Unit3@4 Emc
Vulnerability is a cyber-security term that refers to a flaw in a system that can leave it
open to attack. A vulnerability may also refer to any type of weakness in a computer
system itself, in a set of procedures, or in anything that leaves information security
exposed to a threat.
• Bugs
• Weak passwords
• Software that is already infected with a virus
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authorization
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Missing authentication for critical function
• Unrestricted upload of dangerous file types
• Dependence on untrusted inputs in a security decision
• Cross-site scripting and forgery
• Download of code without an integrity check.
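Two of the weaknesses listed above, SQL injection and path traversal, shown as a vulnerable function beside its hardened form. This is an added example written for these notes, not code from the original page; the in-memory user table, the download directory `/srv/app/downloads` and the sample inputs are constructed for illustration.

```python
import os
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the caller's string is pasted into the query text, so quotes
    and keywords inside it are interpreted as SQL rather than as data."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Hypothetical directory a download handler is allowed to serve files from.
BASE_DIR = "/srv/app/downloads"


def resolve_vulnerable(requested):
    """Path traversal: joining unchecked input lets '..' climb out of BASE_DIR."""
    return os.path.normpath(os.path.join(BASE_DIR, requested))


def resolve_safe(requested, base=BASE_DIR):
    """Hardened form: normalise the joined path, then refuse it unless the base
    directory is a strict prefix of the result (purely lexical, no filesystem access).
    An absolute `requested` path is rejected too, because os.path.join discards base."""
    base = os.path.abspath(base)
    target = os.path.normpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside {base}: {requested!r}")
    return target


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no row is named that
    print(resolve_vulnerable("../../../etc/passwd"))     # escapes the directory
    print(resolve_safe("reports/q1.pdf"))
```

The same input is used against both forms so the difference is visible: with string concatenation the quote in the input closes the literal and the rest is parsed as SQL; with a bound parameter the whole string is compared as a name and matches nothing.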
Security Policy:-
Security policy is a definition of what it means to be secure for a system, organization or other
entity. For an organization, it addresses the constraints on behavior of its members as well as
constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For
systems, the security policy addresses constraints on functions and flow among them, constraints on
access by external systems and adversaries including programs and access to data by people.
Site Security:-
Website security is any action or application taken to ensure website data is not exposed
to cybercriminals or to prevent exploitation of websites in any way.
Network security is any activity designed to protect the usability and integrity of your
network and data. It includes both hardware and software technologies. Effective
network security manages access to the network. It targets a variety of threats and
stops them from entering or spreading on your network.
Types of network security
Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside
networks, such as the Internet. They use a set of defined rules to allow or block
traffic. A firewall can be hardware, software, or both. Cisco offers unified threat
management (UTM) devices and threat-focused next-generation firewalls.
Network segmentation
Software-defined segmentation puts network traffic into different classifications and
makes enforcing security policies easier. Ideally, the classifications are based on
endpoint identity, not mere IP addresses. You can assign access rights based on role,
location, and more so that the right level of access is given to the right people and
suspicious devices are contained and remediated.
Access control
Not every user should have access to your network. To keep out potential attackers,
you need to recognize each user and each device. Then you can enforce your security
policies. You can block noncompliant endpoint devices or give them only limited
access. This process is network access control (NAC).
Application security
Any software you use to run your business needs to be protected, whether your IT
staff builds it or whether you buy it. Unfortunately, any application may contain holes,
or vulnerabilities, that attackers can use to infiltrate your network. Application
security encompasses the hardware, software, and processes you use to close those
holes.
Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks
like. Behavioral analytics tools automatically discern activities that deviate from the
norm. Your security team can then better identify indicators of compromise that pose
a potential problem and quickly remediate threats.
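As an added example, not from the original page or from any Cisco product, the following is a minimal version of the baselining step the paragraph describes: each host's daily outbound volume is compared against that host's own earlier days, and a day that deviates by more than a chosen number of standard deviations is reported. The log lines, host names, field names and the threshold are all constructed for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed daily telemetry, one record per host per day (not from any real network).
# ws-02's last day is the planted deviation; kiosk-7 is a host with a perfectly flat history.
SAMPLE_LOG = """\
2024-03-01 host=ws-01 bytes_out_mb=48
2024-03-02 host=ws-01 bytes_out_mb=52
2024-03-03 host=ws-01 bytes_out_mb=50
2024-03-04 host=ws-01 bytes_out_mb=49
2024-03-05 host=ws-01 bytes_out_mb=51
2024-03-06 host=ws-01 bytes_out_mb=50
2024-03-07 host=ws-01 bytes_out_mb=50
2024-03-08 host=ws-01 bytes_out_mb=51
2024-03-01 host=ws-02 bytes_out_mb=40
2024-03-02 host=ws-02 bytes_out_mb=41
2024-03-03 host=ws-02 bytes_out_mb=39
2024-03-04 host=ws-02 bytes_out_mb=40
2024-03-05 host=ws-02 bytes_out_mb=42
2024-03-06 host=ws-02 bytes_out_mb=38
2024-03-07 host=ws-02 bytes_out_mb=40
2024-03-08 host=ws-02 bytes_out_mb=900
2024-03-01 host=kiosk-7 bytes_out_mb=10
2024-03-02 host=kiosk-7 bytes_out_mb=10
2024-03-03 host=kiosk-7 bytes_out_mb=10
2024-03-08 host=kiosk-7 bytes_out_mb=10
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) host=(?P<host>\S+) bytes_out_mb=(?P<mb>\d+)$")


def parse_log(text):
    """Group (day, megabytes) records by host; malformed lines are skipped."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_host[m["host"]].append((m["day"], int(m["mb"])))
    return per_host


def z_score(baseline, value):
    """How many standard deviations `value` sits from the baseline mean.
    A flat baseline (stdev 0) makes any change at all infinitely surprising."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline)
    if sd == 0:
        return float("inf") if value != mean else 0.0
    return (value - mean) / sd


def find_anomalies(text, score_day, threshold=3.0, min_history=3):
    """Return [(host, value, z)] for hosts whose volume on score_day deviates from
    their own earlier days by at least `threshold` standard deviations."""
    flagged = []
    for host, records in sorted(parse_log(text).items()):
        baseline = [mb for day, mb in records if day < score_day]   # ISO dates sort lexically
        today = [mb for day, mb in records if day == score_day]
        if len(baseline) < min_history or not today:
            continue   # not enough history to know what "normal" is for this host
        z = z_score(baseline, today[0])
        if abs(z) >= threshold:
            flagged.append((host, today[0], z))
    return flagged


if __name__ == "__main__":
    for host, value, z in find_anomalies(SAMPLE_LOG, "2024-03-08"):
        print(f"{host}: {value} MB on 2024-03-08, z={z:.1f}")
```

The baseline is per host rather than fleet-wide on purpose: a kiosk that normally sends 10 MB a day and a workstation that sends 50 MB are both "normal", and a fleet average would hide a tenfold jump on the kiosk. The `min_history` guard is the usual caveat for this technique: a host seen for the first time has no baseline, so the detector says nothing about it rather than guessing.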
Email security
Email gateways are the number one threat vector for a security breach. Attackers use
personal information and social engineering tactics to build sophisticated phishing
campaigns to deceive recipients and send them to sites serving up malware. An email
security application blocks incoming attacks and controls outbound messages to
prevent the loss of sensitive data.
VPN
A virtual private network encrypts the connection from an endpoint to a network,
often over the Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets
Layer to authenticate the communication between device and network.
Web security
A web security solution will control your staff’s web use, block web-based threats,
and deny access to malicious websites. It will protect your web gateway on site or in
the cloud. "Web security" also refers to the steps you take to protect your own
website.
Wireless security
Wireless networks are not as secure as wired ones. Without stringent security
measures, installing a wireless LAN can be like putting Ethernet ports everywhere,
including the parking lot. To prevent an exploit from taking hold, you need products
specifically designed to protect a wireless network.
Firewalls:-
The most prevalent method for paying for the things you purchase online is still the
credit card. The following list provides some tips on how to make sure your transaction
is secure. For a more extensive explanation of encryption and Internet security, check
out How Encryption Works.
• Use the latest Internet browser. The program that you use to surf the Internet
is called a browser. This software has built-in encryption capabilities that
scramble the information you send to a server. Using the most recent browser
ensures that the data is protected using the latest encryption technology. This
technology also uses a Secure Sockets Layer (SSL), which is an Internet security
protocol used by Internet browsers and Web servers to transmit sensitive
information. The server receiving the data uses special "keys" to decode it. You
can make sure you are on an SSL by checking the URL -- the http at the
beginning of the address should have changed to https. Also, you should notice
a small lock icon in the status bar at the bottom of your browser window.
• Look for digital certificates that authenticate the entity you are dealing with.
Independent services like VeriSign will authenticate the identity of the Web site
you are visiting. Web sites that use this service (usually those that sell items or
services online) will have the VeriSign logo. By clicking on the logo, you can be
assured that the site is legitimate, rather than a clone of the legitimate company
set up to collect your personal and financial information.
• Read the privacy policy. The information you enter on the Web site should be
kept confidential. Make sure you read the company's privacy policy to ensure
that your personal information won't be sold to others. Services like TRUSTe
review a company's privacy policy (for a fee) and then allow the company to
post the TRUSTe logo if its privacy policy follows certain industry standards for
consumer protection.
• Only use one credit card for all of your online purchases.
• Never give out passwords or user ID information online unless you know
who you are dealing with and why they need it. Don't give it out to your
Internet service provider if you get an e-mail requesting it. This is a relatively
recent scam used to access your account and get your credit card number, along
with whatever other personal information is there.
• Keep records of all of your Internet transactions. Watch your credit card
statement for the charges and make sure they're accurate.
• After you've made purchases online, check your e-mail. Merchants often send
confirmation e-mails or other communications about your order.
Transaction Security:-
Cryptology:-
Cryptology is the science concerned with data communication and storage in secure and
usually secret form. It encompasses both cryptography and cryptanalysis.
The term cryptology is derived from the Greek kryptós (“hidden”) and lógos (“word”).
Security obtains from legitimate users being able to transform information by virtue of a
secret key or keys—i.e., information known only to them. The resulting cipher, although
generally inscrutable and not forgeable without the secret key, can be decrypted by
anyone knowing the key either to recover the hidden information or to authenticate the
source. Secrecy, though still an important function in cryptology, is often no longer the
main purpose of using a transformation, and the resulting transformation may be only
loosely considered a cipher.
Cryptography (from the Greek kryptós and gráphein, “to write”) was originally the study
of the principles and techniques by which information could be concealed in ciphers and
later revealed by legitimate users employing the secret key. It now encompasses the
whole area of key-controlled transformations of information into forms that are either
impossible or computationally infeasible for unauthorized persons to duplicate or undo.
Cryptographic Algorithms:-
Cryptography
Authentication protocol
• EAP-MD5
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-PEAP
AAA architecture protocols (Authentication, Authorization, Accounting)
Complex protocols used in larger networks for verifying the user (Authentication), controlling access
to server data (Authorization) and monitoring network resources and information needed for billing of
services (Accounting).
TACACS, XTACACS and TACACS+
TACACS is the oldest AAA protocol; it uses IP-based authentication without any encryption (usernames and
passwords were transported as plain text). The later version XTACACS (Extended TACACS) added
authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+
separates the AAA components so that they can be segregated and handled on separate servers (it
can even use another protocol for one of them, e.g. authorization). It uses TCP (Transmission Control Protocol)
for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a full AAA protocol commonly used by ISPs.
Credentials are mostly username/password combinations; it uses a NAS (network access server) and the UDP
protocol for transport.[7]
DIAMETER
Diameter evolved from RADIUS and brings many improvements, such as the use of the more
reliable TCP or SCTP transport protocols and higher security thanks to TLS.[8]
Other:
Kerberos (protocol)
Kerberos is a centralized network authentication system developed at MIT and available as a free
implementation from MIT but also in many commercial products. It is the default authentication
method in Windows 2000 and later. The authentication process itself is much more complicated than
in the previous protocols - Kerberos uses symmetric key cryptography, requires a trusted third
party and can use public-key cryptography during certain phases of authentication if need be.
Digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or
documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very
strong reason to believe that the message was created by a known sender (authentication), and that
the message was not altered in transit (integrity).[1]
Digital signatures are a standard element of most cryptographic protocol suites, and are commonly
used for software distribution, financial transactions, contract management software, and in other
cases where it is important to detect forgery or tampering.
Digital signatures are often used to implement electronic signatures, which includes any electronic
data that carries the intent of a signature,[2] but not all electronic signatures use digital
signatures.[3][4] In some countries, including South Africa,[5] the United
States, Algeria,[6] Turkey, India,[7] Brazil, Indonesia, Mexico, Saudi
Arabia,[8] Uruguay,[9] Switzerland and the countries of the European Union,[10][11] electronic signatures
have legal significance.
Digital signatures employ asymmetric cryptography. In many instances they provide a layer of
validation and security to messages sent through a non-secure channel: Properly implemented, a
digital signature gives the receiver reason to believe the message was sent by the claimed sender.
Digital seals and signatures are equivalent to handwritten signatures and stamped seals. [12] Digital
signatures are equivalent to traditional handwritten signatures in many respects, but properly
implemented digital signatures are more difficult to forge than the handwritten type. Digital signature
schemes, in the sense used here, are cryptographically based, and must be implemented properly to
be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot
successfully claim they did not sign a message, while also claiming their private key remains secret.
Further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if
the private key is exposed, the signature is valid. Digitally signed messages may be anything
representable as a bitstring: examples include electronic mail, contracts, or a message sent via
some other cryptographic protocol.
Applications
As organizations move away from paper documents with ink signatures or authenticity stamps,
digital signatures can provide added assurances of the evidence to provenance, identity, and status
of an electronic document as well as acknowledging informed consent and approval by a signatory.
The United States Government Printing Office (GPO) publishes electronic versions of the budget,
public and private laws, and congressional bills with digital signatures. Universities including Penn
State, University of Chicago, and Stanford are publishing electronic student transcripts with digital
signatures.
Below are some common reasons for applying a digital signature to communications:
Authentication
Although messages may often include information about the entity sending a message, that
information may not be accurate. Digital signatures can be used to authenticate the source of
messages. When ownership of a digital signature secret key is bound to a specific user, a valid
signature shows that the message was sent by that user. The importance of high confidence in
sender authenticity is especially obvious in a financial context. For example, suppose a bank's
branch office sends instructions to the central office requesting a change in the balance of an
account. If the central office is not convinced that such a message is truly sent from an authorized
source, acting on such a request could be a grave mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the
message has not been altered during transmission. Although encryption hides the contents of a
message, it may be possible to change an encrypted message without understanding it. (Some
encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a
message is digitally signed, any change in the message after signature invalidates the signature.
Furthermore, there is no efficient way to modify a message and its signature to produce a new
message with a valid signature, because this is still considered to be computationally infeasible by
most cryptographic hash functions (see collision resistance).
Non-repudiation
Non-repudiation,[10] or more specifically non-repudiation of origin, is an important aspect of digital
signatures. By this property, an entity that has signed some information cannot at a later time deny
having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a
valid signature.
Note that these authentication, non-repudiation etc. properties rely on the secret key not having
been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked
secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation
status requires an "online" check; e.g., checking a certificate revocation list or via the Online
Certificate Status Protocol.[11] Very roughly this is analogous to a vendor who receives credit-cards
first checking online with the credit-card issuer to find if a given card has been reported lost or
stolen. Of course, with stolen key pairs, the theft is often discovered only after the secret key's use,
e.g., to sign a bogus certificate for espionage purpose.
Email Security
Email security refers to the collective measures used to secure the access and content
of an email account or service. It allows an individual or organization to protect the
overall access to one or more email addresses/accounts.
An email service provider implements email security to secure subscriber email
accounts and data from hackers - at rest and in transit.
Email security is a broad term that encompasses multiple techniques used to secure an
email service. From an individual/end user standpoint, proactive email security
measures include:
• Strong passwords
• Password rotations
• Spam filters
• Desktop-based anti-virus/anti-spam applications
Similarly, a service provider ensures email security by using strong password and
access control mechanisms on an email server; encrypting and digitally signing email
messages when in the inbox or in transit to or from a subscriber email address. It also
implements firewall and software-based spam filtering applications to restrict
unsolicited, untrustworthy and malicious email messages from delivery to a user’s
inbox.
Another excellent resource for optimising security in e-commerce is security certificates.
We are talking about digital identification, capable of verifying the identity of users, as well
as their “humanity” (most cyber attacks are perpetrated by bots). SSL and SET certificates
are the most widely used and are worth studying in depth.
Identifying sites with SSL certificates is easy: a green padlock appears in the browser,
indicating to users that all their data is secure. However, creating a secure SSL
connection requires the hosting server to have a pre-installed SSL certificate.
Fortunately for those interested, these certificates have a very low cost. Some hosting
providers even offer the free installation of Let’s Encrypt and other SSL software.
The operation of SET is simple. Generally speaking, this protocol provides a series of
certificates and digital signatures between the consumer, the company and the
banking entity, which regulate the monetary transaction from its beginning to its end.
Considering that it was created by Visa and MasterCard in collaboration with giants
such as Microsoft, IBM or Netscape, the effectiveness of the SET protocol should not
surprise us.
Netscape created the SSL protocol, and later the IETF (Internet Engineering Task
Force) developed TLS. As you may have noticed, both certificates work in a similar
way, but they are not the same: the algorithms of the TLS certificate are more solid
and versatile than those of its predecessor.
Due to the growing number of cyber attacks, the use of the HTTPS protocol has
become widespread since 2018. This is due to the fact that the previous HTTP had
greater weaknesses and was not as secure. Specialists recommend the use of HTTPS,
but in some cases the S-HTTP protocol may be needed.
OR
E-commerce sites use electronic payment, where electronic payment refers to paperless
monetary transactions. Electronic payment has revolutionized business processing
by reducing paperwork, transaction costs, and labor costs. Being user friendly and
less time-consuming than manual processing, it helps a business organization expand
its market reach. Listed below are some of the modes of electronic payment:
• Credit Card
• Debit Card
• Smart Card
• E-Money
• Electronic Fund Transfer (EFT)
Credit Card
Payment using a credit card is one of the most common modes of electronic payment. A credit
card is a small plastic card with a unique number attached to an account. It also has a
magnetic strip embedded in it, which is used to read the card via card readers. When
a customer purchases a product via credit card, the credit card issuer bank pays on behalf
of the customer, and the customer has a certain time period after which he/she can pay the
credit card bill, usually the monthly credit card payment cycle. The steps in a credit
card transaction are as follows.
Step 1 Bank issues and activates a credit card to the customer on his/her request.
Step 2 The customer presents the credit card information to the merchant site or to the
merchant from whom he/she wants to purchase a product/service.
Step 3 Merchant validates the customer's identity by asking for approval from the card brand
company.
Step 4 Card brand company authenticates the credit card and pays the transaction by credit.
Merchant keeps the sales slip.
Step 5 Merchant submits the sales slip to acquirer banks and gets the service charges paid to
him/her.
Step 6 Acquirer bank requests the card brand company to clear the credit amount and gets
the payment.
Step 7 Now the card brand company asks to clear the amount from the issuer bank and the
amount gets transferred to the card brand company.
Debit Card
Debit card, like credit card, is a small plastic card with a unique number mapped with the
bank account number. It is required to have a bank account before getting a debit card
from the bank. The major difference between a debit card and a credit card is that in
case of payment through debit card, the amount gets deducted from the card's bank
account immediately and there should be sufficient balance in the bank account for the
transaction to get completed; whereas in case of a credit card transaction, there is no
such compulsion.
Debit cards free the customer from carrying cash and cheques. Even merchants accept a debit
card readily. Having a restriction on the amount that can be withdrawn in a day using a
debit card helps the customer keep a check on his/her spending.
Smart Card
Smart card is again similar to a credit card or a debit card in appearance, but it has a
small microprocessor chip embedded in it. It has the capacity to store a customer’s work-
related and/or personal information. Smart cards are also used to store money and the
amount gets deducted after every transaction.
Smart cards can only be accessed using a PIN that every customer is assigned.
Smart cards are secure, as they store information in encrypted format, and they are less
expensive and provide faster processing. Mondex and Visa Cash cards are examples of
smart cards.
E-Money
E-Money transactions refer to situations where payment is done over the network and the
amount gets transferred from one financial body to another without any
involvement of a middleman. E-money transactions are faster, more convenient, and save a
lot of time.
Online payments done via credit cards, debit cards, or smart cards are examples of
e-money transactions. Another popular example is e-cash. In the case of e-cash, both
customer and merchant have to sign up with the bank or company issuing e-cash.
Prepaid payment instruments are methods that facilitate purchase of goods and services against
the value stored on such instruments. The value stored on such instruments represents the value
paid for by the holder, by cash, by debit to a bank account, or by credit card.[1]
The prepaid instruments can be issued as smart cards, magnetic stripe cards, internet
accounts, online wallets, mobile accounts, mobile wallets, paper vouchers and any such instruments
used to access the prepaid amount.[1]
Credit Cards
A credit card is a plastic card issued by a bank. It is issued to customers of high
credit ranking. The necessary information is stored in magnetic form on the card. A
card holder can purchase items from shops or showrooms and need not pay
cash; he has to flash the card in the machine at the place where he is making purchases.
Banks issue credit cards to customers up to a certain limit. The customers can
purchase goods/services from the authorized showrooms without carrying physical cash
with them. The bills are presented by the showroom to the authorized branch; these bills are
then presented by the paying branch to the issuing branch, and the issuing branch informs
the customer about the debit. Banks take nominal charges for credit cards.
Credit cards are used for online purchases. Merchants like credit cards
because they know that the cards are issued by the issuing bank on the basis of the creditworthiness
of the card holder and thus, unlike cheques, there is no risk of their bouncing. The
customers like purchasing through credit cards because if they do not get the goods and
services as per the terms and conditions, they can cancel the transaction.
For online transactions, credit cards are the easiest method of payment. Credit card
payment for online transactions can be performed by phone or by filling in a form on
the website.
The credit card holder has to exercise great precautions. If the card is lost, an FIR should be
lodged and the concerned bank should be informed immediately.
Cyber Cash
Unlike a credit card, Cyber Cash is not directly involved in handling funds. In the Cyber Cash
system, after deciding what is to be purchased, the customer makes payment to the
merchant through a credit card without disclosing the credit card number to him. The
credit card number is sent to the merchant in encrypted form. The merchant forwards
the encrypted payment with his private key to the bank's Cyber Cash gateway server.
The bank's Cyber Cash gateway server decrypts the information, processes the
transaction and forwards it to the merchant's bank. The merchant's bank forwards the
authorization request to the customer's bank. The approval or denial code is sent back
to the Cyber Cash gateway server, which returns the approval or denial code to the seller, who
then passes it on to the customer. This process takes 15-20 seconds.
Internet Cheques
A cheque is a signed paper document that orders the signer's bank to pay an amount of
money to a person specified on the cheque, or to the bearer, from the signer's account on or
after a specified date. Cheques pass directly from the payer to the payee, so that the
timing and the purpose of the payment are clear to the payee. The payee can deposit the
cheque in an account of his choice or cash it. Banks operate extensive facilities to
accept cheques for deposit, process them internally, and clear and settle between
banks.
The electronic cheque, or e-cheque, is based on the idea that electronic documents can
be substituted for paper and public key cryptographic signatures can be substituted for
handwritten signatures. The e-cheque is designed to fit into current cheque practices
and systems with minimum impact on payers, payees, banks and the financial system.
The payer writes a cheque by structuring an electronic document with the information
legally required to be in a cheque and cryptographically signs it. The payee receives the e-
cheque, verifies the payer's signature, writes out a deposit, and signs the deposit. The
payee's bank verifies the payer's and payee's signatures, credits the payee's account and
forwards the cheque for clearing and settlement. This credit will not be a clear credit; it
will be a float, or temporary credit, to be confirmed after it has been cleared by the paying
bank in the settlement process. The payer's bank verifies the payer's signature and debits
the payer's account. The advantage of e-cheques is that the cryptographic signature on
every e-cheque can be verified at all points, while with paper cheques handwritten
signatures are rarely verified.
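The signing, integrity and non-repudiation properties described under Digital signature above, and the payer, payee and bank steps of the e-cheque flow just described, worked through as one added example (not code from these notes or from any e-cheque product). It uses textbook RSA on hard-coded Mersenne primes purely so that it runs with the standard library alone; the account names, field names and the revocation set are constructed, and a production system would use RSA-PSS or Ed25519 from a vetted library rather than this toy.

```python
import hashlib
import json

# Toy RSA on hard-coded Mersenne primes, so the example runs with no key generator or
# third-party library. Textbook RSA without padding on trivially factorable moduli is
# for illustration only; a real e-cheque system would use RSA-PSS or Ed25519 from a
# vetted library (assumption: the notes do not name an algorithm).
E = 65537


def toy_keypair(p, q):
    """Public key (e, n) and private key (d, n) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


PAYER_PUB, PAYER_PRIV = toy_keypair(2**61 - 1, 2**521 - 1)   # each party has its own modulus
PAYEE_PUB, PAYEE_PRIV = toy_keypair(2**89 - 1, 2**607 - 1)


def digest(document):
    """SHA-256 of a canonical JSON encoding, so signer and verifier hash identical bytes."""
    data = json.dumps(document, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, document):
    d, n = private
    return pow(digest(document), d, n)      # the 256-bit digest is smaller than either n


def verify(public, document, signature):
    """Anyone holding the public key can check a signature; producing one needs d."""
    e, n = public
    return pow(signature, e, n) == digest(document)


# --- The e-cheque flow: payer signs, payee endorses, bank verifies both -------------

def write_cheque(amount, payee, date):
    """Payer structures the cheque as a document and signs it (field names constructed)."""
    cheque = {"type": "cheque", "payer": "acct-payer-001", "payee": payee,
              "amount": amount, "date": date}
    return cheque, sign(PAYER_PRIV, cheque)


def endorse(cheque, cheque_sig, deposit_account):
    """Payee verifies the payer's signature, then writes and signs a deposit wrapping the cheque."""
    if not verify(PAYER_PUB, cheque, cheque_sig):
        raise ValueError("payer signature does not verify: cheque rejected")
    deposit = {"type": "deposit", "cheque": cheque, "cheque_sig": cheque_sig,
               "to": deposit_account}
    return deposit, sign(PAYEE_PRIV, deposit)


def bank_accepts(deposit, deposit_sig, revoked=frozenset()):
    """Payee's bank first checks that neither key has been revoked, then verifies the
    payee's signature over the deposit and the payer's signature over the enclosed
    cheque. Changing the amount (or any field) after signing breaks the signature."""
    if PAYER_PUB in revoked or PAYEE_PUB in revoked:
        return False
    return (verify(PAYEE_PUB, deposit, deposit_sig)
            and verify(PAYER_PUB, deposit["cheque"], deposit["cheque_sig"]))


if __name__ == "__main__":
    cheque, csig = write_cheque(150, "acme-store", "2024-03-08")
    deposit, dsig = endorse(cheque, csig, "acct-acme-042")
    print("genuine deposit accepted:", bank_accepts(deposit, dsig))
    altered = dict(deposit, cheque=dict(cheque, amount=1500))    # tampered after signing
    print("altered amount accepted: ", bank_accepts(altered, dsig))
```

Three of the properties from the text are directly observable here: integrity (altering the amount after signing makes verification fail), authentication and non-repudiation (a signature that verifies under the payer's public key could only have been produced with the payer's private key, and a signature made with the payee's key does not verify as the payer's), and the revocation caveat (the bank's check is only meaningful if it also consults a revocation list, which is why `bank_accepts` takes one).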
UNIT – 4
M-commerce (mobile commerce) is the buying and selling of goods and services through
wireless handheld devices such as smartphones and tablets. As a form of e-commerce,
m-commerce enables users to access online shopping platforms without needing to use
a desktop computer. Examples of m-commerce include in-app purchasing, mobile
banking, virtual marketplace apps like the Amazon mobile app or a digital wallet such as
Apple Pay, Android Pay and Samsung Pay.
Over time, content delivery over wireless devices has become faster, more secure and
scalable. As of 2017 the use of m-commerce accounted for 34.5% of e-commerce
sales. The industries affected most by m-commerce include:
• Financial services, which includes mobile banking (when customers use their
handheld devices to access their accounts and pay their bills) as well as brokerage
services, in which stock quotes can be displayed and trading conducted from the
same handheld device.
• Service and retail, as consumers are given the ability to place and pay for orders on-
the-fly.
• A poorly executed mobile experience can deter customers from making purchases.
• Mobile payment options are not available in every geographic location and may
not support every type of digital wallet.
• Businesses must know and comply with tax laws and regulations of all countries
they ship to (some businesses will avoid this by only allowing purchases and
shipping from their country of origin).
1 Faster purchases
Yes, many sites have mobile versions, though apps are generally 1.5 times faster when
loading data and search results on mobile devices. Moreover, there is no need to pull
data from a server, so customers can browse and purchase products faster. As
mobile e-commerce apps offer the same functionality as desktop apps, people may
purchase items directly within an app.
M-commerce revenue has been rising at 30-40% rate annually since 2014, and by the
end of 2017 is expected to reach $150b total. The biggest retail app Amazon increased
number of customers from 43 million in 2015 to 67 million in 2016. The reason for such
achievements is intuitive mobile browsing, which in turn drives sales up.
• Fast
• Convenient
• Interactive
• Exclusive
This is something that is impossible with a website. Of course, one may send email
messages about new products or seasonal sales, but that channel loses badly to direct
customer notifications via mobile app. Push notifications are both instant and
unobtrusive at the same time, that’s a truly nice option for businesses. And one of the
major reasons to have a brand ecommerce app.
4 Tailored content
Based purely on individual preferences and shopping patterns with a mobile app you
can deliver personalized content to customers. And they love it (if you don’t overdo it,
surely). User location, interests, social media profiles, items viewed, etc. all can be
utilized to bring people what they need.
5 Deeper analytics
Knowing your customers equals prosperity in business these days. Knowing customers
demands data, at least very basic information like age, sex, location, shopping history.
Within your mobile app you may build and set user analytics of various levels of
sophistication. It depends on your business strategy and a budget available to make an
app.
With such data you will understand your target audience much better, and will be able to
increase sales. Names, phone numbers, emails, buying patterns and lots of other things
in store. For instance, Walmart app that 22 million customers use every month,
uses mobile data, online data and sales data combined to deliver better customer
experience. It is a whole and enormous infrastructure.
By reaching your audience faster with a mobile app you obviously cut down marketing
campaign costs. If an app has social media integration, users will do their part too in
spreading the word. You can even earn from placing ads within your app later on.
7 Store navigation/geolocation
Mobile commerce (mCommerce) is huge and growing rapidly, as visualised by this rather
informative infographic. However, if you are like me and just don't like infographics here are
some highlights.
Security
i.e., the information publishing technology necessary for the creation of suitable digital
content that can be browsed through handheld devices with limited memory, storage,
and processing capabilities; and the information distribution technology to move digital
content and transaction information over wireless networks. Thus, in the mobile
commerce framework, the network infrastructure forms the foundation, while publication
and distribution technologies are the two pillars that support the creation of distributed
mobile commerce applications.
Wireless networks have evolved from basic voice-only, radio-based analog transmission
and have acquired digital voice and data transmission capability. Wireless networks
today are capable of achieving 2 Mbps data rates. The following table describes the
evolution of wireless networks.
The early mobile telephone devices were basically analog voice-only devices that
offered voice communication using cellular telephony. The first generation, referred to
as 1G for short, used analog cellular telephony developed in 1978 and deployed during
the 1980s. 1G technologies were designed to transmit voice phone calls from wireless
handsets. These calls are sent in the clear and are easy to intercept using a scanner.
In the cellular mode of communication, large geographical regions are identified and
allocated to service providers. The Telecom Regulatory Authority of India (TRAI)
handles the allocation and other regulatory issues, such as how many players can
operate within a specific area. Each service provider is allocated separate frequency
sub-bands within the overall frequency allotment. Service providers operating in a
particular region divide the entire region into smaller areas called cells.
The cellular communication system consists of three components: the handheld device,
the transceiver within a cell, and the Mobile Telephone Switching Office (MTSO). The
service provider places an antenna at the center of the cell. The transmission and
reception pattern of the antenna, also called the antenna pattern or footprint, is such
that it covers the entire cell. These antenna footprints are usually circular in shape;
however, on a map they are depicted as hexagons for convenience, because hexagons tile
the region in an orderly pattern, as shown in the figure below.
Mobile payment
Mobile payment (also referred to as mobile money, mobile money transfer, and mobile wallet)
generally refers to payment services operated under financial regulation and performed from or
via a mobile device. Instead of paying with cash, cheque, or credit cards, a consumer can use a
mobile device to pay for a wide range of services and digital or hard goods. Although the concept
of using non-coin-based currency systems has a long history,[1] it is only in the 21st century
that the technology to support such systems has become widely available.
Mobile payment is being adopted all over the world in different ways.[2][3] The first patent that
exclusively defined a "Mobile Payment System" was filed in 2000.[4]
Mobile payments are becoming a key instrument for PSPs (payment service providers) and other
market participants in order to achieve new growth opportunities, according to the European
Payments Council (EPC).[7] The EPC states that "new technology solutions provide a direct
improvement to the operations efficiency, ultimately resulting in cost savings and in an
increase in business volume".
Models
There are five primary models for mobile payments:
• Mobile wallets
• Card-based payments
• Carrier billing (Premium SMS or direct carrier billing)
• Contactless payments NFC (Near Field Communication)
• Direct transfers between payer and payee bank accounts in near real-time (bank-led model,
intra/inter-bank transfers/payments that are both bank and mobile operator agnostic)
There can also be combinations of these models.
Mobile wallets
A mobile wallet is an app that contains the user's debit and credit card information so that
they can pay for goods and services digitally using their mobile device.[14] Notable mobile
wallets include:
• Alipay
• ApplePay
• eWallet (Ilium Software)[15]
• GooglePay
• Gyft[15]
• Samsung Pay
• Venmo[15]
• WeChat
Generally, this is the process:
First payment:
• User registers, inputs their phone number, and the provider sends them an SMS with a PIN
• User enters the received PIN, authenticating the number
• User inputs their credit card info or another payment method if necessary (not necessary if the
account has already been added) and validates payment
Subsequent payments:
Credit card
A simple mobile web payment system can also include a credit card payment flow allowing a
consumer to enter their card details to make purchases. This process is familiar, but any entry
of details on a mobile phone is known to reduce the success rate (conversion) of payments.
In addition, if the payment vendor can automatically and securely identify returning customers,
then card details can be recalled for future purchases, turning credit card payments into a
simple single click-to-buy and giving higher conversion rates for additional purchases.
Carrier billing
The consumer uses the mobile billing option during checkout at an e-commerce site, such as an
online gaming site, to make a payment. After two-factor authentication involving the consumer's
mobile number and a PIN or one-time password (often abbreviated as OTP), the consumer's
mobile account is charged for the purchase. It is a true alternative payment method that does not
require the use of credit/debit cards or pre-registration at an online payment solution such as
PayPal, thus bypassing banks and credit card companies altogether. This type of mobile payment
method, which is prevalent in Asia, has its benefits, but it also has the following drawbacks:
1. Poor reliability – transactional premium SMS payments can easily fail as messages get lost.
2. Slow speed – sending messages can be slow, and it can take hours for a merchant to receive
confirmation of payment. Consumers do not want to be kept waiting more than a few seconds.
3. Security – SMS/USSD encryption ends at the radio interface; beyond it the message travels
as plaintext.
4. High cost – there are many high costs associated with this method of payment: the cost of
setting up short codes, paying for the delivery of media via a Multimedia Messaging
Service, and the resulting customer support costs to account for the number of messages
that get lost or are delayed.
5. Low payout rates – operators also see high costs in running and supporting transactional
payments, which results in payout rates to the merchant being as low as 30%, and usually
around 50%.
6. Low follow-on sales – once the payment message has been sent and the goods received,
there is little else the consumer can do. It is difficult for them to remember where something
was purchased or how to buy it again. This also makes it difficult to tell a friend.
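The SMS PIN step in the first-payment registration flow above and the PIN/OTP second factor in carrier billing both rest on the same server-side mechanics: an unpredictable code, bound to one phone number, that is stored only as a hash, expires quickly, allows few guesses and works once. The following Python sketch is an added example written for these notes, not code from any wallet or carrier-billing product; the PIN length, five-minute lifetime, three-attempt limit and the phone number are constructed assumptions, and the SMS gateway and clock are injected so the flow can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for this example; they are not from the page.
PIN_DIGITS = 6           # length of the numeric PIN/OTP sent by SMS
PIN_TTL_SECONDS = 300    # an unused PIN expires five minutes after issue
MAX_ATTEMPTS = 3         # wrong guesses allowed before the challenge is locked


@dataclass
class PinChallenge:
    """Server-side record of one outstanding SMS PIN; the PIN itself is never stored."""
    phone: str
    pin_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2, so a leaked challenge table cannot be guessed offline cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinService:
    """Issues a PIN to a phone number over SMS and verifies what the user types back."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms          # callable(phone, text); SMS gateway stand-in
        self.now = now                    # injectable clock so expiry can be tested
        self.challenges: dict[str, PinChallenge] = {}

    def issue(self, phone: str) -> None:
        # secrets, never random: the PIN must be unpredictable to anyone but the handset holder
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.challenges[phone] = PinChallenge(
            phone, hash_pin(pin, salt), salt, self.now() + PIN_TTL_SECONDS)
        self.send_sms(phone, f"Your verification PIN is {pin}. It expires in 5 minutes.")

    def verify(self, phone: str, submitted: str) -> str:
        """Return one of: ok, wrong, locked, expired, no-challenge."""
        ch = self.challenges.get(phone)
        if ch is None:
            return "no-challenge"
        if self.now() > ch.expires_at:
            del self.challenges[phone]
            return "expired"
        if ch.attempts_left <= 0:
            return "locked"
        ch.attempts_left -= 1
        # hash the submitted PIN with the stored salt and compare in constant time
        if hmac.compare_digest(hash_pin(submitted, ch.salt), ch.pin_hash):
            del self.challenges[phone]    # single use: a verified PIN cannot be replayed
            return "ok"
        return "wrong"


def read_pin(sms_text: str) -> str:
    """What the user reads off the message: the token after 'is', minus the full stop."""
    return sms_text.split()[4].rstrip(".")


def wrong_pin(pin: str) -> str:
    """A guess that is guaranteed to differ from the issued PIN."""
    return f"{(int(pin) + 1) % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"


def demo() -> list[str]:
    """Walk the registration flow with a constructed number, a fake SMS gateway and a fake clock."""
    outbox: list[tuple[str, str]] = []
    clock = [1_000_000.0]
    svc = PinService(lambda p, t: outbox.append((p, t)), now=lambda: clock[0])
    phone = "+91-00000-00000"                      # constructed sample number
    results = []

    svc.issue(phone)                               # user registers, PIN goes out by SMS
    pin = read_pin(outbox[-1][1])
    results.append(svc.verify(phone, wrong_pin(pin)))   # a typo: wrong
    results.append(svc.verify(phone, pin))              # correct entry: ok
    results.append(svc.verify(phone, pin))              # same PIN again: no-challenge

    svc.issue(phone)                               # guess limit
    pin = read_pin(outbox[-1][1])
    for _ in range(MAX_ATTEMPTS):
        results.append(svc.verify(phone, wrong_pin(pin)))   # wrong, wrong, wrong
    results.append(svc.verify(phone, pin))                  # locked, even with the right PIN

    svc.issue(phone)                               # lifetime
    pin = read_pin(outbox[-1][1])
    clock[0] += PIN_TTL_SECONDS + 1
    results.append(svc.verify(phone, pin))         # expired
    return results
```

The lockout and expiry are what make a six-digit code acceptable at all: without them the PIN space (one million values) is small enough to exhaust, and with only a short expiry but no guess limit an automated client would still get far too many tries.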
Remote payment by SMS and credit card tokenization
Even as the volume of premium SMS transactions has flattened, many cloud-based payment
systems continue to use SMS for presentment, authorization, and authentication,[18] while the
payment itself is processed through existing payment networks such as credit and debit card
networks. These solutions combine the ubiquity of the SMS channel[19] with the security and
reliability of existing payment infrastructure. Since SMS lacks end-to-end encryption, such
solutions employ higher-level security strategies known as 'tokenization' and 'target
removal',[20] whereby payment occurs without transmitting any sensitive account details,
username, password, or PIN.
To date, point-of-sale mobile payment solutions have not relied on SMS-based authentication as
a payment mechanism, but remote payments such as bill payments,[21] seat upgrades on
flights,[22] and membership or subscription renewals are commonplace.
In comparison to premium short code programs, which often exist in isolation, relationship
marketing and payment systems are often integrated with CRM, ERP, marketing-automation
platforms, and reservation systems. Many of the problems inherent in premium SMS have been
addressed by solution providers. Remembering keywords is not required, since sessions are
initiated by the enterprise to establish a transaction-specific context. Reply messages are
linked to the proper session and authenticated either synchronously, through a very short expiry
period (every reply is assumed to be to the last message sent), or by tracking the session
according to varying reply addresses and/or reply options.
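The two ideas in the last two paragraphs, tokenization with target removal and enterprise-initiated sessions with short-lived replies, fit together in a small model. The Python below is an added example for these notes, not the code of any provider cited above: card data lives only in a server-side vault keyed by a random token, the outbound SMS carries nothing but the amount and a per-session reference, and a reply is honoured only if it quotes the reference, arrives within the window and has not been used before. The two-minute window, the merchant name, the phone number and the card number are all constructed values; the SMS gateway and the card-network charge call are stand-ins.

```python
import secrets
import time
from dataclasses import dataclass

REPLY_TTL_SECONDS = 120   # hypothetical window in which a YES reply is accepted


class TokenVault:
    """Server-side store mapping opaque tokens to card credentials; never exposed over SMS."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_urlsafe(12)        # random, so it reveals nothing about the PAN
        self._pan_by_token[token] = pan
        return token

    def lookup(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass
class Session:
    phone: str
    token: str
    amount_cents: int
    expires_at: float
    used: bool = False


class SmsPaymentService:
    """Enterprise-initiated SMS authorization: the message carries a session reference only."""

    def __init__(self, vault: TokenVault, send_sms, charge, now=time.time) -> None:
        self.vault = vault
        self.send_sms = send_sms      # callable(phone, text); SMS gateway stand-in
        self.charge = charge          # callable(pan, amount_cents); card network stand-in
        self.now = now
        self.sessions: dict[tuple[str, str], Session] = {}

    def start(self, phone: str, token: str, amount_cents: int, merchant: str) -> str:
        ref = secrets.token_hex(3).upper()       # short reference the user echoes back
        self.sessions[(phone, ref)] = Session(phone, token, amount_cents,
                                              self.now() + REPLY_TTL_SECONDS)
        # target removal: no PAN, no token, no username or PIN in the message
        self.send_sms(phone, f"Pay {amount_cents / 100:.2f} to {merchant}? "
                             f"Reply YES {ref} within 2 minutes.")
        return ref

    def on_reply(self, phone: str, text: str) -> str:
        """Return one of: ignored, no-session, already-used, expired, charged."""
        parts = text.strip().upper().split()
        if len(parts) != 2 or parts[0] != "YES":
            return "ignored"
        session = self.sessions.get((phone, parts[1]))   # reply bound to sender + reference
        if session is None:
            return "no-session"
        if session.used:
            return "already-used"
        if self.now() > session.expires_at:
            return "expired"
        session.used = True
        pan = self.vault.lookup(session.token)  # card number resolved only here, server-side
        self.charge(pan, session.amount_cents)
        return "charged"


def demo() -> dict:
    """Run one authorization end to end with constructed data and a fake clock."""
    outbox: list[tuple[str, str]] = []
    charges: list[tuple[str, int]] = []
    clock = [1_700_000_000.0]
    vault = TokenVault()
    svc = SmsPaymentService(vault, lambda p, t: outbox.append((p, t)),
                            lambda pan, amt: charges.append((pan, amt)),
                            now=lambda: clock[0])
    phone = "+91-00000-00000"          # constructed sample number
    pan = "4111111111111111"           # constructed sample card number
    token = vault.tokenize(pan)

    ref = svc.start(phone, token, 1250, "Example Merchant")
    sms_text = outbox[-1][1]
    results = {
        "sms_leaks_pan": pan in sms_text,
        "sms_leaks_token": token in sms_text,
        "confirm": svc.on_reply(phone, f"yes {ref}"),      # case-insensitive YES
        "replay": svc.on_reply(phone, f"YES {ref}"),       # same reply again
        "unknown_ref": svc.on_reply(phone, "YES ZZZZZZ"),  # reference never issued
        "charged": charges,
    }
    ref2 = svc.start(phone, token, 500, "Example Merchant")
    clock[0] += REPLY_TTL_SECONDS + 1
    results["late"] = svc.on_reply(phone, f"YES {ref2}")   # outside the window
    return results
```

Because SMS is plaintext beyond the radio interface, the design goal is that anyone reading the message learns only that some amount was requested and a six-character reference that stops working two minutes later; the cardholder data never crosses the channel in either direction.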
The consumer uses web pages displayed on, or additional applications downloaded and installed
on, the mobile phone to make a payment. It uses WAP (Wireless Application Protocol) as the
underlying technology and thus inherits all the advantages and disadvantages of WAP. Benefits
include:[24]
1. Follow-on sales where the mobile web payment can lead back to a store or to other goods
the consumer may like. These pages have a URL and can be bookmarked making it easy to
re-visit or share.
2. High customer satisfaction from quick and predictable payments
3. Ease of use from a familiar set of online payment pages
However, unless the mobile account is directly charged through a mobile network operator, the use
of a credit/debit card or pre-registration at online payment solution such as PayPal is still required
just as in a desktop environment.
Mobile web payment methods are now being mandated by a number of mobile network operators.
1. Mobile network operators already have a billing relationship with consumers, so the payment
is simply added to their bill.
2. Provides instantaneous payment
3. Protects payment details and consumer identity
4. Better conversion rates
5. Reduced customer support costs for merchants
6. Alternative monetization option in countries where credit card usage is low
One of the drawbacks is that the payout rate will often be much lower than with other mobile
payments options. Examples from a popular provider:
Others
QR code payments
QR codes are two-dimensional (2D) square barcodes that have been in use since 1994.[31]
Originally used to track products in warehouses, QR codes were designed to replace traditional
1D barcodes. Traditional barcodes just represent numbers, which can be looked up in a database
and translated into something meaningful; QR ("Quick Response") codes were designed to carry
the meaningful information right in the code itself.
QR code payments fall into two main categories:[32]
• The QR Code is presented on the mobile device of the person paying and scanned by a POS or
another mobile device of the payee
• The QR Code is presented by the payee, in a static or one time generated fashion and it is
scanned by the person executing the payment
Mobile self-checkout allows one to scan a QR code or barcode of a product inside a
brick-and-mortar establishment in order to purchase the product on the spot. This theoretically
eliminates or reduces long checkout lines, even at self-checkout kiosks.
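For the second category above, where the payee presents the code, the difference between a static and a one-time generated QR code is what the payment backend can check when the code is scanned. The Python below is an added example for these notes, not code from any QR payment scheme: the one-time code carries the payee id and amount plus a random nonce and an expiry, is authenticated with an HMAC, and the verifier rejects anything modified, stale or already accepted. The 90-second lifetime and the shared key between the payee's issuing service and the payment backend are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

QR_TTL_SECONDS = 90   # hypothetical lifetime of a one-time payee code


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> str:
    # canonical JSON so the same payload always yields the same signed bytes
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


class QrPaymentIssuer:
    """Payee side: produces the string that is rendered as the QR code."""

    def __init__(self, key: bytes, now=time.time) -> None:
        self.key = key
        self.now = now

    def issue(self, payee_id: str, amount_cents: int) -> str:
        payload = {"payee": payee_id, "amt": amount_cents,
                   "nonce": secrets.token_hex(8),             # makes every code unique
                   "exp": int(self.now()) + QR_TTL_SECONDS}   # bounds how long it is valid
        body = _encode(payload)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"


class QrPaymentVerifier:
    """Payment backend: accepts a scanned code once, unmodified and before expiry."""

    def __init__(self, key: bytes, now=time.time) -> None:
        self.key = key
        self.now = now
        self.seen_nonces: set[str] = set()

    def verify(self, code: str):
        """Return (status, payload); status is ok, malformed, bad-signature, expired or replayed."""
        if "." not in code:
            return "malformed", None
        body, tag = code.rsplit(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature", None      # any edit to payee or amount lands here
        payload = json.loads(_unb64(body))
        if self.now() > payload["exp"]:
            return "expired", None
        if payload["nonce"] in self.seen_nonces:
            return "replayed", None
        self.seen_nonces.add(payload["nonce"])
        return "ok", payload


def demo() -> list[str]:
    """Issue and verify codes with a constructed key and a fake clock."""
    clock = [1_700_000_000.0]
    key = secrets.token_bytes(32)     # assumed shared between payee service and backend
    issuer = QrPaymentIssuer(key, now=lambda: clock[0])
    verifier = QrPaymentVerifier(key, now=lambda: clock[0])

    code = issuer.issue("merchant-0001", 4999)          # constructed payee id and amount
    statuses = [verifier.verify(code)[0],               # ok
                verifier.verify(code)[0]]               # replayed

    body, tag = code.rsplit(".", 1)
    edited = json.loads(_unb64(body))
    edited["amt"] = 1                                   # amount changed, signature kept
    statuses.append(verifier.verify(f"{_encode(edited)}.{tag}")[0])   # bad-signature

    stale = issuer.issue("merchant-0001", 4999)
    clock[0] += QR_TTL_SECONDS + 1
    statuses.append(verifier.verify(stale)[0])          # expired
    statuses.append(verifier.verify("not-a-code")[0])   # malformed
    return statuses
```

A static code has none of these fields, so the backend can only check that the payee id is one it knows; the nonce and expiry are what turn "a picture of a payee id" into a single-use payment request.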
1. Operator-Centric Model: The mobile operator acts independently to deploy the mobile payment
service. The operator could provide an independent mobile wallet funded from the user's mobile
account (airtime). A large deployment of the operator-centric model is severely challenged
by the lack of connection to existing payment networks. The mobile network operator should
handle the interfacing with the banking network to provide an advanced mobile payment service
in banked and under-banked environments. Pilots using this model have been launched in
emerging countries, but they did not cover most of the mobile payment service use cases;
payments were limited to remittance and airtime top-up.
2. Bank-Centric Model: A bank deploys mobile payment applications or devices to customers
and ensures merchants have the required point-of-sale (POS) acceptance capability. Mobile
network operators are used as a simple carrier; they bring their experience to provide quality
of service (QoS) assurance.
3. Collaboration Model: This model involves collaboration among banks, mobile operators and
a trusted third party.
4. Peer-to-Peer Model: The mobile payment service provider acts independently of financial
institutions and mobile network operators to provide mobile payment.
For example, a credit card user is reminded by the institution of the amount of the
outstanding balance, the minimum amount due and the due date. Likewise, when the
customer pays by cheque or otherwise makes a payment, the institution sends an
acknowledgement through SMS stating the amount that it has received.