ePayments, mPayments and Security

1
e-Payments, m-Payments and Security
MIS 460 Wireless Information Systems Dr. A.T.
Jarmoszko
2
Anatomy of an On-line Credit-Card Transaction
3
Mobile Electronic Transaction Standard
4
Standardization of m-Payments Principal
Organizations

• Global Mobile Commerce Interoperability (GMCIG)
• Vendors Nokia and Ericsson
• Banks Deutsche Bank
• Credit Card Companies MasterCard
• European Telecommunications Standards Institute
  (ETSI)
• Countries
• Big telecom operators
• WAP Forum
• Mobile Electronic Transaction Group
• The Mobey Group

5
m-Wallet Transaction Model
6
Transaction Enablers

• Trintech Solutions Wireless Operators
• 724 Solutions Homepage
• http//www.cellenium.com/

7
e-Payment and m-Payment solutions

• Digital currency
• e-Wallet and m-wallet (one click shopping)
• Wearable computers and POS (via PDA or cell
  phone)
• Peer-to-Peer payments
• Micropayments

8
Qpass Transaction Process
9
Debit Payment Process
10
Security Introduction

• Security is a major networking concern. 90 of
  the respondents to the 2000 Computer Security
  Institute/FBI Computer Crime and Security Survey
  reported security breaches in the last 12 months.
  
• Information Week estimates the annual cost of
  security losses worldwide at 1.6 trillion.
• It means more than preventing a hacker from
  breaking into your computer, it also includes
  being able to recover from temporary service
  problems, or from natural disasters

11
Security Problems Are Growing

• The Computer Emergency Response Team (CERT) at
  Carnegie Mellon University was established with
  USDoD support in 1988 after a computer virus shut
  down 10 of the computers on the Internet.

• In 1989, CERT responded to 137 incidents.
• In 2000, CERT responded to 21,756 incidents.

• By this count, security incidents are growing at
  a rate of 100 per year.

• Breaking into a computer in the U.S. is now a
  federal crime.

12
Encrypting and decrypting using a secret key
13
Asymmetric or Public Key Encryption

• A second popular technique is asymmetric or
  public key encryption (PKE).
• PKE is called asymmetric since it uses two
  different one way keys
• a public key used to encrypt messages, and
• a private key used to decrypt them.
• PKE greatly reduces the key management problem
  since the private key is never distributed.
• The most popular form of PKE is called RSA named
  after the initials of its inventors.

14
Public Key Encryption

• Public key encryption works as follows
• B (the message recipient) makes his/her public
  key widely available (say through the Internet).
• A (the sender) then uses Bs public key to
  encrypt the message to be sent to B.
• B then uses the Bs own private key to decrypt
  the message.
• No security hole is created by distributing the
  public key, since Bs private key has never been
  distributed.

15
Digital Signatures

• PKE also permits authentication (digital
  signatures), which essentially uses PKE in
  reverse. The digital signature, is a small part
  of the message, and includes the name of the
  sender and other key contents.
• The digital signature in the outgoing message is
  encrypted using the senders private key
• The digital signature is then decrypted using the
  senders public key thus providing evidence that
  the message originated from the sender.
• Digital signatures and public key encryption
  combine to provide secure and authenticated
  message transmission.

16
(No Transcript)
17
Certificate Authorities (CA)

• One problem with digital signatures involves
  verifying that the person sending the message is
  really who he or she says they are.
• A certificate authority (CA) is a trusted
  organization that can vouch for the authenticity
  of the person of organization using
  authentication.
• The CA sends out a digital certificate verifying
  the identity of a digital signatures source.
• For higher level security certification, the CA
  requires that a unique fingerprint (key) be
  issued by the CA for every message sent by the
  user.

18
(No Transcript)
19
Security Measures Firewalls

• Firewalls are used to prevent intruders on the
  Internet from making unauthorized access and
  denial of service attacks to your network.

• The two main types of firewalls are packet level
  firewalls and application-level firewalls.

20
Encryption Techniques SSL

• Secure Sockets Layer (SSL) is a technique used on
  the Web that operates between the application and
  transport layers.
• SSL combines symmetric encryption with digital
  signatures. SSL has four steps
• Negotiation browser and server first agree on
  the encryption technique they will use (e.g.,
  RC4, DES).
• Authentication the server authenticates itself
  by sending its digital signature to the browser.
• Symmetric Key Exchange browser and server
  exchange sym. keys used to encrypt outgoing
  messages.
• Sym. Key Encryption w/ Dig. Signatures encrypted
  messages are then sent that include digital
  signatures.

21
Encryption Techniques IPSec

• The IP Security Protocol (IPSec) technique works
  between the transport and network layers.
• First, sender and receiver exchange two numbers
  using Internet Key Exchange (IKE). These are
  combined to create encryption keys, which are
  then exchanged.
• Next, sender and receiver negotiate the
  encryption technique to be used, such as DES or
  3DES.
• Sender and receiver then begin transmitting data.
• IPSec transmits using either transport mode, in
  which only the IP payload is encrypted, or
  tunnel mode, in which the entire IP packet is
  encrypted.