
M Commerce


KReSIT IIT Bombay


Survey on Smart Card & Mobile Payment

Tijo Thomas (03229401)

Guided by Prof. Bernard Menezes


Contents

• Introduction
• Methodology of Study
• Existing Payment Schemes
• Business Drivers
• Relation between SIM card & Smart Card
• Technological Trends
• Business Trends
• Conclusion


Introduction

Motivation
• To understand the existing payment schemes.
• To understand the role of smart card in retail payment.
• To understand the security issues.

Goal
• To understand the future of retail payment.


Methodology of Study

• Collected the details about the existing payment schemes.
• Surveyed Industry Standards for Payments.
• Collected responses to questionnaire from focus groups.
• Studied various types of smart cards.
• Analyzed the relationship between smart card and SIM card.
• Surveyed the Business Trends of M-Commerce and its future.


Existing Payment Scheme

Based on Value
• Micro payments – less than 5$
• Medium Payments – Between 5$ - 25$
• Macro payments - above 25$

Based on Location
• Remote Transaction – SMS, GPRS
• Proximity Transaction – Bluetooth, RFID

Based on Technology
• Magnetic Strip card
• Smart Card


Smart card Payments

What is a smart card?

A smart card is a tamper-proof plastic card with an embedded microchip that can be loaded with data.

Why smart card?
• Security
• Processing power
• Memory


Smart Card Security

OS and File Security
• File hierarchy – MF, DF, EF
• File security attributes

Access Rights
• Always (ALW)
• Card holder Verification 1 (CHV1)
• Card holder Verification 2 (CHV2)
• Administrative (ADM)


Smart Card Security

Hardware Security

• All the data are stored in EEPROM, so they can be erased using unusual voltage
• Data can be erased by exposure to UV rays
• Heating the card to high temperature
• Statistical attacks like differential power analysis (DPA)


Java Card

The Java Card platform was designed and developed from the beginning specifically to enhance the security of smart cards.

Advantages
• Open Architecture
• Designed with Industry Experts
• Java runtime environment (JRE)
• Security Enhancements – transaction atomicity, cryptography, applet firewall
• Code reusability (OOPS) & data integrity
• Proven platform - passed security evaluation by financial agencies, US Dept of Defense and US National Security Agency.


Mobile Commerce

Definition:

“Mobile commerce is the use of mobile handheld devices to communicate, inform, transact and entertain using text and data via connection to public and private networks”

(Lehman Brothers)

“Mobile Commerce refers to any transaction with monetary value that is conducted via a mobile telecommunications network.” (Durlacher)


Scheme of Mobile Payments

• SMS Based Payments
• WAP/GPRS
• Reverse SMS Billing
• Proximity Payments


SMS Based Payments

• Secure messages in the form of SMS are used to transfer money from one user account to another
• Use of PKI
• Implementation e.g.: mCheque
• Advantage: No account information is revealed


WAP/GPRS based payments

• Wireless Application Protocol (WAP) over GPRS mobiles are used
• Similar to e-commerce
• Less risk involved
• Cost for GPRS connectivity is reducing.
• No changes in the existing business model


Reverse SMS Billing

Definition: The provider charges a premium for SMS from special numbers (Premium SMS)

• Separate Business Models are to be realized
• Only small change in the existing set up
• Advantage: No additional infrastructure is required.
• Applications: Digital content like ring tones, music, video, etc.


Proximity Payments

Definition:

The trading parties are in the same vicinity.

• Standardized interfaces e.g. infrared, Bluetooth
• Offline transactions supported
• Cheaper solution for micro payments
• High Risk
• Separate Business Models & Infrastructure need to be implemented


Business Drivers

• Wider acceptance for GPRS/WAP enabled mobile devices
• Mobile operators are looking for new revenue streams
• Population of mobile devices over PC
• Average time to detect a mobile theft is 68 min over 26 hours for credit cards
• More secure than conventional credit cards


Relationship between SIM card and smart card

GSM specification 11.11 defines the interface between the Subscriber Identification Module (SIM) and the Mobile Equipment for use during network operation, as well as the internal organization of the SIM.

Any implementation of this standard can act as a SIM card in mobiles.

Implementation:
• Java Card
• Native Card


Technology Trends

Research organizations & Focus groups are working on the effective standards.

Different Business Models (OSS & BSS) are being evaluated for their feasibility.

Emerging Wireless Technology - 3G, 2.5G

Advancement in Mobile Phone Technology


Business Trends

Taken from “Towards A Holistic Analysis of Mobile Payments: A Multiple Perspectives Approach” by Jan Ondrus & Yves Pigneur


Business Trends

• Research reveals high potential market
• New revenue stream for MNOs
• Opportunity for newcomers - application developers, content providers, etc.
• High penetration of mobile devices
• Lack of security in existing credit/debit card system


Conclusion

High Potential Market

High Demand for “Killer Applications”

MNOs are looking for new revenue streams

Customers' willingness to experiment

Merchants are looking for a standard OSS and standards-based products

Opportunity for newcomers


Thank You


GSM Specifications


GSM Specification

Defines the interface between Subscriber Identification Module (SIM) and the Mobile Equipment for use during the network operation as well as the internal organization of SIM.

Any implementation of this standard can act as a SIM card in Mobiles


GSM Characteristics

• Physical Characteristics - electronic signals, supply voltage, transmission protocol
• Logical Model - logical structure of SIM, file structure.
• Security Feature - file access condition
• Description of Functionalities - functional description of commands and respective response, status condition, error code
• Description of Commands - mapping the functions to APDU
• Contents of Elementary files - elementary files for GSM session, access condition, etc.
• Application Protocol - list of standard operations between SIM and ME.


GSM SIM Security

Subscriber Identity Authentication
• Authenticates the identity of the mobile subscriber
• The network issues a random challenge
• The Mobile Subscriber (MS) computes the response using a one-way hash function (A3 algorithm) with an authentication key which is unique to each subscriber
• The network also computes the response and compares it with the response it receives from the MS
• The same mechanism is used to establish a cipher key Kc
• This key is used to encrypt data and radio signal (A8 algorithm)
• The two algorithms are combined into a single algorithm called A38
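The challenge-response exchange described above, as an added example that is not part of the original slides. The real A3/A8 algorithms are chosen by the operator, so HMAC-SHA256 is used here as a labelled stand-in; the class names, the test IMSI and the key value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a38(ki, rand):
    """Stand-in for the combined A3/A8 function (assumption: HMAC-SHA256,
    not a real operator algorithm). Returns (SRES 32 bits, Kc 64 bits)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Subscriber side: Ki stays on the card, only SRES is sent out."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand):
        sres, self.kc = a38(self._ki, rand)
        return sres

class Network:
    """Network side: holds each subscriber's Ki and issues challenges."""
    def __init__(self, ki_by_imsi):
        self._ki_by_imsi = dict(ki_by_imsi)
        self._pending = {}  # imsi -> outstanding RAND

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)  # fresh 128-bit RAND per attempt
        self._pending[imsi] = rand
        return rand

    def verify(self, imsi, sres):
        """Return Kc on success, None on failure. Each RAND is single-use."""
        rand = self._pending.pop(imsi, None)
        ki = self._ki_by_imsi.get(imsi)
        if rand is None or ki is None:
            return None
        expected, kc = a38(ki, rand)
        return kc if hmac.compare_digest(expected, sres) else None

def demo():
    imsi = "001010000000001"              # constructed test IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    net = Network({imsi: ki})
    sim, clone = Sim(imsi, ki), Sim(imsi, bytes(16))  # clone lacks the real Ki
    sres = sim.respond(net.challenge(imsi))
    kc = net.verify(imsi, sres)
    replay = net.verify(imsi, sres)       # old SRES, no outstanding challenge
    forged = net.verify(imsi, clone.respond(net.challenge(imsi)))
    return {"kc_agreed": kc is not None and kc == sim.kc,
            "replay_accepted": replay is not None,
            "clone_accepted": forged is not None}
```

The key Ki is never transmitted: both sides derive the same Kc from the shared Ki and the RAND, and a response is accepted only against a challenge that is still outstanding.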


GSM SIM Security

User Signalling Data Confidentiality
• The data is exclusive-or’d with the key Kc and transferred over the radio path.

Subscriber Identity Confidentiality
• This service is to hide the International Mobile Subscriber Identity (IMSI)
• The service is based on Temporary MSI (TMSI)
• The IMSI is mapped to TMSI
• The TMSI is then encrypted with the cipher key Kc and sent


Smart Card Standards


Smart card Standards

International Standards
• ISO 7816: physical and electrical characteristics as well as format and protocol for information exchange between the smart card and reader.
• European Telecommunication Standards Institute (ETSI): Standard for the GSM SIM to communicate with the mobile device


Smart card Standards

Industry Standards
• EMV: Europay, MasterCard & Visa define a standard to allow safe, easy electronic commerce
• Mobile 3D: Visa International's new global specification that ensures security of internet payments made over mobile phones.
• Open Card Framework: Provides an architecture and a set of APIs that enable application developers to build applications in Java which use smart card readers.
• PC/SC: Personal Computer/Smart Card is a Win32-based specification to allow manufacturers to develop products independently.
• CEPS: Common Electronic Purse Standard

• Java Card