This document discusses technology challenges in mobile payments. It begins by classifying mobile payments based on value, charging method, location, and validation of tokens exchanged. It then discusses enabling mobile technologies like user interfaces, platforms, security, and transport layers. The document outlines several technology challenges including those at the device level, application level, communication level, user level, security level, standards level, and consolidation level. It provides examples of some of these challenges. Finally, it discusses some innovative mobile payment solutions developed in India and provides an overview of a mobile ad-hoc network ecosystem used to enable financial inclusion through mobile payments.

1. Technology Challenges in
Mobile Payments
Dr.V.N.Sastry
Professor, IDRBT &
Executive Secretary, MPFI
Road No.1, Castle Hills, Masab Tank,
Hyderabad 500057
E-Mail : vnsastry@idrbt.ac.in
Ph: 91-40-23534981
Test : 9440803813 (M) & MMID : 9211933
January 30, 2012 at IDRBT for the EDP

2. March 29, 2012
Outline
• Mobile Payment Technologies
• Technology Challenges
• Some innovative developments
2

3. Classification of Mobile Payments
Based on
Value
Micro
Payments
Based on
Charging
method
Based on
Location
Based on the
validation of the
tokens exchanged
Macro
Payments
Mini
Payments Proximity
Payments
Remote
Payments
Pre-paid
Post-paid Online
Payments
Offline
Payments
(ex: e-coins
in P2P
transfers)
March 29, 2012 3

4. March 29, 2012
Enabling Mobile Technologies
User
Interface
Platforms
Security
enablers
Transport
Short-
range
Long-
range
GSM
GPRS
RFID
Bluetooth
Infrared
3G
SAT
Java ME
Java Card
Voice
SMS
USSD
WAP
Dual
slot
phones
WPKI/
WIM
SIM
4G
NFC
4

5. March 29, 2012
Technology Challenges
• Device Level
• Application Level
• Communication Level
• User Level
• Security Level
• Standards Level
• Consolidation Level
5

6. March 29, 2012
Device Level Challenges
• Variation in Features and
Functionalities, look and feel, text
size, recharging frequency, OS
• User Awareness and Education
• Voice, Data, MMS, interactivity, real
time response, location aided
feature etc. properly used ?
6

7. March 29, 2012
Mobile Application Level
Challenges
• Is the Mobile Payment Application
Developed in Conformance to standards ? Is
it interoperable ?
• On which folder client application is to be
downloaded ? how to install and run a
mobile payment application ?
• Is the design optimized for execution in
limited phone memory?
• Has it been Tested and certified by Trusted
entity ?
• Can the customer wait for the delay to get it
for his/her new model ? 7

8. March 29, 2012
Communication Level
Challenges
• Which channel to use : SMS, USSD,
GPRS, DTMF ?
• What way mobile banking
convenience is enhanced by 2G,
3G, 4G ?
• When and how to use Wireless
Communication Technologies :
Bluetooth, Zigbee, Wi-max, Wi-fi ,
LTE ?
8

9. Mobile Communication
Architecture
Mobile Stations Base Station
Subsystem
Exchange
System
Network
Management
Subscriber and terminal
equipment databases
BSC MSC
VLR
HLR
EIR
AUC
OMC
BTS
BTS
March 29, 2012 9

10. March 29, 2012
Bank - A Bank -B
Switching
(NPCI)
Settlement
(CCIL)
Interbank Mobile
Payment Service
(IMPS)
Payer-X Payee- Y
10

11. March 29, 2012
User Level Challenges
• Local language support on Mobiles
• Generation of Transaction report
• Mobile Application on Phone memory or
SIM or memory card ?
• Trace of transaction data or critical
personal data : access by others
• Mobile Wallet : risk of multiple cards in
the device and value offload for cash
exchange in local currency
• Mobile based Financial Inclusion services
• Complaint registration and Grievance
resolution
11

12. BC Micro ATM ATM /
Merchant PoS
Bank A Bank B
Switching
(NPCI)
Biometric
Authentication
( UIDAI )
Settlement
(CCIL)
Customer
Mobile based Financial Inclusion
and
Mobile Wallet
March 29, 2012 12

13. March 29, 2012
Security Challenges
• Authentication
– User, Device, Application, Transaction
– Direct, Indirect
– Factors : You Know (UK), You Have (UH), You Are (UR)
– One Way from source (S) to destination (D)
– Mutual between source, destination or intermediate entities
as Telco , Mobile Payment Provider, Bank Server, Switching
agency.
• Encryption & Decryption Using Cryptoghaphy
– Symmetric key ( Password, m-Pin )
– Asymmetric key (PKI , WPKI )
• Layers of OSI Model
• Access Control Models
• Between Source (S) and Destination (D)
– MPP to Bank : SSL / TCP
– Bank to NPCI : SSL/TCP
13

14. Major 3 Sections of a Mobile Phone
–Power Section
• Power distribution
• Charging section
–Radio Section
• Band Switching
• RF Power Amplification
• Transmitter
• Receiver
–Computer Section
• CPU (central processing unit)
• Memory (RAM,FLASH,COMBO CHIP)
March 29, 2012 14

15. Some reported attacks on
Mobile Phones
• Phishing
• Botnet
• Fake Player
• Trojan horse
• Bluejacking
(Symbian )
• BlueBug
• BlueSnarfing
• BluePrinting
•Cabir (First in 2004 )
•Comwar
•Skulls
•Windows CE virus
March 29, 2012 15

16. Mobile Station
• Mobile Equipment (ME) is identified by
– International Mobile Equipment Identity (IMEI) Number
• Subscriber Identity Module (SIM) Card has keys,
identifiers and algorithms
• Identifiers
– Ki – Subscriber Authentication Key
– IMSI – International Mobile Subscriber Identity
– TMSI – Temporary Mobile Subscriber Identity
– MSISDN – Mobile Station International Service Digital Network
– PIN – Personal Identity Number protecting a SIM
– LAI – location area identity
• STK ( SIM Application Toolkit) allows applications in
the SIM to interact with any ME
• ETSI GSM 11.14 standard defines the interface
between the SIM and the interoperable ME .
March 29, 2012 16

17. SIM Card
• Mobile Payment Application can be installed on either ME or
SIM .
• The application burnt on the SIM card gives by far the most
secure application environment. The mobile application can be
stored on its own security domain and hence prevented from
others having access to it.
• Forensic tools and procedures exist that can be used to
bypass built-in security mechanisms and recover the contents
of a device.
• Both software and hardware-based methods are available for
data recovery, including those that exploit existing
vulnerabilities.
• A number of GSM mobile phones allow acquisition with a
forensic tool, if a PIN-enabled (U)SIM is missing or removed
from the device. It is also possible to create substitute (U)SIMs
for certain models of phones that fools them into treating the
(U)SIM as the original, and allowing access.
•
March 29, 2012 17

18. Security at Mobile Channel Level
• Voice Channel : DTMF for IVRS
• Text Channel : SMS, USSD
• MMS Channel : GPRS
• GSM Security Mechanisms
• Equipment Identity Register (EIR)
– Black list – stolen or non-type mobiles
– White list - valid mobiles
– Gray list – local tracking mobiles
• Central Equipment Identity Register (CEIR)
– Approved mobile type (type approval authorities)
– Consolidated black list (posted by operators)
March 29, 2012 18

19. Security at Mobile Application level
• Client Application developed by the
Mobile Payment Provider (MPP)
• Server Application of the MPP at the
Bank level
• Security Testing
• Key Generation and storage process
• Check Sum implemented
• Reaching to the destined address only ?
March 29, 2012 19

20. March 29, 2012
Multiple Standard
Challenges
• ISO Standards
• IEEE Standards
• PCI DSS Standards
• Regulatory Standards
• Global platform Standards
• EMV Standards
• NIST Standards
• SFMS, SWIFT Standards
• NFC Standards 20

21. Mobile ad hoc network technologies
March 29, 2012
Technology
Standard
Theoretical Bit Rate Frequenc
y
Range Power
Consumptio
n
IEEE 802.11b 1,2,5.5, 11 Mbits/s 2.4 GHz 100m-500m 30mW
IEEE 802.11g Upto 54 Mbits/s 2.4 GHz 25-50m 79mW
IEEE 802.11a Upto 54 Mbits/s 5 GHz 40m 250mW
Bluetooth
IEEE
802.11.15.1
1 Mbits/s 2.4 GHz 10 m-100m 1mW
UWB (IEEE
802.15.3)
110 - 480 Mbit/s 10 GHz 10m 200 mW
Hiper LAN2 Upto 54 Mbits/s 5 GHz 150m 200 mW
IrDA 4Mbits 850 nm 10 m 200mW
IEEE 802.11n 600 Mbits/s 5 GHz 100m - 250m 1500W 21

22. March 29, 2012
Consolidation Level
Challenges
• Server capabilities to handle high
volume mobile payment transactions
• Periodic and round the clock clearing
services for mobile payments
• Net and Real time funds settlement
between Banks
• Cash management issues at ATMs on
account of high velocity mobile
payments.
• Offering Mobile Banking Application as
a Cloud Service
22

23. Some Innovative solutions of
Mobile Payments in India:
• Bringing all stakeholders of Mobile Payments into
one platform by the Mobile Payment Forum of India
(MPFI) in 2006
• Use of Mobile Phone Number and MMID only for
Mobile Payments
• Use of AADHAR number and BIN for Mobile
Payments
• Use of USSD based Mobile Payments
• Development of MANETS for Financial Inclusion by
IDRBT
• And many other solutions reported in the workshop
March 29, 2012 23

24. MANET Ecosystem for
Mobile Payments
 MANET nodes.
 Gateway.
 Backbone Network.
 Bank Server.
 Fixed Relay.
March 29, 2012 24

25. Mobile ad-hoc Network (MANET)
 It is a Mobile wireless network.
 MANET nodes are rapidly deployable, self
configuring and capable of doing autonomous
operation in the network.
 Nodes co-operate to provide Connectivity and
Services.
 Operates without base station and centralized
administration.
 Nodes exhibit mobility and the topology is dynamic.
 Nodes must be able to relay traffic sense.
 A MANET can be a standalone network or it can be
connected to external networks(Internet).
March 29, 2012 25

26. MANET based Mobile Payments
I
Cellular
Network
/Satellite
Technology
Internet /
Private LAN
Gateway
Fixed Relays
Bank Server
Mobile ad hoc Network
Village
MANET
node
Backbone
March 29, 2012 26

27. Testbed
Mobile Node C
192.168.1.3
Mobile Node B
192.168.1.3
Mobile Node D
192.168.1.4
Mobile Node A
192.168.1.2
Gateway
192.168.1.1
Fixed Relay
MANET in a
Village
Cellular Network/
ISDN/PSTN/ LLN/
Satellite Network
Bank-A
Server
172.16.0.8
Bank-B
Server
162.16.6.124
March 29, 2012 27

28. March 29, 2012 28