Mobile e-commerce, or m-commerce, is the buying and selling of goods and services on wireless devices such as smartphones or PDAs. Mobile commerce has become an effective way for businesses to increase revenue by offering convenience to their customers. Many products and services are available via mobile commerce, including mobile money transfer, mobile ATM, mobile ticketing, mobile vouchers, coupons and loyalty cards, content purchase and delivery, and mobile banking. In the last year alone there has been a 103% increase in website traffic from smartphones, with 5.41% of total website traffic coming from iPhones and 3.31% from Android devices (8). With this rate of expansion, the number of security risks and privacy concerns is also growing, driven by new technologies, novel applications and the increasing pervasiveness of the devices. Some privacy risks are unique to mobile e-commerce rather than standard e-commerce; they stem from the limitations, portability, hidden and unconscious computing, and location-awareness of client devices. These risks include platform risks, software application risks, and WMLScript risks. Businesses that want to maximize their sales potential in this growing m-commerce market must offer an easy-to-navigate mobile site or application while also protecting customer data and securing mobile transactions.
Mobile commerce can be defined as any business transaction between a buyer and a seller conducted over the internet using cell phones and other wireless, handheld electronic devices. The mobile commerce phenomenon has grown extremely rapidly in the last few years and is expected to get bigger still. The three types of m-commerce software applications are transaction management (tolls, payments, automatic updates, shopping), digital content delivery (e-mail, short messages, information browsing, directory services, video), and telemetry services (status monitoring, interactive marketing, smart messaging, stock quotations, appliance management) (3). Convenience is the biggest advantage for users of m-commerce: smartphone and wireless device users can shop, use online banking services and download digital media from any location at any time. This gives sellers a wider reach and gives users flexible access. These devices also connect to the internet easily through mobile networks rather than a wired network connection, are easily personalized, and are easy to use. Mobile commerce can reduce transaction time and cost and streamline business processes. Mobile commerce is also changing the way consumers shop in brick-and-mortar stores. About 53% of mobile consumers engage in ‘showrooming’, looking at products in-store and buying them online. Many consumers who showroom do so to find a better price at another store, a better price online, or a better item online. Other popular in-store mobile behaviours include photographing products to send to someone, looking for other stores nearby, looking up product reviews, checking for location-based deals, showing something online to a store employee, and scanning barcodes (9).
Retailers need to adapt to this phenomenon if they want to compete with online retailers, by offering an easy-to-navigate, informative, up-to-date mobile website and by participating in relevant shopping applications.
There are many methods of mobile payment, divided into remote mobile payments and physical mobile payments. Remote mobile payments pay for digital or physical goods through a mobile-web-enabled retailer, while physical mobile payments are made in a physical storefront, just as cash or a debit/credit card would be used. Mobile-web payments let retailers bill for goods and services from a mobile website, much like payment on a typical e-commerce site. Another form is payment via SMS, where the payment is initiated by text message and the funds are billed to the customer or transferred from a registered account in a mobile wallet (such as PayPal). “Direct to bill” payment adds the cost of goods and/or services to the user’s monthly cell phone bill. The two main types of physical mobile payment are “text and pin” and “wave and pay”, in which an application installed on the device completes the transaction in the way a debit or credit card would (11).
Because the mobile market is growing and expanding, it is extremely important for businesses and mobile applications to provide safe and secure transactions for their customers. The differences in security needs between a wired connection and wireless devices are important for understanding the extra security that mobile commerce requires. Technically speaking, mobile commerce over wireless networks is considerably less secure than electronic commerce over wired networks. First, the portability of the devices leaves a greater potential for theft, loss and damage. Reliability and integrity are issues because wireless channels are error-prone due to interference and fading, and handoffs and disconnections also degrade the security systems. As for privacy and confidentiality, the broadcast nature of the radio channel makes it easy to tap, so communication can be intercepted and read without difficulty if no security mechanism such as encryption is employed. Because the devices are mobile, identification and authentication of mobile terminals is harder. Finally, limited computing power, memory, communication bandwidth and battery power make it difficult to use high-level security schemes such as 256-bit encryption (1), so the user cannot run sophisticated cryptographic protocols or engage in rich GUI interaction (6). That last constraint reflects the handsets of the time; current smartphones have hardware AES support and run full TLS, so in practice the first four constraints are the ones that remain.
Security is a crucial aspect of mobile commerce, and its six main goals are confidentiality, authentication, integrity, authorization, availability, and non-repudiation. Confidentiality ensures that information and systems are not disclosed to unauthorized persons, processes, or devices. Authentication ensures that each party in a transaction is who it claims to be and not an impostor. Transactions must have integrity, meaning that the information and systems have not been altered or corrupted by outside parties. Authorization requires procedures that verify the user is permitted to make the requested purchase. Availability means authorized users have timely, reliable access to information in order to perform transactions. Non-repudiation holds parties accountable for the transactions they took part in, so that a user cannot later deny having performed a transaction: the user is given proof of the transaction and the recipient is assured of the user’s identity. Note that a shared-secret mechanism such as a MAC gives integrity and authentication between the two parties but not non-repudiation, since either party could have produced it; non-repudiation needs something only one party can produce, such as a digital signature. A variety of policies and processes support these goals, along with the hardware and software tools needed to protect mobile commerce systems, transactions and the information they process, store and transmit (1).
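The difference between integrity/authentication and non-repudiation is easiest to see in code. The Go program below is an added example and is not part of the original paper or any of the works it cites; the transaction record, the party names and the keys are constructed for illustration. It shows that an HMAC under a secret shared by buyer and merchant proves the record was not altered in transit, but because the merchant holds the same secret it cannot prove the buyer originated the record, whereas an Ed25519 signature under a key only the buyer holds does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction is a constructed sample of the record a handset would submit.
// The nonce gives each purchase a unique identity so that a captured record
// cannot be replayed as a second purchase.
type Transaction struct {
	Buyer       string `json:"buyer"`
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	Nonce       string `json:"nonce"`
}

// canonical returns the bytes that get authenticated; fixed struct field order
// makes the JSON encoding deterministic, so both sides authenticate the same bytes.
func (t Transaction) canonical() []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err) // cannot fail for this plain struct
	}
	return b
}

// Integrity and authentication with a shared secret (HMAC-SHA256).
func macTag(key []byte, t Transaction) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(t.canonical())
	return m.Sum(nil)
}

func macVerify(key []byte, t Transaction, tag []byte) bool {
	return hmac.Equal(macTag(key, t), tag) // constant-time comparison
}

// Non-repudiation with an asymmetric signature: only the buyer can sign.
func signTx(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

func verifyTx(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

// Result records what each party could and could not do in the scenario.
type Result struct {
	MerchantForgedMAC       bool // merchant minted a valid tag for a record the buyer never made
	MerchantForgedSignature bool // merchant produced a valid signature for that record
	TamperingDetected       bool // an in-transit modification was caught by both mechanisms
}

// RunScenario plays out a purchase, a merchant-side dispute and an in-transit edit.
func RunScenario() (Result, error) {
	var r Result
	tx := Transaction{Buyer: "alice", Merchant: "shop-42", AmountCents: 1999, Nonce: "n-0001"}

	// Secret shared by buyer and merchant (constructed here; provisioned at enrolment in practice).
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return r, err
	}
	// Buyer's signing key; the merchant only ever sees the public half.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	tag := macTag(shared, tx)
	sig := signTx(priv, tx)

	// Dispute: the merchant claims alice agreed to a much larger amount.
	inflated := tx
	inflated.AmountCents = 199900
	// Holding the same secret, the merchant can mint a tag that verifies: no non-repudiation.
	r.MerchantForgedMAC = macVerify(shared, inflated, macTag(shared, inflated))
	// Without alice's private key the best it can do is reuse her real signature, which fails.
	r.MerchantForgedSignature = verifyTx(pub, inflated, sig)

	// A relay that rewrites the merchant field is caught by both mechanisms.
	tampered := tx
	tampered.Merchant = "mallory"
	r.TamperingDetected = !macVerify(shared, tampered, tag) && !verifyTx(pub, tampered, sig)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The practical consequence for an m-commerce backend is that a MAC-protected payment request is enough to reject tampering, but a dispute between customer and merchant can only be settled if the request was signed with a key the merchant never held, which is why the paper's non-repudiation goal is listed separately from integrity.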
One of the biggest software risks for wireless devices is known as the “WAP gap”. Wireless requests to web pages are translated at the WAP gateway from WTLS, the transport security protocol of the WAP stack, to SSL, which is widely used for HTTP requests. During the translation from one protocol to the other, the data is decrypted and then re-encrypted (10). The two legs are therefore encrypted hop-by-hop rather than end-to-end, and the gateway, operated by the carrier or a third party, briefly holds every request in plaintext. An attacker who compromises the WAP gateway can read that data in the window between decryption and re-encryption without breaking either protocol. This issue is expected to be solved in the near future by modifying existing protocols (5); any such fix has to make the session end-to-end between the device and the server, so that the gateway only forwards ciphertext.
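To make the gap concrete, here is an added Go simulation, not from the paper or any cited source, in which AES-256-GCM under one key stands in for the WTLS leg and under a second key for the SSL/TLS leg. A gateway object performs the translation and records whatever it could read. The first run sends the payment hop-by-hop, as the WAP 1.x stack does; the second first wraps it in an envelope under a key shared only between the handset and the merchant server, which is the shape any end-to-end fix takes. The keys and the payment bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a random 256-bit key; each leg of the path gets its own.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no entropy, nothing sensible to do
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBox encrypts and authenticates plaintext with AES-256-GCM, prepending the nonce.
func sealBox(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBox reverses sealBox and fails on any modification of the ciphertext.
func openBox(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Gateway models the WAP gateway: it terminates the handset leg (WTLS stand-in)
// and originates the server leg (SSL/TLS stand-in). Seen holds whatever existed
// in the clear inside it, which is exactly the WAP gap.
type Gateway struct {
	handsetKey, serverKey []byte
	Seen                  []byte
}

func (g *Gateway) Relay(fromHandset []byte) ([]byte, error) {
	plain, err := openBox(g.handsetKey, fromHandset)
	if err != nil {
		return nil, err
	}
	g.Seen = append([]byte(nil), plain...) // an attacker on the gateway reads this
	return sealBox(g.serverKey, plain)
}

type Outcome struct {
	HopByHopGatewayReadsPayment bool // true: the gap exposes the payment
	EndToEndGatewayReadsPayment bool // false: the gateway only ever holds an envelope
	ServerRecoversPayment       bool // both paths still deliver the payment intact
}

// Demo sends payment along both paths and reports what the gateway and server saw.
func Demo(payment []byte) (Outcome, error) {
	var out Outcome
	handsetKey, serverKey, e2eKey := newKey(), newKey(), newKey()

	// Path 1: hop-by-hop, the handset encrypts directly under the handset-leg key.
	gw := &Gateway{handsetKey: handsetKey, serverKey: serverKey}
	leg1, err := sealBox(handsetKey, payment)
	if err != nil {
		return out, err
	}
	leg2, err := gw.Relay(leg1)
	if err != nil {
		return out, err
	}
	got1, err := openBox(serverKey, leg2)
	if err != nil {
		return out, err
	}
	out.HopByHopGatewayReadsPayment = bytes.Equal(gw.Seen, payment)

	// Path 2: the handset first seals the payment under a key it shares only with
	// the server; the gateway still translates, but "decrypts" only to ciphertext.
	gw2 := &Gateway{handsetKey: handsetKey, serverKey: serverKey}
	envelope, err := sealBox(e2eKey, payment)
	if err != nil {
		return out, err
	}
	leg1, err = sealBox(handsetKey, envelope)
	if err != nil {
		return out, err
	}
	leg2, err = gw2.Relay(leg1)
	if err != nil {
		return out, err
	}
	env2, err := openBox(serverKey, leg2)
	if err != nil {
		return out, err
	}
	got2, err := openBox(e2eKey, env2)
	if err != nil {
		return out, err
	}
	out.EndToEndGatewayReadsPayment = bytes.Equal(gw2.Seen, payment)
	out.ServerRecoversPayment = bytes.Equal(got1, payment) && bytes.Equal(got2, payment)
	return out, nil
}

func main() {
	out, err := Demo([]byte(`{"card":"4111111111111111","amount_cents":1999}`)) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The envelope key is the part the WAP 1.x design lacked: a secret negotiated between the handset and the origin server that the gateway never learns. Whether that comes from a protocol change that runs the secure session end-to-end or from an application-layer wrapper as above, the gateway is reduced to forwarding bytes it cannot read, and compromising it no longer yields payment data.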
The platform or operating system, the most basic infrastructure for running mobile commerce applications, carries many risks because manufacturers omit many protective features from client devices. A lack of memory protection between processes, protected kernel rings, file access control, authentication of principals to resources, differentiated user and process privileges, and sandboxes for untrusted code leaves the platform vulnerable to attack (13). For example, a popular PDA provides no memory protection for its applications, which poses serious threats to the security and privacy of each application: if a trusted application that uses a private key for signing documents is attacked while the decrypted key is in memory, the key can be read out of the application’s address space. Some of these platform risks can be addressed. Strong authentication mechanisms, including biometrics such as fingerprint recognition, can be built into devices. Software should be authenticated to the user with certificates before it is installed. Access control over principals and objects should prevent unauthorized programs and users from reaching confidential data, and encrypted tunnels or virtual private networks should be built into the platform (5).
On top of a wireless device’s platform risks there are risks in the software applications themselves. Flaws in an application’s logic and implementation create security holes that attackers or malicious websites can exploit. Because low-level languages are used for mobile application development, basic memory-safety flaws such as buffer overflows are common. Also, because of limited computing power, memory and bandwidth, developers make a tradeoff, forgoing security features such as encryption to improve performance (5). Android-powered phones have been attacked by malicious applications that steal personal information saved on the device. Apple reviews each application before it is made available for download, though many developers consider the system too restrictive (12).
WML, the markup language of the WAP stack, is the equivalent of HTML but is derived from XML and provides a uniform interface to wireless applications; WMLScript is its companion scripting language, the counterpart of JavaScript. Scripting is used for client-side processing to offload servers and reduce demand on bandwidth. WMLScript is integrated with WML to reduce network traffic and is optimized for devices with little memory and a small CPU. The security risks of WMLScript stem from a fundamental lack of a security model for secure computation. WMLScript is not type-safe and does not distinguish trusted local code from untrusted code downloaded from the internet, so there is no access control. Scripts can be pushed to the client device without the user’s knowledge, and nothing prevents them from accessing persistent storage. Possible attacks through WMLScript include theft or damage of personal information and abuse of the user’s authentication information (14).
By 2015, mobile commerce is expected to generate $119 billion in revenue worldwide (9). Because of this rapid growth, existing protocols will have to be changed and new protocols will have to be developed to ensure that both consumers and businesses can participate in secure transactions on mobile devices. Eventually, new standards will be introduced and implemented in mobile commerce which will be able to reduce and prevent security risks.