Mobile Commerce meets the Real World - Mobile Ticketing


A presentation given by Ben Whitaker of Masabi Ltd at the Mobile Content Conference and Awards 2009 in Seoul, Korea.

Published in: Technology, Business
  • Masabi have been producing downloadable mobile applications for over 7 years,
    and today Masabi secure mobile applications process millions of dollars worth of transactions every year
  • Our applications are built on three core principles –

    Make the application usable and relevant to the end user, and make the default use cases quick and easy on the mobile. (I’ll show you some slides of that later)

    Then, PORTABILITY to all popular handsets, including the older handsets that many developers avoid, to ensure the largest possible user-base for your service.

    For Mobile commerce – security, on all phones, to modern public standards.
  • [The screenshots above are animated, to show useful UI widgets helping the user to select from large lists, or input Credit Card numbers correctly]

    WAP and WEB services are Thin Clients; good when you have a reliable, low latency connection.
    Mobile is not like that – inside buildings, moving vehicles and in remote locations, connections are often dropped or unavailable.

    Mobile Java allows us to build FAT clients, and not just glorified mini-browsers!

    Applications should provide most of the interaction while OFF-LINE and then only require an occasional connection at the end to make transactions, or get updates.
    e.g. you should be able to review your bank account and create new payment instructions while on the metro, not only when stood still in good

    Here are screenshots showing how you can quickly select one station from a list hundreds long, and also how to perform local validation of credit card numbers before sending, to reduce the number of unnecessary network connections.

    SMS Failover:
    Many users (more than half, we reckon) cannot make network connections from Java using WAP, because they need to switch to the correct INTERNET settings.
    To provide these users with an out-of-the-box instant purchase, the application can automatically detect the lack of functioning GPRS and switch to encrypted SMS instead.
  • Hold up 3510i or old Nokia S40 phone
    When you provide transactional software for these old phones, we find that significant numbers of people use them. Can you afford to throw away 10-20% of your users?
    (By way of comparison Microsoft and iPhones represent around 1% of the market)

    To provide Portability, we use our own porting Framework: DevelopME

    We’ve seen many mobile products that are either attractive, but high-end only; or basic-looking and available on all handsets.
    Through DevelopME we are able to provide attractive apps on all Java phones.

    You have to work hard to build full function applications that work on the older phones, and you can’t out-source it, or think about it late in your dev cycle – it has to be at the core of how you build everything.

    It’s not just different graphics sizes and bugs: you have to build variations of UIs that make the best use of very different input mechanisms on the different phones, and not expect the end consumer to re-learn new UI concepts that they don’t already use on their phone every day.
  • Standard GSM services are not secure enough to meet Financial Services or Payment Card Industry regulations.

    You shouldn’t use SMS or WAP to send payment instructions, bank passwords or credit card details because too many individuals can gain access to them in transit.

    (True end-to-end https is only available on the latest handsets – slow and not usable from Java or SMS.)

    “The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept”
    Nick Jones, Gartner Research 2002

    “It would not be enough for a financial institution to provide mobile banking services relying on de-facto GSM protocol security”
    Pakistan State Bank, Guidelines for Branchless Banking 2007

    We built EncryptME to the latest standards for new secure web services, and it is still the world’s only US Government Certified mobile Java security library.

    At 3kb, it can provide security on the oldest Java handsets, including the black and white Nokia 6310i (show legendary retro business phone)

    Most importantly, it allows SMS data to be encrypted too!

    Servers can continue to use standard cryptography from Sun or Microsoft etc – they don’t need to use custom or proprietary security libraries.
  • We’re using on-screen barcodes to show the ticket values for reading by automatic gates, or checking by the train guards who carry hand-held scanners.

    The ticket code can be transferred to the NFC element on compatible phones (like this Nokia 6131), but this handset is the only mainstream GSM handset with NFC and we’ve not heard of others in the pipeline.

    Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements, before they get transferred to the NFC element.
  • Roughly 75% of UK airline tickets are purchased online,
    yet only 2% of Heathrow Express tickets are bought online,
    because people only think and act on their public transport needs as they approach the station.

    Mobile can give every user their own ticket machine, that never has a queue.
  • Simple – simply put in your car, your credit card, and how long you want to park.

    Brand new user can sign up and pay in just one secure SMS (or 0.02pence worth of data)

    Extend your parking without returning to the vehicle.
  • Credit Card details entered just once into the application.

    Users have said “easier to use the mobile purchase than web purchase” because of quick, optimised workflow.
  • Come see me after for live demos,
    or to chat about building secure mobile applications for

    Read our blog for more details on security.
  • Mobile Commerce meets the Real World - Mobile Ticketing

    1. Just because you can do something with mobile technology -
        • Does not mean that customers will want to use it
        • Does not mean that corporations will promote it
    2. Normal people will only try to use new technology to do a regular daily activity… …if the old way of doing it is painful enough to make them try something new. At that moment: offer them a better way.
    3. • Make a clear business case first
        • Must make more money
        • Reduce Costs or
        • Increase Sales
        • Must pay for itself in the first year
        • Capital is not easy to raise right now $$$
    4. 2002 • First in-game micropayments
        2004 • First mobile viral apps
        2006 • Playtech mobile casino • 750+ handsets • 6 languages
        2007 • First certified mobile security • 3Kb EncryptME • Award winning
        2008 • Ticketing • Money transfers • Banking
        • 20 currencies • 4 alphabets • 2 Factor Authentication • Secure messaging • UK Rail Ticket Standard
    5. Transport, Finance & Banks, Entitlement & Venues, Gaming
    6. Security, Portability, Usability
        • Public certification • End-to-end • Fast and small
        • Popular handsets • All form factors • Fragmentation
        • Offline functions • Interactive experience • Slick and attractive
    7. • WAP / xHTML
        • Browser based, like on the web
        • No javascript or Ajax on most mobiles
        • Application
        • Installed on the phone
        • Dedicated, customised
    8. • Still useful without a continuous data connection
        • Optimised data entry
        • Faster responses
        • Catch mistakes quicker
        • SMS failover from GPRS
        • Avoid settings, reception & roaming problems
        • Cheaper + faster for the user
        • Send only the data
        • Flat rate data is still not common
    9. • Support the popular handsets
        • Not just the “easy” ones
        • Adapt content and graphics to screen size
        • Automatic handling of handset bugs
        • Optimise experience for form factor
    10. • To Enable Payments
        • Credit Card Transactions
        • Bank Transactions
        • WAP and SMS alone are not PCI/DSS secure
        • Why not use pSMS / Operator?
        • Too expensive for many industries (cost of Operator Billing>40%; only 1% to 3% for Visa)
    11. • US Government Certified
        • British Telecom validated
        • IET Security Award
        • Latest Encryption Strength
        • 1024bit RSA, 256bit AES
        • Standard Server Cryptography
        • Tiny 3Kb library
        • Works on all Java phones
        • Extremely fast
        • Secures any medium
        • SMS, GPRS, Bluetooth, NFC
        • On-phone storage
    12. • Only 12% of UK rail tickets sold on the internet – most bought at station
        • Over 2/3 of mobile users do not complete registration if it’s on the web
        • So: Sign up the users when they need it
        • in a queue
        • in a hurry
        • next to a broken ticket machine
    13. • No sign-up process
        • no usernames
        • no passwords
        • Mostly off-line interface, SMS backup
        • Fast repeated regular purchases
        • Auto-show tickets, full screen barcodes
    14. • Contactless RF
        • Smart-Card (Oyster, Mi-Fare)
        • NFC Phones
        • Barcodes
        • Self-print
        • Mobile
        Dependant on scanning hardware
        Soft rollout option with visual inspection
    15. • Avoid up-front capital cost of full barcode scanner rollout
        • Visually inspect at launch
        • Staff report barcode ticket usage levels each week
        • Occasional SMS or scan checks
        • Staged scanner rollout for routes with significant adoption
    16. RSPS3001 Approved in December 2008 as the UK standard for self print and mobile barcode rail ticketing
    17. • Share self-print and mobile barcodes between Operators and 3rd party retailers
        • Public and open security
        • Based on PKI, standard SSL certificates
        • Decentralised system - robust
    18. • Any barcode scanner, online or off-line, must support: 2D Aztec with CCD imager
        • Handheld
        • Small basic scanners for door staff
        • Advanced PDA based scanners for service staff
        • Bluetooth scanner upgrade for Avantix Mobile 2
        • Cash Register/EPOS Scanners
        • Connect via USB or as “keyboard wedge” in between keyboard and EPOS like a normal scanner
        • Fixed Scanners for gates or check-outs
        • Retro-fit to existing gates, user places phone on rubber face to scan
        • Or built in at manufacture by gate supplier
        [Image labels: Retro-fit, Fixed / gate scanner, EPOS Scanner, Basic, Advanced, Bluetooth]
    19. • Customer
        • Sign-up in the queue (no usernames or passwords)
        • No queues ever again
        • Quicker re-purchase
        • Tickets same price
        • Corporation
        • Lower cost per sale
        • No need to expand stations (major cost)
        • Staged capital expense on scanners
    20. • Adaptive layout, size, rotation, DRM
    21. • Payments straight from phone
        • No need for explicit sign-up or passwords
        • Just type CVV again for future purchases
        • All user data entry and validation performed off-line by application
        • Secure SMS for users without data settings or with poor reception
        • New user can sign-up and pay in just one SMS
        95% of surveyed users said: “better than the IVR system we used until now”
    22. • Buy anywhere
        • No paper, no queues - barcode tickets
        • Tunnels aren’t showstoppers!
        • Auto-detects SMS or GPRS
        • 1-2 SMS per ticket
        • Doubles the consumer uptake by removing Data issues
        • Quick repeat tickets
        • Customer loyalty and lock-in
        Chiltern Railways with YourRail
        User feedback: “Better than the web!”
    23. People will only try to use new technology to do a regular daily activity… …if the old way of doing it is painful enough to make them try something new. At that moment: offer them a better way.