Analysis of Payment Transaction Security in

Seema Nambiar, Chang-Tien Lu Lily R. Liang Department of Computer Science Dept. of Computer Science Virginia Polytechnic Institute and State University Universig of the District of Columbia 70.54 Haycock Road, Falls Church, VA 22043 Washington, DC 20008 fsnambiur, ctlu)@vt.edu [email protected]

Abstract exchanging financial value using a in return for goods or services. Security is an essential Mobile payment is the process of hy~parties consideration for mobile payment which can be exchanging jnancial value using a mobile device in challenged during sensitive payment information return for goods or services. This paper is un analysis of handling or transmission. Comparing to E-commerce, the security issues in mobile payment for m-commerce. We introduce m-commerce and mobile payment, discuss mobile payment has particular security and privacy challenges due to the differences between their the public key infrastructure as a busis for secure mobile technologies, and study rhe features for difjkrent security underlying technologies. The major difference is that the technologies employed in current m-commerce market, transport of payment involves wireless service provider. including WAP, SIM application toolkit nnd J2M In The ability to address the issue is a major factor affecting the customer confidence, market penetration, and long- addition, we compare #he effectiveness of these security technologies in supporting a secure mobile payment, and term success of M-commerce applications. discuss research issues to enhance the securi9 of mobile Four properties have always been essential for secure payment for large scale deployment of m-commerce. transaction, including authentication, confidentiality, integrity, and non-repudiation[4]. Authentication is 1. Introduction concerned about verifying the identities of parties in a A mobile device is a wireless communication tool, communication and confirming that they are who they including mobile phones, PDAs, wireless tablets, and claim to be. Confidentiarity is about ensuring that only mobile computers. Mobile commerce (M-commerce) can the sender and intended recipient of a message can read be defined as any electronic transaction or information its content. Integrity is concerned about ensuring the interaction conducted using a mobile device and of the messages and transactions not being networks, which leads to transfer of real or perceived altered, whether accidentally or maliciously. Non- value in exchange for information, services, or goods. repudiation is about providing mechanisms to guarantee M-commerce offers consumers convenience and that a party involved in a transaction cannot falsely claim flexibility of mobile services anytime and at any place, later that she did not participate in that transaction and is playing an increasingly important role in In this paper, we discuss the background on public payments and banking. The global m-commerce market key infrastructure as a basis for security in different is expected to be worth a staggering US$200 billion by mobile technologies, and study the security measures in 2004[1]. WAP, SIM application toolkit, and J2ME, which are the M-commerce applications differ from E-commerce technologies employed in the current M- applications in the following factors: limitations of the commerce market. Effectiveness of WAP, SIM mobile devices, portability of mobile devices, allowance application toolkit and J2ME in supporting a secure M- of pervasive computing, capability of location commerce payment application are analyzed and awareness, and portability of merchant machines[2]. The compared. Several research issues in M-commerce security challenges in mobile commerce are related to payment security are also discussed. but not limited to the mobile devices, the radio interface, the network operator infrastructure and the type of 2. Public key infrastructure mobile commerce appIication[3]. Public key infiastructure (PIU) is a system of digital Mobile payment, a major component of M- certificates, certification authorities, and other commerce, is defined as the process of two parties registration authorities that provides solutions to enable a secure mobile commerce. The theory of PIU is presented as follows.

0-7803-8819-4/04/$20.00 02004 IEEE. 475 The above technologies together help in setting up Public Key Cryptography: Public key infrastructures are secure environments for mobile payment, which we based on public key cryptography, which uses two keys: introduce in the next section. a private key that is kept a secret, and a public key that can be divulged publicly. An interesting property of this 3. Mobile security technologies pair of keys is that to decrypt messages encrypted with The following protocols and technologies facilitate one, the other is needed. The keys are said to be the handling and transmitting of sensitive payment asymmetric. The most popular algorithm for public key information to and from the mobile devices in an M- cryptography is RSA. Elliptic curve cryptography payment transaction. algorithms are starting to gain acceptance into mobile devices. They rely on different mathematical properties 3.1 Wireless applcation protocol (WAP) that allow for shorter keys, which enable faster The WAP forum has specified a series of protocols, computations, lower power consumption, less memory which cover all the protocol layers from the transport and bandwidth requirements, and hence are quite level to the presentation layer. The functional areas appealing for mobile devices. related to security in WAP considered include Wireless Transport Layer Security (WTLS), Wireless Identity Digifal Signatures: Digital signatures can ensure the Module, WAF Public Key Infrastructure, WML Script authenticity of transaction parties, integrity, and non- signText, and End-to-End Transport Layer Security, repudiation of transmissions. A digital signature is The WTLS (Wireless Transport Layer Security) created when the document to be transmitted is protocol is a PKI-enabled security protocol, designed for enciphered using a private key. The process of securing communications and transactions over wireless enciphering the document using the private key networks. It is used with the WAP transport protocols to authenticates the document, since the document could provide security on the transport layer between the WAP only have been enciphered using the private key of the client in the mobile device and the WAP server in the owner. A digitally signed document or message is WAF' gateway. The security services that are provided unalterable after the signature. The recipients can verify by the WTLS protocol are authentication, confidentiality the signature by deciphering using the public key. In real and integrity. WTLS provides functionality similar to the world, documents are not completely encrypted to save Internet transport layer security systems TLS (Transport time. In such cases one-way hash functions are used. A Layer Security) and SSL (Secure Sockets Layer), and hash uses a one-way mathematical hction to transform has been largely based on TLS, but has been optimized data into fixed length digest called a hash, which is for narrow-band communications and incorporates subsequently enciphered. The verification of the datagram support. WTLS is implemented in most major signature involves reproducing the hash generated from micro-browsers and WAF' servers. WAP 1.x series use the received message and comparing it with the the WTLS protocol to protect messages in the wireless deciphered original hash[5]. network part and someway into the wired network, that is, between the wireless device and WAF Gateway. The Digital Certificutes: Digital signatures are not sufficient WAP gateway transforms the WAP I .x stack to/from the means for automatic verification since even if a signature wired TCP/IP stack, relays the data between the wireless can be verified; there is no guarantee of the fact that the and wired network, and communicates with the Web person who made the signahrre is who he claims io be. Server that the mobile device is accessing. Public key certificates are a powerful means of establishing trust in public key cryptography. A Wireless Identity Module [7] (WIM) is used in certificate is someone's public key, signed and packaged performing functions related to WTLS and application for use in a public key infrastructure [SI. In general, a level security by storing and processing information like certificate contains the following three pieces of secret keys and certificates needed for authentication and information: i) the name of the subject for whom the non-repudiation. To enable tamper resistance, WIM is certificate has been issued, ii) the public key associated implemented as on a microprocessor-based with the subject, and iii) a digital signature signed by the . WMLScript [XI signText includes support for issuer of the certificate. The digital signature will verify digital signatures of WML (display format of data in the information of the certificate, and if the verification wireless world analogous to HTML) coded content. succeeds it is assured that the public key in the certificate SignText function allows a wireless user to digitally sign does in fact belong to the entity the certificate claim[6]. a transaction in a way that can be verified by a content A certificate may also contain information related to the server. This provides end-to-end authentication of the secret key and the signed public key. The trustworthy client, together with integrity and non-repudiation of the party naturally signs this extra infomation along with transaction. the key.

476 WPKJ [SI is an optimized extension of a traditional certificate in the mobile client is stored in the wireless PKI for the wireless environment. WPKI requires the identity module (WIM) in the €om of a compact same components as a traditional PKI: an End-Entity certificate called WTLS certificate. For security the Application (EE), a Registration Authority (RA), a mobile client should also be able to check whether the Certification Authority (CA) and a PKI Repository. In WAP gateway certificate has been revoked. Even there WPKI, the end entities (EE) and the registration are a number of solutions for checking certificate authority (RA) are implemented differently, and a new revocation in the wired world, the same cannot be entity, referred to as the PIU Portal, is introduced. The applied to the wireless world due to its many constraints, EE in WPKI runs on the WAP device. It is responsible and hence the solution is to issue short-lived WTLS for the same hctions as the EE in a traditional PKI. The certificates to the gateway. For mobile client PKI Portal can be a dual-networked system, like a WAP authentication, two methods can be applied: i) using gateway. It functions as the RA and is responsible for WTLS class 3 between the client and the gateway, ii) translating requests of WAP clients to the RA and using WMLScript digital signatures between the mobile interacts with CA over wired network. The RA validates client and the merchant’s server. These methods require the EE’s credentials to approve or reject the request to a private key and a digital certificate to be stored in a receive a digital certificate. WIM. For client authentication, the client should have an The WAP PKI defines three levels of transport layer URL pointer to the location of the complete SSL session security, WTLS classes 1, 2 and 3, and a certificate, which is too large to store in a . signText --WMLScript functionality for digital All the members involved in a mobile payment system signatures. WTLS Class 1 provides encryption; WTLS can access the full version of the SSL certificates, Class 2 provides encryption and gateway authentication; WTLS Class 3 provides encryption and two-way 3.2 SIM Application Toolkit (SAT) authentication. The WMLScript signText is a The GSM (Global System for Mobile functionality that the user interface can utilize for Communications) Subscriber Identity Module (SIM), creating digital signatures. The signText uses the which stores personal subscriber data, can be underlying security element WIM (Wireless Identity implemented in the form of a smart card called SIM Module} that actually performs the cryptographic card. SIM toolkit is a specification of SIM and terminal procedures and stores the secret keys securely, Basically, functionalities that allow the SIM to take control of the WPKI is concerned with the requirements on a PKI mobile terminal for certain functions. SIM application imposed by WTLS and the sign Text function. The toolkit (SAT} is used to create Short Message Service WPKI architecture for WAP 1.x series is shown in (SMS) based mobile payment applications. In SM Figure 1, Application toolkit based systems, the communication between the mobile client and the payment server occurs using SMS. The SMS is used to initiate and authorize payments. The user is identified and authenticated by GSM authentication service and hence the GSM acts as an intermediary between the mobile client, the payment server, and the merchant [lo]. SAT provides confidentiality, authentication, integration, and message replay protection, but does not Lookup Certificate provide denial of service or non-repudiation. This lack of r-? support for non-repudiation is a major hindering factor webserver for the adoption of SAT mobile commerce appIications. U SAT has built in support for data encryption standards including triple DES. The service provider places the Figure 1 : WPKI architecture for WAP 1.x series encryption key before the SIM is issued to the customer. This ensures that secret key never goes over the air The merchant server authenticates itseIf by sending its interface. Authentication is provided by strong digital certificate (SSL certificate) to the WAP gateway, authentication algorithms, which can be chosen by the which will have the root certificate of the CA that issued payment provider. . Data integrity is realized using the merchant servers digital certificate. Similarly the message digests like SHA and MDS 5. Other than not WAF gateway will authenticate itself to the mobile client providing support for prevention of non-repudiation, the by passing its digital certificate to the mobile client. The SAT also has another flaw caused by its usage of the mobile client in turn will have the root certificate of the mobile clients PIN code. PIN codes are usually 4 digit CA that issues the gateway’s certificate. The root numbers, which can be guessed and entered into stolen

477 or lost mobile phones, and undo the security provided by Wireless Toolkit version 1.0.3. Encryption relies on a encryption algorithms or large keys. Security corresponding key (symmetric or private key) that is requirements of SIM Toolkit [ 1l] cover the transport accessible to the MIDlet (J2ME payment application) layer security issues, such as peer authentication, during runtime. J2ME provides facilities to use and store message integrity, replay detection and sequence encryption keys. Keys can be stored and updated in the integrity, proof of receipt, and message Confidentiality. record store or in a unique resource file generated at Each payment application message is divided into deployment. packets that are individually secured by protecting the payload and adding security headers. Proof of execution 4. Analysis and discussion is required as well, to assure the Sending application In contrast to many areas, research and development (e.g., a application) that the receiving application in the area of M-commerce are mainly initiated and done (e.g., the home banking application on a SIM card) has by industry. The reason is that mobile devices are performed an action initiated by the sending application. already widespread in use and hence vendors are This proof should be provided at the application layer, so developing new value-added services. In the course of no mechanism for it is defined in the GSM this process, the old concepts such as the Web are specifications. basically being accommodated. This allows faster development and immediate customer acceptance. 3.3. Java 2 Platform, Micro Edition (J2ME) However, many privacy concerns and advanced security There are two relevant JSRs (Java Specification concepts still need to be addressed. This section provides Requests) in relation to cryptography and secure m- an analysis of the current mobile payment security and payments according to the Java community process discusses security issues for mobile payment. program: Mobile Information Device Prujile, MLDP 2.0 [ 121 and Security md Trust Services API fur RME [ 131. 4.1. Analysis of current techniques MIDP 2.0 is a specification of a security framework for In WAP, security is provided through Wireless Java applications designed to run within the MIDP Java Transport Layer Security (WTLS) protocol (in WAP 1.0) environment. MIDP uses a Java Virtual Machine of and IETF standard Transport Layer Security (TLS) reduced complexity designed specifically for mobile protocol (in WAP 2.0). They provide data integrity, devices. MDP 2.0 specifies how a signed Java privacy, and authentication. The feature of data integrity application can be verified to belong to a domain defined ensures that the content of messages is not altered during by a root certificate and an associated policy file. The transmission. Privacy makes sure that only the intended policy file specifies the capabilities of Java applications recipients can read the original content. Authentication within that domain. verities the identities of communication participants. M-payment solutions based on MIDPiSIM APls, SSL One security problem, known as the “WAP gap,” is and the Java Card platform provide greater transaction caused by the existence of a WAP gateway in a security security and network efficiency. JZME combined with session, in which encrypted messages sent by end MIDP is used to create a number of java based mobile systems might temporarily become clear text on a WAP applications for various types of mobile devices. J2ME gateway when messages are processed. can be used together with other protocols like WTLS to In SIM toolkit, security requirements cover the usual be used in WAP enabled phones. J2ME’s MIDP transport layer security issues such as peer platform is said to have the following advantages as authentication, message integrity, replay detection and regards to security, which makes it attractive: sequence integrity, proof of receipt, and message Trunsactiun protection, in which the complete confidentiality. Each application message is divided into transaction is encrypted and with the support of packets that are individually secured by protecting the WAPlWTLS, the entry session can be protected as being payload and adding security headers. Proof of execution performed across SSL3 .O.; Cryptography, which is required to assure the sending application that the provides a Security and Trust Services API for JZME receiving application has performed an action initiated ~41. by the sending application. This proof should be Security and Trust service API aims to develop provided at the application layer and hence it is not application-programming interfaces for cryptographic standardized. SIM toolkit is based on SMS. The sender operations, which support the payment method, and also and receiver of an SMS are identified, and an attacker provides data integrity and confidentiality. This API will cannot forge without brealung the network security be a part of MIDP 2.0. Given the importance of HTTPS mechanisms such as cloning a SlM card. Hence, SMS in relation to M-commerce, Sun Microsystems had messages can be used for authentication. Furthermore, added an unofficial support for HTTPS (kssl) as a part of SMS data is transmitted in the network-signaling plane, the MIDP 1.0.3 reference implementation and the J2ME which ensures the confidentiality of messages. However,

47 8 the protection ends in the network, there is no end-to-end We address several research issues, including access to security, and the network operator and its infrastructure network without prior relationship, security standard, (SMSC, Short Message Service Centre) must be trusted and PM complexity management, which will enhance when no other security mechanisms are applied to the the security of mobile payment for large-scale SMS message. deployment and further development of M-commerce. J2ME provides several levels of security, such as class loader, byte code verifier, and security manager. 4.2.1. Access to a network without prior relationsh@. These security levels protect client systems from PKI, tailored for wireless environments, is currently used unreliable programs. The security advantages of JZME by a number of security protocols to enable (end-to-end) over WAP are end-to-end security, less use of network security for services and applications such as WAP. In and content-based encryption. these systems, PKI is not used for securing network access, because there always exists a relation between 1)End-to-end security. JZME supports end-to-end the service provider and the mobile subscriber, allowing encryption, authentication, and verification. In the use of symmetric key based methods, which are WAP, a request from a wireless device is encrypted efficient to be used in a mobile environment. Future in WTLS and this request needs to be decrypted as concepts for mobile devices accessing networks will be Transport Layer Security (TLS) data. While this by gaining access to a network without a prior conversion takes place, the data is unencrypted relationship to the network provider. This may be making it highly vulnerable. J2ME does not need a achieved by using account-based payment protocols, a gateway between the device and the server. This joint-signature scheme, or by following a policy based allows J2ME to provide end-to-end security. There mobile payment architecture. is no conversion of data fiom WTLS to TLS, thereby eliminating the chance of the data being Account-based payment protocol: Account based unencrypted at any point of time. End-to-end payment protocol uses symmetric key techniques, such security is through SSL (kssl). as Message Authentication code (MAC) and hash 2)Less use of network J2ME allows data to be functions ClS]. This protocol not only reduces the processed locally, unlike WAP that needs to connect amount of computation to be performed, but also to the network for any kind of data processing. This satisfies all the transaction security properties, including feature in J2ME in turn reduces the possibility of non-repudiation property, which is only available to PKI data loss or theft. protocols, 3)Content-based encryption. JZME applications process data before sending it across a network. A A joint-signature scheme: A joint-signature scheme acts J2ME application can set the security policy based as an alternative to traditional digital signatures [16]. on the content. This scheme is based on collaborative use of one-way hash functions and traditional digital signatures with the HTTPS is required in the MIDP 2.0 MI, released in network operator. This scheme not only reduces the 2002. The best possible implementation of HTTPS mobile computation costs, but also provides lower should be coordinated between manufacturers to ensure communication cost as opposed to other digital signature homogeneity across devices and compatibility of all security schemes. This joint-signature scheme is based secure J2ME applications. The implementation should on the hypothesis that if a third party, like the network also avoid the WTLS specification to ensure end-to-end provider which has with ample computation and and independency of WAP-gateways. Compared to communication resources, signs a digital signature WAP and SAT, the MlDP 1.0 API provides enhanced containing a secret that is only shared between the GUI and U1 possibilities. Since graphics are used and customer and the merchant, then the merchant can treat generated locally on the device, network bandwidth the digital signature as a joint signature originated from usage will be reduced and the performance be enhanced. the customer and signed by the third partyhetwork Compared to WAP-based payment, a11 business logic is provider. fetched from the web server and usually no new software or hardware is required on the device. New hardware Policy-based mobile payment architecture: The may be required for SATNAP-payment, if the information model and architecture €or policy based application logic depends on a wallet or keys stored in a mobile payment server is based on a number of policy- SIhUWIM. The end-user could then be compelled to related constraints and rules for customers, merchants, upgrade the SIM. and payment providers. The information model is based on PCIM (Policy Core Information Model) developed by 4.2. Discussion the IETF (Internet Engineering Task Force) Policy group. This information model describes the concepts of

479 policy groups like rules, conditions, actions, repositories, J2ME in supporting a secure M-commerce payment and relationships. The policy-based payment server application, and address several research issues in M- consists of policy rule repository, which stores the policy commerce payment security. Our future research work rules, conditions, actions, and other related policy data. will be concentrating on the formal analysis of the Policy-based payment engine evaluates the policy security strength and effectiveness of these supporting conditions and triggers appropriate actions. Future technologies. research on this architecture will focus on the mobile payment specific extension of this model. Reference

4.2.2. Security standards: Currently, there is no D. Lonergan, "Mobile Commerce Market common agreement as to how PIU-related tasks should opportunity," pp. 48, 1999. be divided between the mobile devices and network S. Chari, P. Kermani, S. Smith, and L. Tassiulas, "Security Issues in M-Commerce: A Usage-Based agents. As mobile devices are constantly gaining in Taxonomy," in E-Commerce Agents, Marketplace processing power, the network agents will probably Solutions, Securily Issues, and Supply and Demand. cover less PKI functionality. This issue creates London: Springer-Verlag, 2001, pp. 264 - 282. instability for wireless PIU clients. Hence, there is an Securiwfor Mobilify. London: The Institution of obvious need for standardizing wireless PKI clients. In Electrical Engineers, 2004. addition, an open security standards are required to N.-J. Park and Y.-J. Song, "M-Commerce security ensure that the wireless infrastructure can be created for platform based on WTLS and J2ME," presented at secure transactions between parties that have had no Industrial Electronics, 2001. Proceedings. ISIE 2001. prior relationship [ 171. lEEE International Symposium on, 2001. There is only limited serious standardization work in C. Peikari and S. Fogie, Maximum Wireless securiw, 1st Edition ed: Sams Publishing, 2002. this area, and the implementation of wireless PKI leads S. Oaks,Java Securiv, I st ed: O'Reilly & to soIutions that are not open to other PKI software Associates, Inc, 1998. providers. The Security Group of the Wireless WAP Forum, "Wireleas Identity Module,Candidate Application Forum (WAP Forum) is a good example of Version I .2," vol. 2004; Ltd, attempts in standardization work. But forums of this type 2004. concentrate on specific environments like WAP, with WAP Forum, "WMLScript Crypt0 Library," in other potential mobile devices and WPKI environments Wireless Application Protocol, vol. 2004, Version remain undefined. More and more organizations are now 05-Nov-1999 ed, 1999. aware that by ensuring interoperability across solutions, K. Raina and A. Harsh, mCommerce Securiw: A Beginner's guide, I st ed: McGraw-Hill Companies, services, and platforms, we can create more significant a 2002. impact on the security of payments. There is increasing S. F. Mjpllsnes and C. Rong, "On- e-wallet system appeal for adopting international standards and with decentralized credential keepers," Mob. Netw, specifications produced by open industry consortia. Appl., vol. 8, pp. 87--99,2003. ETSI, "Digital cellular telecommunications system 4.2.3 PKI complexity management: PIU is a solid (Phase 2+): Security mechanisms for the SIM concept for providing security. However, a number of Application Too1kit;Stage lGSM 02.48 version 8.0.0 challenges have to be overcome for widely adoption in Release 1999," vol. 2004: ETSI TS 101 180 V8.0.0, hture mobile systems, which are highly heterogeneous 1999. in nature. These challenges include complexity Sun Microsystems Inc., "JSR 118: Mobile management of PKI in limited devices like mobile Information Device Profile 2.0," vol. 2004,2002. Sun Microsystems Inc, "Security and Trust Services phones, complexity control for limited of PKI API for J2METM,"vol. 2004,2003. bandwidth, and interoperability and organization issues R. Vichr, "Tips & tricks: m-payments with JZME," for deploying PKI in large-scale heterogeneous mobile vol. 2004,2002. systems. S,Kungpisdan, B.Srinivasan, and P. D. Le, "A secure account-based mobile payment protocol," presented 5. Summary at Information Technology: Coding and Computing, In this paper, we introduce mobile commerce and 2004. Proceedings. ITCC 2004. International mobile payment, discuss the backgrounds on public key Conference on Volume: 1 , April 5-7,2004. infrastructure as a basis for security in different mobile L.4. He and N. Zhang, "A new signature scheme: joint-signature," presented at Proceedings of the 2004 technologies, and study the security measures in mobile ACM symposium on Applied computing, Nicosia, security technologies which employed in the current M- Cyprus, 2004. commerce market. In addition, we compare the S. Pugh, "MasterCard Leads the Way in Securing effectiveness of WAP, SIM application toolkit, and Mobile Payments," in Wireless Business & Technology, vol. 3,2003.

480