Security of Mobile Payments

The document outlines the security mechanisms and requirements for mobile payment systems, detailing the roles of various entities involved in electronic transactions, such as payers, payees, issuers, and acquirers. It discusses different electronic payment models, privacy concerns, and anonymity in transactions, highlighting the importance of secure communication channels and digital certificates. Additionally, it covers mobile payment solutions, limitations of wireless environments, and methods for securing copyright in digital networks through digital signatures and watermarking.

SECURITY OF MOBILE PAYMENTS

Electronic Payment Model
• Payer - customer
• Payee - merchant
• Issuer - financial organization
• Acquirer - verifies the validity of the deposited payment
• Clearing - receives the payment transcripts from the acquirers and verifies them

Security Requirements
• Payer requirements
  ◦ Collection
  ◦ Withdrawal
  ◦ Payment Sub-transactions

• Payee requirements
  ◦ Payment
  ◦ Deposit Sub-transactions

• Issuer requirements
  ◦ Collection
  ◦ Withdrawal
  ◦ Deposit transactions
  ◦ The balance of the payer’s account should be increased unless the payer explicitly transfers money to the issuer during collection.

Electronic Payment Systems

Electronic payment systems can be classified into four categories:
1. Credit card–based payments
  ◦ Secure Electronic Transaction (SET)
  ◦ SSL-Based Payment Systems
  ◦ SET-Based Payments
2. Electronic cash
3. Electronic checks
4. Account transfer

SSL-Based Payment Systems or (SET)

SET offers three basic services:
1. It provides a secure communication channel for all entities involved in a payment transaction.
2. It provides a high level of trust between payers and payees by the use of X.509 v3 digital certificates issued by trusted certification authorities.
3. It ensures privacy by allowing the transported information (related to payment and credit card) to be only available to the different parties in a transaction when and where it is necessary.

6 Steps Performed to Protect the Privacy of a Payment Transaction
1. The customer opens an account.
2. The customer receives a certificate.
3. The payer places an order.
4. The payer sends the order and payment.
5. The payee requests payment authorization.
6. The payee confirms the order.

Steps performed to protect the privacy of a payment transaction using the SET protocol.

Electronic Checks, Transfer, and Cash

• Payment systems using electronic checks or account transfer have the following three properties:
  ◦ Payers have central accounts.
  ◦ During the payment phase, the payer authenticates himself to a central server and the correct amount of money is deducted from his account.
  ◦ The central server confirms the payment acceptance to the payer and sends him the correct amount of money.

• The types of account are divided into four classes:
  ◦ Pre-paid account
  ◦ Account linked to a credit card or a bank account
  ◦ Direct bank account
  ◦ Third-party account

PRIVACY AND ANONYMITY IN ELECTRONIC PAYMENT

Privacy and Anonymity Basics
• Privacy of personal data relates to the individual’s interest to restrain other individuals and organizations from accessing his personal data.
• Anonymity focuses on hiding the identity of an individual relative to a certain set of subjects.
• It can be provided and checked at different levels:
  ◦ The payment application
  ◦ Network
  ◦ Third-party levels
• Despite the linkability of actions related to a pseudonym, two situations may occur:
  ◦ The pseudonym can be linked to real user identifiers - pseudo-anonymity
  ◦ The pseudonym cannot be linked - full anonymity

Mechanisms for Unconditional Privacy and Anonymity

A payment system implementing this approach would have the following features:
• The payments conducted from the same anonymous account are linkable
• The database needed for the anonymous accounts is relatively small
• The customer can have a large number of anonymous accounts

Conditional Anonymity in Payment Systems
• Anonymity of electronic money can be misused by many types of malicious customers to carry out attacks such as:
  ◦ Overspending
  ◦ Illegal purchase
  ◦ Blindfolding (i.e., attacks engaging banks in non-standard protocols for withdrawal)
  ◦ Performing a high number of micropayments in a very short period of time

• Typical mechanisms include the following:
  ◦ Traceability mechanisms
  ◦ Limitation of payment amounts
  ◦ Double/over spending transactions
  ◦ Transferability mechanisms

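The issuer-side checks named in the list above (double spending, payment-amount limits, micropayment bursts) can be sketched as follows. This is an added example, not part of the original slides; the thresholds, field names and sample deposits are assumptions constructed for illustration, and the burst check relies on payments from one pseudonym being linkable.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the slides); amounts are in cents.
MAX_AMOUNT = 10_000      # per-payment ceiling ("limitation of payment amounts")
MICRO_AMOUNT = 100       # at or below this a payment counts as a micropayment
BURST_COUNT = 3          # more than this many micropayments ...
BURST_WINDOW = 10        # ... within this many seconds is flagged

class DepositMonitor:
    def __init__(self):
        self.seen = set()                  # coin serials already deposited
        self.recent = defaultdict(deque)   # pseudonym -> micropayment timestamps

    def check(self, dep):
        flags = []
        if dep["serial"] in self.seen:     # same coin presented twice
            flags.append("double-spend")
        self.seen.add(dep["serial"])
        if dep["amount"] > MAX_AMOUNT:
            flags.append("over-limit")
        if dep["amount"] <= MICRO_AMOUNT:
            q = self.recent[dep["pseudonym"]]
            q.append(dep["ts"])
            while dep["ts"] - q[0] > BURST_WINDOW:   # drop entries outside the window
                q.popleft()
            if len(q) > BURST_COUNT:
                flags.append("micropayment-burst")
        return flags

# Constructed sample deposits: (serial, pseudonym, amount in cents, time in seconds)
SAMPLE = [
    ("c-001", "p-A", 2_500, 0),
    ("c-002", "p-A", 15_000, 5),    # exceeds the ceiling
    ("c-001", "p-B", 2_500, 9),     # serial c-001 deposited a second time
    ("c-003", "p-C", 50, 20),
    ("c-004", "p-C", 50, 21),
    ("c-005", "p-C", 50, 22),
    ("c-006", "p-C", 50, 23),       # fourth micropayment within 10 s
    ("c-007", "p-C", 50, 40),       # window has expired
]

def run_sample():
    mon = DepositMonitor()
    keys = ("serial", "pseudonym", "amount", "ts")
    return [mon.check(dict(zip(keys, row))) for row in SAMPLE]

if __name__ == "__main__":
    for row, flags in zip(SAMPLE, run_sample()):
        print(row, flags or "ok")
```
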
MOBILE PAYMENT SYSTEMS

Mobile Payment Model

Mobile Payment

• Performing an e-payment transaction where at least one involved party is a mobile user is called mobile payment.
• An m-payment can be characterized by the use of multiple attributes, including:
  (a) the transaction environment, which can be a remote, local, or personal environment;
  (b) the transaction volume, which represents the amount of money transferred over the mobile network from the payer to the payee;
  (c) the time when the payment transaction is performed.
• Three categories of payments can be distinguished:
  ◦ Pre-payment, concurrent payment, post-payment

Limitations of Wireless Environment and the Security of the Mobile System
• The computational capability of the processors included in the devices is comparatively lower than what is provided by a personal computer.
• Connection cost of wireless networks is higher compared to that of fixed networks.
• Data transmitted over wireless networks is easily eavesdropped.
• Solutions:
1. Proxy-based mobile payment solution
  ◦ Three-domain SET approach
  ◦ Dai and Zhang’s scheme
2. Agent-based mobile payment solution
3. Non-proxy-based solutions
  ◦ Paybox
  ◦ The Kim’s electronic cash

1. Proxy-Based Solutions

1. The payer informs the payee that he/she is starting a SET-based payment.
2. The payee notifies the payer that the payment session is about to be built.
3. The payer is redirected to the issuer’s server, which contains all payer information, including those related to the credit card.
4. The issuer requests the payee to provide the authentication information to confirm the payment.
5. The payer provides the authentication information to the issuer. The issuer completes the SET payment transaction on behalf of the payer.
6. After transaction completion, the payer is redirected back to the payee’s site.

2. Agent-based mobile payment solution

SET/A payment system.

3. Non-Proxy-Based Solutions

• It integrates a lightweight cryptographic technique to reduce the computational and the communications loads of the customer’s mobile system.
• Paybox
  ◦ After the agreement of the payee to pay, the latter connects to the Paybox server via the network and passes the requested amount and the payer’s mobile phone number.
  ◦ The payer is called back to deliver the payment authorization by simply providing a predefined PIN number.
  ◦ Upon receiving the payer’s authorization, the Paybox server transfers the amount of money from the payer’s account to the payee’s.
• The Kim’s Electronic Cash
  ◦ This protocol reduces the computation load of the mobile customers by deploying only hash computations and digital signatures.

SECURING COPYRIGHT IN MOBILE NETWORKS

Digital Signature and Cryptography

• Digital signature is commonly used to authenticate digital transmissions.
• By passing the media unit through a signing process, a unique identifier is generated by producing a string referred to as the digital signature of the media unit.
• The use of cryptographically secure license keys is another scheme to secure the digital intellectual property.
• The content of the documents is protected from manipulation and theft during delivery as the assessment of the document is only permitted to those who possess the appropriate key.

1. Copyright Requirements

• Imperceptibility
• Robustness
• Capacity and speed
• Blind detection
• Low false positives and false negatives
• Statistical imperceptibility
• Security
• Real-time detector complexity

2. Watermarking

• A digital watermarking scheme is a procedure that embeds a “mark” in an object so that:
  ◦ It is hard to remove the mark without modifying (or damaging) the object
  ◦ It can be detected or extracted later to make an assertion about the object
• The verification algorithm authenticates the object by determining the real owner and proving the integrity of the object.
• A watermarking scheme consists of three components:
  ◦ The watermark
  ◦ The encoder (or the insertion algorithm)
  ◦ The decoder and comparator (or the extraction and verification algorithm)

Watermarking

3. Digital Fingerprinting

• Digital fingerprinting is a method by which a copyright owner can uniquely embed a buyer-dependent, unremarkable serial number into every copy of digital data that is legally sold.
• The buyer of a legal copy is then dissuaded from distributing further copies, because the unique fingerprint can be used to trace back the origin of copy operation.
• Requirements:
  ◦ Scrambled video signal
  ◦ Unique fingerprinted videos
  ◦ Watermarking scheme robustness
  ◦ Encryption security

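The three watermarking components (watermark, encoder, decoder/comparator) and the buyer-dependent serial number used in fingerprinting can be shown together in a small sketch. This is an added example, not part of the original slides; the keyed least-significant-bit embedding, the 32-bit serial width, the key, the media bytes and the sales ledger are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import random

N_BITS = 32  # assumed width of the buyer serial number

def _positions(key, n_samples):
    # The secret key selects which samples carry the mark.
    seed = int.from_bytes(hmac.new(key, b"positions", hashlib.sha256).digest(), "big")
    return random.Random(seed).sample(range(n_samples), N_BITS)

def embed(media, serial, key):
    """Encoder: write the serial's bits into the LSB of key-selected samples."""
    out = bytearray(media)
    for i, pos in enumerate(_positions(key, len(media))):
        out[pos] = (out[pos] & 0xFE) | ((serial >> i) & 1)
    return bytes(out)

def extract(copy, key):
    """Decoder: blind extraction, needs the key but not the original media."""
    return sum((copy[pos] & 1) << i
               for i, pos in enumerate(_positions(key, len(copy))))

def trace(copy, key, sales):
    """Comparator: map the extracted serial to the buyer it was sold to."""
    return sales.get(extract(copy, key))

def max_distortion(original, copy):
    # Imperceptibility check: largest change made to any single sample.
    return max(abs(a - b) for a, b in zip(original, copy))

# Constructed sample data: 4 KiB of stand-in media samples, a key, a sales ledger.
MEDIA = bytes(random.Random(1).randrange(256) for _ in range(4096))
KEY = b"constructed-demo-key"
SALES = {0x00C0FFEE: "buyer-alice", 0x0BADF00D: "buyer-bob"}
COPIES = {serial: embed(MEDIA, serial, KEY) for serial in SALES}

if __name__ == "__main__":
    for serial, copy in COPIES.items():
        print(hex(serial), trace(copy, KEY, SALES), max_distortion(MEDIA, copy))
```

The sketch covers imperceptibility and blind detection only; plain LSB embedding does not meet the robustness requirement listed above, which is why deployed schemes embed the mark in a transform domain instead.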
Fingerprinting in a Broadcast Channel
