Technology Challenges in

Mobile Payments
Dr.V.N.Sastry
Professor, IDRBT &
Executive Secretary, MPFI
Road No.1, Castle Hills, Masab Tank,
Hyderabad 500057
E-Mail : [email protected]
Ph: 91-40-23534981
Test : 9440803813 (M) & MMID : 9211933
January 30, 2012 at IDRBT for the EDP
 Outline
• Mobile Payment Technologies

• Technology Challenges

• Some innovative developments

March 29, 2012 2

 Classification of Mobile Payments

Based on Based on Based on Based on the

Value Location Charging validation of the
method tokens exchanged
Micro
Payments Remote
Payments Post-paid Online
Payments
Mini
Payments Proximity Pre-paid Offline
Payments
Macro Payments
Payments (ex: e-coins
in P2P
transfers)
March 29, 2012 3
 Enabling Mobile Technologies
Security User
Transport Platforms
enablers Interface

SIM Voice
Long- Short- SAT
range range SMS
Infrared WPKI/ Java ME
GSM WIM
USSD
Bluetooth
GPRS Dual WAP
Java Card
slot
RFID phones
3G
NFC
4G
March 29, 2012 4
 Technology Challenges
• Device Level
• Application Level
• Communication Level
• User Level
• Security Level
• Standards Level
• Consolidation Level
March 29, 2012 5
 Device Level Challenges
• Variation in Features and
Functionalities, look and feel, text
size, recharging frequency, OS
• User Awareness and Education
• Voice, Data, MMS, interactivity, real
time response, location aided
feature etc. properly used ?

March 29, 2012 6

 Mobile Application Level
Challenges
• Is the Mobile Payment Application Developed in
Conformance to standards ? Is it
interoperable ?
• On which folder client application is to be
downloaded ? how to install and run a mobile
payment application ?
• Is the design optimized for execution in limited
phone memory?
• Has it been Tested and certified by Trusted
entity ?
• Can the customer wait for the delay to get it for
his/her new model ?
March 29, 2012 7
 Communication Level
Challenges
• Which channel to use : SMS, USSD,
GPRS, DTMF ?
• What way mobile banking
convenience is enhanced by 2G,
3G, 4G ?
• When and how to use Wireless
Communication Technologies :
Bluetooth, Zigbee, Wi-max, Wi-fi ,
LTE ?
March 29, 2012 8
 Mobile Communication
Architecture
Mobile Stations Base Station Network Subscriber and terminal
Subsystem Management equipment databases

OMC
BTS
Exchange
System
VLR
BSC MSC
HLR AUC

BTS EIR

March 29, 2012 9

 Settlement
(CCIL)
Switching
(NPCI)

Bank - A Bank -B
Interbank Mobile
Payment Service
(IMPS)

Payer-X Payee- Y

March 29, 2012 10

 User Level Challenges
• Local language support on Mobiles
• Generation of Transaction report
• Mobile Application on Phone memory or
SIM or memory card ?
• Trace of transaction data or critical
personal data : access by others
• Mobile Wallet : risk of multiple cards in the
device and value offload for cash exchange
in local currency
• Mobile based Financial Inclusion services
• Complaint registration and Grievance
resolution
March 29, 2012 11
 Biometric Settlement
Authentication Switching
( UIDAI )
(CCIL)
(NPCI)

Bank A Bank B

Mobile based Financial Inclusion

and
Mobile Wallet

BC Micro ATM ATM /

Merchant PoS
Customer

March 29, 2012 12

 Security Challenges
• Authentication
– User, Device, Application, Transaction
– Direct, Indirect
– Factors : You Know (UK), You Have (UH), You Are (UR)
– One Way from source (S) to destination (D)
– Mutual between source, destination or intermediate entities
as Telco , Mobile Payment Provider, Bank Server, Switching
agency.
• Encryption & Decryption Using Cryptoghaphy
– Symmetric key ( Password, m-Pin )
– Asymmetric key (PKI , WPKI )
• Layers of OSI Model
• Access Control Models
• Between Source (S) and Destination (D)
– MPP to Bank : SSL / TCP
– Bank to NPCI : SSL/TCP
March 29, 2012 13
 Major 3 Sections of a Mobile Phone
– Power Section
• Power distribution
• Charging section
– Radio Section
• Band Switching
• RF Power Amplification
• Transmitter
• Receiver
– Computer Section
• CPU (central processing unit)
• Memory (RAM,FLASH,COMBO CHIP)
March 29, 2012 14
 Some reported attacks on
Mobile Phones
• Phishing
• Botnet •Cabir (First in 2004 )
• Fake Player •Comwar
• Trojan horse
•Skulls
• Bluejacking
(Symbian ) •Windows CE virus
• BlueBug
• BlueSnarfing
• BluePrinting
March 29, 2012 15
 Mobile Station
• Mobile Equipment (ME) is identified by
– International Mobile Equipment Identity (IMEI) Number
• Subscriber Identity Module (SIM) Card has keys,
identifiers and algorithms
• Identifiers
– Ki – Subscriber Authentication Key
– IMSI – International Mobile Subscriber Identity
– TMSI – Temporary Mobile Subscriber Identity
– MSISDN – Mobile Station International Service Digital Network
– PIN – Personal Identity Number protecting a SIM
– LAI – location area identity

• STK ( SIM Application Toolkit) allows applications in

the SIM to interact with any ME
• ETSI GSM 11.14 standard defines the interface
between the SIM and the interoperable ME .
March 29, 2012
16
 SIM Card
• Mobile Payment Application can be installed on either ME or SIM .
• The application burnt on the SIM card gives by far the most secure
application environment. The mobile application can be stored on
its own security domain and hence prevented from others having
access to it.
•  Forensic tools and procedures exist that can be used to bypass
built-in security mechanisms and recover the contents of a device.
• Both software and hardware-based methods are available for data
recovery, including those that exploit existing vulnerabilities.
• A number of GSM mobile phones allow acquisition with a forensic
tool, if a PIN-enabled (U)SIM is missing or removed from the
device. It is also possible to create substitute (U)SIMs for certain
models of phones that fools them into treating the (U)SIM as the
original, and allowing access.
•  

March 29, 2012

17
 Security at Mobile Channel Level
• Voice Channel : DTMF for IVRS
• Text Channel : SMS, USSD
• MMS Channel : GPRS
• GSM Security Mechanisms
• Equipment Identity Register (EIR)
– Black list – stolen or non-type mobiles
– White list - valid mobiles
– Gray list – local tracking mobiles
• Central Equipment Identity Register (CEIR)
– Approved mobile type (type approval authorities)
– Consolidated black list (posted by operators)
March 29, 2012 18
 Security at Mobile Application level
• Client Application developed by the
Mobile Payment Provider (MPP)
• Server Application of the MPP at the
Bank level
• Security Testing
• Key Generation and storage process
• Check Sum implemented
• Reaching to the destined address only ?

March 29, 2012 19

 Multiple Standard
Challenges
• ISO Standards
• IEEE Standards
• PCI DSS Standards
• Regulatory Standards
• Global platform Standards
• EMV Standards
• NIST Standards
• SFMS, SWIFT Standards
• NFC Standards
March 29, 2012 20
 Mobile ad hoc network technologies
Technology Theoretical Bit Rate Frequenc Range Power
Standard y Consumptio
n
IEEE 802.11b 1,2,5.5, 11 Mbits/s 2.4 GHz 100m-500m 30mW
IEEE 802.11g Upto 54 Mbits/s 2.4 GHz 25-50m 79mW

IEEE 802.11a Upto 54 Mbits/s 5 GHz 40m 250mW

Bluetooth 1 Mbits/s 2.4 GHz 10 m-100m 1mW

IEEE
802.11.15.1
UWB (IEEE 110 - 480 Mbit/s 10 GHz 10m 200 mW
802.15.3)
Hiper LAN2 Upto 54 Mbits/s 5 GHz 150m 200 mW

IrDA 4Mbits 850 nm 10 m 200mW

March 29, 2012 21
IEEE 802.11n 600 Mbits/s 5 GHz 100m - 250m 1500W
 Consolidation Level
Challenges
• Server capabilities to handle high
volume mobile payment transactions
• Periodic and round the clock clearing
services for mobile payments
• Net and Real time funds settlement
between Banks
• Cash management issues at ATMs on
account of high velocity mobile
payments.
• Offering Mobile Banking Application as
a Cloud Service
March 29, 2012 22
 Some Innovative solutions of
Mobile Payments in India:
• Bringing all stakeholders of Mobile Payments into
one platform by the Mobile Payment Forum of India
(MPFI) in 2006
• Use of Mobile Phone Number and MMID only for
Mobile Payments
• Use of AADHAR number and BIN for Mobile
Payments
• Use of USSD based Mobile Payments
• Development of MANETS for Financial Inclusion by
IDRBT
• And many other solutions reported in the workshop
March 29, 2012 23
 MANET Ecosystem for
Mobile Payments

 MANET nodes.

 Gateway.

 Backbone Network.

 Bank Server.

 Fixed Relay.
March 29, 2012 24
 Mobile ad-hoc Network (MANET)
 It is a Mobile wireless network.
 MANET nodes are rapidly deployable, self
configuring and capable of doing autonomous
operation in the network.
 Nodes co-operate to provide Connectivity and
Services.
 Operates without base station and centralized
administration.
 Nodes exhibit mobility and the topology is dynamic.
 Nodes must be able to relay traffic sense.
 A MANET can be a standalone network or it can be
connected to external networks(Internet).

March 29, 2012 25

 MANET based Mobile Payments
Cellular
Network
/Satellite
Gateway Backbone I
Technology
MANET Fixed Relays Internet /
Private LAN
node

Village

Mobile ad hoc Network Bank Server

March 29, 2012 26
 Testbed
Cellular Network/
ISDN/PSTN/ LLN/
Mobile Node A Satellite Network
192.168.1.2

Mobile Node C
192.168.1.3 192.168.1.1
Mobile Node B
Gateway
192.168.1.3

Fixed Relay
Mobile Node D Bank-A Bank-B
192.168.1.4 MANET in a Server Server
March 29, 2012 Village 172.16.0.8 162.16.6.124 27
March 29, 2012 28