M-Payments Issues and Concepts

Informatica Economică vol. 16, no. 3/2012 117

Cristian TOMA Department of Economic Informatics and Cybernetics Academy of Economic Studies Bucharest [email protected], [email protected]

The paper has four sections. First section has an intro for the mobile payments requirements for a reliable service. Second section shows types and models of mobile payment service but not taking into account the service patterns and the electronic money systems. In section three as a case study is shown an author solution may be improved taking into account the security and ergonomic issues presented in the first two sections. The last section presents a summary of technologies available for improvement of the mobile payment services. Keywords: 2D Barcode, DOV – Data over Voice, NFC – Near Field Communication, Mobile Micropayments, Ticketing System

M-Payments Introduction vice should be able to interact with other 1The paper Mobile payment (M-Payment) systems and it should be based on open is a field with an economical grows support- standards and technologies. ed by the decreasing costs of GSM commu- Security, Privacy & Trust: nications, devices and applications. An im- • As an objective the mobile payments portant factor for m-payments grow is the have to be as anonymous as cash end-user awareness and the products and ser- transactions. vices compliancy to fast and simple pay- • If the mobile payments system is not ments methods. anonymous, then a customer must be The products and goods that can be achieved able to understand how his or her pri- with the m-payments methods could be: vate information is protected and the Electronic content: Applications, e- client must be sure that is hard or im- Books, games, VOD – Video on De- possible to expose this information mand, music, ringtones, wallpapers, etc. (e.g. credit or debit card) to other en- Hard goods: Concerts tickets, Books, tity from the payment system (other journals, magazines, etc. than the client, merchant or bank). Services access: transportation fare – • Also, when mobile payments transac- bus, subway or train, parking meters, tions are recorded, the customer pri- cinema access and other services. vacy should not be openly available According with [1], a mobile payment ser- for the public access – the credit his- vice should meet the following conditions in tories and spending patterns of the order to be trustworthy within the markets: customer. Simplicity & Usability: The m-payment • The system should be “bullet-proof”, application should have an ergonomic resistant to inside or outside attacks. GUI – Graphical User Interface with A solution is to use public key infra- small learning curve to the customer. structure security, specialized crypto- The application’s personalization is a chips (embedded or external to the criterion for the end-user satisfaction. mobile device), biometrics and pass- Universality: M-payments service should words integrated into the mobile be possible for low value micro- payment solution architectures. payments and high value macro- Cost: From macro and micro systems payments and it should include domes- point of view the costs of the usability tic, regional and global environments. and deployment for the m-payments sys- Interoperability: The m-payments ser- tems should be lower than the existing

118 Informatica Economică vol. 16, no. 3/2012

payment mechanisms. bank to the customers for the mobile Speed: The speed of the mobile pay- payment transaction achievement and ments execution should be acceptable to the bank provides to the merchants the customers and merchants. compliant point-of-sale (POS). Mobile Cross border payments: The m-payment network operators are used as simple application and transactions should be carriers or device providers. available globally, in order to be widely Collaboration Model: The banks, mobile accepted – regional or world-wide. operators and a trusted third party are Also the mobile payments methods are dy- collaborating for providing the mobile namically modified by the technological evo- payment service, including the issuing of lutions and by the end-user experiences. In co-branded devices that ensures the cus- the following sections, there are presented tomer loyalty. various types of mobile payments methods Peer-to-Peer Model: A private/public in- and systems. stitution or company, independently from financial institutions and mobile 2 Types and Models of Mobile Payments network operators, is the mobile pay- One of the main problems is which entity is ment service provider. going to provide the support for the financial The mobile payments service may or may infrastructure: the bank, the mobile operator, NOT include electronic money (also known other private or public company, or a consor- as e-currency, e-money, electronic cash, digi- tium. According to [2], there are three differ- tal money, digital cash, cyber currency) ex- ent models available for m-payment solutions change. on the basis of payment: Examples of electronic money are [5]: EFT – Bank account based Electronic Funds Transfer, direct deposit, Credit card based digital gold currency and virtual currency Telecommunication Company billing united under the term of “financial cryptog- based. raphy”. There are three types of electronic Mainly, the mobile payment service is pro- money systems: vided taking into account one of the follow- Centralized Systems – sell their electron- ing models [3]: ic money directly to the customer (e.g. Operator-Centric Model: The mobile PayPal, WebMoney, netCash.is, Pay- payment service is deployed inde- oneer, cashU, Hub Culture's Ven, Octu- pendently by a MNO – mobile network pus Card, Eagle Cash – private for U.S. operator. An independent mobile wallet army, and other local systems in E.U. with electronic cash or money (stored in and U.S.A for canteens, sport areas and the SIM, internal/external crypto-chip to library access) the mobile device or software applica- Decentralized Systems – will sell their tion) may be provided by the mobile op- electronic money through third party erator. The charging of the electronic digitally exchangers (e.g. Ripple mone- wallet may be done through the user tary system, Bitcoin, Loom) mobile account (telephony company bill) Offline "anonymous" systems – eCash / and the money withdraw may be done DigiCash (“pure anonymous”), “semi- using specialized offices with mobile anonymous” and based on electronic operator agreement. Mobile network op- purse/wallet (not 100% electronic mon- erator should be interoperable with the ey) – Mondex - UK, Visa Cash – U.S, bank network in order to provide ad- Geldkarte - Germany, Chipknip - Neth- vanced mobile payment service in erlands, Proton - Belgium, FeliCa – Ja- banked and under banked environment. pan, Moneo – France, Quick – Europay Bank-Centric Model: The mobile appli- Austria, MintChip – Canada, MiniPay - cations or devices are provided by a Italy).

Informatica Economică vol. 16, no. 3/2012 119

The electronic money payment systems are Picture messaging (SMS, EMS, WAP out of scope of this paper (because just few of Push and MMS) - usually uses a barcode them have deployments for mobile environ – 2D barcode – QR ments – see FeliCa) and the focus in these Contactless – Especially for access to sections is on the mobile payments transac services provided by systems that use till tions. now exclusively contactless ICC – Inte- No matter which model of payment service grated Circuits Cards as NXP Philips provider is adopted, there are four primary Mifare/DESfire/JCOP, Calypso, Sony models for execution of the mobile payment FeliCa, etc. Now the merchants are using transactions: compliant devices that exchange data Premium SMS based transactional pay- through radio connection in proximity ments ranges with the customer mobile devic- Direct Mobile Billing es, through the device RFID embedded Mobile web payments (HTTP vs. old chipset capabilities that runs under NFC WAP – with secure layers) – Near Field Communication specifica- Contactless – OCR (Optical Character tion. A sample of NFC implementation Recognition) from images/text, NFC of Mobile FeliCa (the mobile phone is in (Near Field Communication), NFC 2.0 a contactless ICC emulation mode) is or DOV – Data over Voice. Japanese Osaifu-Keitai – “Wallet Mo- The entire process of the mobile payment bile” a trademark of NTT DoCoMo. An may include various technologies for com- alternative to radio communication are munications between the client and the mer- the technologies NSDT (Near Sound Da- chant, “money transfer” and / or ticket deliv- ta Transfer), DOV (Data Over Voice) ery (but it is dependent by the implementa- and NFC 2.0 which produce audio signa- tion) [4] – Figure 1 and Figure 2: tures that allows the microphone of the Text messaging (SMS), USSD - Un- mobile device to play a certain “sound” structured Supplementary Service Data in order to trigger electronic transac- and messages through WAP Push - visu- tions. al inspection or OCR

Fig. 1. Presenting a Data matrix 2D barcodes instead of a ticket to the validation device in a subway station – Metrorex Bucharest, Romania

120 Informatica Economică vol. 16, no. 3/2012

Fig. 2. Presenting a DOV audio signal to the validation device in a subway station – Metrorex Bucharest, Romania

Independently by the communications meth- and render barcodes delivered via SMS or ods between the customers mobile devices GSM connection GPRS/UMTS/LTE. The and the validation devices or POS, the trend barcodes are rendered on the device by the in the mobile market is to provide a dedicat- dedicated application, which is especially ed mobile application that runs within the useful for transport tickets. smart phone OS (Google Android, Apple iOS, RIM Blackberry OS, Microsoft Win- 3 Improvement to the Subway 2D Barcode dows Mobile, MeeGo – Intel Tizen, Palm OS Automatic Ticketing System – 2D BATS – Garnet OS, HP WebOS – deprecated, The details of implementation can be ob- Symbian – obsoleted but with a large number tained from the author of the paper or via of devices in the market) or the mobile hand- web from the international conference pro- set frameworks (JME – Java Micro Edition ceedings from SECITC 2010 [8] and from or .Net Compact Framework or “flavors” of the extended paper version published in [7]. them – Dalvik Java virtual machine within The 2D BATS architecture is presented in Android). The mobile application can store Figure 3.

Fig. 3. 2D BATS Architecture

Informatica Economică vol. 16, no. 3/2012 121

As an improvement to the solution from this SOAP – Simple Object Access Protocol re- section, it is under development a mobile sponses. The encrypted and encoded infor- JME and Android application that use web mation related to the electronic ticket is ex- services within SOA – Service Oriented Ar- tracted from the XML message and then, it is chitecture instead standard MMS with DRM rendered on the display as QR – Quick Re- – Digital Rights Management capabilities. sponse code or as Base64 text. The ticket in Now, the mobile application receives en- QR code format is presented in Figure 3. crypted ticket encapsulated within GZIPed

Table 1. Text Preparation of anonymous ticket before Base64 METICKET: N: -;ADR: -;TEL: -;EMAIL: -; ENCINFO: Base64 ( En- crypt(line:blue;sdate:20101101Z112345;edate:20101201Z112345;nojrns:1) ); PTSYS: Bosto n Subway; URL: http://www.mbta.com/;

Table 2. Text Preparation of anonymous ticket after Base64 METICKET: N: -; ADR: -; TEL: -; EMAIL: -; ENCIN- FO: bGluZTpibHVlO3NkYXRlOjIwMTAxMTAxWjExMjM0NTtlZGF0ZToyMDEwMTIw MVoxMTIzNDU7bm9qcm5zOjE=; PTSYS: Boston Subway; URL: http://www.mbta.com/;

Fig. 4. QR code for one journey ticket scale 2:1

The significantly difference between the im- Google Android, Apple iOS, RIM proved solution and the old one, it is the ex- Blackberry OS, Microsoft Windows istence of a mobile dedicated application that Mobile, MeeGo – Intel Tizen, Palm OS pays the access for a special APN within the – Garnet OS, HP WebOS – deprecated, MNO bills to the provider (including prepay Symbian – obsoleted but with a large through the operator billing system) and also number of devices in the market or the displays the encrypted and encoded electron- mobile handset cross-platform frame- ic ticket to the mobile device display. works: JME – Java Micro Edition or .NET Compact Framework) 4 Conclusions SIM-based Application Summarizing, the following technologies Near Field Communication (NFC) / NFC may be used for the mobile payment service 2.0 – including Data over Voice. solutions: Dual Chip or SIM HW modified Short Message Service (SMS) / Multi- In the future the application from section media Message Service (MMS) / Un- three should implement new features as NFC structured Supplementary Services De- 2.0 and DOV – data over voice and user livery (USSD) friendly GUI for electronic ticket manage- Web Applications over WAP/GPRS/3G ment and GUI personalization. (UMTS) & 4G (LTE) Data Connections The designers, developers and the company Mobile Device Application (OS based: involved in mobile payment services should

122 Informatica Economică vol. 16, no. 3/2012 be concerned by the technical security related ticle/view/Security-Issues-for-2D- to the technologies depicted above, but also Barcodes-Ticketing-Systems/pdf with the customer trust, privacy and security [8] http://www.secitc.eu – International Con- in terms of social experience [15]. ference on Security for IT&C - extended Parts of this paper have been presented at papers in Journal of Mobile, Embedded Advanced Study School (SSA) ’’Challenges and Distributed Systems – in Cyber Security – from Paradigm to Im- www.jmeds.eu plementation” in August 2012. [9] DataMatrix 2D barcode standard ISO/IEC 16022:2006 References [10] QR 2D barcode standard ISO/IEC [1] S. Karnouskos and F. Fokus, “Mobile 18004:2000 Payment: a journey through existing [11] H. E. Burke, Automating Management procedures and standardization initia- Information Systems: Barcode Engineer tives,” IEEE Communications Surveys ing and Implementation , Thomson and Tutorials , Vol. 6, No. 4, 2004, pp. Learning Publishing House, ISBN 0- 44-66. 442-20712-3. [2] A. S. Lim, Interconsortia battles in mo [12] R. C. Palmer, The Bar Code Book , bile payments standardization, Electron Helmers Publishing, ISBN 0-911261-09- ic Commerce Research and Applica 5. tions , 2007, doi:10.1016/ [13] C. Toma, Security in Software Distrib j.elerap.2007.05.003 uted Platforms , ASE Publishing House, [3] http://en.wikipedia.org/wiki/Mobile_ Bucharest, 2008, ISBN 978-606-505- payment 125-6 [4] http://www.intercom.ee/mobile-ticketing- [14] Tan Jin Soon, QR Code , Automatic Data works Capture Technical Committee Presenta- [5] http://en.wikipedia.org/wiki/Electronic_ tion money [15] M. Popa, A Calugaru, “On-line Payment [6] http://www.sony.net/Products/felica/ System Survey – eCash,” Journal of about/index.html Mobile, Embedded and Distributed Sys [7] C. Toma, “Security Issues for 2D Bar- tems , Vol. 1, No. 2, 2009, pp. 95-103, codes Ticketing Systems,” Journal of Available at: http://jmeds.eu/ in- Mobile, Embedded and Distributed Sys- dex.php/jmeds/article/view/On-line- tems, Vol. 3, No. 1, 2011, pp. 34-53, Payment-System-Survey Available at: http://www.jmeds.eu/index.php/jmeds/ar

Cristian TOMA has graduated from the Faculty of Cybernetics, Statistics and Economic Informatics, Economic Informatics specialization, within Academy of Economic Studies Bucharest in 2003. He has graduated from the BRIE master program in 2005 and PhD. stage in 2008. In present, he is lec- turer at Economic Informatics and Cybernetics Department and he is member in research structures such as ECO-INFOSOC. Since the beginning - 2005 - he is scientific secretary of IT&C Security Master Program from Academy of Economic Studies from Bucharest, www.ism.ase.ro and since 2006, he is in the editorial board of the SECITC – The International Conference on Security for Information Technology and Communications – www.secitc.eu and JMEDS – Journal of Mobile, Embedded and Dis- tributed Systems – www.jmeds.eu. His research areas are in: distributed and parallel compu- ting, mobile applications, smart card programming, e-business and e-payment systems, network security, computer anti-viruses and viruses, secure web technologies and computational

Informatica Economică vol. 16, no. 3/2012 123 cryptography. He is teaching object oriented programming, data structures, distributed applications development, viruses and anti-viruses technologies, smart-cards and biometrics technologies, mobile applications systems, e-payment systems development and advanced programming languages in Department of Economic Informatics and Cybernetics – www.dice.ase.ro, and IT&C Security Master program. He has published 3 books and over 50 papers in indexed reviews and conferences proceedings.