Global Messaging 2009 - Mobile Ticketing and Payments

Talk given by Tom at the Global Messaging 2009 conference in London on 24th June 2009. It covered the essence of what makes a good mobile service, using Masabi's UK rail work as a case study.

  • Masabi have been producing downloadable mobile applications for over 7 years, and today Masabi secure mobile applications process millions of dollars worth of transactions every year
  • SMS purchase from a vending machine isn’t going to work – people use cash. The fact that the vending machine operator may be able to shave a few % off vandalism repairs and reduced theft doesn’t matter to the user.
  • Source: Strategy Analytics (http://iphone.tmcnet.com/topics/iphone/articles/55332-global-handset-shipment-falls-record-rate-during-q1.htm). 5800: 2.6m vs iPhone: 3.8m. Nokia about 25x sales of Apple – bad quarter for Nokia.
  • TODO new screenshots
  • By ‘other payments’ => should never send credit card number over a normal text
  • Wap “https” not the same as web https
  • TODO new screenshots
  • It’s a great system, but worth considering why – need to consider the bigger picture
  • Come see me after for live demos, or to chat about building secure mobile applications for m-commerce, banking, ticketing and messaging. Read our blog for more details on security: blog.masabi.com

    1. Secure Payment and Ticketing Applications
       • Tom Godber - CTO Masabi
    2. Agenda
       • Who Are Masabi
       • The Mobile Experience
       • Mobile Ticketing
       • Taking Mobile Payments
    3. About Masabi
       • 20 currencies
       • 4 alphabets
       • 2 Factor Authentication
       • Secure messaging
       • UK Rail Ticket Standard
    4. The Mobile Experience – All Sweetness and Light?
    5. Mobile Masochism
       • The mobile experience is about PAIN
       • Texting on a Moto…
       • Pretty much anything at all on Nokia’s touchscreen S60…
       • User experience is becoming important
       • Ex-RAZR users often won’t Moto again
       • But nothing is perfect, even Steve
    6. Many Services Will Fail
       • Good ideas are common
       • Good ideas which actually work aren’t
         - Given handset constraints…
         - Given real world conditions…
         - Compared to existing alternatives…
    7. Pick Your Battles
       • A successful service must offer a significant advantage to the user
       • An mPayment must be easier than cash and cards
       • Just because a user can do something, doesn’t mean they will
       • Offer net pain relief
    8. Considerations
       • User probably moving
       • Must be simple
       • Must be resilient
       • Has user got alternatives?
         - Cash
         - Debit/credit cards
         - PC
    9. Connecting With The Real World
    10. UK Rail Barcodes
       • Reliable, fast
         - Offline scanning
         - Tickets still work when Internet doesn’t!
       • Open security
         - PKI signatures prevent modification
         - Public Key verification is cheap, easy
       • Royalty free, open barcodes
         - Aztec scans best on a handset screen
    11. UK Train Ticketing
       • Phone becomes your ticket
       • Today’s reality:
         - Only supported on a few routes
         - Eg. our National Express trial
       • 3-6 months:
         - Train franchises start to go live
         - Some rollout of barcode reading gates
    12. Not Just a Ticket
       • UK Rail Barcode has space for other entitlements
         - Eg. Free coffee
         - Bundle other sales together with ticket
       • Barcodes have plenty of other uses
         - Remove cash from high-risk environments to reduce ‘shrinkage’
    13. Mobile Ticket Delivery
    14. Handset Support
       • Chiltern Railways ticket app trial showed:
         - Adopted outside young male demographic
         - Often user’s first transaction with a phone
       • Tickets must be supported on everything!
       • Smartphones are a niche
    15. Not All About The iPhone
    16. Ticket Delivery
       • SMS tickets
       • Wap tickets
       • Local application ticket wallet
    17. Pure SMS Ticketing
       • Picture messaging can carry small barcodes
         - 3 SMS per picture is expensive
         - Too small for new rail ticket barcodes
       • Simple insecure 1D or 2D barcodes only
         - No text details for visual inspection
         - Scanner always required
         - Can be forwarded and reused
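The signed, offline-verifiable barcode that the UK Rail Barcodes slide describes, together with the duplicate check that the forward-and-reuse problem above calls for, as an added Go example; this is not Masabi's code nor the UK Rail barcode specification. The "|"-joined field layout, the 0x1E separator, the P-256/SHA-256 choice and the sample ticket values are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Constructed barcode layout (not the real UK Rail spec): "|"-joined fields
// (scheme, ID, origin, destination, date, class), then 0x1E, then a DER signature.
const sep = 0x1E // ASCII record separator; cannot occur in the printable payload

func NewOperatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue runs on the operator's server: hash the payload, sign it with the
// private key and return the bytes that get rendered as the barcode.
func Issue(priv *ecdsa.PrivateKey, fields ...string) ([]byte, error) {
	payload := []byte(strings.Join(fields, "|"))
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return append(append(payload, sep), sig...), nil
}

// Accept is the offline gate check: it needs only the public key, no network. seen
// records IDs already let through: a signature proves a ticket is unmodified, not uncopied.
func Accept(pub *ecdsa.PublicKey, seen map[string]bool, barcode []byte) ([]string, bool) {
	payload, sig, found := bytes.Cut(barcode, []byte{sep})
	digest := sha256.Sum256(payload)
	fields := strings.Split(string(payload), "|")
	if !found || !ecdsa.VerifyASN1(pub, digest[:], sig) || len(fields) != 6 || seen[fields[1]] {
		return nil, false
	}
	seen[fields[1]] = true
	return fields, true
}

func main() {
	priv, _ := NewOperatorKey()
	bc, _ := Issue(priv, "UKR", "T0001", "LDN", "BHM", "2009-06-24", "STD")
	fmt.Println(Accept(&priv.PublicKey, map[string]bool{}, bc)) // fields, true
}
```

Any edited field, a signature under a key the gate does not trust, or a second scan of the same barcode is rejected without the gate ever contacting the server.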
    18. Wap Ticketing
       • Wap Push with ticket URL
       • User downloads ticket
         - Saves image like a wallpaper
         - Must trust OMA DRM
       • A lot of effort to size image
         - Handsets often rescale an image that is slightly too big or small
         - This plays havoc with barcode scanners!
    19. Java Ticket Wallet
       • User installs local ticket wallet
       • Server sends tickets over SMS
         - One encrypted binary message per ticket, delivered directly to wallet app
       • App can display ticket details and barcode
         - Better barcode rendering => faster scanning
         - Details readable to an inspector
    20. BUT
    21. Address Customer Needs!
       • UK Rail Tickets – mainly bought in the station!
    22. User Needs
       • Ticket delivery is an extension of online
         - Fairly useful for users without printers
         - BUT most train tickets not bought online
       • Sell from phone
         - Buy in taxi / on street / in station
         - Avoid queues
    23. Mobile Payment Channels
       • SMS
         - Premium SMS => phone bill
         - Credit card over SMS
       • Payment through the browser
       • Payment through a local app
    24. SMS
       • Premium SMS payment
         - Good for simple transactions
         - Easy to set up, works on everything
         - 30-60% operator cut
         - Best for low-value high-margin items
       • SMS insecure for any other payment
         - Messages can be read on stolen phones
         - Messages can be read on the network
    25. Mobile Browser Purchase
       • Wap purchase is multi-step
         - Repeat page loads slow and expensive
         - Requires continuous connection
         - Data mis-entry becomes painful
         - Limited opportunity to help user with validation etc – not like full web AJAX
       • Often insecure
         - Wap1 inherently insecure
         - Transcoders can mess with Wap2 and the mobile web
    26. Mobile Browsers
       • Wap security
         - Inherently insecure
         - Used on older browsers, “Wap” settings
       • Wap2 security
         - Like the web
         - Most handsets use this with “Internet” settings
    27. Transcoders with HTTPS
       • Some transcoders leave HTTPS alone
       • Others will insert themselves in the connection
         - Handset cannot verify end certificate
         - Just like a man-in-the-middle attack!
    28. Java Ticket Sales App
       • Ticket purchase in UK
       • Aimed at repeat users
       • Intelligent client
         - Helps user with data entry => minimises resends
         - After 1st purchase, just enter CVV
       • Submits credit card purchase with one encrypted SMS
         - Good when signal strength low
       • Integrated into ticket wallet
    29. Technology Notes
    30. Java (someone has to like it)
       • You don’t have to be the ‘best’
         - Sometimes being the only option is good enough
       • NOT suitable for everything
         - Remember, pick your services
       • Good for:
         - Recurring purchases
         - Flaky connections
         - Retries, SMS fallback, fat intelligent client
    31. Near Field Communication
       • A lot like “Oyster on your phone”
       • (Almost) no handset support
         - Common by 2013?
       • NFC already embedded on cards
         - Habit: you pay with a card, why use a phone?
       • Who will pay for the infrastructure?
    32. NFC – Not Today
       (chart comparing Nokia handsets with Nokia NFC handsets)
    33. Some Notes On Oyster
       • Great in London
         - Almost everyone has to use public transport
         - Locals ‘bribed’ to adopt with lower fares
         - Large government subsidies
       • Not economically viable to roll out elsewhere
         - Even London overground train lines required £40m subsidy to support it
    34. Contact
       • tom@masabi.com
       • +44 7967 551670
       • @tomgodber
