Biometric Security MechanismIn Mobile PaymentsMichael GordonMona Institute of Applied Science, University of West Indies, Kingston, Jamaica & Dr. Suresh SankaranarayananDepartment of Computing, University of West Indies, Kingston, Jamaica

Speaker: 碩資一甲 M9990212 林純智

1.Introduction

Mobile commerce (m-commerce) refers to all purchases made using mobile wireless devices such as smart phones and PDAs.

Already in countries like Japan cell phones usage is a major purchasing method . Individuals already purchase ringtones, media and small applications from manufactures such as apple.

1.Introduction

Mobile commerce can be done by using applications that send TEXT-SMS towards a payment or NFC near field communication in which the phone is swiped against a purchasing station.

one must satisfy the following requirements viz. Identification, Non-repudiation, Data Integrity and Confidentiality.

1.Introduction

Many PDAs and cell phones these days come with finger print scanners. AuthenTec and LG have created a cell phone LP3550

It is found that finger print is a powerful mechanism in biometric authentication.

1.Introduction

Wireless network security protocols and encryption methods are notoriously weak and are easily cracked. It is suggested that m-commerce channels be supported by VPN or public key methods used to share symmetric keys at the start of each session.

2.Security in Mobile Payment Systems

The present security issues surround the loss of personal information through the theft of the cell phone. The use of biometrics has virtually eliminated the possibility of some one gaining access to a third party cell phone directly.

2.Security in Mobile Payment Systems

Similarly other authentication information such as logins and passwords should not be stored on the cell phone, but is gathered at run time.

2.Security in Mobile Payment Systems

The possibility of a man in the middle , attacking at NFC terminals or WAP gateways is of great concern, as these wireless protocols are known to be weak. The WAP gateway provides encryption between the gateway and the client, the gateway has to be authenticated to prevent a fake gateway being placed in a public hotspot by a perpetrator.

2.Security in Mobile Payment Systems

Similarly GSM networks which uses SIMs are vulnerable as SIMs can be cloned, fake base stations can be used to gather or adjust packet communication.

2.Security in Mobile Payment Systems

Security at the server is also paramount; a fraudulent employee could remove or adjust fingerprint templates, passwords or customer information. It is important that public and private keys be held in a secure password protected location on the server.

3.Secured Finger Print based Mobile

Payment Our solution involves the use a biometric

authentication mechanism. Our software would be installed onto a device that has a supporting finger print scanner.

The finger print template would be captured on the phone and compared against a stored template on a database server. A finger print is unique to any one user and so it cannot be easily duplicated.

3.Secured Finger Print based Mobile

Payment We do not intend to store any

authentication or processing information on the phone.

A PKI public key infrastructure provides the strongest known method of security.

3.Secured Finger Print based Mobile

Payment A hash will be created to ensure that a thief

will not be able to capture the finger print in its raw form. Similarly finger prints are not stored on the database in their raw form but as hashes.

1. 輸入信用卡資訊

2. 創建指紋樣版

3. 開啟 SSL 連結並獲得公共金鑰

4. 取得時間戳記和數位簽暑

5. 雜湊指紋樣版

6. 加密雜湊樣版和信用卡 資訊與公共金鑰並發送 到伺服器

7. 客戶身分驗證

8-1. 顯示驗證失敗訊息 8-2. 顯示驗證訊息

4.Implementation details

The implementation of biometric security mechanism is targeted at Java enabled platforms that support CLDC using MIDP form.

The tools used include the

• SUN Microsystems Java Wireless Toolkit.

• Bouncy Castle Lightweight Cryptography package.

4.Implementation details The information collected includes • Firstname • Lastname • Address • Credit Card Number • Security Code • Expiration Date • Signature - this is an image file which is assumed to be

loaded onto the phone by the user or at the bank. • The finger print is to be scanned using an embedded

finger print scanner or an attached device.

4.Implementation details

During a transaction, the credit card information i.e. the credit card number, security code and expiration date are encrypted using a public key received from the bank. As mentioned the finger print is never stored on the phone but is hashed directly into a class on the device using a SHA digest of 512 block size. The signature is also hashed using SHA of 512.

4.Implementation details

where there is a 97% match it is assumed that this is the finger print of the client. The signature is treated in a similar fashion.

If both finger print, signature match then the purchase is authorized. The system will be further secured with a login and password.

5.Conclusion For such mobile payments, we have being

using till now only information like credit card, signature and so on. These security mechanisms are still not secure.

So we here have introduced a biometric mechanism- finger print that gives a better level of security mechanism for mobile payment systems.

In future we propose to interface the fingerprint scanner with the mobile phone for validating too.

Google Wallet GOOGLE 26 日（美國時間）對外宣布推出

手機電子錢包服務，使用 Android系統智慧型手機的消費者通過在收款台的終端機上感應一下手機，即可實現購物支付或兌換優惠券。

Google Wallet 根據一份美國加州高等法院文件， Google

與現任職於 Google 的二位前 PayPal 主管提倫妮斯（ Stephanie Tilenius ）、貝迪爾（ Osama Bedier ），涉嫌竊取行動支付科技的機密。

Google Wallet PayPal 與 Google 之前花了二年的時間，商

討 Android 平台手機的電子錢包應用程式，Google 故意設下障礙造成談判失敗，隨後雇用了談判代表貝迪爾，設計出與 PayPal競爭的產品。

Google Wallet 簡介 Google 的電子錢包技術，簡單地說，就是

用戶在智慧型手機中，利用「 Google 電子錢包」，存入個人的信用卡資訊等，通過「 Google 團購」的優惠活動，就可以收到商家的各種折扣券。購物後，只需拿手機在收費終端機前晃一晃，就可以完成折扣與付款手續，還有紅利積點。

Google Wallet 簡介

Google Wallet 簡介

GoogleWallet 合作對象 目前 Google 錢包是與「花旗萬事達卡」合

作，透過萬事達卡現有付款平台購物。已經有 15 家美國零售商，成為第一批「 Google 錢包」合作商家，有包括百貨商店、快餐店與藥房。

PAYPAL 擁有 8700 萬個活躍帳戶 第二季帳戶成長 300 萬個 淨利為 8.17 億美元 佔 eBay 營收 37%

PAYPAL PayPal 看好「微型付款」 (micropayments)

前景，並打算推出新的服務，方便消費者在網上購買低價電子商品，包括付費閱讀文章、網路遊戲的虛擬物品等。 PayPal總裁湯普森表示，今年底即將推出這項服務，讓業者收取不到 1 美元的微型付款。他指出，目前在網路上購買一把 49 美分的虛擬寶劍，必須先購入 5 或 10 美元額度之後再消費， PayPal 計畫把微型消費整合起來，累計至 10 美元再向消費者收款。

結論 手機必須有 NFC(Near Field

Communication)晶片

新一代塑膠貨幣 帶給人們更便利的生活 Google Wallet on Youtube