Global Messaging 2009 - Mobile Ticketing and Payments


Talk given by Tom at the Global Messaging 2009 conference in London on 24th June 2009. It covered the essence of what makes a good mobile service, using Masabi's UK rail work as a case study.

Published in: Technology, Business
  • Masabi have been producing downloadable mobile applications for over 7 years, and today Masabi secure mobile applications process millions of dollars worth of transactions every year
  • SMS purchase from a vending machine isn’t going to work – people use cash. The fact that the vending machine operator may be able to shave a few % off vandalism repairs and reduced theft doesn’t matter to the user.
  • Source: Strategy Analytics ( 2.6m vs iPhone 3.8m Nokia about 25x sales of Apple – bad quarter for Nokia
  • TODO new screenshots
  • By ‘other payments’ => should never send credit card number over a normal text
  • Wap “https” not the same as web https
  • TODO new screenshots
  • It’s a great system, but worth considering why – need to consider the bigger picture
  • Come see me after for live demos, or to chat about building secure mobile applications for m-commerce, Banking, Ticketing, Messaging. Read our blog for more details on
  • Global Messaging 2009 - Mobile Ticketing and Payments

    1. Secure Payment and Ticketing Applications
         • Tom Godber - CTO Masabi
    2. Agenda
         • Who Are Masabi
         • The Mobile Experience
         • Mobile Ticketing
         • Taking Mobile Payments
    3. About Masabi
         • 20 currencies
         • 4 alphabets
         • 2 Factor Authentication
         • Secure messaging
         • UK Rail Ticket Standard
    7. The Mobile Experience – All Sweetness and Light?
    8. Mobile Masochism
         • The mobile experience is about PAIN
         • Texting on a Moto…
         • Pretty much anything at all on Nokia’s touchscreen S60…
         • User experience is becoming important
         • Ex-RAZR users often won’t Moto again
         • But nothing is perfect, even Steve
    9. Many Services Will Fail
         • Good ideas are common
         • Good ideas which actually work aren’t
         • Given handset constraints…
         • Given real world conditions…
         • Compared to existing alternatives…
    10. Pick Your Battles
         • A successful service must offer a significant advantage to the user
         • An mPayment must be easier than cash and cards
         • Just because a user can do something, doesn’t mean they will
         • Offer net pain relief
    11. Considerations
         • User probably moving
         • Must be simple
         • Must be resilient
         • Has user got alternatives?
         • Cash
         • Debit/credit cards
         • PC
    12. Connecting With The Real World
    13. UK Rail Barcodes
         • Reliable, fast
         • Offline scanning
         • Tickets still work when Internet doesn’t!
         • Open security
         • PKI signatures prevent modification
         • Public Key verification is cheap, easy
         • Royalty free, open barcodes
         • Aztec scans best on a handset screen
    14. UK Train Ticketing
         • Phone becomes your ticket
         • Today’s reality:
         • Only supported on a few routes
         • Eg. our National Express trial
         • 3-6 months:
         • Train franchises start to go live
         • Some rollout of barcode reading gates
    15. Not Just a Ticket
         • UK Rail Barcode has space for other entitlements
         • Eg. Free coffee
         • Bundle other sales together with ticket
         • Barcodes have plenty of other uses
         • Remove cash from high-risk environments to reduce ‘shrinkage’
    16. Mobile Ticket Delivery
    17. Handset Support
         • Chiltern Railways ticket app trial showed:
         • Adopted outside young male demographic
         • Often user’s first transaction with a phone
         • Tickets must be supported on everything!
         • Smartphones are a niche
    18. Not All About The iPhone
    19. Ticket Delivery
         • SMS tickets
         • Wap tickets
         • Local application ticket wallet
    20. Pure SMS Ticketing
         • Picture messaging can carry small barcodes
         • 3 SMS per picture is expensive
         • Too small for new rail ticket barcodes
         • Simple insecure 1D or 2D barcodes only
         • No text details for visual inspection
         • Scanner always required
         • Can be forwarded and reused
    21. Wap Ticketing
         • Wap Push with ticket URL
         • User downloads ticket
         • Saves image like a wallpaper
         • Must trust OMA DRM
         • A lot of effort to size image
         • Handsets often rescale an image that is slightly too big or small
         • This plays havoc with barcode scanners!
    22. Java Ticket Wallet
         • User installs local ticket wallet
         • Server sends tickets over SMS
         • One encrypted binary msg/ticket
         • Delivered directly to wallet app
         • App can display ticket details and barcode
         • Better barcode rendering > faster scanning
         • Details readable to an inspector
    23. BUT
    24. Address Customer Needs!
         • UK Rail Tickets – mainly bought in the station!
    25. User Needs
         • Ticket delivery is an extension of online
         • Fairly useful for users without printers
         • BUT most train tickets not bought online
         • Sell from phone
         • Buy in taxi / on street / in station
         • Avoid queues
    26.
    27. Mobile Payment Channels
         • SMS
         • Premium SMS > phone bill
         • Credit card over SMS
         • Payment through the browser
         • Payment through a local app
    28. SMS
         • Premium SMS payment
         • Good for simple transactions
         • Easy to set up, works on everything
         • 30-60% operator cut
         • Best for low-value high-margin items
         • SMS insecure for any other payment
         • Messages can be read on stolen phones
         • Messages can be read on the network
    29. Mobile Browser Purchase
         • Wap purchase is multi-step
         • Repeat page loads slow and expensive
         • Requires continuous connection
         • Data mis-entry becomes painful
         • Limited opportunity to help user with validation etc – not like full web AJAX
         • Often insecure
         • Wap1 inherently insecure
         • Transcoders can mess with Wap2 and the mobile web
    30. Mobile Browsers
         • Wap security: inherently insecure; used on older browsers, “Wap” settings
         • Wap2 security: like the web; most handsets use this with “Internet” settings
    31. Transcoders with HTTPS
         • Some transcoders leave HTTPS alone
         • Others will insert themselves in the connection
         • Handset cannot verify end certificate
         • Just like a man-in-the-middle attack!
    32. Java Ticket Sales App
         • Ticket purchase in UK
         • Aimed at repeat users
         • Intelligent client
         • Helps user with data entry => minimises resends
         • After 1st purchase, just enter CVV
         • Submits credit card purchase with one encrypted SMS
         • Good when signal strength low
         • Integrated into ticket wallet
    33. Technology Notes
    34. Java (someone has to like it)
         • You don’t have to be the ‘best’
         • Sometimes being the only option is good enough
         • NOT suitable for everything
         • Remember, pick your services
         • Good for:
         • Recurring purchases
         • Flaky connections
         • Retries, SMS fallback, fat intelligent client
    35. Near Field Communication
         • A lot like “Oyster on your phone”
         • (Almost) no handset support
         • Common by 2013?
         • NFC already embedded on cards
         • Habit: you pay with a card, why use a phone?
         • Who will pay for the infrastructure?
    36. NFC – Not Today
         • NOKIA HANDSETS
         • NOKIA NFC HANDSETS
    37. Some Notes On Oyster
         • Great in London
         • Almost everyone has to use public transport
         • Locals ‘bribed’ to adopt with lower fares
         • Large government subsidies
         • Not economically viable to roll out elsewhere
         • Even London overground train lines required £40m subsidy to support it
    38. 7967 551670 @tomgodber
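
The "UK Rail Barcodes" slide (offline scanning, PKI signatures prevent modification, cheap public-key verification) and the "Can be forwarded and reused" point on the SMS ticketing slide, worked through as an added example that is not from the talk or from Masabi's code. It shows a scanner holding only a public key rejecting an altered ticket with no network access, and shows that an unmodified copy still verifies, so reuse has to be caught by scanner-side state. Assumptions: textbook RSA over two public Mersenne primes stands in for the barcode signature scheme, which the slides do not specify, and the ticket fields and the names `issue`, `verify` and `scan` are hypothetical.

```python
import hashlib

# Constructed toy key: textbook RSA over two public Mersenne primes, no padding.
# Demonstration only; the slides do not say which scheme UK rail barcodes use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key: all a scanner needs
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: issuing server only

# Constructed sample payload (hypothetical field layout).
SAMPLE = b"id=T1001;from=AAA;to=BBB;date=2009-06-24;extra=coffee"


def _digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def issue(payload: bytes) -> tuple:
    """Server side: sign the ticket; payload and signature go in the barcode."""
    return payload, pow(_digest(payload), D, N)


def verify(payload: bytes, sig: int) -> bool:
    """Scanner side: one modular exponentiation, no network access."""
    return 0 <= sig < N and pow(sig, E, N) == _digest(payload)


def scan(payload: bytes, sig: int, seen: set) -> str:
    """Gate/inspector check. `seen` is a per-scanner record of ticket ids."""
    if not verify(payload, sig):
        return "rejected: bad signature"
    ticket_id = payload.split(b";", 1)[0]
    if ticket_id in seen:
        # A byte-identical copy carries a valid signature, so forwarding
        # has to be caught by state, not by cryptography.
        return "rejected: already scanned"
    seen.add(ticket_id)
    return "accepted"


if __name__ == "__main__":
    payload, sig = issue(SAMPLE)
    seen = set()
    print(scan(payload, sig, seen))                                # accepted
    print(scan(payload.replace(b"coffee", b"lounge"), sig, seen))  # bad signature
    print(scan(payload, sig, seen))                                # already scanned
```

The `seen` set is local to one scanner, so on its own it only catches a copy presented to the same device.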