Global Messaging 2009 - Mobile Ticketing and Payments

Secure Payment and Ticketing Applications
Tom Godber - CTO Masabi

Agenda
Who Are Masabi
The Mobile Experience
Mobile Ticketing
Taking Mobile Payments

About Masabi

20 currencies
4 alphabets
2 Factor Authentication
Secure messaging
UK Rail Ticket Standard

The Mobile Experience – All Sweetness and Light?

Mobile Masochism
The mobile experience is about PAIN
Texting on a Moto…
Pretty much anything at all onNokia’s touchscreen S60…
User experience is becoming important
Ex-RAZR users often won’t Moto again
But nothing is perfect, even Steve

Many Services Will Fail
Good ideas are common
Good ideas which actually work aren’t
Given handset constraints…
Given real world conditions…
Compared to existing alternatives…

Pick Your Battles
A successful service must offer a significant advantage to the user
An mPaymentmust be easier than cash and cards
Just because a user can do something, doesn’t mean they will
Offer net pain relief

Considerations
User probably moving
Must be simple
Must be resilient
Has user got alternatives?
Cash
Debit/credit cards
PC

Connecting With The RealWorld

UK Rail Barcodes
Reliable, fast
Offline scanning
Tickets still work when Internet doesn’t!
Open security
PKI signatures prevent modification
Public Key verification is cheap, easy
Royalty free, open barcodes
Aztec scans best on a handset screen

UK Train Ticketing
Phone becomes your ticket
Today’s reality:
Only supported on a few routes
Eg. our National Express trial
3-6 months:
Train franchises start to go live
Some rollout of barcode reading gates

Not Just a Ticket
UK Rail Barcode has space for other entitlements
Eg. Free coffee
Bundle other sales together with ticket
Barcodes have plenty of other uses
Remove cash from high-risk environments to reduce ‘shrinkage’

Mobile
Ticket
Delivery

Handset Support
Chiltern Railways ticket app trial showed:
Adopted outside young male demographic
Often user’s first transaction with a phone
Tickets must be supported on everything!
Smartphones are a niche

Not All About The iPhone

Ticket Delivery
SMS tickets
Wap tickets
Local application ticket wallet

Pure SMS Ticketing
Picture messaging can carry small barcodes
3 SMS per picture is expensive
Too small for new rail ticket barcodes
Simple insecure 1D or 2D barcodes only
No text details for visual inspection
Scanner always required
Can be forwarded and reused

Wap Ticketing
Wap Push with ticket URL
User downloads ticket
Saves image like a wallpaper
Must trust OMA DRM
A lot of effort to size image
Handsets often rescale an image that is slightly too big or small
This plays havoc with barcode scanners!

Java Ticket Wallet
User installs local ticket wallet
Server sends tickets over SMS
One encrypted binary msg/ticket Delivered directly to wallet app
App can display ticket details and barcode
Better barcode rendering > faster scanning
Details readable to an inspector

BUT

Address Customer Needs!
UK Rail Tickets – mainly bought in the station!

User Needs
Ticket delivery is an extension of online
Fairly useful for users without printers
BUT most train tickets not bought online
Sell from phone
Buy in taxi / on street / in station
Avoid queues

Mobile Payment Channels
SMS
Premium SMS > phone bill
Credit card over SMS
Payment through the browser
Payment through a local app

SMS
Premium SMS payment
Good for simple transactions
Easy to set up, works on everything
30-60% operator cut
Best for low-value high-margin items
SMS insecure for any other payment
Messages be read on stolen phones
Messages be read on the network

Mobile Browser Purchase
Wap purchase is multi-step
Repeat page loads slow and expensive
Requires continuous connection
Data mis-entry becomes painful
Limited opportunity to help user with validation etc – not like full web AJAX
Often insecure
Wap1 inherently insecure
Transcoders can mess with Wap2 and the mobile web

Mobile Browsers
Wap security
Wap2 security
Inherently insecure:
Used on older browsers, “Wap” settings
Like the web:
Most handsetsuse this with “Internet” settings

Transcoders with HTTPS
Some transcoders leave HTTPS alone
Others will insert themselves in the connection
Handset cannot verify end certificate
Just like a man-in-the-middle attack!

Java Ticket Sales App
Ticket purchase in UK
Aimed at repeat users
Intelligent client
Helps user with data entry=> minimises resends
After 1st purchase, just enter CVV
Submits credit card purchase with one encrypted SMS
Good when signal strength low
Integrated into ticket wallet

Technology Notes

Java (someone has to like it)
You don’t have to be the ‘best’
Sometimes being the only option is good enough
NOT suitable for everything
Remember, pick your services
Good for:
Recurring purchases
Flaky connections
Retries, SMS fallback, fat intelligent client

Near Field Communication
A lot like “Oyster on your phone”
(Almost) no handset support
Common by 2013?
NFC already embedded on cards
Habit: you pay with a card, why use a phone?
Who will pay for the infrastructure?

NFC – Not Today
NOKIA HANDSETS
NOKIA NFC HANDSETS

Some Notes On Oyster
Great in London
Almost everyone has to usepublic transport
Locals ‘bribed’ to adopt with lower fares
Large government subsidies
Not economically viable to roll out elsewhere
Even London overground train lines required £40m subsidy to support it

tom@masabi.com+44 7967 551670@tomgodber