
Security Issues of M. Commerce

Last reviewed: May 17, 2004

"… wireless Web is truly the next major wave of Internet computing; its potential for bringing people together and expanding commerce is even greater than that of the wired Internet."

Edward Kozel, board member and former CTO of Cisco Systems (AlterEgo, 2000, p. 12)

The integration of the Internet into our modern culture as a driving force behind business, convenience, services and merchandise acquisition has created a new set of desires for modern consumers. The trend started with the ease and availability of services and products being offered through radio and television advertising, and then infomercials and shopping channels. The Internet brought the ability to purchase products, goods, and information from our desks and kitchens. Now, through wireless hotspots and wireless devices, society is following its desires toward a marketing distribution channel which motivates consumers to pay for internet access and mobile commerce (m-commerce) anytime, anywhere, and instantly. This set of desires, which growing numbers of consumers are willing to pay for, is creating a market-based demand for increased availability of wireless networks.

According to Nadel (2002), by 2005 more than 500 million m-commerce users worldwide will be generating revenues of over £130 billion for those using the m-commerce value chain. The organizations sharing in this evolving revenue stream range from the network operator and technology supplier to the content provider and online merchants.

If even the most conservative forecasts are to be believed, communications professionals involved in developing end-user technology applications should take the business imperative of m-commerce seriously. Mobile technology enables a unique customer communications channel which is based solely on the desires of that customer. Nowhere is the impetus stronger for this level of individualized control over marketing than at the point of delivery, in the palm of the consumer's hands, and among the mobile network operators for whom m-commerce means direct access to the consumer. In addition, when combined with the power of proactive, predictive customer relations management (CRM), m-commerce presents a real opportunity to counter the ongoing effects of customer churn and focus on boosting average revenue per user for all wireless systems (Nadel, 2002).

Currently, four factors affect the development of an effective, reliable global m-commerce industry. Individual facets of the m-commerce industry, all of which are needed to form the glue that will hold this evolving value chain together, are lagging behind the development curve. To make the shift to m-commerce possible on a global scale, the factors which need to work together are technology, culture, availability, and security.

Technology Development curve

Technology which is currently available is not sufficient to handle the expected demands of broad-based m-commerce. The wireless networks currently offer little in the way of personalized and easy-to-use content. Using a wireless device with scaled-down features to browse a standard internet website is cumbersome, and not likely to satisfy the customer. If m-commerce means anything, it means simplicity and instant availability. Devices which do not supply this kind of instant interactivity will not be favored by consumers who have become used to finding instant access to goods and services through a desktop or laptop PC. The service providers need to offer a similar experience, one that is convenient, reliable, and instantaneous, if they are to engage the desires of the growing wireless m-commerce community.

Culturally, consumers' experience in e-commerce is setting the standard for how shoppers will perceive m-commerce. When the Internet came of age in the late 1990s, businesses were convinced that personal interaction could be replaced by flashy internet access to goods and services. However, the bricks-and-clicks model proved superior to a strictly internet-based business model. Customers want to have access to individual attention when in need of customer service, verification of purchase, etc. An m-commerce model must also meet these desires if the customer is to be satisfied with the experience.

Availability is a significant issue. Current wireless devices make up a minority of internet broadband traffic. According to Neil Montefiore, executive of Singapore mobile operator M1, "Within five years, individual e-commerce services will be primarily delivered by wireless and the wireless terminal will become the window of choice to the transactional e-world" (Hoffman, 2000, p. 20). If this is true, then wireless networks will have to be able to handle the bandwidth without coverage brownouts if they are to attract and build the confidence of new customers. In the new decade, the call for information technology will be information, any time, any place and on any device.

Finally, security will be the backbone of the new system. Many internet customers are just becoming confident enough to enter their financial information online and make internet purchases. The future of m-commerce will depend on developing a reliable and hack-resistant wireless security system. This aspect of the wireless m-commerce revolution will be the most difficult for the companies to negotiate. Currently, internet-based e-commerce solution providers operate independently, and can take a number of hours to place, verify, and record transactions. The entire system is based on wireline transmissions, and is connected by computers which have the power of land-based connections, desktop hardware, etc. The wireless community, and the m-commerce which will be taking place in it, wants to be able to conduct the same kind of business transactions from devices which fit in a shirt pocket. The communication protocols, interconnectivity, and bank transactions will need to be real-time and secure in order to enable the m-commerce systems.

E-commerce is poised to witness an unprecedented explosion of mobility, creating virtually a new domain of mobile commerce. The ability to purchase goods anywhere through a wireless Internet-enabled device will slowly transform our social culture in the same way fax machines and cell phones did in the last decade. Mobile commerce, which refers to any transaction with monetary value that is conducted via a mobile network, will allow users to purchase products over the Internet without the use of a PC. This proliferation of wireless capability has created an emerging opportunity for e-commerce to expand beyond the traditional limitations of the fixed-line personal computer, and evolve into a completely mobile commerce delivery system.

The magnitude of the m-commerce Internet revolution will pressure current e-commerce business models, create opportunities for new mobile Internet companies, engender a stream of change among established e-commerce paradigms, and lead to a reconfiguration of value propositions in many industries (Evans & Wurster, 1997). M-commerce is still not without its limitations. According to Clarke (2001) the problems it must overcome include:

Uniform standards: in order for devices to communicate with diverse networks, a set of uniform standards must be devised for the industry.

Ease of operation: devices need to have simple operating systems, which may become unique to the industry, rather than scaled-down versions of traditional desktop applications.

Security for transactions: digital authorization at the point of purchase, authorization at the delivery end of the purchase, and encrypted communications are each an important piece of the m-commerce system.

Minimum screen size: mobile devices must be able to deliver detailed content with ease.

Billing services: merchants will have to be able to verify bank records in real time in order to verify purchases.

Due to current technological limitations, limited service availability, and varying mobile consumer behavior patterns, business strategies developed for m-commerce applications will need to emphasize characteristics which are unique from traditional e-commerce strategies (Barnett, Hodges & Wilshire, 2000). Rather than building on the e-commerce identity, and simply adapting it to mobile devices, m-commerce will need to have its own identity, with unique offerings. The old marketing strategy of offering different and better solutions is a part of the motivators to adapt consumer behaviors. If a system is only different, consumers have no reason to change. If the system claims to be better, again, consumers have no reason to take the risk of leaving what is familiar and reliable to verify the claims of better. However, a system which is different and better has the capacity to deliver new customers.

Successful m-commerce providers will need to understand that consumers are unwilling to spend long periods "surfing" on these inherently less user-friendly wireless devices (Albright, 2000) in order to facilitate their m-commerce transactions. Wireless users will demand packets of personalized information, not scaled-down versions of generic information. Therefore, technology-focused wireless Internet business models will likely be replaced by models which best integrate the unique characteristics of wireless m-commerce, such as personal customization, instant access, and reliable transactions. As such, the long-term success of e-commerce may be partially dependent upon the successful development of consumer-oriented m-commerce business strategies. "Mobile commerce is per se not included in the traditional e-commerce market models. M-commerce will be able to increase the overall market for e-commerce, because of its unique value proposition of providing easily personalized, local goods and services anytime and anywhere" (Durlacher, 2000, p. 12).

This level of constant connectedness will be empowered by the security of wireless internet service providers. Customers, while they are willing to gain instant access to online information and commerce, are not willing to trade their safety, or the security of their financial data, for the convenience. While the m-commerce system is evolving in hardware technology, shaping customer culture and expectations, and moving toward truly global delivery systems, the security of individual transactions is perhaps the most important aspect of the evolution.

Security Elements and Protocols

Smart Cards.

E-commerce and emerging technologies of m-commerce are motivating the financial services industry to explore smart cards as a portable means of authenticating online identities. At the same time, smart cards are being used to provide value-added services to cardholders, says Carl Stefannelli, vice-president, global e-business, MasterCard International.

Recent studies indicate growing consumer interest in using smart cards for e-commerce. By using a card with confidential data encoded in the on-board chip, consumers perceive a higher level of security in their transactions. But, countering this to some extent, the major reason given by consumers for not shopping online is their concern about using payment cards and entering their information online. While a recent study said that a majority of consumers believe that a cashless society is coming at some point in the future, more relevant to the smart card payment industry is "the fact that 86% thought the tool that most improved their financial performance was the debit/check card. Another significant feature is that 350m units of the 1790m smart cards sold by Schlumberger went to the banking and retail sector. Given these figures and the fact that fraud in internet credit card transactions is higher than in traditional commerce, it is no surprise that the smart card industry is burgeoning." (Bansal, 2001)

The acceptance of smart cards has been dependent on the development of global standards for reader applications, security and operating system compatibility. With a consistent set of specifications for payment cards now being adhered to and multi-application operating systems becoming available, the smart card is open to a much larger market. Industry leaders predict that payment cards with standard-compliant chips will be an important differentiator for financial institutions to win over and retain clients. The deployment of international industry standards has ensured that cards, readers and software can work together securely.

Resistance to smart cards has come mainly from retailers, who cite such issues as infrastructural upgrade costs, implementation costs and fears that the smart card will increase the transaction processing time, as authentication and data transfer would require the card to be connected to the server for longer. Many of the nation's larger retailers invested heavily in developing their own proprietary POS and authentication systems. Although point-of-sale (POS) terminals with a high functionality that connect to a central database are being developed, most retailers have their own custom POS systems. This means upgrading costs are high and the incentive to change is low.

Today's intelligent smart cards have a larger storage capacity and are capable of handling multiple applications simultaneously. Unlike the simple smart card, commonly used as pre-paid, disposable telephone cards, the new "smarter" cards can store and secure information. They offer read/write capability and more advanced versions may also incorporate a special processing circuit for cryptographic digital signature to validate information. Intelligent smart cards are capable of making independent computations needed to increase security and perform application functions. The microprocessor chip card has proven to be more secure than the simple magnetic strip, as the intelligence is now embedded within the integrated circuit chip rather than in a central database. The IC chip protects the information being stored from theft and damage. This improved capability makes it an ideal choice for mobile and online payments.

Another driver for the smart trend is that chip technology makes it possible for banks to integrate their products across traditional POS and ATM channels, as well as emerging e-business channels such as the internet and m-commerce. The smart card greatly decreases the capital costs currently incurred for maintaining loyalty records and sending out vouchers. (Bansal, 2001)

Wireless Application Protocol (WAP)

At the heart of successful wireless delivery is a set of unified application codes which all subscribers, service providers, banking institutions and merchants can use in order to create a universal and seamless experience. Users must be able to use their wireless devices universally in order to continue to drive the high demand toward m-commerce. WAP, making its appearance in 2000, was highly touted as the universal savior as devices sought an unfettered and universal device communication channel.

The idea behind WAP was to develop wireless Internet solutions that were open, non-proprietary to devices or delivery systems, and fully interoperable.

True WAP technologies did not depend on a single mobile device or network operator. They worked seamlessly across independent wireless networks and allowed applications to scale easily across multiple transport options and mobile devices. The multiple steps which are included in the m-commerce communication channel are the very issue which created the difficulty of developing a universal WAP standard. The WAP 1.0 standard integrated terminal-resident and network services to telephony, communications applications, information services and operator services. The initial WAP architecture was able to constitute the standard software to hardware dock with the World Wide Web.

In order to be effective and universal, WAP dealt with two levels of interoperability: device-to-device compatibility and application-level issues. At the device to device, or gateway level, manufacturers now focused their attention toward working to ensure interoperability among their handsets and network terminals. Work also was done at the application level to ensure that various devices, which may render content in dramatically differing ways, all operated smoothly and seamlessly.

By creating a single, open standard, WAP also decreased the barriers and risk to market entry for new equipment manufacturers. Open interoperability encouraged the development of WAP-enabled wireless content, including news, entertainment, financial updates and other time sensitive applications which will likely drive the m-commerce evolution. Therefore WAP interoperability had to allow carriers to offer customized services to narrow market segments, to build brand loyalty and to reduce subscriber churn. (Hamed, 2000)

In 1999, Forrester Research predicted that wireless application protocol (WAP), the standard at the time for reformatting web content for display on mobile devices, would be in use on seven million mobile phones by the end of 2000. Enthusiastic projections concluded that more than 20 million customers would be using WAP enabled devices by 2003. These projections suggested that roughly half the adult population should be shopping, banking, chatting, and surfing on its mobile phones by the end of next year. (Darling, 2001)

However, actual usage fell hopelessly short of these projections. WAP-compatible phones which entered the marketplace in 2000 were not well received by consumers. Nokia, T-Mobile, and the mobile arm of Deutsche Telekom reported that less than one per cent of their subscribers used WAP-enabled services and devices, with the average user accessing the service just once or twice per month (Darling, 2001). The initial setback centered on consumers' desire to continue to purchase inexpensive phones which are simple to operate. However, even though the initial WAP setback hit the market hard, WAP 2.0 has rekindled enthusiasm among manufacturers and service providers.

The entry of Wireless Application Protocol version 2 (WAP 2.0) plays an important role in enabling the mobile operators to continue to advance toward fully integrated m-commerce. The WAP 2.0 standard includes support for mobile multimedia messaging services (MMS), expansion of the capabilities of wireless devices, and support for features and functions to improve the user experience. WAP 2.0 is an evolutionary step and allows application developers to create compelling mobile content using the same tools and techniques they're already familiar with for other Internet applications.

The enhanced functions and features in WAP 2.0 have moved the industry toward better navigation, configuration and adaptation, and security. Navigation is enhanced with WAP 2.0 by allowing rich and interactive content to be sent to subscribers in a messaging context. Configuration and adaptation are also enhanced with WAP 2.0, which uses the MMS standard to set out interfaces for servers transcoding content, and companies are already preparing products to ease multi-device support. Most importantly, security is enhanced with WAP 2.0. By addressing specific security lapses which were present in WAP 1.0, WAP 2.0 creates straightforward end-to-end security for content providers. This is made possible without requiring customized infrastructure at the enterprise because WAP 2.0 builds into the protocol the concept of secure proxy tunnels, which are identical to Internet proxy tunneling.

Thus the advances in WAP establish transaction integrity at its core. WAP 2.0 builds the network's value and attracts new services. Secure payments place the mobile operator in the center of every mobile transaction and can result in increased revenue opportunity. The end-to-end security supported in WAP 2.0, together with enhancements made to the Wireless Identity Module (WIM) specifications, makes possible secure transaction services such as brokerage, banking, and card-based payment solutions without the additional costs of deploying enterprise hardware. (Green, 2003)

Biometrics

Biometrics is the science of using digital technology to identify individuals based on the individual's unique biological qualities. Biometrics can be used to verify a person's identity by electronically capturing a physical characteristic, a personal trait, or other non-duplicatable aspects of the individual.

The science of biometrics is not limited to high-tech movie thrillers and secret government installations. Biometrics has been used throughout history, even dating back to the time of the pharaohs. Fingerprints have been used by law enforcement agencies for more than a century. The first modern biometric device was introduced commercially in the late 1960s when a machine called the Identimat, which measured finger length, was installed for a time-keeping application at Shearson Hamil on Wall Street. Today, with the decreasing cost associated with biometric solutions, the speed with which a biometric transaction can be completed, and the non-obtrusive nature of biometric scanners, the field of biometrics is emerging as a high-tech solution to the question of positive individual identification and verification.

Fingerprinting is by far the most widely used method of verifying a person's identity. This method of identification has been in use for over 100 years, mainly by law enforcement agencies. With advances in computer technology and communication networks, fingerprinting and digital recognition of fingerprints is spreading rapidly. Digital fingerprinting is now so inexpensive that some companies are incorporating it into PCs. For example, Compaq is piloting a fingerprint ID system on computers that are being marketed in Japan, with a price tag of about $135.00. The system uses a camera to capture an image of your fingerprint, which is later used to authenticate your identity during log-on (Strassberg, 1998). Fingerprint verification combined with a PIN or password seems to be a logical choice for in-house computer systems operating in a controlled environment.

The combination of a fingerprint scanner and a digital database could be one of the less obtrusive applications for biometric identification. With a digital scanner, fingerprints could be encoded and used as verification for purchases across the m-commerce delivery channel. However, even this simple method of verification has its limits. The key to m-commerce is ease of use and the simplicity of the device. While merchants may be likely to invest in fingerprint scanners, the m-commerce client, who wants to purchase things directly from his or her mobile device, is unlikely to want to spend time and money on additional hardware. For this reason, a more likely candidate for biometric verification is the use of keystroke dynamics.

Keystroke software can be utilized for continual authentication or as an initial identifier to gain computer access. When used with a password, the application software can monitor both the rate of typing a specific word and the intervals between the letters: the keystroke dynamics. Even if someone were to gain a person's password, they probably could not type it with the proper rhythm unless they had heard and memorized the key clicks. This type of application can also be adapted for measuring a person's signature. Both the structure of the signature and the rate at which certain strokes are made can be used as verification of the person's identity. In the event of forgery, or even a forced purchase, if the person's signature did not match the digital file on record, the purchase could be denied.
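The timing check described above, shown as an added example that is not part of the original paper: it enrolls several typings of a password, then scores a new attempt by how far its key-hold and between-key intervals stray from the enrolled rhythm. The event format, the scaled-distance score, the spread floor, the threshold and all sample timings are assumptions constructed for illustration; checking the password text itself is assumed to happen separately.

```python
"""Keystroke-dynamics verification (added illustration; constructed data)."""
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0  # assumed floor so a very steady typist is not over-penalised
THRESHOLD = 2.0      # assumed cut-off; a real system tunes it against error rates


def make_events(word, dwells, flights):
    """Build (key, press_ms, release_ms) events from dwell and flight times."""
    events, t = [], 0
    for i, key in enumerate(word):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]
    return events


def features(events):
    """Hold time of each key, then the gap from each release to the next press."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Template = per-feature mean and spread over several typings of one word."""
    vectors = [features(s) for s in samples]
    if len(vectors) < 3 or len({len(v) for v in vectors}) != 1 or not vectors[0]:
        raise ValueError("need at least 3 non-empty samples of equal length")
    columns = list(zip(*vectors))
    return {
        "means": [mean(c) for c in columns],
        "spreads": [max(pstdev(c), MIN_SPREAD_MS) for c in columns],
    }


def rhythm_score(template, events):
    """Mean absolute deviation from the template, in units of enrolled spread."""
    vec = features(events)
    if len(vec) != len(template["means"]):
        return float("inf")  # wrong number of keystrokes can never match
    pairs = zip(vec, template["means"], template["spreads"])
    return mean([abs(x - m) / s for x, m, s in pairs])


def verify(template, events, threshold=THRESHOLD):
    """Return (accepted, score); lower scores mean a closer rhythm."""
    score = rhythm_score(template, events)
    return score <= threshold, score


WORD = "pay4me"  # constructed password, used only to label the key events
ENROLLMENT = [make_events(WORD, d, f) for d, f in [
    ([95, 110, 88, 120, 101, 93], [140, 210, 95, 180, 130]),
    ([100, 105, 92, 115, 98, 97], [150, 200, 105, 170, 125]),
    ([90, 112, 85, 125, 104, 90], [135, 220, 90, 190, 140]),
    ([98, 108, 90, 118, 100, 95], [145, 205, 100, 175, 128]),
]]
# Same keys in both attempts; only the rhythm differs.
GENUINE = make_events(WORD, [97, 109, 89, 121, 99, 94], [143, 207, 99, 177, 132])
IMPOSTOR = make_events(WORD, [150, 160, 140, 170, 155, 150], [300, 320, 280, 350, 310])

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    for label, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        accepted, score = verify(template, attempt)
        print(f"{label}: score={score:.2f} accepted={accepted}")
```
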

Biometrics is perhaps the oldest "new" technology in personal identification today. Biometric devices have been around for 25 years and control access at some 20,000 installations in the U.S. Electronic fingerprint matching is the greatest use of biometric technology. Advocates have predicted for years that biometric technology is ready to take off and become a universal method of verifying a person's claim that she is who she says she is.

Biometric systems are very accurate, and can be inexpensive if adopted in large enough quantities. They can be convenient to use when they don't intimidate users. Given the preoccupation with security in today's m-commerce business environment, the biometrics application most likely to get the attention of bankers is its potential role in controlling access to customers' accounts via ATM or a personal computer. Ben Hammel, a senior sales engineer at systems provider Keyware, predicts that "some" big banks will be using biometrics for their high-end customers by the end of this year, and "many" big banks will follow suit in the next two years. (Orr, 2000)

Prices are the main barrier to a mass market for biometric devices. Between 1993 and 1999, the average price per access point fell by more than 90%. And when built into PCs, as is now happening, the cost will be negligible. Microsoft and other service providers have committed themselves to coming up with standard software interfaces for various devices. The International Biometric Industry Association is also working to ensure that national legislation such as 1999's financial services modernization provides a level playing field for biometric devices.

In the near future, the spreading use of public key infrastructure (PKI) technology in support of digital signatures and comprehensive e-commerce security systems will generate demand for user-friendly methods of personal authentication. That's because present PKI systems authenticate the digital certificate that is related to a private key, not necessarily the person who needs to have his or her private verified. Another pressure for biometrics comes from users who would welcome a single personal access code to replace the myriad passwords and PINs that millions of users are asked to memorize between banks, internet access, and other applications. Bank IT departments, too, would welcome relief from the considerable expense of handling lost and stolen cards or forgotten PINs if they could be replaced by biometric devices. With biometrics, nobody but the true owner could access an account or use a credit, debit, or smart card.

Cite This Paper
PaperDue. (2004). Security Issues of M. Commerce. PaperDue. https://www.paperdue.com/essay/security-issues-of-m-commerce-171761