logging in or signing up itsk aSGuest16810 Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 119 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: April 15, 2009 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Mobile Commerce : Mobile Commerce CMSC 466/666 UMBC Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Commerce: Overview : Mobile Commerce: Overview Mobile commerce (m-commerce, m-business)—any e-commerce done in a wireless environment, especially via the Internet Can be done via the Internet, private communication lines, smart cards, etc. Creates opportunity to deliver new services to existing customers and to attract new ones Mobile commerce from the Customer‘s point of view : Mobile commerce from the Customer‘s point of view The customer wants to access information, goods and services any time and in any place on his mobile device. He can use his mobile device to purchase tickets for events or public transport, pay for parking, download content and even order books and CDs. He should be offered appropriate payment methods. They can range from secure mobile micropayment to service subscriptions. Mobile commerce from the Provider‘s point of view : Mobile commerce from the Provider‘s point of view The future development of the mobile telecommunication sector is heading more and more towards value-added services. Analysts forecast that soon half of mobile operators‘ revenue will be earned through mobile commerce. Consequently operators as well as third party providers will focus on value-added-services. To enable mobile services, providers with expertise on different sectors will have to cooperate. Innovative service scenarios will be needed that meet the customer‘s expectations and business models that satisfy all partners involved. M-Commerce Terminology : M-Commerce Terminology Generations 1G: 1979-1992 wireless technology 2G: current wireless technology; mainly accommodates text 2.5G: interim technology accommodates graphics 3G: 3rd generation technology (2001-2005) supports rich media (video clips) 4G: will provide faster multimedia display (2006-2010) Terminology and Standards : Terminology and Standards GPS: Satellite-based Global Positioning System PDA: Personal Digital Assistant—handheld wireless computer SMS: Short Message Service EMS: Enhanced Messaging Service MMS: Multimedia Messaging Service WAP: Wireless Application Protocol Smartphones—Internet-enabled cell phones with attached applications Attributes of M-Commerce and Its Economic Advantages : Attributes of M-Commerce and Its Economic Advantages Mobility—users carry cell phones or other mobile devices Broad reach—people can be reached at any time Ubiquity—easier information access in real-time Convenience—devices that store data and have Internet, intranet, extranet connections Instant connectivity—easy and quick connection to Internet, intranets, other mobile devices, databases Personalization—preparation of information for individual consumers Localization of products and services—knowing where the user is located at any given time and match service to them Outline : Outline M-Commerce Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Computing Infrastructure : Mobile Computing Infrastructure Screenphones—a telephone equipped with color screen, keyboard, e-mail, and Internet capabilities E-mail handhelds Wirelined—connected by wires to a network Cellular (mobile) phones Attachable keyboard PDAs Interactive pagers Other devices Notebooks Handhelds Smartpads Hardware Slide 11: Mobile Computing Infrastructure(cont.) Unseen infrastructure requirements Suitably configured wireline or wireless WAN modem Web server with wireless support Application or database server Large enterprise application server GPS locator used to determine the location of mobile computing device carrier Mobile Computing Infrastructure (cont.) : Mobile Computing Infrastructure (cont.) Software Microbrowser Mobile client operating system (OS) Bluetooth—a chip technology and WPAN standard that enables voice and data communications between wireless devices over short-range radio frequency (RF) Mobile application user interface Back-end legacy application software Application middleware Wireless middleware Mobile Computing Infrastructure (cont.) : Mobile Computing Infrastructure (cont.) Networks and access Wireless transmission media Microwave Satellites Radio Infrared Cellular radio technology Wireless systems Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Service Scenarios : Mobile Service Scenarios Financial Services. Entertainment. Shopping. Information Services. Payment. Advertising. And more ... Early content and applications have all been geared around information delivery but as time moves on the accent will be on revenue generation. : Early content and applications have all been geared around information delivery but as time moves on the accent will be on revenue generation. Entertainment Music Games Graphics Video Pornography Communications Short Messaging Multimedia Messaging Unified Messaging e-mail Chatrooms Video - conferencing Transactions Banking Broking Shopping Auctions Betting Booking & reservations Mobile wallet Mobile purse Information News City guides Directory Services Maps Traffic and weather Corporate information Market data Classes of M-Commerce Applications : Classes of M-Commerce Applications Mobile Application: Financial Tool : Mobile Application: Financial Tool As mobile devices become more secure Mobile banking Bill payment services M-brokerage services Mobile money transfers Mobile micropayments Replace ATM’s and credit cards?? Financial Tool: Wireless Electronic Payment Systems : Financial Tool: Wireless Electronic Payment Systems “transform mobile phones into secure, self-contained purchasing tools capable of instantly authorizing payments…” Types: Micropayments Wireless wallets (m-wallet) Bill payments Examples : Examples Swedish Postal Bank Check Balances/Make Payments & Conduct some transactions Dagens Industri Receive Financial Data and Trade on Stockholm Exchange Citibank Access balances, pay bills & transfer funds using SMS Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service Shopping from Wireless Devices Have access to services similar to those of wireline shoppers Shopping carts Price comparisons Order status Future Will be able to view and purchase products using handheld mobile devices Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service Targeted Advertising Using demographic information can personalize wireless services (barnesandnoble.com) Knowing users’ preferences and surfing habits marketers can send: User-specific advertising messages Location-specific advertising messages Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service CRM applications MobileCRM Comparison shopping using Internet capable phones Voice Portals Enhanced customer service improved access to data for employees Mobile Portals : Mobile Portals “A customer interaction channel that aggregates content and services for mobile users.” Charge per time for service or subscription based Example: I-Mode in Japan Mobile corporate portal Serves corporations customers and suppliers Mobile Intrabusiness and Enterprise Applications : Mobile Intrabusiness and Enterprise Applications Support of Mobile Employees by 2005 25% of all workers could be mobile employees sales people in the field, traveling executives, telecommuters, consultants working on-site, repair or installation employees need same corporate data as those working inside company’s offices solution: wireless devices wearable devices: cameras, screen, keyboard, touch-panel display Mobile B2B and Supply Chain Applications : Mobile B2B and Supply Chain Applications “mobile computing solutions enable organizations to respond faster to supply chain disruptions by proactively adjusting plans or shifting resources related to critical supply chain events as they occur.” accurate and timely information opportunity to collaborate along supply chain must integrate mobile devices into information exchanges example: “telemetry” integration of wireless communications, vehicle monitoring systems, and vehicle location devices leads to reduced overhead and faster service responsiveness (vending machines) Applications of Mobile Devices for Consumers/Industries : Applications of Mobile Devices for Consumers/Industries Personal Service Applications example airport Mobile Gaming and Gambling Mobile Entertainment music and video Hotels Intelligent Homes and Appliances Wireless Telemedicine Other Services for Consumers Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Payment for M-Commerce : Mobile Payment for M-Commerce Mobile Payment can be offered as a stand-alone service. Mobile Payment could also be an important enabling service for other m-commerce services (e.g. mobile ticketing, shopping, gambling…) : It could improve user acceptance by making the services more secure and user-friendly. In many cases offering mobile payment methods is the only chance the service providers have to gain revenue from an m-commerce service. Mobile Payment (cont.) : Mobile Payment (cont.) the consumer must be informed of: what is being bought, and how much to pay options to pay; the payment must be made payments must be traceable. Mobile Payment (cont.) : Mobile Payment (cont.) Customer requirements: a larger selection of merchants with whom they can trade a more consistent payment interface when making the purchase with multiple payment schemes, like: Credit Card payment Bank Account/Debit Card Payment Merchant benefits: brands to offer a wider variety of payment Easy-to-use payment interface development Bank and financial institution benefits to offer a consistent payment interface to consumer and merchants Payment via Internet Payment Provider : Payment via Internet Payment Provider WAP GW/Proxy SSL tunnel MeP GSM Security SMS-C Browsing (negotiation) Mobile Wallet CC/Bank IPP Payment via integrated Payment Server : Payment via integrated Payment Server WAP GW/Proxy ISO8583 Based CP Mobile Commerce Server GSM Security SMS-C Browsing (negotiation) CC/Bank Mobile Wallet Voice PrePaid VPP IF SSL tunnel Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Limitations of M-Commerce : Limitations of M-Commerce Usability Problem small size of mobile devices (screens, keyboards, etc) limited storage capacity of devices hard to browse sites Technical Limitations lack of a standardized security protocol insufficient bandwidth 3G liscenses Limitations of M-Commerce : Limitations of M-Commerce Technical Limitations… transmission and power consumption limitations poor reception in tunnels and certain buildings multipath interference, weather, and terrain problems and distance-limited connections WAP Limitations Speed Cost Accessibility Limiting technological factors : Limiting technological factors Mobile Devices Battery Memory CPU Display Size Networks Bandwidth Interoperability Cell Range Roaming Localisation Upgrade of Network Upgrade of Mobile Devices Precision Mobile Middleware Standards Distribution Security Mobile Device Network Gateway Potential Health Hazards : Potential Health Hazards Cellular radio frequecies = cancer? No conclusive evidence yet could allow for myriad of lawsuits mobile devices may interfere with sensitive medical devices such as pacemakers Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Security in M-Commerce: Environment : Security in M-Commerce: Environment WAP1.2(WIM) (SIM) WAP Architecture : WAP Architecture Comparison between Internet and WAP technologies : Comparison between Internet and WAP technologies WAP Risks : WAP Risks WAP Gap Claim: WTLS protects WAP as SSL protects HTTP Problem: In the process of translating one protocol to another, information is decrypted and re-encrypted Recall the WAP Architecture Solution: Doing decryption/re-encryption in the same process on the WAP gateway Wireless gateways as single point of failure Platform Risks : Platform Risks Without a secure OS, achieving security on mobile devices is almost impossible Learned lessons: Memory protection of processes Protected kernel rings File access control Authentication of principles to resources Differentiated user and process privileges Sandboxes for untrusted code Biometric authentication WMLScript : WMLScript Scripting is heavily used for client-side processing to offload servers and reduce demand on bandwidth Wireless Markup Language (WML) is the equivalent to HTML, but derived from XML WMLScript is WAP’s equivalent to JavaScript Derived from JavaScript™ WMLScript (cont.) : WMLScript (cont.) Integrated with WML Reduces network traffic Has procedural logic, loops, conditionals, etc Optimized for small-memory, small-CPU devices Bytecode-based virtual machine Compiler in network Works with Wireless Telephony Application (WTA) to provide telephony functions Risks of WMLScript : Risks of WMLScript Lack of Security Model Does not differentiate trusted local code from untrusted code downloaded from the Internet. So, there is no access control!! WML Script is not type-safe. Scripts can be scheduled to be pushed to the client device without the user’s knowledge Does not prevent access to persistent storage Possible attacks: Theft or damage of personal information Abusing user’s authentication information Maliciously offloading money saved on smart cards Bluetooth : Bluetooth Bluetooth is the codename for a small, low-cost, short range wireless technology specification Enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry, or connect cables. Bluetooth enables mobile phones, computers and PDAs to connect with each other using short-range radio waves, allowing them to "talk" to each other It is also cheap Bluetooth Security : Bluetooth Security Bluetooth provides security between any two Bluetooth devices for user protection and secrecy mutual and unidirectional authentication encrypts data between two devices Session key generation configurable encryption key length keys can be changed at any time during a connection Authorization (whether device X is allowed to have access service Y) Trusted Device: The device has been previously authenticated, a link key is stored and the device is marked as “trusted” in the Device Database. Untrusted Device: The device has been previously authenticated, link key is stored but the device is not marked as “trusted” in the Device Database Unknown Device: No security information is available for this device. This is also an untrusted device. automatic output power adaptation to reduce the range exactly to requirement, makes the system extremely difficult to eavesdrop New Security Risksin M-Commerce : New Security Risksin M-Commerce Abuse of cooperative nature of ad-hoc networks An adversary that compromises one node can disseminate false routing information. Malicious domains A single malicious domain can compromise devices by downloading malicious code Roaming (are you going to the bad guys ?) Users roam among non-trustworthy domains New Security Risks (cont.) : New Security Risks (cont.) Launching attacks from mobile devices With mobility, it is difficult to identify attackers Loss or theft of device More private information than desktop computers Security keys might have been saved on the device Access to corporate systems Bluetooth provides security at the lower layers only: a stolen device can still be trusted New Security Risks (cont.) : New Security Risks (cont.) Problems with Wireless Transport Layer Security (WTLS) protocol Security Classes: No certificates Server only certificate (Most Common) Server and client Certificates Re-establishing connection without re-authentication Requests can be redirected to malicious sites New Privacy Risks : New Privacy Risks Monitoring user’s private information Offline telemarketing Who is going to read the “legal jargon” Value added services based on location awareness (Location-Based Services) You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
itsk aSGuest16810 Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINT lite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 119 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: April 15, 2009 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Mobile Commerce : Mobile Commerce CMSC 466/666 UMBC Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Commerce: Overview : Mobile Commerce: Overview Mobile commerce (m-commerce, m-business)—any e-commerce done in a wireless environment, especially via the Internet Can be done via the Internet, private communication lines, smart cards, etc. Creates opportunity to deliver new services to existing customers and to attract new ones Mobile commerce from the Customer‘s point of view : Mobile commerce from the Customer‘s point of view The customer wants to access information, goods and services any time and in any place on his mobile device. He can use his mobile device to purchase tickets for events or public transport, pay for parking, download content and even order books and CDs. He should be offered appropriate payment methods. They can range from secure mobile micropayment to service subscriptions. Mobile commerce from the Provider‘s point of view : Mobile commerce from the Provider‘s point of view The future development of the mobile telecommunication sector is heading more and more towards value-added services. Analysts forecast that soon half of mobile operators‘ revenue will be earned through mobile commerce. Consequently operators as well as third party providers will focus on value-added-services. To enable mobile services, providers with expertise on different sectors will have to cooperate. Innovative service scenarios will be needed that meet the customer‘s expectations and business models that satisfy all partners involved. M-Commerce Terminology : M-Commerce Terminology Generations 1G: 1979-1992 wireless technology 2G: current wireless technology; mainly accommodates text 2.5G: interim technology accommodates graphics 3G: 3rd generation technology (2001-2005) supports rich media (video clips) 4G: will provide faster multimedia display (2006-2010) Terminology and Standards : Terminology and Standards GPS: Satellite-based Global Positioning System PDA: Personal Digital Assistant—handheld wireless computer SMS: Short Message Service EMS: Enhanced Messaging Service MMS: Multimedia Messaging Service WAP: Wireless Application Protocol Smartphones—Internet-enabled cell phones with attached applications Attributes of M-Commerce and Its Economic Advantages : Attributes of M-Commerce and Its Economic Advantages Mobility—users carry cell phones or other mobile devices Broad reach—people can be reached at any time Ubiquity—easier information access in real-time Convenience—devices that store data and have Internet, intranet, extranet connections Instant connectivity—easy and quick connection to Internet, intranets, other mobile devices, databases Personalization—preparation of information for individual consumers Localization of products and services—knowing where the user is located at any given time and match service to them Outline : Outline M-Commerce Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Computing Infrastructure : Mobile Computing Infrastructure Screenphones—a telephone equipped with color screen, keyboard, e-mail, and Internet capabilities E-mail handhelds Wirelined—connected by wires to a network Cellular (mobile) phones Attachable keyboard PDAs Interactive pagers Other devices Notebooks Handhelds Smartpads Hardware Slide 11: Mobile Computing Infrastructure(cont.) Unseen infrastructure requirements Suitably configured wireline or wireless WAN modem Web server with wireless support Application or database server Large enterprise application server GPS locator used to determine the location of mobile computing device carrier Mobile Computing Infrastructure (cont.) : Mobile Computing Infrastructure (cont.) Software Microbrowser Mobile client operating system (OS) Bluetooth—a chip technology and WPAN standard that enables voice and data communications between wireless devices over short-range radio frequency (RF) Mobile application user interface Back-end legacy application software Application middleware Wireless middleware Mobile Computing Infrastructure (cont.) : Mobile Computing Infrastructure (cont.) Networks and access Wireless transmission media Microwave Satellites Radio Infrared Cellular radio technology Wireless systems Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Service Scenarios : Mobile Service Scenarios Financial Services. Entertainment. Shopping. Information Services. Payment. Advertising. And more ... Early content and applications have all been geared around information delivery but as time moves on the accent will be on revenue generation. : Early content and applications have all been geared around information delivery but as time moves on the accent will be on revenue generation. Entertainment Music Games Graphics Video Pornography Communications Short Messaging Multimedia Messaging Unified Messaging e-mail Chatrooms Video - conferencing Transactions Banking Broking Shopping Auctions Betting Booking & reservations Mobile wallet Mobile purse Information News City guides Directory Services Maps Traffic and weather Corporate information Market data Classes of M-Commerce Applications : Classes of M-Commerce Applications Mobile Application: Financial Tool : Mobile Application: Financial Tool As mobile devices become more secure Mobile banking Bill payment services M-brokerage services Mobile money transfers Mobile micropayments Replace ATM’s and credit cards?? Financial Tool: Wireless Electronic Payment Systems : Financial Tool: Wireless Electronic Payment Systems “transform mobile phones into secure, self-contained purchasing tools capable of instantly authorizing payments…” Types: Micropayments Wireless wallets (m-wallet) Bill payments Examples : Examples Swedish Postal Bank Check Balances/Make Payments & Conduct some transactions Dagens Industri Receive Financial Data and Trade on Stockholm Exchange Citibank Access balances, pay bills & transfer funds using SMS Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service Shopping from Wireless Devices Have access to services similar to those of wireline shoppers Shopping carts Price comparisons Order status Future Will be able to view and purchase products using handheld mobile devices Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service Targeted Advertising Using demographic information can personalize wireless services (barnesandnoble.com) Knowing users’ preferences and surfing habits marketers can send: User-specific advertising messages Location-specific advertising messages Mobile Applications : Marketing, Advertising, And Customer Service : Mobile Applications : Marketing, Advertising, And Customer Service CRM applications MobileCRM Comparison shopping using Internet capable phones Voice Portals Enhanced customer service improved access to data for employees Mobile Portals : Mobile Portals “A customer interaction channel that aggregates content and services for mobile users.” Charge per time for service or subscription based Example: I-Mode in Japan Mobile corporate portal Serves corporations customers and suppliers Mobile Intrabusiness and Enterprise Applications : Mobile Intrabusiness and Enterprise Applications Support of Mobile Employees by 2005 25% of all workers could be mobile employees sales people in the field, traveling executives, telecommuters, consultants working on-site, repair or installation employees need same corporate data as those working inside company’s offices solution: wireless devices wearable devices: cameras, screen, keyboard, touch-panel display Mobile B2B and Supply Chain Applications : Mobile B2B and Supply Chain Applications “mobile computing solutions enable organizations to respond faster to supply chain disruptions by proactively adjusting plans or shifting resources related to critical supply chain events as they occur.” accurate and timely information opportunity to collaborate along supply chain must integrate mobile devices into information exchanges example: “telemetry” integration of wireless communications, vehicle monitoring systems, and vehicle location devices leads to reduced overhead and faster service responsiveness (vending machines) Applications of Mobile Devices for Consumers/Industries : Applications of Mobile Devices for Consumers/Industries Personal Service Applications example airport Mobile Gaming and Gambling Mobile Entertainment music and video Hotels Intelligent Homes and Appliances Wireless Telemedicine Other Services for Consumers Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Mobile Payment for M-Commerce : Mobile Payment for M-Commerce Mobile Payment can be offered as a stand-alone service. Mobile Payment could also be an important enabling service for other m-commerce services (e.g. mobile ticketing, shopping, gambling…) : It could improve user acceptance by making the services more secure and user-friendly. In many cases offering mobile payment methods is the only chance the service providers have to gain revenue from an m-commerce service. Mobile Payment (cont.) : Mobile Payment (cont.) the consumer must be informed of: what is being bought, and how much to pay options to pay; the payment must be made payments must be traceable. Mobile Payment (cont.) : Mobile Payment (cont.) Customer requirements: a larger selection of merchants with whom they can trade a more consistent payment interface when making the purchase with multiple payment schemes, like: Credit Card payment Bank Account/Debit Card Payment Merchant benefits: brands to offer a wider variety of payment Easy-to-use payment interface development Bank and financial institution benefits to offer a consistent payment interface to consumer and merchants Payment via Internet Payment Provider : Payment via Internet Payment Provider WAP GW/Proxy SSL tunnel MeP GSM Security SMS-C Browsing (negotiation) Mobile Wallet CC/Bank IPP Payment via integrated Payment Server : Payment via integrated Payment Server WAP GW/Proxy ISO8583 Based CP Mobile Commerce Server GSM Security SMS-C Browsing (negotiation) CC/Bank Mobile Wallet Voice PrePaid VPP IF SSL tunnel Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Limitations of M-Commerce : Limitations of M-Commerce Usability Problem small size of mobile devices (screens, keyboards, etc) limited storage capacity of devices hard to browse sites Technical Limitations lack of a standardized security protocol insufficient bandwidth 3G liscenses Limitations of M-Commerce : Limitations of M-Commerce Technical Limitations… transmission and power consumption limitations poor reception in tunnels and certain buildings multipath interference, weather, and terrain problems and distance-limited connections WAP Limitations Speed Cost Accessibility Limiting technological factors : Limiting technological factors Mobile Devices Battery Memory CPU Display Size Networks Bandwidth Interoperability Cell Range Roaming Localisation Upgrade of Network Upgrade of Mobile Devices Precision Mobile Middleware Standards Distribution Security Mobile Device Network Gateway Potential Health Hazards : Potential Health Hazards Cellular radio frequecies = cancer? No conclusive evidence yet could allow for myriad of lawsuits mobile devices may interfere with sensitive medical devices such as pacemakers Outline : Outline M-Commerce Overview Infrastructure M-Commerce Applications Mobile Payment Limitations Security in M-Commerce Security in M-Commerce: Environment : Security in M-Commerce: Environment WAP1.2(WIM) (SIM) WAP Architecture : WAP Architecture Comparison between Internet and WAP technologies : Comparison between Internet and WAP technologies WAP Risks : WAP Risks WAP Gap Claim: WTLS protects WAP as SSL protects HTTP Problem: In the process of translating one protocol to another, information is decrypted and re-encrypted Recall the WAP Architecture Solution: Doing decryption/re-encryption in the same process on the WAP gateway Wireless gateways as single point of failure Platform Risks : Platform Risks Without a secure OS, achieving security on mobile devices is almost impossible Learned lessons: Memory protection of processes Protected kernel rings File access control Authentication of principles to resources Differentiated user and process privileges Sandboxes for untrusted code Biometric authentication WMLScript : WMLScript Scripting is heavily used for client-side processing to offload servers and reduce demand on bandwidth Wireless Markup Language (WML) is the equivalent to HTML, but derived from XML WMLScript is WAP’s equivalent to JavaScript Derived from JavaScript™ WMLScript (cont.) : WMLScript (cont.) Integrated with WML Reduces network traffic Has procedural logic, loops, conditionals, etc Optimized for small-memory, small-CPU devices Bytecode-based virtual machine Compiler in network Works with Wireless Telephony Application (WTA) to provide telephony functions Risks of WMLScript : Risks of WMLScript Lack of Security Model Does not differentiate trusted local code from untrusted code downloaded from the Internet. So, there is no access control!! WML Script is not type-safe. Scripts can be scheduled to be pushed to the client device without the user’s knowledge Does not prevent access to persistent storage Possible attacks: Theft or damage of personal information Abusing user’s authentication information Maliciously offloading money saved on smart cards Bluetooth : Bluetooth Bluetooth is the codename for a small, low-cost, short range wireless technology specification Enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry, or connect cables. Bluetooth enables mobile phones, computers and PDAs to connect with each other using short-range radio waves, allowing them to "talk" to each other It is also cheap Bluetooth Security : Bluetooth Security Bluetooth provides security between any two Bluetooth devices for user protection and secrecy mutual and unidirectional authentication encrypts data between two devices Session key generation configurable encryption key length keys can be changed at any time during a connection Authorization (whether device X is allowed to have access service Y) Trusted Device: The device has been previously authenticated, a link key is stored and the device is marked as “trusted” in the Device Database. Untrusted Device: The device has been previously authenticated, link key is stored but the device is not marked as “trusted” in the Device Database Unknown Device: No security information is available for this device. This is also an untrusted device. automatic output power adaptation to reduce the range exactly to requirement, makes the system extremely difficult to eavesdrop New Security Risksin M-Commerce : New Security Risksin M-Commerce Abuse of cooperative nature of ad-hoc networks An adversary that compromises one node can disseminate false routing information. Malicious domains A single malicious domain can compromise devices by downloading malicious code Roaming (are you going to the bad guys ?) Users roam among non-trustworthy domains New Security Risks (cont.) : New Security Risks (cont.) Launching attacks from mobile devices With mobility, it is difficult to identify attackers Loss or theft of device More private information than desktop computers Security keys might have been saved on the device Access to corporate systems Bluetooth provides security at the lower layers only: a stolen device can still be trusted New Security Risks (cont.) : New Security Risks (cont.) Problems with Wireless Transport Layer Security (WTLS) protocol Security Classes: No certificates Server only certificate (Most Common) Server and client Certificates Re-establishing connection without re-authentication Requests can be redirected to malicious sites New Privacy Risks : New Privacy Risks Monitoring user’s private information Offline telemarketing Who is going to read the “legal jargon” Value added services based on location awareness (Location-Based Services)