
Securing Mobile Payment Systems: Using Personal Identification Number (PIN) Method


Academic year: 2021


Raphael Olufemi Akinyede¹, Olumide Sunday Adewale¹ and Boniface Kayode Alese¹

¹ Department of Computer Science, The Federal University of Technology, Akure, Ondo-State, Nigeria.

{ femi_akinyede!,!, osadewale1, and faalkad1} @yahoo.com

Abstract. Mobile payment is the process whereby two parties exchange financial value using a mobile device in return for goods or services. In Nigeria, the banking industry and citizens all incur a high overhead in using physical cash. A mobile phone-based payment system is a viable alternative to physical cash, since it incurs much lower overheads and offers more convenience: users can transact business at any time of the day, 24/7. Because security is of paramount importance in any financial transaction, this paper focuses its attention on the security issues in mobile payment for m-commerce, with emphasis on the personal identification number (PIN). In the paper, we carry out a review of m-commerce, m-payment and its operational model, and the technologies and standards for m-payment systems. Finally, the paper proposes a method and system for securing a payment transaction model.

Keywords: Mobile Payment, mobile commerce, PIN and cryptography.

1 INTRODUCTION

The electronic payment revolution has finally started, and it is led by a large number of Nigerian institutions comprising banks, the federal government and individual organizations (Akinyede and Afolayan, 2006). This revolution, which is at its initial stage, was made possible by the introduction of the Internet. The Internet is being embraced in virtually all areas of human activity because of its functionality. The number of Internet users has increased explosively as a result of the rapid growth of the information technology (IT) industry. According to the World Telecommunication/ICT Indicators Database (2009, 6th ed.), there were 200,000 Internet users in Nigeria in 2000 and 11,000,000 in 2009, an increase of 5,400%. Emerging technologies such as broadband satellite, VSAT and wireless telephony provide wonderful opportunities for Nigeria to leapfrog into the information society age. These technologies have been exploited to accelerate the IT development that leads to a cashless society in Nigeria. This drive has also led to the evolution of payment modes other than paper or coin money, such as cards and electronic and wireless payment systems, mainly to facilitate, expedite and secure transactions and wealth across the globe, and this has reduced the world to a global village. With the Internet, the limitation posed to international trade by geographical distance is fast crumbling, and it is now possible to carry out transactions with people in remote areas of the world. In addition, the increasing use of the Internet has seen the growth of e-payment, which is now graduating to mobile payment (m-payment), for business transactions (e-commerce or m-commerce) conducted between geographically distant parties (i.e. consumers and merchants). Monetary values are transferred over networks, resulting in the development of e-payment systems. This has made a secure and efficient payment system one of the key drivers that would help accelerate the wheel of e-commerce in Nigeria. Hence the need to secure payment systems for m-/e-commerce in the light of the rise in Internet fraud.

2 M-PAYMENT OPERATIONAL MODEL

Five principal participants are involved in m-payment operational model, and they are discussed as follows:

i. Customer (C): Holder of a payment card. In the proposed model a customer is required to have a GSM mobile phone with a Subscriber Identity Module (SIM). This card has software installed by an authorizer and acts as a “credit card” that is recognized by the authorizer.

ii. Merchant (M): The organization that sells goods/services to the cardholder through the Internet and is accredited by a known trusted third party.

iii. Acquirer (A): A financial institution which processes payment card authorizations and makes payments. The Acquirer provides electronic transfer of funds to the Merchant’s account from the Issuer I (customer’s bank account) over a secured payment network.

iv. Issuer (I): The financial institution of the customer C. It also provides payment software to install.

v. Payment Gateway (PG): An additional entity that acts as a medium between the acquirer/issuer on the private banking network side and the client/merchant on the Internet side for clearing purposes (Kungpisdan, et al., 2004).


Figure 1: M-payment Operational Model.

In figure 1, we specify the links among the five entities of our scheme. Note that there is no direct connection involving the client and the issuer. Moreover, the connection between the customer C and the merchant M (denoted as the dotted arrow) is set up through a wireless channel.

However, the basic idea is that the transaction payment details are divided into two parts. Firstly, on Issuer’s (I’s) side, the only available information is that Customer C authorizes a payment to Acquirer (A) through the payment gateway, while no merchant (M) identity or account information is revealed, so that the Issuer (I) has no idea of what the Customer C buys. Secondly, an acquirer (A) should only know there is a payment waiting to be credited to the merchant’s (M) account, while knowing nothing about who makes the payment. Based on the assumption that Issuer (I) and Acquirer (A) never collude to sell out the private information of Customer C, we can achieve the privacy protection of Customer C during the electronic transactions through mobile network (Changjie and Ho-fung, 2005)

2.1 M-PAYMENT SYSTEM OVERVIEW

There are a number of steps involved in m-payment systems, but only one of them is discussed here: the interactions between the entities involved. In an m-payment system where the customer C and the merchant M are at remote locations, the customer C places an order from his station to the merchant M's store (see figure 2). The steps are as follows:

Step 1: A customer C browses the merchant M’s website and selects an item to purchase. During this phase, the merchant M and customer C reach an agreement upon a set of item information, such as the item’s price, that describes the purchase. The customer C then sends a payment request to a Payment Service Provider (PSP) over a wireless network. This request includes the details of the customer C and the amount to be paid. The customer C selects the payment method from the merchant M’s webpage.

Step 2: A PSP verifies the credentials of the customer C and the merchant M (basically it checks whether the customer C and merchant M have registered for such an m-payment service).

Step 3: Optionally, the PSP might ask the customer C for some more details (like a password) for authentication.

Step 4: Once the credentials of the customer C have been established, the PSP requests the merchant M for confirmation by forwarding the payment details.

Step 5: The merchant M then sends a confirmation message to the PSP.

Step 6: After successful confirmation, the PSP performs backend processing to update the accounts of the customer C and the merchant M.

Step 7: It sends a payment receipt to the customer C. It might also optionally send a “Transaction completed” message to the merchant M.


Figure 2: Basic Architecture of a Remote M-Payment System (Source: www.csi-sigegov.org/2/14_310_2.pdf)

3 TECHNOLOGIES AND STANDARDS FOR M-PAYMENT SYSTEMS

According to Shivani, et al. (2008), in order to perform a security analysis of an e-payment scheme it is necessary to understand the underlying standards, technologies, protocols and platforms used. The two popular standards used for mobile communication are Global System for Mobile communications (GSM) and Code Division Multiple Access (CDMA). GSM based phones use a SIM (Subscriber Identification Module) card which is a detachable smart card containing the user's subscription key used to identify a user. In CDMA based phones, the phone itself stores the subscription key. A common technology for remote payment systems is SMS (Short Messaging Service) which is a low cost alternative to making calls. SMS is an attractive technology because of its ease of use and low cost. SMS based payment systems are of two types, namely, the ones which do not require a change in the device infrastructure (SIM card) and the ones which do. In the former case, the user can initiate or authorize a transaction by sending an SMS message using a standard SIM card. PayPal (2008) and SMS-Credit (Fong & Lai, 2005) are examples of such SMS based systems.


4 METHOD AND SYSTEM FOR SECURING A PAYMENT TRANSACTION MODEL

Figure 3: Block diagram of a secure payment transaction system

[Figure 3 labels: Merchants M1, M2, …, Mk (Merchants’ Side); Communicating Environment; Network; Customers C1, C2, …, Cn; Mobile Payment Device; Cryptographic Converter; Hardware Security Module; Payment Transaction (PT); PHP; MySql DBMS; Financial Institutions (Banks’) DBMS.]

The symbols C, M, PG, I, A are used to denote Customer, Merchant, Payment Gateway, Issuer, and Acquirer respectively. According to Coppinger (2009), the method for securing a payment transaction comprises the following steps:

a. Customer/Merchant Interaction.

The system in figure 3 provides an avenue for customer/merchant interaction. A customer C browses the merchant M’s website and selects an item to purchase. During this phase, the merchant M and customer C reach an agreement upon a set of item information, such as the item’s price, that describes the purchase. The customer C then sends a payment request to a Payment Service Provider (PSP) over a wireless network. This request includes the details of the customer C and the amount to be paid. The customer C selects the payment method from the merchant M’s webpage.

b. Mobile Payment Device

In figure 3 above, Mk (where k = 1, 2, …, k) are the merchants that maintain websites under a secure payment transaction and sell goods or services to customers Cn (where n = 1, 2, 3, …, n), who maintain a mobile payment device (i.e. a Personal Digital Assistant (PDA) or a mobile phone with advanced personal computing capabilities). The mobile payment device is configured to perform secure payment transaction functions on the Internet. It has a processor, memory and other hardware elements operating in accordance with the system and application software appropriate to the functions it provides. It also has a card reader through which data on a payment card (such as a credit or debit card) can be read, and a user interface (i.e. keypad or touchpad) through which information is input.

Operation of the mobile payment device. Both the merchant Mk and the customer Cn communicate on the Net as shown above. The mobile payment device obtains purchase information from merchant Mk, such as the details of the goods or services ordered by the customer Cn. It also obtains payment information and a password (PIN) from customer Cn. When certain types of payment card, such as a debit card or ATM card, are used, some form of password/PIN must be provided by the customer Cn to authenticate the customer to the financial institution that will process the payment. When a PIN is obtained from customer Cn via the user input interface, the device stores the PIN in its volatile memory. The PIN is then encrypted using an asymmetric (public key) cryptography algorithm and the encrypted PIN is transmitted via the network, as shown in figure 3, to the cryptographic converter.

The device places the RSA public key encrypted PIN block into a transaction message and transmits the transaction message to the cryptographic converter; the converter secures the transmission using a powerful Secure Sockets Layer (SSL 3.0) cryptographic protocol, which provides various security features including encryption, authentication and data integrity. Finally, the mobile payment device waits for an acknowledgement from the payment transaction showing that transaction processing is completed before displaying a confirmation to the user.

c. Network

The secure payment transaction above includes a network over which transaction data necessary to process the payment transaction is transmitted. The network is any suitable telecommunications network having a wireless network component through which the mobile payment device communicates.

d. Cryptographic Converter

The cryptographic converter converts public key encrypted data into secret key encrypted data. The cryptographic converter interfaces with the network, generates and securely stores a private key it uses to decrypt the public key encrypted data and a secret key it uses to re-encrypt the decrypted data.

Operation of the cryptographic converter. The cryptographic converter in figure 3 obtains the public key encrypted PIN from the mobile payment device via the network. Specifically, it obtains the transaction message described above from the device, extracts the RSA public key encrypted PIN block and decrypts the public key encrypted PIN. It maintains the RSA private key which corresponds to the RSA public key that was used by the mobile payment device to encrypt the PIN. It applies the RSA private key to decrypt the RSA public key encrypted PIN block and extracts the PIN from the resulting decrypted PKCS #1 Type 2 encryption block.

The cryptographic converter re-encrypts the PIN using a symmetric (secret key) cryptography algorithm. In an embodiment of the invention, the cryptographic converter applies a Triple Data Encryption Standard (3DES) algorithm to encrypt the PIN. It also maintains a 3DES secret key which is identical to a secret key maintained by the payment transaction in figure 3. The identical secret keys are generated, for example, by a Derived Unique Key per Transaction (DUKPT) process. It applies the 3DES secret key to encrypt the PIN, placing it into an encrypted PIN block and then passing the encrypted PIN block back to the cryptographic converter.

The cryptographic conversion host replaces the RSA encrypted PIN block in the transaction message with the 3DES secret key encrypted PIN block and provides the transaction message to the transaction host. For example, the cryptographic conversion host transmits the transaction message with the 3DES secret key encrypted PIN block to the transaction host via the network.

Here, the original form of a message is usually known as plaintext, and the encrypted form is called ciphertext (Piper and Murphy, 2002). The set of all plaintext messages is denoted by $M_p$; similarly, the set of all ciphertexts is denoted by $M_c$, and $f$ is a mapping from $M_p$ into $M_c$. $P$ and $C$ represent plaintext and ciphertext, respectively. Both are stored and transmitted as binary data. They can be represented in mathematical formulae:

$C = f(P)$ (1)

In the reverse process, the decryption function $f^{-1}$ operates on $C$ to obtain the plaintext $P$:

$P = f^{-1}(C)$ (2)

where $P \in M_p$, $C \in M_c$; $f$ is viewed as the encryption algorithm (function) and $f^{-1}$ denotes the decryption algorithm. Since encryption and decryption are inverse functions of each other, the following formula must be true:

$P = f^{-1}(f(P))$ (3)
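The device-to-converter leg described in sections b and d, as an added example (not code from the paper or the cited patent): the device wraps the PIN in a PKCS #1 Type 2 block and RSA-encrypts it, and the converter decrypts and validates the block before extracting the PIN, so the round trip is formula (3) with f taken as the RSA encryption. The toy Mersenne-prime key, the 4-12 digit ASCII PIN rule and all function names are assumptions of this example; the 3DES re-encryption step is left out.

```python
import secrets

# ASSUMPTION: toy RSA key from two known Mersenne primes so the example runs
# offline with the standard library. Not secure; a deployed converter would
# keep a >= 2048-bit private key inside its hardware security module.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30 here)


class PinBlockError(Exception):
    """One generic failure, so a response never says which check failed."""


def raw_encrypt(block: bytes) -> bytes:
    """RSA public-key operation on an already formatted K-byte block."""
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")


def device_encrypt_pin(pin: str) -> bytes:
    """Mobile payment device: build the PKCS #1 Type 2 block and encrypt it."""
    # ASSUMPTION: PIN is 4-12 decimal digits, carried as ASCII in the block.
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 decimal digits")
    msg = pin.encode("ascii")
    # Padding string PS: random non-zero bytes filling the rest of the block.
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return raw_encrypt(b"\x00\x02" + ps + b"\x00" + msg)


def converter_extract_pin(ciphertext: bytes) -> str:
    """Cryptographic converter: decrypt, validate the block, return the PIN."""
    if len(ciphertext) != K or int.from_bytes(ciphertext, "big") >= N:
        raise PinBlockError("rejected")
    block = pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)       # first zero byte after the 00 02 header
    # Type 2 header present and at least 8 padding bytes before the separator.
    ok = block[:2] == b"\x00\x02" and sep >= 10
    pin = block[sep + 1:] if ok else b""
    if not (ok and pin.isdigit() and 4 <= len(pin) <= 12):
        raise PinBlockError("rejected")
    return pin.decode("ascii")


if __name__ == "__main__":
    ct = device_encrypt_pin("493721")                  # constructed sample PIN
    print("converter recovered:", converter_extract_pin(ct))
    # Constructed malformed input: a Type 1 (signature-style) block.
    type1 = b"\x00\x01" + b"\xff" * 23 + b"\x00" + b"1234"
    try:
        converter_extract_pin(raw_encrypt(type1))
    except PinBlockError as exc:
        print("malformed block:", exc)
```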

e. Transaction host

The system further includes a transaction host which obtains transaction data via the network and processes the payment transaction on behalf of a financial institution that holds the account of the customer Cn for the payment card that has been used.

Operation of the transaction host. The operation starts with negotiation.

Negotiation phase: in this phase a customer browses the merchant’s website and selects an item to buy. During this phase, the merchant Mk and the customer Cn reach an agreement upon a set of item information that describes the purchase, such as the item’s price. The customer Cn selects the payment method from the merchant Mk’s webpage (in this case the customer Cn will select the “Using Mobile Phone” method instead of other payment methods such as credit card). A customer can use any host computer to send the Order Information (OI), such as the selected item’s description and the customer’s mobile number, to the merchant, but without any financial details. The transactions process can be summarized as:

When the merchant receives the order information, it sends an order confirmation and the Payment order Information (PI), Digitally Signed (DS) by the merchant, to the customer’s mobile device. The payment information includes details such as a transaction number, service ID, amount of money to be paid, merchant’s ID and the merchant bank ID. The merchant stores details of the transaction in its transaction database for use at a later stage. The transactions process can be summarized as:

Payment Phase

Firstly, the transaction host obtains the secret key encrypted PIN from the cryptographic conversion host. Specifically, the transaction host obtains the transaction message described above via the network, for example, the network in figure 3 and extracts the secret key encrypted PIN block from the transaction message.

Secondly, the transaction host decrypts the secret key encrypted PIN block. Specifically, the transaction host stores a 3DES secret key that is identical to the 3DES secret key applied by the cryptographic conversion host to encrypt the PIN block. The transaction host applies the 3DES secret key to decrypt the 3DES secret key encrypted PIN block and extracts the PIN from the decrypted PIN block.

Thirdly, the transaction host determines whether the PIN is valid by comparing it to data associated with the account of the customer Cn for the particular transaction. If the PIN is valid, the transaction host debits the account of the customer Cn by the purchase amount, and confirms the transaction by sending an appropriate confirmation message back to the mobile payment device via the network. If the PIN is not valid, the transaction host sends a rejection message back to the mobile payment device via the network (see figure 3.0). The process in the MP can be summarized as:

Verify PIN

IF PIN is correct THEN {MP → A: [[PI, DS], CI] Kpu} ELSE Terminate

Payment Protocol

C → M: NIDC, TIDReq (i.e. NIDC = temporary identity and TIDReq = identification of transaction request)

M → C: EM-C(TID, IDM)

C → M: EC-M(OI, Price, NIDC, IDI, VSRequest, h(OI, NIDC, IDI))

VSRequest = EC-I(Price, h(OI), TC, IDM)

VSRequest = (VSRequest, h(OI), TID, Price, NIDC, IDI)

5 CONCLUSION

This research has designed a secure mobile payment system using the personal identification number (PIN) method as a means of encouraging more customers Cn to accept online shopping and increasing their trust in online payment systems. In the system, customers Cn do not need to disclose their financial information during the transaction, and the merchant Mk does not act as an intermediary between customer Cn and the acquirer A. The system has advantages over a conventional e-payment system in providing high security, low cost and convenience, which are key factors in making m-payment more usable. The system is part of the current research.

REFERENCE

1 Akinyede, R. O. and Afolayan, O. J.: Electronic payment system revolution in Nigeria banking industry, in Proceedings of the 20th Annual National Conference of the Nigeria Computer Society, vol. 17, pp. 107-115, (2006).

2 World Internet/ICT Indicator Database: Internet Users and Population Stats, Internet usage statistics - The Big Picture. Retrieved 6th Oct. 2009 from: http://www.internetworldstats.com/stats.htm

3 Kungpisdan, S., Srinivasan, B. and Le, P. D.: A Secure Account-Based Mobile Payment Protocol, in Proceedings of ITCC (1), pp. 35–39, (2004).

4 Changjie Wang and Ho-fung Leung: A Private and Efficient Mobile Payment Protocol, CIS 2005, Part II, LNAI 3802, pp. 1030–1035, © Springer-Verlag Berlin Heidelberg, (2005).

5 Shivani Agarwal, Mitesh Khapra, Bernard Menezes and Nirav Uchat: Security Issues in Mobile Payment Systems, www.csi-sigegov.org/2/14_310_2.pdf, (2008).

6 S. Fong and E. Lai: Mobile Mini-payment Scheme Using SMS-Credit. International Conference on Computational Science and Its Applications-ICCSA, pp. 1106-1114, (2005).

7 PayPal. Online www.paypal.com, (2008).

8 Coppinger, Paul D.: Method and System for Securing a Payment Transaction, http://www.faqs.org/patents/app/20090281949, (2009).

9 Piper, F. and Murphy, S.: Cryptography: A Very Short Introduction. Oxford University Press, Oxford, (2009).
