E-commerce transaction validation using IMS
1. E-commerce transaction validation by service providers
Dominique Sandraz+, Paul Serra+, Antoni Drudis+, Claude Florin*
Hewlett-Packard
+ publication authors, * presenter at ICIN 07 conference
2. Web e-commerce transactions
[Diagram: Buyers, Merchant, Payment, Shipment]
• Context
− Credit card and web clearing-house are widely adopted by e-commerce consumers and merchants
− Mobile payment initiatives and services, using NFC, SMS, WAP, applications and IVRs
• Investigation of possible improvements for IMS subscribers:
− Stronger authentication to prevent identity theft
− Enhanced privacy of buyer’s identity
− Support of anonymous transactions
− Enhanced fraud protection
October 8, 2007 E-commerce transaction validation - claude.florin@hp.com
3. Improving e-commerce security
[Diagram: Buyers, Merchant, Payment, Shipment, Validation service]
− Trusted party to validate buyers and merchants transactions
  • Enhances validation for specific applications using speech processing
  • Protects from denial of service attacks, reduces order repudiation
− Protection of buyer’s privacy
  • ID management
  • Anonymous transactions
− Complement clearing house payment services
  • Micro-payments, pre-paid debits, mobile 2.0 group split-billing
  • Clearing-house, credit-card interface aggregation, reporting
4. IMS Architecture - mobile
Leveraging IMS for Web transactions
[Figure: IMS architecture across visited and home domains. Element labels: UE / ISIM, PLMN, P-CSCF, I-CSCF, S-CSCF, MRF, HSS, AuC, Application server, OSA AS, OCS, 2G SCP, Buyers, Web service, Merchant / clearing, Payment, Charging, User interaction, Transaction validation. Interface and protocol labels: Gm, Mw, Mr, Cx, Sh, ISC, Rf, SIP, Diameter, AKA, Parlay X, WSDL, HTTPS.]
Note: simplified view
5. Payment validation
[Figure: payment validation flow. Element labels: Web browser, Merchant AS, Merchant DB, Clearing AS, Service provider, Transaction validation, HSS, 2-3G, Buyer interaction (SMS / voice, DTMF, ASR, TTS). Message labels: Order, XML HTTP Request, XML HTTP Response, IP Confirmation, Payment, Validation request, Validation response, WSL, OK Confirmation, SMS / DTMF.]
6. User authentication
[Figure: user authentication flow. Element labels: Web browser, Merchant AS, Merchant DB, Clearing AS, Service provider, Transaction validation, HSS, 2-3G, SMS / voice, DTMF, ASR, TTS. Message labels: Order, XML HTTP Request, XML HTTP Response, IP Confirmation, Payment, Ordering key, Ordering key request - response, PIN, Validation request, Validation response, WSL, Confirmation, SMS / DTMF.]
7. Transaction micro-payment
[Figure: transaction micro-payment flow. Element labels: Web browser, Merchant AS, Merchant DB, Clearing, Communities, Prepaid, Service provider, Transaction validation, HSS, 2-3G, Buyer interaction (SMS / voice, DTMF, ASR, TTS). Message labels: Order, XML HTTP Request, XML HTTP Response, IP Confirmation, Debit, CDR, Validation request, Validation response, WSL, OK Confirmation, SMS / DTMF.]
Note: many users may be sharing the order in a community using split-billing
8. Mobile clearing house validation
[Figure: mobile clearing house validation flow. Element labels: Web browser, Merchant AS, Merchant DB, Clearing AS, Service provider, Transaction validation, HSS, 2-3G, Buyer interaction (SMS / voice, DTMF, ASR, TTS). Message labels: Order, XML HTTP Request, XML HTTP Response, IP Confirmation, Payment, Payment request, Payment response, WSL, OK Confirmation, SMS / DTMF.]
9. Anonymous user validation
Hiding billing and shipment addresses
[Figure: anonymous user validation flow. Element labels: Web browser, Merchant AS, Merchant DB, Warehouse AS, Shipment, Service provider, Transaction validation, HSS, 2-3G, SMS / voice, DTMF, ASR, TTS. Message labels: Order, XML HTTP Request, XML HTTP Response, IP Confirmation, Ordering key, Ordering key request - response, PIN, Shipping, Address number, Validation request, Validation response, WSL, Confirmation, SMS / DTMF.]
Note: user is anonymous to the merchant
10. Telecom service providers added-value
• Ubiquitous service access: ~2.5 × 10^9 mobile users
− Voice interaction with low literacy consumers
− SMS, WAP, …
• Micro-billing and credit: > 500 × 10^9 € / year
− Users < 18 years old, with low credit, P2P and C2B
− 3rd party billing for value-added services (premium SMS and voice)
− Mobile commerce revenue 2006 > 25 × 10^9 €
− Split billing to mobile 2.0 communities (games, sharing)
• Strong user authentication
− SIM / USIM authentication
11. Investigation results
• An application layer to validate e-commerce transactions can be deployed over an IMS architecture
• Telecom service providers can add value in specific use cases to grow Web e-commerce:
− Trust, authentication
− Micro-payment
− Mobile clearing house validation
− Anonymous transactions
− Ubiquitous access