1 Master of Business Administration. Cyprus International University, Nicosia, Cyprus. okonkwohenry39@yahoo.com
Osamede Sarah Adenomo 2
Department of Computer Engineering. Cyprus International University, Nicosia, Cyprus. sarahosa@yahoo.com

Abstract

This paper focuses on mobile e-commerce: the benefits of m-commerce, the elements that make up its processes, and m-commerce security issues, with an analysis of its major vulnerabilities in data privacy and internal system implementation. It goes on to propose improved security solutions to curtail the security risks attached to it, using proposed models such as the Dynamically Controlled Model, the WIM Bluetooth earphone, and the use of a WAP gateway based on an encryption model.

Keywords: Mobile commerce, Security, Solutions.
INTRODUCTION

1. Electronic commerce

This is a type of business in which the buying and selling of products are conducted over electronic systems such as the internet and other computer networks. Modern electronic commerce uses the World Wide Web (WWW) at one point in the transaction's life cycle; it may not encompass a wide range of technologies such as e-mail, social media, mobile devices and telephones [2]. The internet and all other types of telecommunications have become progressively more public in our daily lives since the 1990s. Research reported about 964 million internet users and 2,168 million mobile phone users worldwide [11]. Electronic commerce is mainly considered to be the sales aspect of electronic business. E-commerce also consists of the exchange of data to facilitate the financing and payment aspects of business transactions. It is an effective way of communicating within an organization and also one of the most effective and useful ways of doing business. E-commerce also applies to business-to-business (B2B) transactions, for example between manufacturers and suppliers or manufacturers and distributors [2], [12], [1].

Electronic commerce can be categorized into:

- Electronic tailing (e-tailing) or virtual storefronts on websites with online catalogs
- Buying or selling on various websites or online marketplaces
- The gathering and use of demographic data through social media and Web contacts
- Electronic Data Interchange (EDI), the business-to-business exchange of data
- E-mail and fax (for example newsletters)
- Business-to-business buying and selling [4]

The growth of the internet and other related technologies has opened up a variety of new opportunities for business, providing businesses with new ways to conduct trade and to exchange and interconnect information through the development and enlargement of the e-commerce market (OECD, 2001) [12].

Hence a new sort of communication service arose, using the internet with mobile devices, and this led to the emergence of new opportunities to carry diverse digital content or services, called mobile commerce [12].
Benefits of mobile commerce

A) Mobile commerce can be carried out from any location using phones.
B) It creates opportunities for enterprises to expand and improve their market reach, cut down on cost and give customers a better service.
C) M-commerce allows a user to personalize his/her data for the purpose of convenience.
D) It allows users to buy ringtones and games online and also make mobile parking payments.
E) It provides for the ease of purchasing land, houses and cars more conveniently in the future [12].
M-commerce ecosystem

A scalable m-commerce solution should have a robust ecosystem comprising a number of elaborate elements, including: a transparent transaction process with the necessary official permissions and transfers covering all the vital stakeholders (subscribers, Mobile Network Operators (MNO), merchants, retailers, banks, micro finance institutions, service industries and utilities, government), with immediate feedback, clearing, payment and risk management practice; a progressive regulatory framework; and a well-built and upbeat data security framework [2].
Tested m-commerce technologies

The table below sets out the various technologies identified for m-commerce transactions, which could be used by any operator [2]:
Table 1. M-commerce Technology
E-COMMERCE SECURITY ISSUES

E-commerce security strategies deal with two major issues: protecting the integrity of the business network and its internal systems, and accomplishing transaction security between the customer and the business. The main tool businesses use to protect their internal network is the firewall. A firewall is a hardware and software system that allows only those external users with specific characteristics to access a protected network. The original design was supposed to allow only specific services (e.g., email, web access) between the Internet and the internal network, but the firewall has now become the main point of defense in the business security architecture. However, firewalls should be used as only a small part of the business security infrastructure. There are tools such as SMTPTunnel and ICMPTunnel that hackers can use to pass information through allowed ports. One such case is the ILOVEYOU virus, which successfully penetrated firewalled networks because firewalls allow inbound and outbound email to pass through. The Code Red and NIMDA worms can pass through firewalls because they can access systems through the standard web server ports. Examples are operating systems like Windows 9x or MacOS 8.x. Operating systems such as Windows NT and Windows 2000 are still vulnerable to this attack because they do not have the capability of restricting who can activate the virus [5], [1], [6], [7].

Transaction security

Transaction security is becoming a critical support for consumer confidence in a particular internet business site. It depends on the organization's ability to ensure total privacy in all areas of security, authenticity, integrity and availability, and to block unwanted intrusions. Transaction privacy is threatened by unauthorized network monitoring software called sniffer programs. These programs are commonly found at the endpoints of the network connection.
Mobile Agent mobility

The mobility of the Mobile Agent has brought a lot of uncertainty. If the Mobile Agent is to be widely accepted and successfully applied to e-commerce, the Mobile Agent's security issues must first be solved. The Mobile Agent structure mainly consists of three parts: the implementation of the code segment, the data segment and the implementation status segment.

Security holes in the application model in short message services

The security link in the access part, from the mobile user to the SMSC, contains two sections: the wireless link layer between the mobile user and the base station, and the wired network from the base station to the MSC and then to the SMSC. The short message data packet sent over the air link layer is transmitted as plaintext, which is a security risk because it is easier to intercept a signal sent over the air with simple equipment. This creates a security hole for business secrets and other transaction information. Also, for handheld devices, short message data are saved as plaintext in the database of the SMSC. If the database is attacked, the important data will be stolen, and this will cause a security breach for applications based on SMS [5], [12].
Cyber crime

Internet fraudsters can access a web site like www.mapquest.com and enter the address of a client to get information, or access the person's personal web page and most likely get a phone number, photograph and personal address, in order to build a composite of the person for a malicious act. For example, one can look up a person at www.switchboard.com [1], [4].
Trojan horses

Trojan horse programs such as Back Orifice, NetBus and BO2K allow a remote user to control, examine and monitor any information on a target PC. They are especially beguiling because they are also capable of using the target PC to send information to the net as if the legitimate user or administrator had done so. There are other commercial tools that can perform this same function, e.g. VNCviewer and CUCme. Examples of hacker exploit web sites are www.portwolf.com, www.rootshell.com and www.cuitdeadcow.com. Hackers can install these Trojan horse programs for nefarious purposes such as forgery, eavesdropping and data modification [5].
Social engineering techniques

This is one of the most common and profitable attacks. It is based on tracking the client's behavior and gathering information about the client, such as mother's maiden name, password and user name, when the client visits sites. The attacker then calls the client, pretending to be a representative of one of the sites visited, and gets information from the client. One technique to scan a client computer is the SATAN tool [1], [3].
Snooping

Most client computers are added to the internet without regard to the vulnerabilities of the system. In addition, software and hardware vendors, in their quest to ensure that their products are easily installed, ship their products with security features disabled, and the client most likely does not bother to check the security features [1], [6].
SOLUTIONS TO MOBILE COMMERCE AND SECURITY

Mobile commerce is faced with many security and privacy challenges. In view of this, solutions are proffered to address the shortcomings associated with it. We shall consider the solutions from three strands, namely:

1. Dynamically controlled routing [11]
2. WIM Bluetooth earphone [9]
3. 3rd Generation Mobile Communication [10]

Dynamically controlled routing

This is an offshoot of the Wireless Application Protocol (WAP). Dynamically controlled routing comes with the benefit of end-to-end security: a message sent by a WAP client passes through the wireless network of its mobile network operator, a private IP network of the network provider and the internet, and lastly reaches the private network of the content provider. In short, it provides end-to-end security between the mobile client and the content provider. It is a more advanced WAP protocol security for mobile commerce. WAP comes with more than 20 protocols and is designed to work with diverse bearers such as GSM, SMS or GPRS [11]. Unlike the previous situation, the inclusion of Dynamically Controlled Routing makes the use of WAP applications cheaper, with better security attached to it. In the bid to ensure that there is no leakage of, or intrusion into, vital information that flows between the end points, Dynamically Controlled Routing interconnects the activities of a RAS server, a default WAP gateway and a NAT router, all hosted by the mobile network provider [11]. The content provider is also expected to host another WAP gateway. Encrypted messages coming from the mobile client are expected to be authenticated by the RAS server in connection with the AAA server and then forwarded to the WAP server, all within the same network, before being sent to the WAP gateway of the content provider [11].
WIM Bluetooth earphone

The support of WPKI is crucial to all identity-based authentication in mobile commerce, and it is considered a more potent way of securing the flow of information, since messages are meant to move along varying routes in encrypted form [9]. It is important to note that WPKI is also the security solution chosen and followed by WAP. Our focus is the use of Bluetooth earphones as an enhanced tool towards achieving a true end-to-end security model [9]. The Bluetooth earphone exists to address the security gap problem that arises from the decryption of messages into plaintext, which are later re-encrypted, along wireless/wired transmission lines. To this effect, the WIM Bluetooth earphone is used to protect messages at the application layer and to avoid these security problems in order to attain end-to-end security [9]. The core of the WIM Bluetooth earphone is an Embedded Secure Access Module (ESAM) connected to the Bluetooth chip through the ISO-7816 protocol; it provides a secure WPKI security function that smartphones can easily access [9]. Unlike situations where almost all clients make use of PINs in m-commerce, having to identify themselves using different PINs and passphrases when entering into varying transactions in all sorts of mobile commerce (which is rather tasking, as they have to remember all of them), the WPKI Bluetooth earphone establishes a certificate with a passphrase stored on the Bluetooth earphone, thus reducing the burden on clients.

3rd Generation Mobile Communication

3rd Generation Mobile Communication comes in three forms, namely software-only, hardware-based or biometric solutions [10]. The use of biometric identification is a practice lacking evidence and experience [10]. Many banks take to hardware, and individuals to software encryption. But the security of a solution lies in where the encryption key is stored [10]. Other than using the mobile device or SIM to store the encryption key, recent developments bring the use of rapid data interfaces (IrDA, Bluetooth, COMM and USB) with an isolated external electronic security key (ekey), with a security enhancement mechanism towards achieving user confidentiality, mutual authentication, data integrity, data confidentiality and ekey development, with all algorithms realized on two encryption modules: KASUMI and AES [10].

Fig. 1 Sequence diagram for dynamically controlled routing
Figure 2. Flow of information along a WPKI with earphone
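The plaintext held at the SMSC and the security gap at a gateway that decrypts and re-encrypts, both described above, can be compared with application-layer protection in a short Go program. This is an added example, not code from the paper or from the cited schemes; the function names (seal, open, gatewayHop), the keys and the sample order string are assumptions, and AES-GCM stands in for whichever cipher a deployment uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T { // demo only: abort on unexpected errors
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts msg with AES-GCM under key and prepends the fresh random nonce.
func seal(key, msg []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, msg, nil)
}

// open authenticates and decrypts; a wrong key or any modified byte is an error.
func open(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// gatewayHop models the WAP gateway or SMSC: strip link encryption, hold the inner bytes, re-encrypt.
func gatewayHop(linkIn, linkOut, frame []byte) (seen, fwd []byte) {
	seen = must(open(linkIn, frame))
	return seen, seal(linkOut, seen)
}

func main() {
	k := make([]byte, 96) // three random 32-byte demo keys: air link, wired link, end-to-end
	must(rand.Read(k))
	air, wire, e2e := k[:32], k[32:64], k[64:]
	order := []byte("PAY 25.00 TO MERCHANT-42") // constructed sample message
	linkOnly, _ := gatewayHop(air, wire, seal(air, order))
	sealed, _ := gatewayHop(air, wire, seal(air, seal(e2e, order)))
	fmt.Printf("gateway holds %q with link encryption only, %d opaque bytes end to end\n", linkOnly, len(sealed))
}
```

With link encryption alone the intermediary can read and store the order; when the client also seals it under a key shared only with the content provider, the intermediary holds ciphertext and any change it makes is rejected when the provider calls open.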
REFERENCES
1. Ackerman, M. S., & Davis, D. T. (n.d.). Privacy and Security Issues in E-Commerce.
2. Irohilla, N. (n.d.). A scalable M-Commerce solution/WP. Retrieved from www.scrbd.com: www.scrbd.com/mobile/doc/67131821
3. Khusial, D., & McKegney, R. (2005, April 13). e-Commerce security: Attacks and preventive strategies.
4. Leeger, P., & Charles, P. (n.d.). A good introduction to computer security: Security in computing. (2. Edition., Ed.) Prentice Hall.
5. Li, Y., Chen, M., & Nie, J. (2011). Mobile Commerce Security Model Construction Based on SMS.
6. Li, Y., Fu, M., & Yu, L. (2010). E-Commerce Security Model Construction Based on Mobile Agent. International Conference on Networking and Digital Society, 55-58.
7. Marchany, R. C., & Tront, J. G. (2002). E-Commerce Security Issues. Proceedings of the 35th Hawaii International Conference on System Sciences, 1-9.
8. Schneier, & Brue. (n.d.). Learn about social factors in computing Secret and light: digital security in Network world.
9. Tiejun, P., & Leina, Z. (2012). New Mobile Commerce Security Solution Based on WPKI. 2012 International Conference on Communication Systems and Network Technologies, (pp. 485-488). Retrieved from https://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6200687&contentType=Conference+Publications
10. Tiejun, P., Leina, Z., Fang, C., Wenji, H., & Leilei, F. (2008). M-commerce Security Solution Based on the 3rd Generation Mobile Communication. 2008 International Symposium on Computer Science and Computational Technology, (pp. 364-367). Retrieved from http://www.computer.org/csdl/proceedings/iscsct/2008/3498/02/3498b364-abs.html
11. Tzvetkov, V., & Cubaleska, B. (n.d.). WAP Protocol Security Solutions for Mobile Commerce. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.175.7944&rep=rep1&type=pdf
12. Yazdanifard, R., & Elkhabir, M. S. (2011). Mobile commerce and related mobile Security Issues. International Conference on Software and Computer Applications (pp. 198-201). Singapore: IACSIT Press.