In recent years the number of business transactions that occur online has skyrocketed worldwide. Wireless technology has expanded so rapidly that online business transactions can now take place on many different devices. Mobile commerce, or M-Commerce, is the practice of using a mobile device to make a wireless business transaction over the internet. M-commerce is undoubtedly a multi-billion dollar industry, but with its popularity come challenges in keeping information secure as it travels wirelessly through different networks. How can we secure financial transactions made through mobile commerce? In this article, we will explore the security situation and challenges of e-commerce and how we can mitigate these threats.
It’s very important to maintain data security because online transactions process so much personal and financial data, including bank accounts and resources. Security methods, including authentication, are implemented to make sure the information processed and the data received remain private. Authentication processes serve to confirm the identity of the relevant parties and are often carried out via a digital signature. When a business develops in the online sphere, it has to be able to certify and secure its transactions. Integrity and quality are of utmost importance here, so the business has to make sure the data stays intact and secure. There are three main parts to a mobile commerce transaction, and each has its own security impacts: the user (the person going to the site to make a purchase), the server (the business owner), and the connection between the two. Business owners should build a security matrix that identifies risks and vulnerabilities so they can target security solutions that work for them.
Security Threats that Arise from M-Commerce
Because mobile commerce operates over radio frequency, it’s prone to passive or active attacks, including snooping or eavesdropping on a network. More and more frequently, consumers express concern about what information, and how much of it, they should divulge online to another party. This includes their personal and financial data but also voice and text messages. Consumers know that what they put online is at risk of an unauthorized party gaining access to it, even with the developments in identification authentication and message communication integrity. The bad news is that mobile security is currently built on a platform that doesn’t allow for the full-scale security measures that we might wish for, especially when it comes to the integrity of our transactions.
Mobile networks, in particular, have limitations which we need to consider before we continue. The first of these is transaction management. Transaction management can be hard to enforce, and intermittent disconnections in the network are inevitable and will undoubtedly affect secure m-commerce services. In this scenario, the outage causes the secure connection to fail, and the unfinished transaction has no choice but to be aborted.
According to Jim Thorne, a tech blogger at Academized and Paper Fellows, “the second limitation is the delivery of service. Because ad hoc wireless networks have unique characteristics and can be quite complex, the protocols for service discovery and delivery that currently exist are not sufficient for an ad hoc network. Therefore, m-commerce situations will need to find alternatives such as a mix of store and forward strategies or local solutions.”
The third limitation is the trust system, which is one of the most important factors in secure communications online. The trust system lets both participants enter into a secure transaction under the reduced chance of a data breach or attack, lowering but not eliminating the risk. In the case of mobile commerce, though, the network service provider cannot be relied upon entirely to provide security services like a certification authority. Self-reliance in secure m-commerce transactions can be obtained through various different means, such as authentication, confidentiality, integrity, non-repudiation, and attestation. We’ll go into more detail on each of these presently.
Authentication is the first step to mobile commerce security as both entities are legitimized to make sure there is no illegal third party that is pretending to be one of the two participants. In brief, it ensures that someone is who they say they are. The second step is confidentiality, which makes sure that the data sent over the network during a transaction cannot be accessed by a third party without authorization like the snoopers previously mentioned. The third step, integrity, makes sure that the data, the information itself, isn’t tampered with and arrives at its destination the same as it was entered into the system. The fourth step, non-repudiation, means that the message sent from the sender to the receiver cannot be rejected or repudiated. Finally, attestation means that an m-commerce peer can vouch for the reputation of another peer to build a network of trustworthy partners.
How to Increase M-Commerce Security
With all these threats in mind, it is possible to increase the security of m-commerce transactions. The first step is for all users and m-commerce platforms to exchange information and expertise about known vulnerabilities in various software tools and systems. It’s also important to create a platform which can provide m-commerce services and promote cooperation between all the critical groups, as well as the protection of infrastructure, which needs to be integrated into all the institutions that handle m-commerce transactions. It’s also necessary to create a culture of security that benefits the users and the administrators of these platforms. Administrators need to be trained in and aware of cyber risks and their impacts so that they can mitigate and respond to those risks accordingly. It’s also highly important that research is put into how to address vulnerabilities in m-commerce security platforms.
It needs to be clear to all users that the security and safety of the mobile commerce transaction are of the utmost priority so that they continue to make these transactions on their mobile devices. The only way businesses will attract more users is by increasing the security of their services and building trust and confidence in their security systems. Because attackers are targeting users of mobile devices and tablets, hardware needs to be created to heighten security in the m-commerce world, especially for securing online accounts. Many users save their passwords in documents or browsers, and these can easily be lost or stolen, making it very easy for malicious people to access users’ accounts. To counter this, it’s preferable that any electronic shopping transaction made using a mobile device uses an entirely new method of authentication or adds an additional level of security, including requesting a password that is not currently stored in the mobile device’s browser history and cache.
The possibility of applying smart cards to m-commerce exists. These would include an embedded and integrated microchip, similar to prepaid phone cards, banking cards, or even public transportation passes. They can even be biometrically enhanced to allow for features such as voice recognition, retinal or facial scans, and fingerprint authentication. Wireless banking and interactive TV are already creating ways for the user to interact with a program, as with video on demand or video recording. Companies are more frequently allowing users to track stocks, access portfolios, or even trade using these methods. Business-to-business models and business-to-consumer applications are increasingly using these formats to access and share information. In fact, Robert Hope, an M-commerce expert at State of writing and Australian help, states that “in the military and defense field, mobile and wireless technologies have been around for years already, since the technologies existed and they are now a crucial aspect. However, because cyber terrorism has become so prevalent in recent years, cybersecurity is the new hot button issue with intelligence services around the world because so many of them use mobile technology as well as wireless networks for all communications and commerce, electronic or mobile.”
Security Concerns with M-Commerce
M-Commerce brings together two existing technologies, traditional e-commerce and wireless communications, and both of these come with their own set of security problems. The risks are incredibly high when combining the lapses in voice and data communications, the pollution of external networks, and transactional issues. When it comes to security, the three main components of m-commerce are the transaction itself, where both parties and their data must be protected through a security system; the information, which is the sensitive and potentially valuable data that customers input into the network; and the infrastructure, which must be protected against attack.
An example of a new initiative in the m-commerce field is Mobile 3D, Visa International’s security system that will ensure the protection of internet payments made on mobile devices. This brings authentication to the m-commerce field so that Visa card companies can validate the cardholder in real time, in addition to protecting the payment data sent over open networks. Furthermore, customers can protect their accounts from unauthorized access, which builds trust in the process.
Wireless communications make it very difficult to detect snooping and eavesdropping. Like wired communications, wireless communications require three security aspects to be met: confidentiality of information, integrity of the information, and availability of the service if the right privileges are met. However, m-commerce requires additional layers of security, including device, language, wireless, and cryptographic security. Fingerprint scanning and other biometric devices have recently been developed to increase the security of a device, and Wireless Application Protocol (WAP) is being looked at to increase the security of the open network. New alternatives to WAP are being investigated to provide authentication, encryption, and integrity to the service. This comes with three levels of privacy and integrity, but WAP is still needed as a gateway. Sensitive information still has to be translated into its unencrypted form, which is known as the WAP gap. There is also the option of public-key cryptography, which can be used to exchange a key by certificate, after which all further transmissions are encrypted, but there are power limitations to this option as well.
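An added example, not part of the original article: a sketch of why the WAP gap matters for integrity, and how a message authentication code computed on the device and checked by the merchant still holds when the gateway handles the order unencrypted. The shared key, its provisioning, the order fields and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: it is provisioned to the device and known
# to the merchant, but never to the WAP gateway in between.
E2E_KEY = secrets.token_bytes(32)


def _canonical(order: dict) -> str:
    """Serialize the order deterministically so both ends MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":"))


def device_build_order(order: dict, key: bytes) -> dict:
    """Device side: attach an HMAC-SHA256 tag over the canonical order."""
    body = _canonical(order)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def gateway_forward(message: dict, tamper: bool = False) -> dict:
    """WAP gateway: wireless-side protection ends here, so the gateway sees
    the order in the clear before re-protecting it for the Internet hop.
    tamper=True models a gateway that alters the order while it is exposed."""
    forwarded = dict(message)
    if tamper:
        order = json.loads(forwarded["body"])
        order["amount"] = "9999.00"
        forwarded["body"] = _canonical(order)
    return forwarded


def merchant_accept(message: dict, key: bytes) -> bool:
    """Merchant side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])


if __name__ == "__main__":
    # Constructed sample order.
    msg = device_build_order({"merchant": "shop.example", "amount": "19.99"}, E2E_KEY)
    print("untouched:", merchant_accept(gateway_forward(msg), E2E_KEY))
    print("altered at gateway:", merchant_accept(gateway_forward(msg, tamper=True), E2E_KEY))
```

The tag covers integrity and origin authentication only. Confidentiality across the gateway needs end-to-end encryption, and non-repudiation needs a digital signature rather than a shared key.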
Security of Mobile Devices
Mobile devices are already designed and built with many high-quality security systems and tools. These include features we are so used to that we don’t even notice them anymore, like built-in password protection that locks out after a few failed attempts and an industry-approved, tamper-resistant smart card, known to us as a SIM card (Subscriber Identification Module). However, because the SIM card is stored in the phone, when the phone is lost or stolen the SIM card goes with it. Additionally, many people don’t activate the time-out or key lock features on their devices, which means that if their phone remains turned on, as it usually does, the password system is completely irrelevant. Most of the key data in mobile phones, including stored logins and passwords, is kept in the memory of the phone and not in the SIM card. This means that the built-in security measures of the phone become nearly useless. The benefit of the SIM card, however, is that it can be used as a microprocessor which can be employed to make mobile commerce transactions easier. That’s because it has a digital signature and encryption embedded in the card.
In conclusion, m-commerce security is a hot button topic that needs to be researched in-depth to be able to reach solutions that work for both the business and the user. This article highlighted the concerns that exist around m-commerce transactions and what is being developed or researched to try to address these. There are many advantages and alternatives to make m-commerce more secure, but they haven’t quite been ironed out yet. The main issue at this time is the lack of understanding around certain security systems, the trouble with getting accurate data about possible vulnerabilities, and slow verification of online signatures. With time, we’ll be able to get a clearer picture of where the security of m-commerce is heading.