CLOUD BASED NFC MOBILE WALLET SYSTEM: A LITERATURE REVIEW

CLOUD BASED MOBILE WALLET SYSTEM A thesis submitted for the degree of Master of Science BY MESIGO, TOCHUKWU NKEMJIKA G2012/MSC/COMP/FT/373 DEPARTMENT OF COMPUTER SCIENCE UNIVERSITY OF PORT HARCOURT, RIVERS, NIGERIA. CHAPTER ONE 1.1 INTRODUCTION This chapter provides an overview of the mobile payment system, an introduction to industry background and the problem statement. It also looks into the research objectives and purpose of study including the significance of the research. 1.2 OVERVIEW The emergence of mobile phones and other mobile communication devices has caused a large significant social and economic impact in the world today and is tipped to continue in such trend in coming years. One area of mobile phone activity that has generated a lot of interest is the use of mobile devices for monetary transactions and mobile commerce. Mobile commerce is a natural successor to electronic commerce. Mobile payments are a natural evolution e-payment schemes that will facilitate mobile commerce. A mobile payment or m-payment may be defined, for our purposes, as any payment where a mobile device is used to initiate, authorize and confirm an exchange of financial value in return for goods and services (Au and Kauffman, 2007). ). Mobile devices may include mobile phones, PDAs, wireless tablets and any other device that connect to mobile telecommunication network and make it possible for payments to be made (Karnouskos and Fokus, 2004). . The adoption of mobile payments globally has followed a path unlike almost any other technological development, with rapid take-up in some developing economies, while advanced economies have been slower to follow. Over the last few years, the mobile and wireless devices market has been one of the fastest growing markets in the world. Mobile devices are the most promising way to reach the masses and to create stickiness among customers, due to their ability to provide services anytime, anywhere, with high rate of penetration and potential to grow. Going by the Nigerian statistics, only 30% of Nigerians have bank accounts and over 70% who possess mobile phones. As of 2009, 68% of the world’s population had mobile cellular subscriptions (ITU, 2009). The growth in mobile telecommunications services is expanding the reach of financial services across wireless networks in the less developed countries, creating the potential for significant growth in mobile commerce and financial inclusion. As more citizens of the developed countries become unbanked as a result of widespread economic crisis, financial service providers have begun to explore the potential of mobile money as a means of enhancing financial inclusion as well as solving the challenges of remittances. Mobile money transfer (MMT) has the potential to catalyze the entire financial service market including mobile payment, banking and transfer because it stabilizes the infrastructure for remote mobile transactions and the concept of mobile wallet (GSMA, 2008). 1.3 STATEMENT OF THE PROBLEM According to the World/UN Foundation and SanBoeuf (2006), about 70% of the population in developing countries, particularly in Africa, majority of the populace live in rural areas and have no access to financial services. Researchers have shown that majority of the populace in the developing nations are rural dwellers that do not have access to basic financial services and are poor. This class of people are peasant farmers and petty traders who rely mostly on remittances from their wards and relations in major cities and abroad to meet their financial obligations at home. The methods of remittances are encumbered with challenges. Mobile money is a tool that allows individuals to make financial transactions using mobile cell phones. Nigeria is one of the fastest growing telecoms nations of the world and the adoption of mobile money will help a great deal to solve the problems associated with remittances 1.4 PURPOSE OF STUDY The purpose of this study is to develop an a mobile application that will enable anyone that has a phone or tablet make payments and also receive payment on their phones. This application will solely make and receive payments using a mobile device. 1.5 OBJECTIVES This paper seeks to promote mobile phone use as a means of expanding access to financial services through the use of cloud computing services and near field communication technology NFC. The core objectives which have been designated as fundamental to this project are: To design and evaluate a novel secure NFC transaction authentication protocol based on our third developed model which proposes a trusted relationship between multiple MNOs and the merchant in order to provide a complete transaction solution To consider the existing cloud computing and NFC transaction models in order to understand the limitations which have been raised regarding the adoption of this technology. To consider the existing NFC transaction models in order to understand the limitations which have been raised regarding the adoption of this technology. To provide authorities and the private sector with knowledge, tools and examples in a new service-based approach that combines the strengths of cloud computing and NFC. To develop a payment model based on the results and limitations obtained from consideration of the existing models. 1.6 LIMITATION OF THE STUDY The application that will be built will only run on android operating system. This implies that only mobile phones with android operating system can use the application. 1.7 PROJECT MOTIVATION The emergence of cashless economy initiative by the central bank of Nigeria has created the need for a secured mobile payment platform that can process financial transactions efficiently. This is a source of motivation to me. 1.8 SCOPE OF STUDY This Project centers on the development of a mobile application software that can serve as an efficient alternative to the physical wallet using mobile cloud computing concepts. 1.9 SIGNIFICANCE OF STUDY This study is of significance in the following ways: It will enable anyone to make financial transactions using their mobile phones. It will enhance the cashless policy of the Central Bank of Nigeria. It will eliminate the risks involved in handling physical cash. It will enhance economic activities in Nigeria if implemented. It will help researchers in the field. It will provide a common platform for everyone with a mobile phone or communication device to get connected financially. It will add to existing knowledge in the field. It will enhance I.T proficiency among the public since it involves the use of a digital communication device . 1.10 ORGANIZATION OF STUDY This study is organized in five chapters. Chapter one is the introduction which includes the statement of the problem, the project motivation, significance of study, scope of study, limitation of study, organization of study, definition of terms and table of abbreviations. Chapter 2 is the literature review which contains the overview and history of cloud computing, its advantages and disadvantages, benefits and challenges, its deployment models and the near field communication NFC. Past Literatures on the subject were also reviewed. Chapter three is the System analysis which describes the methodology used in this research. Cloud computing models were also reviewed and an improved model was proposed. Chapter four is the design and implementation which contains step by step procedures to developing the proposed application. Chapter five is the conclusion and recommendations. 1.11 DEFINITION OF TERMS MCP application An application residing in a secure environment performing the payment functions related to a Mobile Contactless Payment, as specified by the Mobile Contactless Payment application issuer in accordance with the payment scheme. Mobile device Personal device with mobile communication capabilities such as a telecom network connection, Wi-Fi, Bluetooth … which offers connections to internet. Examples of mobile devices include mobile phones, smart phones, tablets ... Mobile Network Operator (MNO) A mobile phone operator that provides a range of mobile services, potentially including facilitation of NFC services. The MNO ensures connectivity Over the Air (OTA) between the consumer and its PSP using its own or leased network (the latter are sometimes referenced as MVNOs - Mobile Virtual Network Operators). Mobile payment service Payment service made available by software/hardware through a mobile device. Mobile payment service issuer A PSP providing the mobile payment application (Mobile Contactless Payment or Mobile Remote Payment), authentication application and/or credentials to the consumer/payer. Mobile proximity payment A mobile payment where the communication between the mobile device and the Point of Interaction device takes place through a proximity technology (e.g., NFC, QR code, etc.). Mobile Remote Payment (MRP) A payment initiated by a mobile device whereby the transaction is conducted over a mobile telecommunication network (e.g., GSM, mobile internet, etc.) and which can be made independently from the payer’s location (and/or his/her equipment). Mobile Remote Payment (MRP) application An application residing in a secure environment performing the payment functions related to a Mobile Remote Payment, as specified by the Mobile Remote Payment application issuer in accordance with the payment scheme. Mobile service Service such as identification, payment, ticketing, loyalty, etc., made available through a mobile device. Mobile service issuer The provider of a mobile service. Mobile wallet A digital wallet accessed through a mobile device. This service may reside on a mobile device owned by the consumer (i.e. the holder of the wallet) or may be remotely hosted on a secured server (or a combination thereof) or on a merchant website. Typically, the so-called mobile wallet issuer provides the wallet functionalities but the usage of the mobile wallet is under the control of the consumer. Mobile wallet gateway A service operated by the mobile wallet issuer or a trusted third party acting on its behalf, which establishes for mobile transactions a link between the consumer/payer and its mobile wallet and between the mobile wallet and the payment gateways. During the payment transaction, it allows the payment gateway to receive authentication data directly from the mobile wallet. For life cycle management, it establishes a link between the mobile wallet and the mobile wallet issuer to download credentials, payment and/or authentication applications from the PSP. Mobile wallet issuer The service provider that issues mobile wallet functionalities Mobile wallet passcode A code entered by the consumer/payer4 via his/her mobile device that may be required to activate a mobile wallet. It is sometimes referred to as "mobile wallet credentials". Network operator The provider of data connectivity to the consumer and potentially other services. MNOs and ISPs are examples of network operators. NFC (Near Field Communication) A contactless protocol specified by ISO/IEC 18092 . On-line passcode Secret data known by the consumer/payer and used for remote financial services, such as on-line banking, SCT payments, etc., to verify its identity. Payer A natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order. Payment account Means an account held in the name of one or more payment service users which is used for the execution of payment transactions. Payment component Either a dedicated mobile payment/authentication application and/or a set of credentials. Payment component User Interface (UI) Enables the consumer/payer to manage a specific mobile payment service through a dedicated user interface. Depending on the payment component type, it may be a mobile payment/authentication application UI (provided by the PSP) or a credentials manager UI. Payment gateway A service operated by a beneficiary’s PSP or a trusted third party that manages the authorisation of payments for merchants. It facilitates the transfer of information between the payment portal (such as a website or mobile device) and the beneficiary’s PSP. Payment scheme A single set of rules, practices, standards and/or implementation guidelines agreed between PSPs for the execution of payment transactions and which is separated from any infrastructure or payment system that supports its operation Payment Service Provider The bodies referred to in Article 1 of the and legal and natural persons benefiting from the waiver under Article 26 of the Payment system A funds transfer system with formal and standardised arrangements and common rules for the processing, clearing and/or settlement of payment transactions . Payment transaction An act, initiated by the payer or by the beneficiary, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the beneficiary (as defined in [9]). POI device “Point of Interaction” device; the initial point where data is read from a consumer device (such as a PC or mobile phone) or where consumer data is entered. As an electronic transaction-acceptance product, a POI consists of hardware and software and is hosted in acceptance equipment to enable a consumer to perform a payment transaction. The merchant controlled POI may be attended or unattended. Examples of POI devices are Point of Sale (POS), vending machine, Automated Teller Machine (ATM) or merchant website (a so-called “virtual POI”). Secure Element (SE) A certified tamper-resistant platform (device or component) capable of securely hosting applications and their confidential and cryptographic data (e.g., key management) in accordance with the rules and security requirements set forth by a set of well-identified trusted authorities. Examples include universal integrated circuit cards (UICC), embedded secure elements, chip cards and secure digital cards. Secure environment A system which implements the controlled storage and use of information. A secure environment is used to protect personal and/or confidential data. It may be located in the mobile device, such as a Secure Element or a Trusted Execution Environment, or located in a remote Secured Server. Secured Server A web server with secure remote access that enables the secure storage and processing of payment related data. Static authentication An authentication method that uses always the same authenticator (e.g., card data). Strong authentication A dynamic authentication method which involves at least two independent authenticators. This means that at least one of them is dynamic. Trusted Execution Environment (TEE) An execution environment that runs alongside, but isolated from a main operating system. A TEE has security capabilities and meets certain security-related requirements: it protects TEE assets from general software attacks, defines rigid safeguards as to data and functions that a program can access, and resists a set of defined threats. Trusted Service Manager (TSM) A trusted third party acting on behalf of the secure element issuers and/or the mobile payment/authentication application issuers in the case where a secure element is involved, or on behalf of the mobile wallet issuers. Trusted Third Party (TTP) An entity which facilitates interactions between stakeholders of the ecosystem who all trust this third party. Examples of TTPs include TSMs and payment gateway providers. Umbrella UI Mobile wallet user interface component managing the portfolio of mobile payment services accessed through the mobile device. The umbrella UI is located in the mobile device. User Interface (UI) An application enabling the user interactions. Examples are umbrella UI, mobile payment/authentication application UI and credentials manager UI. User Verification Method A method for checking that a user (consumer) is the one claimed. 1.12 ABBREVIATIONS Abbreviation Term C2B Consumer-to-Business C2C Consumer-to-Consumer CSM Clearing and Settlement Mechanism CVM Cardholder Verification Method ETSI European Telecommunications Standards Institute GP GlobalPlatform GSMA The GSM Association HSM Hardware Security Module IBAN International Bank Account Number ISP Internet Service Provider MCP Mobile Contactless Payment MNO Mobile Network Operator MRP Mobile Remote Payment MVNO Mobile Virtual Network Operator NFC Near-Field Communications OS Operating System OTA Over the Air PAN Primary Account Number PC Personal Computer POI Point of Interaction PSD Payment Services Directive PSP Payment Service Provider QR code Quick Response code SCP SEPA Card Payment SCT SEPA Credit Transfer SDD SEPA Direct Debit SE Secure Element TEE Trusted Execution Environment TSM Trusted Service Manager TTP Trusted Third Party UI User Interface CHAPTER 2 2.1 Introduction Money has evolved several times in human history from the days of the barter trade, from coins to paper, then plastic and now phones. About 15 years ago, the mobile phone was used for making calls, playing simple games and texting friends. Today, mobile phones can be used to access the Internet, make video calls, take photos, find your location on a map, purchase transport tickets, and even for banking, among many other applications. The main drivers behind the success of mobile money are the explosive growth in the number of mobile devices and the fall in the cost of computing power, which have lowered the barriers to new entrants in this field. Mobile money (m-money) is quite versatile and can support a variety of services, in particular, person to person (P2P) money transfers, which are of significant value for emerging economies. There are three main types of mobile financial services with some degree of overlapping among the functionalities offered by applications in each category: • Mobile payments; • Mobile money transfer; and • Mobile banking. Mobile payments cover many types of transactions which fall into two categories: transactions with a remote merchant or proximity payments at the merchant site. Mobile money transfer is also a broad term and in this report refers mainly to the transfer of money from one individual to another. The transfer can be domestic or international and can also be called a “peer to peer” (P2P) payment. When the transfer is international, it is referred to as an international remittance. Mobile banking allows users to manage their bank accounts remotely from their mobile devices. The mobile wallet is the most common type of mobile money service in the news. An electronic account held on the mobile device known as a “mobile wallet” has various functional features such as converging deposit accounts, credit accounts, loyalty accounts, merchant accounts, gift cards and coupons stored on the mobile device with a remote communication facility for use anywhere, anytime. In developed countries, the mobile wallet can also be conceived as a container for different payment instruments, such as cash and cards. The mobile wallet can be a menu on the phone which provides access to different payment instruments and payment account information. 2.2 Cloud Computing Nowadays it is impossible to read a technology journal or blog without coming across the term cloud computing. While some might think that cloud computing is just a new buzzword, something companies use to sell services, cloud computing is transforming the way we deploy technology. The cloud is often used in a very general way and labelled on products that are not necessarily cloud computing services, but this paper provides a perspective on cloud computing and sheds light on the sometimes ambiguous understanding of cloud computing. Cloud computing is not just a service being offered from a remote data center. It is a set of approaches that can help organizations quickly, effectively add and subtract resources in almost real time. Cloud computing provides the means through which resources such as computing power, computing infrastructure and applications can be delivered to users as a service wherever and whenever they need over the Internet. Cloud services include the delivery of software, infrastructure, and storage over the Internet based on user demand. Mell and Grance from the U.S. National Institute Standards and Technology defined cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”[7]. Plummer, Bittman, Austin, Clearley, and Smith (2009) explained it as “a style of computing where massively scalable IT-enabled capabilities are delivered as a service to external customers using Internet technologies” [8]. The 451 Group defined cloud computing as “an IT as a service, delivered by IT resources that are independent of location [9] and Buyya, Yeo and Venugopal (2008) define the cloud as ”a type of parallel and distributed system consisting of a collection of interconnected and virtualized computers that are dynamically provisioned and presented as one or more unified computing resources based on service-level agreements established through negotiation between the service provider and consumers”. After examining the definitions given of cloud computing it helps us clarify the term and what it involves; briefly cloud computing is a way of delivering computing services such as software, servers or storage over the Internet in a self-service manner. Instead of having to install, maintain and manage these resources, one only needs to access and use them through a web browser or a specifically designed user interface. Cloud computing can be used to overcome the limitations of data centers. An enterprise data center is where servers and storage are located, operated and managed. A functional data center requires a lot of power, a lot of space, cooling, maintenance and so on. Most of human activities such as energy, lighting, telecommunications, Internet, transport, urban traffic, banks, security systems, public health and entertainment are controlled by data centers. People rely on the functioning and availability of one or multiple data centers. The process of adding and releasing resources in the traditional data center cannot be done in an automated or self- service manner, but in the cloud, users can request extra resources on demand and also release them when they are no longer needed. The fact that the cloud can easily expand and contract is one of the main characteristics that attracts users and businesses to the cloud. Furthermore, as enterprises grow and there is a need for more resources, IT departments usually add hardware to the data center and buy new software, which makes the data center even more large and complicated. Managing a big data center that is still expanding is stressful for IT management, thus the introduction of technology advancements such as virtualization. Even though these advancements in technology have enabled much more efficiency and cost effectiveness, companies are still overwhelmed with a lack of ability to satisfy customers’ needs. The public cloud enables companies to make use of external resources to improve their ability to offer services requested by users without investing in new infrastructure, training new personnel, or licensing new software. With cloud computing, there are no servers to maintain, which gives companies time to focus on other tasks; hence improving productivity. The public cloud involves end users that benefit from cloud services without knowing the underlying technology and cloud service providers that are responsible for the IT assets and maintenance. 2.2.1 Cloud Computing History Cloud computing has been possible through development in a variety of areas. As computer hardware evolved, so did software, as communication networks developed so did the protocols for how computers communicate. The communication rules and standards in turn affected the evolution of Internet software that made cloud computing possible. According to Carr, what is occurring nowadays is very similar to what happened during the industrial era. During the industrial era many industries had to provide their own electricity by wind or water mills to power their machines. As electricity through power lines became cheaper, more available and more reliable, there was no need for the industries to produce their own energy. Carr says that the organizations of today face the same shift as the ones during the industrial era, except today the shift is toward cloud computing. [10] Toffler states that a civilization goes through different waves of development: the first wave was the agricultural societies, the second one was the industrial age and what we are now facing is the third wave; the information age [9]. Development in various areas have led to the development of cloud computing. Some areas have affected the growth more than others, for example virtualization, utility computing, outsourcing and grid computing, are areas that have had a great impact on cloud computing. Virtualization IBM introduced virtualization in the early 1960s. Virtualization makes it possible to run several operating systems on one server simultaneously, but separates them as if they were on their own server. The difficulty comes from the fact that today’s computers are designed to run just one operating system and application at a time. Virtualization allows multiple operating systems and applications to share a single hardware host. Each virtual machine is isolated from the others by the hypervisor, and uses as much of the host’s computing resources as it requires. A hypervisor monitors the virtual machine in a way that each operating system appears to have the host's processor, memory, and other resources all to itself. The hypervisor controls the host processor and resources, allocating what is needed to each operating system, and making sure that the guest operating systems (virtual machines) cannot disrupt each other. The difference between virtualization and cloud computing is that virtualization is part of a physical infrastructure, while cloud computing is a service. There is also a difference in costs: using virtualization requires upfront costs but with cloud computing the charges are based on how much resources are used. Utility Computing “Utility computing can be defined as the provision of computational and storage resources as a metered service, similar to those provided by a traditional public utility company” [11]. The idea of utility computing is to provide computing resources like how electricity, telephone or water is provided. We pay for the amount that we use and it should be available to us. The main benefit of utility computing is better economics. Corporate data centers are underutilized, with resources such as servers often idle 85 percent of the time. Utility computing allows companies to only pay for the computing resources they need, when they need them. Utility computing differs from cloud computing by the fact that it relates to the business model in which application infrastructure resources are delivered, whereas cloud computing relates to the way we design, build, deploy and run applications that operate in a virtualized environment, and offering the ability to dynamically grow, reduce and self-services. Outsourcing Outsourcing is the act of one company contracting with another company to provide some services. Often the company itself could perform the tasks that are outsourced, but in many cases there are financial advantages that come from outsourcing. In comparison to cloud computing there are similarities but also some differences. Companies can outsource parts, or their whole IT department, on companies specialized on that particular field. For example a company that outsources the setup, maintenance and storage of their servers so that they do not have to have them onsite, on their company compound. This is similar to PaaS or IaaS where cloud computing vendors take care of the platform and/or infrastructure. There are many similarities but the differences lie in the quickness of providing the services and agreements from the outsourcing company or the cloud provider. Unlike traditional outsourcing that requires lengthy contracts that usually just carry on as long as the contracts agree on, cloud computing offers a predefined solution that matches the need of the customer’s application [6]. There is usually no initial cost, and the customer only pays for what is being used and nothing more. There are also some differences in the level of management, security and support when comparing cloud services and traditional outsourcing. Grid Computing The term “Grid computing” originated in the 1990s and refers to the idea of making computing accessible in similar manner to how a power grid works. “Grid computing is a form of distributed computing that implements a virtual supercomputer made up of a cluster of networked or Internetworked computers acting in unison to perform very large tasks”. Many cloud service providers offers services similar to grid computing by the pay-peruse model and perceived unlimited computing resources. However, cloud computing should be viewed as a step away from the grid utility model [11]. The fields overlap each other on several points, but the main difference between the two of them is how data is processed. In grid computing the user usually makes few but very large request. Only a few of these requests can be processed at any given time and others might be queued. However, cloud computing users do several small allocation requests, where allocations happen in real time. 2.3 Cloud Computing Features Overall, the cloud embodies the following key features: Resource pooling and Elasticity Self-service and automatic services Access over the Internet Billing in a pay-per-use model Each of these characteristics is described in more detail in the following sections. 2.3.1 Resource Pooling and Elasticity Resource pooling is the ability to scale up and down to serve multiple customers using a multi-tenant model with different physical and virtual resources dynamically assigned and reassigned according to demand. Often, the service provider cannot predict how customers will use the service. Some customers might use the service a few times during their highest seasons, while others might use it as a primary development platform for all of its applications. Therefore, the service needs to be available all the time and it has to be designed to scale upward for high periods of demand and downward for lighter ones. The service also needs to scale when additional users are added and when the application requirements change. 2.3.2 Self-service and Automatic Services Cloud Computing allows customers to get cloud services easily without going through a long process. The customer simply requests an amount of computing, storage, software, process, or other resources from the service provider. This is an advantage that cloud computing offers compared with the process one has to go through when requesting new services from a typical data center. Before implementing a new application, the IT department has to submit a request to the data center for additional computing hardware, software, services, or process resources. The data center evaluates all requests from various departments and assesses the availability of existing resources versus the need to purchase new hardware. After new hardware is purchased, the data center is configured for the new application. This proves to be a long and complicated process that can be made easier by using cloud services. [12] 2.3.3 Access over the Internet The access of services over the Internet allows convenience. Access over the Internet means that resources hosted in the cloud are available for access from a wide range of devices and from several locations that offer online access [12]. Users are able to access data and services wherever and whenever they need, from the home computer, tablets, or smartphones. Usually, this was done through a browser, to avoid the need to install local software. However, cloud-based applications are now available in order to access data anytime it is needed. As will be discussed later , cloud computing has different deployment models: private, public and hybrid clouds. In a private cloud, secure data is accessed only by company employees within a company's own firewall. The company operates its own infrastructure, including a data center full of servers. Public cloud computing is when companies use an outside company to host servers or other cloud services that the company accesses for its employees. Access over the Internet might cause some security issues in a private cloud, but, as more employees use smartphones, tablets to access company resources or may want to work from their homes, a need for a network access over the Internet arises which may cause the company to adopt a hybrid cloud that combines both a private and a public cloud. 2.3.4 Billing in a Pay-Per-Use Model Pay only for the services used, and no more. Rather than paying a 100 percent for servers that are only used 20 percent of the time, one only pays for the exact number of resources used. The ideal cloud providers charge usage in terms that everyday people; not just IT systems administrators, understand. A cloud environment needs a built-in service that bills customers. Of course, to calculate that bill, usage has to be tracked. [12] For example measuring the storage, bandwidth, and computing resources consumed, and charging per stored gigabytes, transferred bytes, used computing hours, number of active user accounts per month or performed transactions. A pay-per-use model involves different payment mechanisms, such as subscription based payment, reservation based payment, consumption based and so on. In subscription based payment, the user has monthly or yearly fees to access the service. A pay-per-reservation method is when the user pays for the duration of the service. How much of the infrastructure used from the moment the service started is not necessary, the user will be charged according to the time. In consumption based, the user’s consumption is measured and charged according to the amount of memory, CPU cycles, disk space, and network traffic. These examples show that there are different approaches to the pay-per-use model, but they are all based on the amount of resources used or the period the service was available. 2.4 Cloud Computing Deployment Models A cloud deployment model defines where the physical servers are deployed and who manages them. Cloud computing deployment models are: Public cloud Private cloud Community cloud Hybrid cloud, which combine both public and private In the public cloud, the infrastructure is designed to make the services available to public users on the Internet. For the private cloud the infrastructure is configured exclusively for a private user, meaning an enterprise or organization where the services can only be accessed locally, and the organization’s IT department manages it. The infrastructure for the community cloud is shared by several organizations and supports a specific community that has common concerns (e.g. security requirements). The organization or a third party may manage it. As for the hybrid cloud the infrastructure is comprised of two or more clouds (private, community, or public) that remain unique entities but are communicating with one another by standardized technologies that enable data and application portability [7]. 2.5 Cloud Computing Service Models The three cloud service delivery models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These services are classified into three models to help us understand them; they are tasks that have been put together in order to be delivered to customers whenever they need them. The Infrastructure as a Service layer offers hardware, storage, servers, data center space and network components that developers and IT organizations use to build and deliver solutions. The Platform as a Service layer offers development environments, which software developers can use to create fully functional products or services. [12] The Software as a Service layer offers software over the Internet. The customer accesses those services with defined interfaces. These interfaces are all that the user ever comes in contact with. For example when watching a movie via Netflix the customers only sees the screen that enables selecting and watching the movie, they never see the underlying infrastructure and what happens behind the scenes to allow Netflix to deliver so many movies to many people. In cloud computing the underlying infrastructure that provides the service may be very complex, but the user does not need to understand this infrastructure in order to use it. 2.5.1 Infrastructure as a Service Infrastructure as a Service (IaaS) is the delivery of computer hardware (servers, networking technology, storage, and data center space) as a service. It may also include the delivery of operating systems and virtualization technology to manage the resources. Instead of buying and installing computing resources in their own data center, customers rent them. An IaaS provider is responsible for operating and maintaining the equipment it provides for a customer. Clients pay on a per-use basis. One of the characteristics of IaaS includes dynamic scaling to ensure more resources will be automatically given to the client in case they need them. Also, the service involves an agreed-upon service level in terms of availability and response to demand. For example, it might be stated that the resources will be available 99.999 percent of the time and that more resources will be provided dynamically if greater than 90 percent of any given resource is being used. [12] An example of an IaaS is Amazon’s Elastic Compute Cloud (Amazon EC2). It provides a web interface that allows customers to access virtual machines. The use of the term elastic in the naming of Amazon’s Infrastructure as a Service refers to the ability that EC2 users have to easily increase or decrease the infrastructure resources assigned to meet their needs. The user needs to initiate a request; the service provided is not dynamically scalable. 2.5.2 Platform as a Service Platform as a Service (PaaS) is a concept that describes a computing platform that is rented or delivered as a solution stack, which is an integrated set of software that provides everything a developer needs to build an application. The PaaS service delivery model allows a customer to rent virtualized servers and associated services used to run existing applications, or to design, develop, test, deploy and host applications. Recently web-hosting companies have been offering software stacks for developing web sites. PaaS can be considered an advancement of web hosting because it provides also a lifecycle management which is the process of managing the entire lifecycle of a product. It also involves all the software development stages from planning and design, to building, deployment, testing and maintenance.[12] The main advantage of PaaS is not having to worry about managing and maintaining the infrastructure, and only focus on developing the product. PaaS is also delivered with dynamic scaling; it can automatically scale up or down. An example of Platform as a Service is the Google App Engine. 2.5.3 Software as a Service Software as a Service (SaaS) is a model for the distribution of software where customers access software over the Internet. In SaaS, a service provider hosts the application at its data center and a customer accesses it via a standard web browser [7,1-3]. SaaS has its roots in Application Service Providers (ASPs), which used to host and manage business applications. SaaS extends the idea of ASPs; they require installation of software on users' personal computers, but SaaS solutions rely on the web and only require an Internet browser for users to access services. Also, while most ASPs maintained a separate instance of the application for each business, SaaS solutions normally utilize a multi-tenant architecture, in which the application serves multiple businesses and users, and partitions its data accordingly. The price of the software is on a per-use basis and businesses are able to reduce capital expenditures. Furthermore, before acquiring new software, businesses can test them first on a rental basis and if they find them appropriate, they can purchase them. Examples of Software as a Service are Microsoft Office 365 and Google drive. 2.6 Advantages of Cloud Services There are several benefits with cloud computing that companies can use to reduce costs while providing a high level of service to customers. This section will show how cloud computing can benefit an organization. 2.6.1 Improved Business Agility In the ever-changing market, businesses need to be able to adapt rapidly and cost efficiently to changes in the business environment. Cloud computing offers a way to save time and money by providing the ability to add new infrastructure quickly and in a self-service manner. Managing the internal information systems is not the core competence for most companies. Therefore, by using cloud services, IT management will be able to focus on supporting the corporate business values, while the cloud provider takes care of the IT needs. 2.6.2 Reduced Costs With the introduction of the cloud, companies can test a new application or develop a new application without first investing in hardware, software, and networking, and if they like it they would go ahead and purchase it. A need might arise to increase storage or buy new software for various departments, but there is not enough money to buy all those services at once. Cloud service vendors might rent storage on a per gigabyte basis. Companies are often confronted with the need to improve the functionality of IT while reducing costs. By adopting the cloud computing pay-as-you-go model, where one only pays for the amount of resources they use or respectively for the time the service is accessible, companies are able to avoid a large initial investment and instead pay for the functionality as an operating cost. 2.6.3 Elasticity and Scalability Computing resources are dynamically assigned, released, and reassigned according to consumer demand. Elasticity means that the platform can handle sudden, unexpected, and large loads. This could be due to an event happening that results in a vast but short influx of users on the system. Scalability is a planned level of capacity that is able to scale up or down in a quick and easy manner when more or less resources are needed. In cloud computing resource allocation can get bigger or smaller depending on demand. For example, an application can scale when adding users and when application requirements change. 2.6.4 Rapid Application Development Using cloud computing to build, test, and deploy applications, reduces the overall development time, due to the cloud platform's ability to simplify the development process and the ability to quickly get the development resources online. Cloud-based development platforms in PaaS and IaaS clouds, such as Google, Amazon Web Services, Microsoft, and Salesforce.com offer developers the ability to self-provision development and testing environments without having to wait for hardware and software to be installed in the data center. It allows them to quickly get applications into production and to scale those applications as required. This enables cost savings and efficiency. 2.7 Disadvantages of Cloud Services Companies require an ideal performance, a perfect implementation and a 100 percent uptime in order to satisfy customers. They also want to be able to get new infrastructure quickly, but have limited budgets. While cloud computing can offer all that, it comes with a few flaws. This section introduces us to cloud computing disadvantages. 2.7.1 Security There is a concern in larger organizations towards turning over their operations and data to a cloud-based service provider. A recent study done by the International Data Corporation (IDC), shows that almost 75 percent of Chief Information Officers and IT executives are concerned about the security when using cloud services. Before using cloud services, companies need the right level of security to make sure that another company cannot access the information or be maliciously accessed by a hacker. 2.7.2 Vendor Lock-in When using Platform as a Service, customers may find it difficult to move their applications to another development environment without rewriting them. When in need to switch to another PaaS vendor, rewriting the applications might cost companies plenty of money. This drawback has opened up a new approach: Open Platform as a Service. This is the same service as Platform as a Service, but customers are able to choose through a variety of development software, there are no limitations and it prevents customers from being locked in. 2.7.3 Misuse of Data There is a risk that data could be permanently lost by a cloud computing service provider due to various reasons such as technical errors or physical disasters like fire. Also, a crooked employee that has access to the data might misuse it or the data might be compromised by external parties. Even though these issues are not likely to occur, because the providers usually have back-up and proper security techniques, it is important for a company to consider how to address data loss or misuse in its agreement with the provider. 2.7.4 Lack of Maturity Cloud computing is still in its new phase and users may not fully understand how to utilize the capabilities of the concept [14]. Users might ask themselves questions like what happens to their data when the cloud provider is no longer there. Currently, there is no way for a cloud storage service provider to directly transfer customer data to another provider. If a service goes down, the hosting company must return the data to its customer, who then must find another provider. In addition, there are no rules regarding data removal. When a customer asks a cloud vendor to delete some of their data, it is not done right away. Cloud service providers use a "garbage collection" method for deleting old data. The data to be erased is marked first, then the actual deletion or overwrite process takes place at a later date, sometimes months later. 2.8 Mobile Cloud Computing The term “mobile cloud computing” was introduced not long after the concept of “cloud computing” launched in mid-2007. It has been attracting the attentions of entrepreneurs as a profitable business option that reduces the development and running cost of mobile applications, of mobile users as a new technology to achieve rich experience of a variety of mobile services at low cost, and of researchers as a promising solution for green IT. Mobile Cloud Computing at its simplest, refers to an infrastructure where both the data storage and the data processing happen outside of the mobile device. Mobile cloud applications move the computing power and data storage away from mobile phones and into the cloud, bringing applications and mobile computing to not just smartphone users but a much broader range of mobile subscribers. Aepona [6] describes MCC as a new paradigm for mobile applications whereby the data processing and storage are moved from the mobile device to powerful and centralized computing platforms located in clouds. These centralized applications are then accessed over the wireless connection based on a thin native client or web browser on the mobile devices. Mobile cloud computing is the availability of cloud computing services in a mobile ecosystem, in other words using Cloud Computing principles to deliver applications and services for mobile devices. Developments in mobile hardware and software have enabled users to perform tasks that were once only possible on personal computers and other devices like digital cameras and GPS navigation systems. Mobile users are now connected to the Internet, they can capture and manage photos and videos, play music and movies, and play complex games. However, the increasing number of mobile applications requires more resources in terms of storage and processing capability. Mobile devices compared to desktop computers, have less computing power, less storage capacity and battery limits. Demanding applications such as video streaming and mobile games need more resources on mobile devices for a better user experience. Migrating computing and major data processing tasks to the cloud can fill the gap between resource demand and supply in mobile devices. Definitions of mobile cloud computing can be classified into two categories. The first one denotes carrying out data storage and processing outside mobile devices [13]. Mobile devices tasks are reduced because the storage and computing processes take place in the cloud. The second category refers to mobile cloud computing as an extension of cloud computing in which foundation hardware consists at least partly of mobile devices. This definition acknowledges an opportunity to harness the collective sensing, storage, and computational capabilities of multiple networked phones to create a distributed infrastructure that can support new applications. By using the combined data and computational abilities of an entire network of smartphones, useful results for clients both outside and within the mobile network can be generated. This interface and the underlying hardware would create a mobile-cloud upon which certain mobile phone tasks could be performed. [13] In figure 2, mobile devices are connected to the mobile networks via base stations (e.g., base transceiver station (BTS), access point, or satellite) that establish and control the connections between the networks and mobile devices. Mobile users’ requests and information (e.g., ID and location) are transmitted to the central processors that are connected to servers providing mobile network services. Figure 2.1 Mobile Cloud Computing Architecture As shown in figure 2.1, mobile cloud computing can be simply divided into cloud computing and mobile computing (mobile devices, mobile applications, the infrastructure of mobile networks and protocols). Those mobile devices connect to a base station by 3G, 4G, WIFI, or GPRS. Mobile network operators provide the necessary services to mobile users such as provisioning, billing and AAA (Authentication, Authorization, and Accounting) based on the home agent (HA) and subscribers’ data stored in databases. After that, the subscribers’ requests are delivered to a cloud through the Internet. In the cloud, cloud controllers process the requests to provide mobile users with the corresponding cloud services. 2.8.1 Challenges Resource Limitations The main issue with the mobile cloud is the resource limitations of mobile devices. Compared to desktop computers, they have less memory, less compute power, and battery capacity limits. The mobile cloud is often viewed as SaaS, meaning that computation and data handling are usually performed in the cloud. Smartphones often access the cloud through web browsers or thin clients. [23] Reduced battery lifetime is a fundamental challenge for mobile devices. Mobile devices are less powerful and use a battery, whose capacity is limiting and prevent users from completely relying on their mobile device. It is therefore important to maximize battery life through the careful partitioning of application functions across servers and devices. Latency and Bandwidth Latency and bandwidth affect the mobile cloud as well. Wi-Fi improves latency but may decrease bandwidth when many mobile devices are present. Wireless connectivity is characterized by variable data rates and intermittent connectivity due to gaps in coverage. The dynamic nature of application throughput demands, subscriber mobility and uncontrollable factors such as weather, can cause bandwidth capacity and coverage to vary. Bandwidth for 3G cellular may further be limited by cell tower bandwidth in some areas. Similarly, connectivity may be irregular. Internet service providers are implementing 4G networks to help them meet the growing end-user demand for more bandwidth, higher security and faster connectivity on the move. Security Issues Security issues increase with mobile devices. It is easier to lose a mobile device and in case that device contains sensitive data just downloaded from the cloud, it could lead to an information leakage and data loss. Cloud computing users prove their identities with digital credentials, typically passwords and digital certificates. If an attacker could fake or steal these credentials, the cloud computing system will suffer from spoofing attacks. Mobile devices have less computing power to execute sophisticated security algorithms; therefore mobile cloud computing is more prone to attacks from hackers. In addition, it is difficult to enforce a standardized credential protection mechanism due to the variety of mobile devices. 2.8.2 Solutions Various solutions have been proposed to challenges often faced by mobile cloud computing. In this section, some of the solutions are reviewed. Offloading Mobile Applications Offloading mobile applications to the cloud is a way to save on device energy consumption because it reduces the amount of local processing. However, it is not possible to completely delegate the execution of all applications in the cloud. Application architects need to think about partitioning application functionality that can be offloaded on cloud versus executed on the mobile device. For example some non-display applications like virus scanning are more suited for being offloaded to the cloud. To achieve seamless and transparent migration and offloading, the application should be partitioned, meaning dividing the complex workload into lighter components that can be processed simultaneously. 4G Technology One of the biggest enablers for network reliability in mobile cloud computing will be the full implementation of 4G Technology, which will help with issues of latency and bandwidth. HTML5 also allows specification of offline support, which makes local storage possible, helping with connectivity interruptions. One example of an HTML5 benefit is the ability to watch a video without a plug-in like Adobe Flash or Microsoft Silverlight. HTML5 features improvements in forms specifications that benefit mobile applications. Embedded Hypervisor An embedded hypervisor will enable cross-platform applications. The hypervisor allows a web application to run on any smart phone without being aware of the underlying architecture. Mobile platforms require the hypervisor to be built in. For example, the Motorola Atrix has an embedded hypervisor that allows it to run a wider range of applications, not just those developed specifically for it. Security As mentioned earlier, mobile phones get lost easily. Therefore, there should be a way to prevent data misuse from lost or stolen devices. One way is the ability to wipe off mobile devices remotely. Some mobile manufacturers and wireless carriers provide this feature. The risk of privacy exposure and identity theft can be reduced by implementing improved protection measures for sharing data in interconnected systems, implementing monitoring capabilities and protocols, and by educating users about proper social media safe-surfing. One added security feature is lightweight virus and using firewall clients on mobile devices. 2.9 Cloud-based Mobile Applications With the rapid adoption of smartphones and tablets, companies need to add mobile applications to their service portfolios in order to reach more customers and provide services anywhere, anytime. Apps are actual applications that are downloaded and installed on mobile devices, rather than being accessed within a browser. In order to download apps, users visit mobile application stores like Apple’s App Store, Android Market, or Blackberry App World depending on the device’s operating system. The app may pull content and data from the Internet, in a similar way to a website, or it may download the content so that it can be accessed without an Internet connection. Mobile apps allow content to be available offline and provide access to the phones’ camera or phone resources to store information or process complex data. Functions can also be performed without an Internet connection. Examples of mobile apps are Angry Birds, Facebook and Gmail. Mobile apps enable interactive games, and when developing productive apps like EverNote or SportsTracker that involve users’ personal and daily usage, apps are a useful way to satisfy users’ needs. In addition, apps allow users to access their banking systems, which would not be safe to do through a usual web browser because of the lack of security systems in mobile phones. Mobile cloud computing provides many advantages for application developers as well as their end-users. With cloud-based applications, mobile users do not need high-end hardware and infrastructure to run or maintain mobile apps. Mobile app development requires hardware and software resources, and for organizations that do not have enough funds to get started, cloud computing comes in to provide needed resources in a pay-as-you go model. Cloud computing services are easy to use, they are scalable, efficient and offer a pay-per-use pricing. On-demand services and the availability of limitless processing power and storage provided by the cloud allow developers to reach high levels of mobile app functionality. When using cloud computing services, developers do not need to be concerned about deployment or the operational maintenance of the infrastructure to power their applications, they can focus on developing the main task at hand, while other functionalities are being taken care of. Cloud computing offers the performance and flexibility that mobile app developers require. With the introduction of cloud computing, the smartphone and app markets began to grow at a notable rate with more innovative and useful apps developed more quickly and cost effectively. This chapter discusses the benefits of cloud-based applications for developers. 2.9.1 Cost Advantages Developers do not need to invest heavily in building infrastructure and resources. Cloud computing provides instant access to scalable mobile application tools for building mobile and tablet apps. Cross-platform app development also helps reduce costs. Developers can now build an app once, test it and deploy it across multiple platforms. Building once and deploying to many devices considerably decreases the cost of developing apps. In addition, deploying apps to app stores and web sites is much easier. For example, developers can avoid device manufacturers or carrier app stores to distribute their apps, and publish them on their own private channels. 2.9.2 Increased Developer Productivity Developers can implement their ideas without being concerned about the infrastructure or the capacity of the surrounding services. In a usual on-premise infrastructure, developers need to acquire the virtual machine (VM) capacity for computing tasks, and database capacity for persistence, and they must build a target infrastructure environment even before implementing simple programs. Cloud allows developers to acquire compute, storage, network infrastructure, and managed services easily and quickly. Therefore, developers will be motivated to try new ideas that may drive organizations into new market places. 2.9.3 Secure Applications with Pre-defined Security Frameworks Developers do not have to create their own code to allow industry-standard authentication and authorization techniques in their web applications. For instance, if an application needs to make use of several OpenID providers (Microsoft Live, Google ID, Facebook, or Twitter to name a few) on the Internet, the developer must manually write forking code to understand multiple tokens, parse them to a canonical structure, and apply authorization rules before the user is able to access an application functionality. Some service providers simplify this whole process through simple settings. All the required implementation is already configured into a format that the application understands. Such services also free the developer from understanding the complicated details of OpenID protocols, and the token technicalities of each OpenID provider implementation. 2.9.4 New Platform Capabilities Cloud vendors usually bring new capabilities to market constantly at an increased rate compared to that of upgrades to on-premise software packages and operating systems. This is due to the fact that cloud services run on a standardized hardware and software platform inside the providers’ own data centers. This allows the deployment of features in a controlled manner with predictable impact to the deployed customer applications. This accelerated feature delivery allows a developer to take full advantage of the vendor’s investments that help their enterprises develop new solutions. 2.9.5 Up-to-date Application Platforms Cloud providers easily deliver new releases of technologies. As soon as there are updated versions, developers can start working with latest versions. They do not have to be slowed down by on-premise IT deployment latencies anymore. In addition, they are able to prevent the problems of being slowed down by outdated infrastructure and maintenance delays. A developer can integrate the latest development trends into the application as the recent frameworks and services usually perform with increasingly smaller amounts of code. This is a benefit to the companies they work for, as well as for the developer himself as this increases his skills sets. 2.9.6 Improved Reusability of Services Because of financial restrictions and delivery plans, developers usually focus on meeting the needs of the current project when they create and deploy services. Therefore, scalability issues may occur once consumers are using the services across the enterprise. With a cloud-based service, the developer does not need to worry about scalability; the required service will scale up or down depending on the demand. 2.9.7 Use of Existing skills for Cloud Applications In many cases, existing core skill sets transfer directly to cloud technologies. The need for design skills remains. The critical success factor of the broader adoption of a cloud platform is the developer ecosystem. Most cloud platforms allow the reuse of the existing skills either in the Java or .NET space. The cloud platforms are highly compatible with their on-premise alternatives, making applications highly portable across deployments. Most of the server-based web applications and web services can be ported with minimal or no changes. Briefly, cloud computing enables developers to build highly scalable, available, reliable, and high-performance platform independent applications, with a shorter time to the market. Cloud-based mobile application market is expanding at an exponential rate and it is a market changer and a new industrial revolution. 2.10 Advantages of Mobile Cloud Computing Cloud computing is known to be a promising solution for mobile computing due to many reasons (e.g., mobility, communication, and portability. In the following, we describe how the cloud can be used to overcome obstacles in mobile computing, thereby pointing out advantages of MCC. 1) Extending battery lifetime: Battery is one of the main concerns for mobile devices. Several solutions have been proposed to enhance the CPU performance and to manage the disk and screen in an intelligent manner, to reduce power consumption. However, these solutions require changes in the structure of mobile devices, or they require a new hardware that results in an increase of cost and may not be feasible for all mobile devices. Computation offloading technique is proposed with the objective to migrate the large computations and complex processing from resource-limited devices (i.e., mobile devices) to resourceful machines (i.e., servers in clouds). This avoids taking a long application execution time on mobile devices which results in large amount of power consumption. Many mobile applications take advantages from task migration and remote processing. For example, offloading a compiler optimization for image processing [20] can reduce 41% for energy consumption of a mobile device. Also, using memory arithmetic unit and interface (MAUI) to migrate mobile game components to servers in the cloud can save 27% of energy consumption for computer games and 45% for the chess game. 2) Improving data storage capacity and processing power: Storage capacity is also a constraint for mobile devices. MCC is developed to enable mobile users to store/access the large data on the cloud through wireless networks. First example is the Amazon Simple Storage Service (Amazon S3) which supports file storage service. Another example is Image Exchange which utilizes the large storage space in clouds for mobile users. This mobile photo sharing service enables mobile users to upload images to the clouds immediately after capturing. Users may access all images from any devices. With cloud, the users can save considerable amount of energy and storage space on their mobile devices since all images are sent and processed on the clouds. Flickr and ShoZu are also the successful mobile photo sharing applications based on MCC. Facebook is the most successful social network application today, and it is also a typical example of using cloud in sharing images. MCC also helps reducing the running cost for compute-intensive applications that take long time and large amount of energy when performed on the limited-resource devices. Cloud computing can efficiently support various tasks for data warehousing, managing and synchronizing multiple documents online. For example, clouds can be used for transcoding, playing chess or broadcasting multimedia services to mobile devices. In these cases, all the complex calculations for transcoding or offering an optimal chess move that take a long time when perform on mobile devices will be processed quickly on the cloud. Mobile applications also are not constrained by storage capacity on the devices because their data now is stored on the cloud. 3) Improving reliability: Storing data or running applications on clouds is an effective way to improve the reliability since the data and application are stored and backed up on a number of computers. This reduces the chance of data and application lost on the mobile devices. In addition, MCC can be designed as a comprehensive data security model for both service providers and users. For example, the cloud can be used to protect copyrighted digital contents (e.g., video, clip, and music) from being abused and unauthorized distribution. Also, the cloud can remotely provide to mobile users with security services such as virus scanning, malicious code detection, and authentication. Also, such cloud-based security services can make efficient use of the collected record from different users to improve the effectiveness of the services. In addition, MCC also inherits some advantages of clouds for mobile services as follows: _ Dynamic provisioning: Dynamic on-demand provisioning of resources on a fine-grained, self-service basis is a flexible way for service providers and mobile users to run their applications without advanced reservation of resources. _ Scalability: The deployment of mobile applications can be performed and scaled to meet the unpredictable user demands due to flexible resource provisioning. Service providers can easily add and expand an application and service without or with little constraint on the resource usage. _ Multi-tenancy: Service providers (e.g., network operator and data center owner) can share the resources and costs to support a variety of applications and large number of users. _ Ease of Integration: Multiple services from different service providers can be integrated easily through the cloud and the Internet to meet the users’ demands. 2.11 More Benefits of cloud-based mobile payment solutions From the merchant’s perspective, cloud-based mobile payment services may be more flexible by avoiding some POS constraints. For example, the cloud wallet decouples a purchase from the payment and can support traditional electronic and alternative payment methods that may offer less expensive payment options to the merchant. Implementation of the mobile payment solution may be easier since new POS hardware is not always required. From the consumer’s perspective there are several benefits: Consumer familiarity. Consumer experience with use of other mobile apps may help them transition more quickly to a cloud-based mobile payment solution than an NFC mobile solution Ease of use at check-out. The consumer typically inputs an account number and password, which are authenticated against his payment credentials stored in the cloud. In the push cloud model, a customer uses a token23 stored on his mobile phone, which represents his account credentials, to initiate and complete a payment transaction Portability. Because the cloud model is hardware agnostic, a consumer does not need to move his data if he switches mobile devices or mobile carriers, or upgrades his phone Improved security. The cloud solution provides alternative security for payment credentials by not storing them on the mobile phone, unless they are stored for back-up. Tokenization replaces the primary account number (PAN) with a substitute value called a token to prevent unauthorized access to the true account number. De-tokenization reverses the process and redeems the token to access the associated PAN value. The true PAN value is protected because it can only be determined if the substitute or token value is known. Broader availability. Cloud apps are web or browser-based (vs. native mobile apps which are developed to perform on specific mobile phone operating systems) and accessible across different device/OS platforms, enabling the apps to run on many different mobile phones. 2.12 Challenges of Cloud-based mobile payment Use of cloud-based mobile payment services requires both the merchant and the consumer to subscribe. While merchants do not need to implement NFC hardware and software on their terminals, merchants must work with the mobile payments providers to implement additional infrastructure to accept cloud payments at the POS, and the customer must register with each individual merchant before making a payment. Merchants should also be aware that some cloud-based transactions may be treated as card-not-present (CNP), resulting in higher transaction fees. Cloud payments require Internet connectivity. A transaction may not work or be interrupted due to connectivity issues, particularly if access to the cloud fails and there are no back-up payment credentials stored on the mobile phone. However, the most notable problem is the lack of quick mobile Internet access. Transactions may be slow depending on how the wallet is accessed, what the connection speed is, and how much data must be entered. A payment transaction may require more time because transmission to the cloud is slower than NFC to POS. In the U.S., for example, current 3G coverage is spotty outside urban areas, leading to intermittent connectivity issues and slow speeds. Connectivity to the cloud is required at the moment a transaction is made, even more so for transit payments than retail purchases, so speed is critical. Contingency payment options, such as NFC, Wi-Fi, plastic card, or a hybrid solution using the push cloud model to store a token on the mobile phone for offline transactions, need to be established for cloud payments. Storing payment credentials in the cloud for a digital wallet is new and relatively untested with scale. There are still many unknowns to be addressed. Because payments data can be compromised in the cloud, it is essential that: (1) payments data is not transmitted via SMS or e-mail because these platforms are not encrypted; (2) payments to the cloud are transmitted between secure, encrypted endpoints handled either by mobile carrier data networks or merchant-provided secure Wi-Fi hotspots, and are not transmitted unencrypted over any network. Data privacy remains a key concern for payments data stored in the cloud. Cloud providers control consumer data, so they have both a legal and ethical responsibility to protect it. They need to comply with privacy laws and make sure they obtain explicit consumer permission (opt-in) before sharing consumer information with other businesses, or mining data to companies interested in monitoring consumer spending behaviors. They need to make sure their underlying payment services are secure and resilient. Collaboration between banks and merchants will help to ensure consistent support for protecting the privacy and security of the consumer data. 2.13 APPLICATIONS OF MOBILE CLOUD COMPUTING Mobile applications gain increasing share in a global mobile market. Various mobile applications have taken the advantages of MCC. In this section, some typical MCC applications are introduced. A. Mobile Commerce Mobile commerce (m-commerce) is a business model for commerce using mobile devices. The m-commerce applications generally fulfill some tasks that require mobility (e.g., mobile transactions and payments, mobile messaging, and mobile ticketing). The m-commerce applications can be classified into a few classes including finance, advertising and shopping. The m-commerce applications have to face various challenges (e.g., low network bandwidth, high complexity of mobile device configurations, and security). Therefore, m-commerce applications are integrated into cloud computing environment to address these issues. X. Yang et al [14] proposes a 3G E-commerce platform based on cloud computing. This paradigm combines the advantages of both 3G network and cloud computing to increase data processing speed and security level based on PKI (public key infrastructure). The PKI mechanism uses an encryption-based access control and an over-encryption to ensure privacy of user’s access to the outsourced data. B. Mobile Learning Mobile learning (m-learning) is designed based on electronic learning (e-learning) and mobility. However, traditional m-learning applications have limitations in terms of high cost of devices and network, low network transmission rate, and limited educational resources. Cloud-based m-learning applications are introduced to solve these limitations. For example, utilizing a cloud with the large storage capacity and powerful processing ability, the applications provide learners with much richer services in terms of data (information) size, faster processing speed, and longer battery life. W. Zhao [15] presents benefits of combining m-learning and cloud computing to enhance the communication quality between students and teachers. In this case, a smartphone software based on the open source JavaME UI framework and Jaber for clients is used. Through a web site built on Google Apps Engine, students communicate with their teachers at anytime. Also, the teachers can obtain the information about student’s knowledge level of the course and can answer students’ questions in a timely manner. In addition, a contextual m-learning system based on IMERA platform shows that a cloud-based m-learning system helps learners access learning resources remotely. Another example of MCC applications in learning is “Cornucopia” implemented for researches of undergraduate genetics students and “Plantations Pathfinder” designed to supply information and provide a collaboration space for visitors when they visit the gardens. The purpose of the deployment of these applications is to help the students enhance their understanding about the appropriate design of mobile cloud computing in supporting field experiences. C. Mobile Healthcare The purpose of applying MCC in medical applications is to minimize the limitations of traditional medical treatment (e.g., small physical storage, security and privacy, and medical errors). Mobile healthcare (m-healthcare) provides mobile users with convenient helps to access resources (e.g., patient health records) easily and quickly. Besides, m-healthcare offers hospitals and healthcare organizations a variety of on-demand services on clouds rather than owning standalone applications on local servers. There are a few schemes of MCC applications in healthcare. U. Varshney [16] presents five main mobile healthcare applications in the pervasive environment. Comprehensive health monitoring services enable patients to be monitored at anytime and anywhere through broadband wireless communications. Intelligent emergency management system can manage and coordinate the fleet of emergency vehicles effectively and in time when receiving calls from accidents or incidents. Health-aware mobile devices detect pulse-rate, blood pressure, and level of alcohol to alert healthcare emergency system. Pervasive access to healthcare information allows patients or healthcare providers to access the current and past medical information. Pervasive lifestyle incentive management can be used to pay healthcare expenses and manage other related charges automatically . Similarly, C. Doukas et al proposes @HealthCloud, a prototype implementation of m-healthcare information management system based on cloud computing and a mobile client running Android operating system (OS). This prototype presents three services utilizing the Amazon’s S3 Cloud Storage Service to manage patient health records and medical images. Seamless connection to cloud storage allows users to retrieve, modify, and upload medical contents (e.g., medical images, patient health records and bio signals) utilizing web services and a set of available APIs called REST. Patient health record management system displays the information regarding patients’ status, related bio signals and image contents through application’s interface. Image viewing support allows the mobile users to decode the large image files at different resolution levels given different network availability and quality. For practical system, a telemedicine homecare management system is implemented in Taiwan to monitor participants, especially for patients with hypertension and diabetes. The system monitors 300 participants and stores more than 4736 records of blood pressure and sugar measurement data on the cloud. When a participant performs blood glucose/pressure measurement via specialized equipment, the equipment can send the measured parameters to the system automatically, or the participant can send parameters by SMS via their mobile devices. After that, the cloud will gather and analyze the information about the participant and return results. The development of mobile healthcare clearly provides tremendous helps for the participants. D. Mobile Gaming Mobile game (m-game) is a potential market generating revenues for service providers. M-game can completely offload game engine requiring large computing resource (e.g., graphic rendering) to the server in the cloud, and gamers only interact with the screen interface on their devices. Offloading (multimedia code) can save energy for mobile devices, thereby increasing game playing time on mobile devices. E. Cuervo, proposes MAUI (memory arithmetic unit and interface), a system that enables fine-grained energy-aware offloading of mobile codes to a cloud. Also, a number of experiments are conducted to evaluate the energy used for game applications with 3G network and WiFi network. It is found that instead of offloading all codes to the cloud for processing, MAUI partitions the application codes at a runtime based on the costs of network communication and CPU on the mobile device to maximize energy savings given network connectivity. The results demonstrate that MAUI not only helps energy reduction significantly for mobile devices (i.e., MAUI saves 27% of energy usage for the video game and 45% for chess), but also improves the performance of mobile applications (i.e., the game’s refresh rate increases from 6 to 13 frames per second). E. Other Practical Applications A cloud becomes a useful tool to help mobile users share photos and video clips efficiently and tag their friends in popular social networks as Twitter and Facebook. MeLog is an MCC application that enables mobile users to share real-time experience (e.g., travel, shopping, and event) over clouds through an automatic blogging. The mobile users (e.g., travelers) are supported by several cloud services such as guiding their trip, showing maps, recording itinerary, and storing images and video. 2.14 OTHER MOBILE PAYMENT TECHNOLOGIES QR code for mobile payments at POS Today, mobile phones with cameras can be used with barcodes to perform various functions, including mobile payments and loyalty programs. QR code use has expanded in the past year, providing incentive for consumers to use their smartphone cameras and related mobile apps to scan barcodes to access sites on the Internet, download products, find reviews and information, or pay for purchases.26 To initiate a POS mobile barcode payment, the customer opens a previously loaded mobile app for the selected merchant. The mobile app generates a dynamic QR code, which the customer scans at the POS terminal scanner, (which may be another mobile device enabled with a downloaded reader). The merchant’s POS system uses the consumer’s account information obtained from the barcode to retrieve his payment credentials from the cloud and process the payment over the card network. The consumer’s real payment credentials are not stored on the mobile phone or merchant terminal. Barcodes can be susceptible to a number of security risks. Malicious QR codes can contain URLs with hidden malware, or redirect to a fake websites to commit fraud, download malware, or phish for credentials. Because of their small screens, smartphones are more prone to phishing scams which try to trick victims into entering sensitive details to a fraudulent website that looks legitimate. If the barcode implementation is not for a proprietary system, the risk of fraud increases. There are several tools that could help minimize security risks associated with barcodes, including anti-virus and anti-malware on smartphones. For some barcode payments apps, such as the Starbucks app, customers can add passcode protection to prevent use of the app if the phone is lost or stolen. Also, a customer must enter an ID and password to reload the Starbucks account. Direct Carrier Billing (DCB) Direct carrier billing is not accepted at physical retail locations in the United States, but can be used to purchase digital content such a ringtones and wallpapers from online stores or make charitable donations, e.g., to the Red Cross for the Haiti earthquake, and most recently for Hurricane Sandy. AT&T, Verizon, T-Mobile and Sprint have all launched DCB services in the last several years. And acceptance of DCB payments by several large online companies, such as Google and Facebook, may increase adoption. To make a DCB payment, the customer enters his mobile phone number during the online checkout process. The DCB service provider sends an SMS message containing a PIN code to the customer’s mobile phone. The customer either enters the PIN on the checkout screen or responds to the SMS message from his mobile phone. The charge is then applied to the customer’s monthly mobile phone bill. DCB offers a simple and convenient method for consumers to pay for low value digital goods and services. Since customers already have existing relationships with their mobile carriers, they do not have to share their payment credentials with third party providers. There is also a reduced risk that the purchaser is not the account holder. To manage carrier risk, DCBs set different transaction value limits depending on the carrier. Initially set at $25, limits have increased to $100-200 based on increased consumer use. There are risks associated with using DCB; cramming being one of the most serious. While all mobile payment methods are susceptible to fraud, cramming is unique to DCB. According to the FCC, “cramming is the practice of placing unauthorized, misleading or deceptive charges on a customer’s telephone bill.” Crammers rely on confusing telephone bills to trick consumers into paying for services they did not authorize or receive, or that cost more than the consumer was led to believe. A crammer charges a customer’s account without the customer’s full knowledge or full understanding of the transaction. The charges go through undetected because they are labeled as phone-related services (e.g., voicemail, collect calls) or they are generic recurring charges (e.g., membership, subscriptions). Consumers must proactively check their bills carefully to make sure they are not victims of cramming. The FCC recently introduced the “Truth-in-Billing” rule in order to prevent cramming. It requires MNOs to organize bills with a clear, specific layout accompanied by understandable descriptive language for describing services for which a customer is being billed. Compared to other mobile payment methods that are cleared and settled over traditional payment networks (e.g. credit, debit, and ACH) and governed by bank regulations that limit consumer liability, DCB mobile payments do not provide the same clarity of coverage and consumer protection. Carrier-offered protections are inconsistent. Examples of differences in protections include charges related to lost or stolen devices, late fees, reporting of disputed charges, and requesting refunds. Unless mobile carriers offer protections which are on par with credit or debit card, there is a financial risk to the consumer that differs from other financial instruments covered by Reg. E or Reg. Z. 2.15 What is new about cloud computing? The computer pioneer John McCarthey has already predicted back in 1961 that “computation may someday be organized as a public utility”(in Foster et al. 2008). This statement and the reflections on computing history show that cloud computing is no entirely new idea. Critics may even say that cloud computing is simply another name for grid computing. However, although cloud computing and grid computing have a lot in common, there are also some differences. According to Foster (2002), grid computing describes “a system that coordinates resources which are not subject to centralized control, using standard, open, general-purpose protocols and interfaces to deliver nontrivial qualities of service“. Foster et al. (2008) identified the main differences regarding security aspects, programming, compute and data model, abstractions, applications and the business model. Today’s clouds usually do not focus on the coordination of distributed infrastructure resources that are under the control of various parties. Instead, cloud computing providers commonly manage their own infrastructure that is probably more homogeneous than that of a typical grid. The reason for this lies in the different objectives of the two concepts. While cloud computing addresses Internet-scale computing problems, utilizing a large pool of computing and storing resources, grid computing aimed at large-scale computing problems by harnessing a network of resource-sharing commodity computers, dedicating resources to a single computing problem (Foster et al. 2008). Computing grids were designed upon the assumption that resources are heterogeneous and dynamic, being owned by different parties who want to remain their own administration domain and operating autonomy. This is the reason, why security is a fundamental aspect of the grid computing architecture. According to Foster et al. (2008) this is another important distinguishing factor between these two concepts. Another difference can be found regarding the computation model. While cloud computing harnesses the power of virtualization to allow users to share resources simultaneously, most computing grids use a batch-scheduled computing model. Meaning that dedicated resources are governed by a queuing system, potentially long queuing times might occur in grid computing. Thus, most grids are not supporting interactive applications natively. Also the business models of both concepts differ significantly. The business model of grid computing is typically project oriented, where users are assigned a certain number of service units (i.e. CPU hours), which they can spend. In contrast, cloud computing is based on a consumption basis, where users can utilize as many resources as they need and only pay for what they have consumed (Foster et al. 2008). Concluding, Foster et al. (2008) claim that both grid and cloud computing share the same vision, “to reduce the cost of computing, increase reliability, and increase flexibility by transforming computers from something that we buy and operate ourselves to something that is operated by a third party”. However, they predict that in future local systems and large-scale infrastructure providers will coexist, distributing load dynamically. As Figure 6 shows, Foster et al. see an overlap of grid and cloud computing, where the first one is more application oriented and the latter one more service oriented. Computing grids may be used as infrastructure basis for cloud computing, maybe they even become more service oriented. Nevertheless, grid computing will probably remain a domain of scientific computing, ensuring dedicated resources and high security standards. Figure 2.2: An overview of grid and cloud computing (Foster et al. 2008) Another concept that is often mentioned in conjunction with cloud computing is Software-as-a-Service (SaaS). SaaS can be regarded as the top layer in the presented cloud computing model. Nevertheless, traditional SaaS models, occurring around the year 2000, are based on a regular (e.g. monthly) fee for service provision, independent of whether the service was used or not (Buxmann et al. 2008). Thus, traditional SaaS can be differentiated from cloud computing, which is grounded in consumption based pricing, where users only pay for what they have consumed. Concluding, we see cloud computing as a set of preexisting technologies that offers some new features. Probably the most evident feature is the elasticity cloud computing offers. Computing resources as well as higher level services such as software can be utilized on-demand. In conjunction with this one must also mention the pay-per-use pricing model, which does not require any long term commitment and only charges for what has been consumed. In addition cloud computing is not restricted to certain users or institutions, but open for everybody, offering large computing resources to everyone with a credit card. Compared to grid computing, the cloud computing concept offers a higher level of abstraction. Development platforms increase the user friendliness by for example offering graphical user interfaces, application programming interfaces (API) and automatic scalability. Thus, cloud computing is accessible for a larger group of people, both developers and end-users. However, in our opinion, the really new about cloud computing is not the technology behind, but the IT service ecosystem it shapes. The innovation of cloud computing is the way of how IT resources are deployed, allowing different actors to provide, consume and aggregate services on different levels. This simple deployment model reduces the entry barriers and builds the basis for a fast growing services landscape, where different actors provide various services to solve individual problems. 2.16 NEAR FIELD COMMUNICATION NFC is a standards-based wireless communication technology that allows data to be exchanged between devices that are a few centimeters apart. NFC-enabled mobile phones incorporate a smart chip (called a secure element) that allows the phone to store the payment application and consumer account information securely and use the information as a virtual payment card. NFC payment transactions between a mobile phone and a POS terminal use the standard ISO/IEC 14443 communication protocol currently used by EMV and U.S. contactless credit and debit cards that allows the mobile phone to simulate a physical contactless card. There are three NFC approaches for processing and storing sensitive consumer data in the mobile phone. Mobile payment stakeholders, including mobile network operators (MNO), financial institutions, card issuers, merchants, and payment processors, decide which option(s) to implement. Each approach is hardware-based and differs primarily on the placement of the secure element in the mobile phone. The secure element is essentially the component within the mobile device that provides the application, the network and the user with the appropriate level of security and identity management to assure the safe delivery of a particular service. It is an encrypted smart card chip6 that contains a dedicated microprocessor with an operating system, memory, an application environment, and security protocols, built to exacting standards and developed and delivered in controlled white room manufacturing environments. The secure element is used to safely store and execute sensitive applications, such as payment applications, on a mobile device, and store associated payment credentials and financial data. Encryption is an important component of the secure element, and plays a critical role in mitigating fraud during a mobile payment transaction by converting payment data into a form unintelligible to everyone except holders of a unique cryptographic key. Cryptographic keys are values that determine the output of an encryption algorithm when transforming plain text to encrypted text. The longer the key, the more difficult it is to decrypt the text in a given message. Key rotation7 is the process of decrypting data with the old encryption key and re-keying the data with the new encryption key. Encryption protects consumer and transaction-level information against unauthorized access or disclosure, from the initial encryption step to the decryption step. Encryption can protect data during transmission and while at rest. 2.17 Secure Element Placement Options The most common secure element implementations include: a) embedded (or hard-wired) in the mobile phone, b) loaded on a SIM8 card, and c) loaded on a microSD card. This section will examine each approach and compare the benefits and security features. a) Embedded Secure Element In the embedded NFC model, the secure element is soldered onto hardware in the mobile phone. The original equipment manufacturer (OEM) procures space on the secure element for issuing banks or other mobile payment providers, and is responsible for safely distributing the secure elements in the mobile handsets to consumers, who purchase embedded NFC mobile phones at various mobile retailers. MNOs coordinate with the handset manufacturers to ensure that authorized operating systems/applications (e.g., iOS, Android) work with the secure element. Fig 2.3 Embedded secure element An embedded secure element provides a common architecture for application developers, independent of the mobile phone technology—GSM or CDMA. A larger antenna built into the handset also offers a stronger communication signal between the mobile phone and merchant terminal. And, because secure elements are built into mobile devices during the manufacturing process, they are relatively tamper-proof and less costly to produce relative to SIM and microSD options.9 9 Industry analysts report that major manufacturers are increasing the number of shipments of embedded secure elements. Edgar, Dunn & Company, “Advanced Payments Report 2012,” March 2012. One disadvantage of an embedded secure element is that it is not portable, making it difficult to transfer mobile payment applications and credentials between handsets. This may be inconvenient for consumers when they need to transfer credentials and applications from an old phone to a new one. However, some mobile services and operating systems enable data on the embedded chip to be transferred over-the-air (OTA) to the new phone. OTA technology transmits data using a wireless network and protects the information exchange by using a secure end-to-end communication link to the secure element. It also provides strong security by using double encryption, in which the OTA messages are encrypted with two sets of unique keys – the MNO key and the service provider key. Once the secure element is activated on the new mobile phone, a customer’s payment credentials must be wiped from the old device. However this process is not a standard requirement when provisioning the mobile phone and should be addressed by the mobile payments providers. (For example, Google’s mobile wallet payments strategy is built around the OTA option.) b) Secure Element in the SIM Card A SIM (Subscriber Identity Module) is a removable smart card used in many mobile phones. Each SIM card can hold multiple applications. GSM phones use the SIM card, while CDMA phones use their own version called CSIM (CDMA2000 SIM). For mobile payments, the SIM card performs the secure element function. The SIM card communicates with the NFC controller in the mobile handset through a Single Wire Protocol (SWP). Using the SIM card as a secure element is considered safe because it is personalized, remotely manageable over-the-air, and uses standard transport protocols developed by global telecom standards bodies. The MNO owns the SIM card11 and creates secure partitions or domains in the SIM for third parties (e.g., banks, retailers, and transit authorities) to rent for their mobile applications. The MNO provides each third party with a unique security key to access its domain. The keys are also known to the SIM. One advantage to using the SIM approach is that the secure element can use information contained on the SIM (such as its unique serial number (ICCID) and the international mobile subscriber identity (IMSI)) to link to an individual consumer. This provides an additional layer of security and also simplifies the changeover process when a consumer upgrades his mobile phone, as the SIM is easily removable. MNOs can also communicate with, download applications to, and manage a SIM card/secure element remotely over-the-air. If a handset is lost or stolen, it can be locked or remotely wiped to prevent any unauthorized account access. There are some drawbacks to this approach. Because the MNO owns and controls the SIM, a mobile operating system has restricted access to the secure element in the mobile device. Furthermore, the MNO also controls which third parties or financial institutions can add payment applications or wallets, and what fees they pay to use the SIM as the secure element. Fig 2.4 Embedded secure element in sim card c) Secure Element in microSD card The third option is to put the secure element in a microSD card, which is a memory card used to store data. It is designed to integrate with the mobile phone by fitting into a specially designed slot on the device. Like embedded and SIM NFC phones, NFC-enabled microSD cards communicate with apps to enable mobile payments. The full NFC microSD card model employed in the U.S. contains the secure element, security domain, NFC chip, and antenna. In the third option, payment card data is also encrypted and stored in the secure element, but the secure element resides in the microSD card. Fig 2.5 Embedded secure element in Micro SD card Unlike the SIM and embedded secure element options, there are three ways to issue, provision and distribute an NFC-enabled microSD card to the consumer: (1) Card-issuing financial institution provides the microSD card. (2) Retailer provides a blank microSD card to the end consumer, similar to a prepaid card. (3) MNO bundles the microSD with a phone or sells it independently of a phone. Implementing an NFC-enabled microSD card solution can speed deployment of mobile contactless payment services by allowing a consumer to insert the microSD card into his existing mobile smartphone to begin making mobile payments. Over the past few years, several U.S. banks, card networks, and transit authorities have piloted mobile payments using microSD cards to test several concepts: easier implementation, ability to enable contactless payments in consumers’ mobile phones more quickly, ability to test the NFC technology without needing SIM or embedded NFC chips, and consumer interest. The pilots were relatively limited in scale, providing useful information on consumer experiences using a mobile phone for POS purchases, but also identified a number of technical problems, such as: Weak radio signal and interference caused by: Size and location of the antenna. If the antenna is too small, it may result in a weaker radio signal and be subject to interference. Physical location of the microSD card slot on the mobile phone. Material of a mobile phone’s casing. Metal casing tends to cause signal interference and weaker reception. Protective and decorative external covers. Additional covers on a mobile device can cause signal issues and become a barrier to the radio signals. Embedded antennae. Communication conflicts and unexpected radio interference may occur when both the mobile device and the microSD card have embedded antennae. Compatibility issues with mobile phones that are not equipped with microSD slots. MicroSD cards are typically mono-band, meaning that they can support only a single application or payment account. If consumers have multiple mobile payment and/or loyalty accounts from different sources, they may need a microSD card for each application—one from each bank, carrier, or other provider with which the customer has accounts. In contrast, a SIM card or embedded NFC chip can be segmented into multiple secure compartments to support multiple applications. While the microSD approach may be more suitable for an issuer of a single closed mobile payment application, it can be more complicated and much less convenient for the consumer. Other consumer risks associated with a microSD card make its long-term survival doubtful. While consumers can transfer microSD cards from one mobile phone to another, the cards are tiny and fragile, and frequent removal and insertion into a mobile device increase the risk of loss or damage. Portability provides opportunity for an unauthorized person to easily gain access to the payment information on the microSD card because there is no lock or PIN to prevent anyone from opening the phone and removing it. Issuers must handle and protect microSD cards in the same manner as they handle plastic cards when distributed and mailed to consumers. Finally, it is unclear whether specific standards for microSD cards exist today in the U.S., particularly to manage how microSD card slots securely communicate with user interfaces and support communication between the microSD secure element and the NFC controller on a mobile device. 2.18 BENEFITS OF NFC-TYPE MOBILE PAYMENTS NFC-based contactless payments are considered extremely secure; there is no empirical evidence to the contrary. Whether or not empirical evidence exists, using NFC technology for mobile payments offers many security benefits. (1) Payment credentials are stored in the secure element in the mobile wallet. Different passwords can be set-up to log on to the mobile device, and to activate the payment application that accesses the payment credentials in the secure element. (2) When not in use, the NFC antenna can be disabled until needed so that unauthorized users cannot access the wallet. (3) NFC is an extension of EMV15 chip technology, with the radio interface added. When a mobile payment begins, EMV secures the payment transaction with dynamic data authentication (DDA), which uses an encryption key to generate unique, dynamic data values to authenticate the transaction when it is authorized by the card network. These values are only valid for one authentication. If a thief tries to re-use the payment account data, it will be out of sync with the number stored by the card issuer and rejected, making it harder to skim usable data and clone for counterfeiting. (In contrast, the signature used for static data authentication is the same every time.) EMV provides end-to-end security with “chip+ PIN” credit cards in most developed countries today. Other benefits of NFC payments include eliminating the cost of plastic card provisioning, using the existing clearing and settlement channels, and providing the possibility for the transaction to be “card present” vs. “card not present” (CNP), which reduces risks associated with CNP and lowers interchange fees. 2.19 CHALLENGES OF NFC-TYPE MOBILE PAYMENTS For NFC mobile payments to succeed, several challenges related to technology, implementation, and consumer adoption must be resolved. Few mobile phones are currently enabled for use with either SIM or embedded NFC secure element chips, although more handset manufacturers are beginning to embed NFC chips in their mobile phones or on SIM cards as a basic component. More merchants must invest in upgrading their POS terminals to enable two-way NFC, a long-standing barrier to adoption. Work still needs to be done to develop an agreed upon set of technology standards for mobile phones, chips, and secure elements, and standards for provisioning and maintaining mobile payment credentials. Yet the number of cross-industry participants engaged in the mobile payment process/value chain continues to grow, further complicating business models and customer-ownership. Finally, we need to remember that many consumers are still unfamiliar with NFC technology and require not only incentives, but also education regarding its safety and security when used for mobile payments, particularly with a mobile wallet. The Role of Cloud Computing within NFC Ecosystem Having several parties involved in the NFC ecosystem with a lack of standards to define their roles and accesses to NFC components and applications, means that companies are increasingly considering using the cloud environment as a single entity to make things easier (Alliance, 2011). Moreover, cloud-based payment solution can help the adaption of NFC as they only require downloadable applications for both retailers and customers. However, it might bring more openness towards the security of customer’s credentials (e.g. bank account details), but in terms of flexibility and manageability, it makes the whole process much clearer and easier to handle (Losup et al., 2011). Cloud computing introduces a new method of storing payment credentials which improves the manageability of the NFC ecosystem. Rather than having all the sensitive information in the NFC handset, the cloud can store this information and transmit it when required. When a client scans his NFC phone on the merchant’s POS terminal, encrypted payment credentials are taken out from a virtual SE that is stored in the cloud and transfers to the SE that is stored in the NFC handset. The purpose of having a SE in an NFC handset is to provide temporary storage in order to store authentication assets. Once payment credentials reached the NFC phone, they are again pulled out to get transmitted to the merchant’s terminal in order to perform the transaction. In this scenario, the communication between merchant’s terminal and NFC phone is established through an NFC link. The cloud solution enables the client to manage transaction data by using a cloud-based payment application that is subscribed by both client and merchant. The payment application is accessible via a mobile phone using either email or a mobile browser and the transaction report can be in the form of a Short Message Service (SMS), email or just a sound. Examples of this approach include PayPal and PayCloud Mobile Wallet (PayPal, 2013; Alliance, 2011). Although in this approach, most of the focus has been towards vendor gift cards, the cloud-based approach is also feasible in open payment systems. Development of this approach can be easy for vendors as they are not required to install new POS terminals. Thus, this approach gives the opportunity to vendors to better differentiate and customize applications. Another advantage that this solution offers to vendors is that, in the case of operating a different payment type, the solution might be lower costs for the vendor. Moreover, clients are already familiar with this type of payment methods (i.e. PayPal). As cloud-based NFC payments might be treated as card-not-present in some cases, it is more likely that the transaction fees will be higher than the normal card payments. Furthermore, in order to execute a transaction, a connection is required to the cloud. Executing a transaction may not be possible if this connectivity is somehow interrupted. In addition, some security issues may arise from using email and SMS that can be the sign of a transaction notification. As the current payment infrastructure is not leveraged, there might be a possibility that a vendor should install a non-standard application in order to process a payment. Replacement of current POS terminals with NFC terminals may be required, as the POS has to be capable of communicating with an NFC enabled phone. The transaction execution performance depends on the network connection speed, data capacity and the way that wallet’s data are accessed. Last but not least, both client and vendor have to sign up with the cloud service provider to use its services (Kounelis et al, 2012; Alliance, 2011; Ko et al., 2011). 2.20 REVIEW OF PAST LITERATURES 2.20.1 A SURVEY OF MOBILE CLOUD COMPUTING: ARCHITECTURE, APPLICATIONS, AND APPROACHES, By Hoang T. Dinh, Chonho Lee, Dusit Niyato, and Ping Wang This paper gives a survey of Mobile Cloud Computing, which helps general readers have an overview of the Mobile Cloud Computing including the definition, architecture, and applications. The issues, existing solutions and approaches are presented. In addition, the future research directions of Mobile Cloud Computing are discussed. The paper presents a comprehensive survey on mobile cloud computing providing a brief overview of MCC including definition, architecture, and its advantages. It also presented several issues that arise in Mobile Cloud Computing and approaches to address the issues. Some of the open issues discussed are outlined below. A. Low Bandwidth Although many researchers propose the optimal and efficient way of bandwidth allocation, the bandwidth limitation is still a big concern because the number of mobile and cloud users is dramatically increasing. We consider that 4G network and Femtocell are emerging as promising technologies that overcome the limitation and bring a revolution in improving bandwidth. B. Network Access Management An efficient network access management not only improves link performance for mobile users but also optimizes bandwidth usage. Cognitive radio can be expected as a solution to achieve the wireless access management in mobile communication environment. Cognitive radio increases the efficiency of the spectrum utilization significantly, by allowing unlicensed users to access the spectrum allocated to the licensed users. When this technique is integrated into MCC, the spectrum can be utilized more efficiently, the spectrum scarcity can be solved and thus millions of dollars for network providers can be saved. However, cognitive radio is defined as wireless communication technology in which each node communicates via an optimal wireless system based on recognition of radio resource availability in heterogeneous wireless communication environment. Therefore, mobile users in MCC must be able to detect this radio resource availability (through spectrum sensing) while ensuring that the traditional services will not be interfered. C. Quality of Service In MCC, mobile users need to access to servers located in a cloud when requesting services and resources in the cloud. However, the mobile users may face some problems such as congestion due to the limitation of wireless bandwidths, network disconnection, and the signal attenuation caused by mobile users’ mobility. They cause delays when users want to communicate with the cloud, so QoS is reduced significantly. Two new research directions are CloneCloud and Cloudlets that are expected to reduce the network delay. D. Pricing Using services in MCC involves with both mobile service provider (MSP) and cloud service provider (CSP). However, MSPs and CSPs have different services management, customers management, methods of payment and prices. Therefore, this will lead to many issues, i.e., how to set price, how the price will be divided among different entities, and how the customers pay. For example, when a mobile user runs mobile gaming application on the cloud, this involves the game service provider (providing a game license), mobile service provider (accessing the data through base station), and cloud service provider (running game engine on data center). The price paid by the game player has to be divided among these three entities such that all of them are satisfied with the division. It is clear that the business model including pricing and revenue sharing has to be carefully developed for MCC. E. Standard Interface Interoperability becomes an important issue when mobile users need to interact and communicate with the cloud. The current interface between mobile users and cloud are mostly based on the web interfaces. However, using web interfaces may not be the best option. First, web interface is not specifically designed for mobile devices. Therefore, web interface may have more overhead. Also, compatibility among devices for web interface could be an issue. F. Service Convergence The development and competition of cloud service providers can lead to the fact that in the near future these services will be differentiated according to the types, cost, availability and quality. Moreover, in some cases, a single cloud is not enough to meet mobile user’s demands. Therefore, the new scheme is needed in which the mobile users can utilize multiple cloud in a unified fashion. In this case, the scheme should be able to automatically discover and compose services for user. One of the potential solution of this issue is the sky computing, which will be the next step of cloud computing. Sky computing is a computing model where resources from multiple clouds providers are leveraged to create a large scale distributed infrastructure. Similarly, the mobile sky computing, will enable providers to support a cross-cloud communication and enable users to implement mobile services and applications. However, to offer a service to mobile user in a unified way, the service integration (i.e., convergence) would need to be explored. 2.20.2 A PROPOSED NFC PAYMENT APPLICATION by Pardis Pourghomi, Muhammad Qasim Saeed, Gheorghita Ghinea(2013) (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 4, No. 8, 2013 Near Field Communication (NFC) technology is based on a short range radio communication channel which enables users to exchange data between devices. With NFC technology, mobile services establish a contactless transaction system to make the payment methods easier for people. Although NFC mobile services have great potential for growth, they have raised several issues which have concerned the researches and prevented the adoption of this technology within societies. Reorganizing and describing what is required for the success of this technology have motivated the researchers to extend the current NFC ecosystem models to accelerate the development of this business area. In this paper, they introduce a new NFC payment application, which is based on their previous “NFC Cloud Wallet” model to demonstrate a reliable structure of NFC ecosystem. They also described the step by step execution of the proposed protocol in order to carefully analyze the payment application and the main focus will be on Mobile Network Operator (MNO) as the main player within the ecosystem. The execution of the model is described in what follows: 1) Customer waves the NFC enabled phone on the POS terminal to make the payment 2) The payment application is downloaded into customer’s mobile phone SE. 3) The reader communicates with the cloud provider to check whether the customer has enough credit or not. 4) Cloud provider transfers the required information to the reader. 5) Based on the information which was transferred to the reader, the reader either authorizes the transaction or rejects customer’s request. 6) Reader communicates with the cloud to update customer’s balance - if customer’s request was authorised, the amount of purchase will be withdrawn from his account otherwise customer’s account will remain with the same balance. PROPOSED MODEL The authors proposed an extension to previously proposed NFC Cloud Wallet model. Since there are multiple options applicable to this model, they designed the model based on the following assumptions: SE is part of SIM Cloud is part of MNO MNO is managing SE/SIM Banks, etc. are linked with MNO These assumptions are appropriate regarding the NFC execution process and its ecosystem. As mentioned in Section IIIpreviously, SE is in the format of UICC therefore SE is part of the SIM. MNO manages the cloud infrastructure and it is the only party that has full access and permission to manage confidential data which are stored in the cloud. As MNO is the owner of the cloud, it fully manages the SIM in terms of monitoring the GSM network and controlling cloud’s data. From the financial institution’s point of view, they only deal with MNO as MNO is the single party that has full control over the SIM as well as the cloud. The Proposed Protocol This proposal is based on cloud architecture where the cloud is being managed by the Mobile Network Operator MNO. The cloud and the banking sector are the subsystems of MNO, in addition to the existing subsystems of an MNO. Assumption is made that the communication is secure between various subsystems of the MNO. The shop POS terminal, registered with one or more MNO, shares an MNO specific secret key Kp with the corresponding MNO. This key is issued once a shop is registered with the MNO. The bank detail of the shopkeeper is also registered with the MNO for monetary transactions. The communication between the shop POS terminal and the mobile device is wireless using NFC technology. The mobile device has a valid SIM. We used the existing feature of GSM network for mutual authentication. We tailored their model according to our requirement in our proposed architecture. The proposed protocol executes in three different phases: Authentication, Keys generation and Transaction. The protocol initiates when the customer places his cell phone for the payment after agreeing to the total price displayed on the shop POS terminal. The details of these phases are described in what follows: Phase 1. Authentication Step 1: As soon as the user places his mobile device, NFC link between the mobile device and the shop POS terminal is established. The shop POS terminal sends an ID Request message to the mobile device. Step 2-3: The mobile device sends TMSI, LAI as itsID. On receipt of the information from the mobile device, the shop POS terminal determines the user's mobile network. The network code is available in LAI in the form of Mobile Country Code (MCC) and Mobile Network Code (MNC). An MNC is used in combination with MCC (also known as a ‘MCC/MNC tuple’) to uniquely identify a mobile phone operator/carrier. Step 4-5: The shop POS terminal sends TMSI, LAI, and Shop ID to respective MNO for customer authentication and shop identification. Step 5.1: In case of incorrect TMSI, a declined message is sent. Step 6: In case of correct identification, the MNO generates one set of authentication triplet (R, S, Kc) and sends R to mobile device through shop POS terminal. Step 7-8: SIM computes Kc from R as explained in Section V. SIM generates a random number Rs and concatenates with R, encrypts with key Kc and sends it to the MNO through shop POS terminal. Step 9-10: The MNO checks the validity of the SIM (or mobile device). It receives EKc(R||Rs) from the mobile device and decrypts the message by Kc, the key it already has in authentication triplet. The MNO compares R in the authentication triplet with the R in the response. In case they do not match, a ‘Stop’ message is sent to the mobile device and the protocol execution is stopped. If both R are same, then the mobile is authenticated for a valid SIM. In this case, the MNO swaps R and Rs, encrypts with Kc and sends it to mobile device. Step 11-12: This step authenticates the MNO to the mobile device. The mobile device receives the response EKc (Rs||R) and decrypts it with the key Kc already computed in Step 7. The mobile device compares both R and Rs. If both are same, then the MNO is authenticated and a ‘successful authentication’ message is sent to the MNO. C. Phase 2. Key Generation and PIN Verification Step 13-14:Kp is a shared secret between the MNO and the shop POS terminal. Kc is the shared secret between the MNO and the customer's mobile device (computed in step 7). There is no shared secret between the POS terminal and the mobile device till this stage. MNO and mobile device compute one-way hash function of Kc to generate Kc1, the key that will be used for MAC calculation. The MNO computes Kc2 from Kc1 using one-way hash function and sends it to shop POS terminal by encrypting it with Kp. Mobile device also computes Kc2 as it already has Kc1 . Kc2 is the encryption key between MNO, shop POS terminal and the customer's mobile device. Fig 2.6 The proposed protocol Step 15-17: The shop POS terminal sends the Total Price (TP) and the Receipt Number encrypted with Kc2. The user's mobile device decrypts the information and displays to the user. If he agrees, he enters the PIN. The PIN is an additional layer of security and adds trust between the user and the shopkeeper. A PIN binds a user with his mobile device, so the shopkeeper is to believe that the user is the legitimate owner of the mobile device. Moreover, the user feels more secure as no one else can use his mobile device for transaction without his consent. PIN is stored in a secure location in the SIM. The SIM compares both PINs and if both are same, the user is authenticated as the legitimate user of the mobile device. Otherwise, the protocol is stopped. D. Phase 3. Transaction Step 18: The customer's cell phone generates two messages, PI and TRM, such that; PI= Receipt No, Total Price, Time Stamp (TSU) TRM=PI, Rs, Transaction Counter Step 19:TSU represents the exact time and date the transaction has been committed by the user. TC is a counter that is incremented after each transaction and is used to prevent replay attack. PI is encrypted with Kc2 so that it can be verified by the shop POS terminal. The user encrypts the TRM with Kc so that it cannot be modified by the shop terminal. The user computes MAC with Kc1 over the TRM using Encrypt-then-MAC approach for integrity protection. Step 20-21: The POS terminal can decrypt only the PI encrypted with by Kc2 to check its correctness. The POS terminal does not need to verify the MAC (and it cannot do so), as it already knows the main contents of PI. The Shop POS terminal also verifies the TSU to be in a defined time window. If PI is correct, the POS terminal relays the encrypted TRM with corresponding MAC along with the TSU to the MNO. Step 22: On receipt of the message, the MNO checks the integrity of the message by verifying the MAC with Kc1. If the MAC is invalid, the transaction execution is stopped. In case of a valid MAC, the MNO decrypts the message. The MNO compares the Rs in the TRM with the Rs received earlier in the authentication phase. A correct match confirms that the user is the same who was earlier authenticated.It also verifies the TC and TSU. In case of successful verification, the MNO communicates with the concerned subsections for monetary transaction. The concerned subsections of the MNO checks the credit limitations of the user, and if satisfied, executes the transaction. Once the transaction is executed, the MNO generates Transaction Information (TI) message as: TI = Transaction Serial Number, Amount, TSTr Step 23-25: The MNO encrypts TI with Kc2, digitally signs the message and sends it to the shop POS terminal. The POS terminal verifies the signature. A valid signature indicates correct TI. The POS also verifies the TI for the amount mentioned in the TI. In case of successful verification, the POS terminal appends the message it received from the MNO with the Shopping Details (SD) and corresponding digital signature. Step 26: The user verifies both signatures. It verifies the contents of TI and SD. 2.20.3 EPAYMENT SYSTEMS DATABASE – TRENDS AND ANALYSIS – ELECTRONIC PAYMENT SYSTEMS OBSERVATORY (EPSO) MARCH 2002 by Gérard Carat. Institute for Prospective Technological Studies, Directorate General Joint Research Centre, European Commission This study analyses the evolution of Internet-based payment solutions offered to consumers in Europe. It is based on the observation of 100 electronic payment schemes taken from the e-Payment Systems Inventory, which is one of the deliverables of the electronic Payment Systems Observatory (ePSO) project. The main topics monitored by the report are: the role of non-banks within the payment systems providers; the positioning of telecommunications operators against banks; the main trends of payment solutions according to their level of deployment; the increasing importance of mobile networks and virtual wallets as payment platforms; the comparison between e-purses and pre-paid dedicated accounts; the reaction of banks with respect to virtual wallets; the main platforms that allow micro-payments; how credit cards remain the main Internet payment instrument; the emerging alternatives to credit cards for cross-border payments; the role played by consumer costs in the failure of a payment system. 2.20.4 Modelling, Design, and Analysis of Secure Mobile Payment Systems By Supakorn Kungpisdan Faculty of Information Technology, Monash University(2005) Mobile payment allows users to perform payment transactions through their mobile devices. However, it brings up many emerging issues regarding security and performance of mobile payment systems that can be classified into at least two main problems. The first problem comes from the limitations of wireless environments that are primarily from mobile devices which have limited system resources and from wireless networks which have high connection cost, low bandwidth, and low reliability. In particular, a mobile user may not be able to efficiently perform highly secure transactions, which require high computational cryptographic operations, over the wireless network with the above characteristics. The second problem is the lack of sufficient security of existing mobile payment systems, mainly due to improper protocol design and the deployment of lightweight cryptographic operations which lead to the lack of important transaction security properties. Such problems have motivated the research conducted in this paper. The main purpose of this paper is to propose methods to enable practical and secure mobile payment. The results obtained from it may serve as a basis for protocol designers and system implementers to design and implement secure mobile payment systems and to analyze their existing mobile payment systems. The research conducted here focuses on three different levels of reasoning and securing mobile payment: formal model, framework, and protocol. A formal model for a practical and secure mobile payment system was proposed. In this model, the interactions among engaging parties and properties to be satisfied by the system including goals and requirements for payment transactions, transaction security properties, and trust relationships among parties is formalized. The proposed model can be seen as a guideline for designing and implementing practical and secure mobile payment frameworks and protocols for both account-based and token-based payment. At the framework level, the problems of existing mobile payment frameworks was investigated. Then a framework that not only overcomes the limitations of wireless environments, but also solves the problems of the existing frameworks was introduced. Particularly, a traditional fixed-network payment protocol is well operated in this framework, even more efficiently if a payment protocol specifically designed for wireless environments is applied. In addition, we show that the proposed framework can be captured by the proposed formal model. At the protocol level, a lightweight, yet secure cryptographic technique was proposed. This technique not only reduces the computation at engaging parties, especially at mobile users, but also satisfies the transaction security properties including the trust relationships among engaging parties stated in the proposed formal model. Two account-based mobile payment protocols which deploy the proposed technique was also introduced. We develop a prototype of one of the proposed protocols to demonstrate its practicability as a real world application. The results from the implementation show that the implemented protocol itself operates well in wireless environments, yet has better transaction performance if the proposed mobile payment framework is applied to it. They also demonstrated that both of the proposed protocols have better transaction performance than existing protocols. To show that the proposed framework and protocols satisfy the formal model, they developed a formal logic for analyzing them and successfully prove that they satisfy the goals and requirements for payment transactions and the transaction security properties, stated in the formal model. Combining with the analysis results, it can be concluded that either a payment system based on the proposed framework deploying an existing payment protocol or a payment system based on the proposed protocol operating on an existing framework is considered as a practical and secure mobile payment system because it satisfies all the required properties stated in the model. In addition, they show that the proposed logic is general in that it is able to analyze any kinds of electronic commerce protocols including mobile payment protocols. To enhance the security of the proposed protocols, they introduced a limited-use key generation technique which eliminates the need of long-term shared key distribution among engaging parties prior to each transaction. And then applied the proposed key generation technique to the proposed protocols and discuss its potential applications to other kinds of Internet applications. Finally, to emphasize the generality of the mobile payment model, they propose a (token-based) micropayment protocol for wireless environments that satisfies the proposed model. The protocol deploys the proposed lightweight cryptographic technique to enhance its transaction security. The proposed protocol is prepaid-based, yet extensible to postpaid-based micropayment. This results in a general framework for wireless micropayment. The authors then demonstrated that their micropayment protocol is more secure and has better transaction performance compared to existing micropayment protocols. 2.20.5 A ROBUST CLIENT VERIFICATION IN CLOUD ENABLED M-COMMERCE USING GAINING PROTOCOL by Chitra Kiran N., Dr. G. Narendra Kumar, IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 6, No 2, November 2011 The proposed system highlights a novel approach of exclusive verification process using gain protocol for ensuring security among both the parties (client-service provider) in m-commerce application with cloud enabled service. The proposed system in this paper is based on the potential to verify the clients with trusted hand held device depending on the set of frequent events and actions to be carried out. The framework of the proposed work is design after collecting a real time data sets from an android enabled hand set, which when subjected to gain protocol, will result in detection of malicious behavior of illegal clients in the network. THE PROPOSED SYSTEM The proposed system assumed the attacker or intruder which has an access to the confidential physical information to the trusted hand held device which the user normally use for mobile banking or performing very confidential transaction. In the current 3G enabled cell phone, normally all the phone comes with an inbuilt application of Facebook, Twitter, or some other application like mCheck of Airtel. Therefore, the intruder might also be interested in other alternative resource which is connected with the trusted hand held device like accessing the account details from phone book or message archives etc. Not only this, the presence of an type of malicious applications could also pose a huge threat towards the device and the premium services associated with the device. Example of such attack could be cloning attack where the malicious program will attempt to send information on the victim trusted handheld device to the colluding user available in the network and then slowly poison the network sending certain information of services which by default is supposed to create an event after it. Such types of lethal threat can be prevented by considering the message packets being digitally signed by the subscriber identity module card which will be most difficult to be duplicated. The consistent malicious programs on the mobile phones will able to have more lethal effect as the complete control structure will be robustly created by the attacker for which every event performed from the device can be monitored by the intruder. It also raises possibility of duplication of the action performed by the genuine user by the fraudulent user. Not only this various availability of spy softwares will increase the threat exponentially. The proposed solution against such types of issues is highlighted in this paper as a system knowledge acquiring algorithm. The proposed system initially acquires knowledge from a client’s system from their previous actions. Current Actions Previous Actions Gaining Algorithm Client Framework Knowledge Acquiring protocol Gain value Fig 2.7 Proposed Architecture . In order to design a robust verification assessment in real-time scenario, the proposed system uses a gaining protocol which assess the client system and their recent actions performed in previous history of transactions or any other activities over the device and then it yields a gain value identifying the probability that the genuine client is utilizing the trusted hand held device. The gain value is considered to design a verification decision which characteristically uses a threshold factor in order to choose whether to accept or to decline the genuine user. Not only this, the threshold factor can also deflect from diverse application, which is dependent on if the system is responsive to optimal security measure. The gain value could also be considered for a dual aspect gauge to supplement conventional secret word based authentication system, which we use currently. The actions of the genuine client are characterized by the client system framework. An immature framework can be discussed where it can be considered about the liberty among the various diversified sections of user actions. Representing alternatively, it can also be considered that the client’s trusted hand held device is free from their location, usage of the service, as well as any other activities. The framework assumed the client’s actions performed is completely dependent on the instant of the time in day as well as week, probably can be month too. To cite an example, it can be said that one client might use both incoming as well as outgoing calls very frequent in morning but might not work out in outgoing calls in afternoon. He might get only frequent calls in afternoon. Let F1, F2,…., Fk represents independent arbitrary feature variable. Let is assume F1 is time elapsed since the previous good calls, F2 is inter arrival time between bad calls, F3 represents location coordinates etc. The good call represents the incoming or outgoing calls done from the genuine user phone book and bad calls represents any incoming or outgoing calls which are not listed in the memory of the phone or a SIM card. The client’s framework is a multiplication of R probability function trained on the variable T as instance of time. Therefore client’s framework is, [P(F1/T),P(F2/T),. . . P(FR/T] The knowledge acquiring protocol fundamentally computes such functions structuring client’s model. THE GAINING PROTOCOL With a facilitated client’s framework and previously known set of actions of the client, the gaining protocol yields a gain value representing the probability that the trusted handheld device is under the control of genuine user. This can also be described as gaining independent charecteristics. The gaining function is developed in a very secure and robust way under the independent characteristic framework. The client current actions can be represented as tuple (T, F1, F2, .., FR) where current time is shown as T and F1, F2, ….FR represents the values of variables (F1, . . . , FR) at instant of time t. The significant perception for this logic is to evaluate a discreet gain for each feature and then utilize it a function in order to gather such distinctive gain values into a final evaluation. Fundamentally, we will have R gaining functions represented as G G1(f1)=1-H(f1|T=t) (1) The gain function for the client position might be allocated to a position visited at a specific time of day a gain which is inversely proportional to the Euclidean distance to the nearest position group which is connected with that specific instant of the day. A client who specifically is at “office” group during office hours and at a “resident” group at night can receive the maximum gain for being positioned at an expected group at the expected time. Position near expected group would receive incomplete credit which reduces to “0” as the distance to the group increments. The next phase will be knowledge acquiring with gaining protocol. With the facilitated distinctive gain values for the R different characteristics, the system calls f(G1(f1), . . GR(vR)) to evaluate the final value of gain. Citing an example, let us say that each gain Gi(f1) (1<i<R) is the feasibility of the fi, which means Gi(fi)=Pr[Vi=vi] as in equation (1). Exactly after this step, a common process to combine the gain values is to estimate the combined feasibility of (f1, . . , fR). The final gain value will be the multiplication of these feasibilities: f(g1, . . , gR)=g1.g2.. . gR. Or else alternative feasible structure for function is a weighted addition: f(g1, . . , gR):= w1.g1+w2.g2+ . . .+wR.gR. The weights w1, . . , wR has to be estimated through a potential training procedure. In order to acquire knowledge using gaining protocol, we need to consider that the system gather set of actions from the individual clients. This collection of information will be categorized into evaluation set and training set. The training set will comprise of utility as positive samples in the training procedure. The system in hybrid method generates attack information for training process. In specific, the system will deploy wedging procedure for creating negative samples. That will mean if a client P and client Q come into view in the proximity of each other at instant of time t, than the system wedge the information for P before t and the information for Q after time t. The proposed framework represents a hybrid process of initiating an attack model where Q picks up or intrude P’s trusted hand held device and initiates using it maliciously. In practicality, Q could be any associated relation or may be completely outsider (stranger). Training the weights w1, . . , wR can be represented as a issue of minimization which will mean that if the system fixes the rate of false negative e.g. it can be said that a genuine legal client is declined the permission of access and has to feed the password frequently in day. Therefore the proposed system aims at minimize the rate of false positive which is failure to identify an attack and the time till the detection in the presence of an attack. 2.21 Related Applications In this section we describe the most popular and recent cloud-based mobile payments which have been developed by well-known companies. A. Google Wallet One of the major companies which operates the concept of mobile wallet is Google. They named this service as "Google Wallet" (Google, 2013; Ronald et al., 2013). The communication between the mobile phone and the POS is carried out through NFC technology that transmits the payment details to merchant's POS. Customer credentials are not stored in the mobile phone; rather, they are stored online. Google Wallet takes the form of an application stored on the customer's mobile phone. The customer will have an account with Google Wallet which includes the relevant registered credit/debit cards. Accordingly, the Google Wallet device has a chip /SE which stores encrypted payment card information. Linked credit or debit card credentials are not stored on the SE; rather, the virtual prepaid credit/debit card which is created during the setup is stored on the SE. The transaction then operates through the virtual prepaid credit/debit card that transfers funds from the Google Wallet into the merchant's POS when the customer taps his phone on the POS. B. MasterPass "MasterPass" (Mastercard, 2013; Bodhani, 2013) is a service which has been developed by MasterCard as an extended version of PayPass Wallet Services (NFC World, 2013) and provides a digital wallet service for secure and convenient online shopping. In MasterPass, delivery information and transaction data are stored in a central and secure location. The latest MasterPass provides the following services (NFC World, 2013):  MasterPass checkout services: This service enables the vendor’s payment acceptance in a consistent way irrespective of the client’s location. This means vendors have the ability to accept a payment without having to know where the client is. For instance, when the client is in store, he can use this service since it supports NFC, Quick Response (QR) codes, tags, and mobile devices to pay for products at a vendor’s POS. Thus, in online shopping scenarios, the client can use this service to pay for a product without having to enter the card and delivery details every time he intends to make a purchase.  MasterPass-connected wallets: Vendors, financial institutions, and partners are able to provide their own wallets using this service. The client’s card information, address books, etc. can be saved in a secure cloud provided by a party they trust. Thus, clients can use other credit and debit cards in addition to their MasterCard’s cards.  MasterPass value added services: The purpose of this service is to improve the client’s shopping experience before, during and after checkout. Value added services include account balances, offers, loyalty programs, and real-time alerts. REFERENCES European Payments Council .(White paper on mobile payments) Mobile phone as a wallet by Alcatel lucent (2010) http://www.gsma.com/digitalcommerce/digital-mobile-wallets Cloud Computing and Computing Evolution MARKUS BÖHM, STEFANIE LEIMEISTER, CHRISTOPH RIEDL, HELMUT KRCMAR, Technische Universität München (TUM), Germany The Mobile Money Revolution (May 2013) by ITU-T Technology watch report White Paper, “Mobile Cloud Computing Solution Brief,” AEPONA, (November 2010). Mell P, Grance T. The NIST Definition of Cloud Computing-Recommendations of the National Institute of Standards and Technology [online]. Gaithersburg, MD 20899- 8930: National Institute of Standards and Technology; September 2011 URL: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf. Accessed 25 January 2013. Plummer DC, Bittman TJ, Austin T, Clearley D, Smith DM. Cloud computing: Defining and describing and emerging phenomenon. Stamford, CT 06902-7700 U.S.A: Gartner Inc.; (2008). The 451 group. Market monitor : Cloud Computing. New York: 451 Research. URL: https://451research.com/market-monitor-cloud-computing [online]. Accessed 4 February 2013. Carr N.The Big Switch - Rewiring the World from Edison to Google.New York:WW Norton & Company, Inc.; (2009). Rittinghouse WJ, Ransome FJ. Cloud Computing Implementation, Management, and Security. Boca Raton, FL: CRC Press; (2010) Hurwitz J, Bloor R, Kaufman M, Halper F. Cloud computing for dummies. Indianapolis, Indiana: Wiley Publishing, Inc.; (2010). Fan X, Cao J, Mao H. A Survey of Mobile Cloud Computing [online]. ShenZhen, P.R.China: ZTE Corporation; (2011). URL: http://wwwen.zte.com.cn/endata/magazine/ztecommunications/2011Year/no1/articles/2 01103/t20110318_224532.html. Accessed 07 December 2012. X. Yang, T. Pan, and J. Shen, “On 3G Mobile E-commerce Platform Based on Cloud Computing,” in Proceedings of the 3rd IEEE International Conference on Ubi-Media Computing (U-Media), pp. 198 - 201, (August 2010). W. Zhao, Y. Sun, and L. Dai, “Improving computer basis teaching through mobile communication and cloud computing technology,” in Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE), vol. 1, pp. 452 - 454, (September 2010). U. Varshney, “Pervasive healthcare and wireless health monitoring,” Journal on Mobile Networks and Applications, vol. 12, no. 2-3, pp. 113 - 127, (March 2007). C. Doukas, T. Pliakas, and I. Maglogiannis, “ Mobile Healthcare Information Management unitizing Cloud Computing and Android OS,” in Annual International Conference of the IEEE on Engineering in Medicine and Biology Society (EMBC), pp. 1037 - 1040, (October 2010). E. Cuervo, A. Balasubramanian, Dae-ki Cho, A. Wolman, S. Saroiu, R. Chandra, and P. Bahl, “MAUI: Making Smartphones Last Longer with Code offload,” in Proceedings of the 8th International Conference on Mobile systems, applications, and services, pp. 49-62,( June 2010). Z. Ye, X. Chen, and Z. Li, “Video based mobile location search with large set of SIFT points in cloud,” in Proceedings of the 2010 ACM multimedia workshop on Mobile cloud media computing (MCMC), pp. 25-30, (2010). Alliance, S. C. (2011) ‘The Mobile Payments and NFC Landscape: A US Perspective’, Smart Card Alliance. Iosup, A., Yigitbasi, N., & Epema, D. (2011) ‘On the performance variability of production cloud services’ In proceedings of the 11th International Symposium on Cluster, Cloud and Grid Computing (CCGrid),IEEE. pp. 104-113. ISO/IEC 18092 (2004) Near Field Communication - Interface and Protocol (NFCIP-1), International Organization for Standardization (ISO) Std. Kounelis, I., Loschner, J., Shaw, D., & Scheer, S. (2012) ‘Security of service requests for cloud based m-commerce’ in proceedings of the 35th International Convention. IEEE. pp. 1479-1483. Ko, R. K., Lee, B. S., & Pearson, S. (2011) ‘Towards achieving accountability, auditability and trust in cloud computing’ in Advances in Computing and Communications. Springer Berlin Heidelberg. pp. 432-444. Google (2013). Goole Wallet. Available at: http://www.google.co.uk/wallet/faq.html. [Accessed 3 April 2014]. MasterCard (2013). MasterPass. Available at: https://masterpass.com/online/Wallet/Help?cid=127568. [Accessed May 12, 2014]. Bodhani, A. (2013) ‘New ways to pay [Communications Near Field]’, Engineering & Technology, 8(7), pp. 32-35. 95