parts of the applications are then
written directly in WML. A dedicated WML server would have to be built and
integrated in the back-end systems of the service provider. This WML server
would most likely be run by the service provider.

Chapter 5:
Security

In open transaction channels like the Internet and the mobile network, strong
security procedures need to ensure authentication of the parties involved in the
transaction as well as confidentiality, integrity and non-repudiation of the
transmitted data [2]. I examine below the issues relating to security in the
context of mobile eCommerce as a vehicle enabling and supporting secure
electronic transactions [1].

5.1 Security in Internet Channel

In the (fixed-line) Internet channel, there are currently two main approaches to
solving the security problem: the PIN/TAN and the PK (public key) solution [2].
The PIN/TAN concept ensures simple one-way authentication and confidentiality
with a personal identification number (PIN) and a transaction number (TAN) that
is unique for each transaction, used as shared secrets between sender and
receiver. The drawback of this transaction-based solution is that no session is
established by means of the TAN. In case of a connection loss, the status of the
transaction being performed cannot be traced back by the user.
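
The following sketch is an added example, not part of the original paper: a hypothetical server-side PIN/TAN check in Python showing single-use TANs and why a client that loses the reply cannot tell an executed order from a rejected one. The class and function names, PINs, TANs and order text are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PinTanAccount:
    """Server-side state for one customer (hypothetical model, constructed data)."""

    def __init__(self, pin, tans):
        self._key = secrets.token_bytes(32)
        # Store keyed digests rather than the shared secrets themselves.
        self._pin = self._mac(pin)
        self._unused = {self._mac(t) for t in tans}
        self.ledger = []                      # orders actually executed

    def _mac(self, value):
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def submit(self, pin, tan, order):
        """One-way authentication: the client proves knowledge of PIN and TAN."""
        pin_ok = hmac.compare_digest(self._mac(pin), self._pin)
        tan_mac = self._mac(tan)
        tan_ok = tan_mac in self._unused
        if not (pin_ok and tan_ok):
            return "REJECTED"
        self._unused.discard(tan_mac)         # a TAN authorises exactly one order
        self.ledger.append(order)
        return "EXECUTED"


def lost_reply_scenario():
    """Compare two failures that look identical from the client side."""
    order = "transfer 50 EUR to account 0000 (constructed)"
    # Case A: the order executes, but the reply is lost before reaching the client.
    a = PinTanAccount("4711", ["118204", "553901"])
    a.submit("4711", "118204", order)         # result never seen by the client
    retry_a = a.submit("4711", "118204", order)
    # Case B: the first request never arrived and the client mistypes the TAN.
    b = PinTanAccount("4711", ["118204", "553901"])
    retry_b = b.submit("4711", "118205", order)
    return {
        "client_sees": (retry_a, retry_b),               # same answer twice
        "executed": (len(a.ledger), len(b.ledger)),      # different server state
    }


if __name__ == "__main__":
    print(lost_reply_scenario())
```

Because no session ties the retry to the first attempt, the only safe recovery in this model is an out-of-band status check against the server's ledger before spending a second TAN.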

Public key solutions, in turn, provide means for two-way authentication and
strong encryption by using a pair of keys (public and private key) [2]. In this
way, session-based secure connections become possible. Typically, public key
schemes are supported by a trusted third party (TTP) which serves as issuer of
personal certificates [2]. Those contain the name and the public key of the user
and thus offer a high assurance of personal identity [2].

The secure socket layer (SSL) protocol is used to combine the authentication
and encryption procedures of public key techniques. After both parties have
authenticated themselves using their asymmetric (public and private) keys by
means of a handshake protocol, SSL initiates the generation of the symmetric key
for encryption and establishes a secure encrypted connection.

The strength of the PK solutions depends on the secrecy of the private keys.
Most advanced solutions therefore store the key pair on an external smart card
which also performs the necessary security processing. This also has the
advantage that an integration of security solutions across various transaction
channels can be achieved. By generating and storing the key pair on an external
smart card, the private key will never leave its place of origin, hence maximum
secrecy is ensured. Due to the limitations in processing power of today's smart
cards and the unavailability of smart card readers, intermediate PK solutions
that store the key pair on the hard drive or on a floppy disk are used today. In
Germany, for instance, there is the home banking computer interface (HBCI)
standard for financial transactions on open networks, which allows message
authentication (MAC) algorithms on external smart cards or PK solutions (to be
precise, RSA, a public-key-based algorithm that can be used for both
authentication and encryption) implemented either in software (residing e.g. on
the hard drive) or on an external smart card. The HBCI is widely applied by
German financial institutions.

5.2 Applicability to Mobile Channel


For usability reasons, it becomes clear that PIN/TAN procedures would offset the
advantages of the mobile channel as being flexible and independent. Hence, PK
solutions are needed to ensure strong security on the mobile channel. As with
the Internet channel, maximum secrecy of the private key and cross-channel
integration could be achieved by storing the key pair and the algorithms on an
external smart card here as well. At the same time, the lack of a widespread
interface to such a smart card hinders the applicability of this optimum
solution in the mobile channel, too.

However, the key pair and the security algorithms could be hosted by either the
hardware of the mobile terminal or the SIM card. The drawback of the former
solution is that the handset terminal itself is not seen as personal to the
mobile subscriber because, until today, no user-relevant data is stored on the
handset hardware. This could change, however, with the advent of micro-browsers
residing on the handset hardware (e.g. WAP). Still, a dedicated area on the
hardware would need to be identified and specially protected for key storage.
This could lead to a considerable obstacle from a procedural point of view.

In turn, storing the keys and the certificate on the SIM (smart) card appears as
secure as storing them on an external smart card. The disadvantage is that the
user would need to have multiple certificates for different transaction channels
because the SIM card is not accessible from e.g. the home PC. This can only be
circumvented with a compromise on the secrecy of the private key, by allowing
the key to be exported from e.g. the hard disk of the home PC to the SIM card of
the mobile phone. For that, an internationally accepted standard is available
(PKCS#12) which allows for secure import and export of personal certificates and
secret keys.

However, as long as there is no common smart card and interface for all
transaction channels, there will be a conflict between the uniqueness of the
certificate-user relationship and the media available to store secret keys in
different transaction channels.

Chapter 6:
Conclusion

Enormous growth in mobile eCommerce is predicted in the near future. New
technologies and high market penetration of new mobile terminals, in conjunction
with the introduction of packet data and lower communication tariffs, will
enable eCommerce for the mobile user. Mobile eCommerce is ready to happen today
and the first movers will reap the greatest benefits. In addition, the
appearance of such mobile eCommerce applications and services in the near future
will help educate the market about the possibilities of performing transactions
with the mobile phone and thus help create the right market conditions for the
introduction of high-speed mobile multimedia services with the advent of UMTS
technologies.

Bibliography

[1] Jochen Schiller, Mobile Communication, Low Price Edition, Reprint 2002.

[2] Jari Veijalainen, Aphrodite Tsalgatidou, Electronic Commerce Transaction in
a Mobile Computing Environment, University of Jyvaskyla, 1999.

[3] Sofia Eklund, Kalevi Pessi, Exploring Ecommerce in Geographical Bound
Retailing, 2001.
