Seminar Report On M-Commerce & Its Security Issues
By SAMEER YADAV
Contents
2 M-COMMERCE: Basics
2.1 M-Commerce: Definition
2.2 Mobile devices
2.3 Features of m-commerce
2.4 Differences to E-Commerce: Advantages and Disadvantages
2.5 Framework
3 KEY ISSUES
3.1 Security Issues
3.2 Wireless User Interface and Middleware Issues
3.2.1 Wireless and mobile middle-ware for mobile commerce
3.3 Wireless Networking Infrastructure
3.4 Issues for Carriers and Developers
4.2.2 WTLS
4.3 Service Security
4.3.1 Intelligent Network
4.3.2 Parlay/OSA
4.3.3 SMS
4.3.4 USSD
4.3.5 SIM/USIM Application Toolkit
6 M-PAYMENT
6.1 Background on payment systems
6.2 Distinctive features of payment systems
6.3 Categorization of M-payment systems
6.3.1 Software electronic coins
6.3.2 Hardware electronic coins
6.3.3 Background account
6.4 Standardization and forums
INTRODUCTION AND OVERVIEW
envisioned and developed so far assume fixed or stationary users with wired infrastructure, such as a browser on a PC connected to the Internet using phone lines or a Local Area Network. A new e-commerce application such as wireless e-commerce or mobile e-commerce makes it possible to reach the consumer directly, regardless of where he is.
Though e-commerce has grown as expected, M-Commerce has not taken off in the same way for the use of goods and services. Wireless services are not available everywhere, and consumers often do not feel safe or happy buying with their phone. As technology improves, this may change. For now, consumers use M-commerce as a portable friend to communicate and to do transactions. When consumers feel secure, they buy. As the younger generation grows up with wireless, business models will further develop M-Commerce.
The emergence of M-commerce, a synonym for wireless e-commerce, allows one to perform the same functions that can be done over the Internet. This can be done by connecting a PDA to a mobile phone, or even a portable PC connected to a mobile phone. Mobile commerce is perfect for the group who always keep a mobile phone by their side at all times. A study from the Wireless Data and Computing Service, a division of Strategy Analytics, reports that the mobile commerce market may rise to The report predicts that transactions via wireless devices will generate about 14 billion dollars a year. With the omnipresent availability of mobile phones (and other mobile devices), M-commerce services have a promising future, especially in the B2C market. Future applications include buying over the phone, purchase and redemption of ticket and reward schemes, travel and weather information, and writing contracts on the move.
However, the success of m-commerce very much depends on the security of the underlying technologies. For example, today the chargeback rate for credit card transactions on the Internet is 15 percent, versus 1 percent for POS (Point-of-Sales) credit card transactions. Chargeback rates grow to 30 percent when digital products are sold. For m-commerce to take off, fraud rates have to be reduced to an acceptable level. As such, security can be regarded as an enabling factor for the success of m-commerce applications. In this paper, we discuss two main areas of m-commerce that are relevant to security, namely:
• Network technology - In m-commerce, all data is transmitted via a mobile telecommunication network. Here, we consider existing network and service technologies for 2G (2nd Generation), 3G (3rd Generation) and other wireless systems.
• M-payment (mobile payment) - Doing business on the Internet requires the payment of goods and services. M-payment systems have different requirements and characteristics than e-payment systems. Here, we give an overview of current payment technology.
service was launched in 1997 by Merita Bank of Finland, also using SMS. In 1998,
the first sales of digital content as downloads to mobile phones were made possible
when the first commercial downloadable ringtones were launched in Finland by
Radiolinja. Two major national commercial platforms for mobile commerce were
launched in 1999: Smart Money (http://smart.com.ph/money/) in the Philippines,
and NTT DoCoMo’s i-Mode Internet service in Japan. Mobile-commerce-related
services spread rapidly in early 2000. Norway launched mobile parking payments.
Austria offered train ticketing via mobile device. Japan offered mobile purchases of
airline tickets.
The first book to cover mobile commerce was Tomi Ahonen’s M-profits in 2002. The first university short course to discuss mobile commerce was held at the University of Oxford in 2003, with Tomi Ahonen and Steve Jones lecturing. As of 2008, UCL Computer Science and Peter J. Bentley demonstrated the potential for medical applications on mobile devices. PDAs and cellular phones have become so popular that many businesses are beginning to use mobile commerce as a more efficient way to communicate with their customers. In order to exploit the potential mobile commerce market, mobile phone manufacturers such as Nokia, Ericsson, Motorola, and Qualcomm are working with carriers such as AT&T Wireless and Sprint to develop WAP-enabled Smartphones. Smartphones offer fax, e-mail, and phone capabilities.
Since the launch of the iPhone, mobile commerce has moved away from SMS
systems and into actual applications. SMS has significant security vulnerabilities and
congestion problems, even though it is widely available and accessible. In addition,
improvements in the capabilities of modern mobile devices make it prudent to place
more of the resource burden on the mobile device.
More recently, brick and mortar business owners, and big-box retailers in particular, have made an effort to take advantage of mobile commerce by utilizing a number of mobile capabilities such as location based services, barcode scanning, and push notifications to improve the customer experience of shopping in physical stores. By creating what is referred to as a ’bricks & clicks’ environment, physical retailers can allow customers to access the common benefits of shopping online (such as product reviews, information, and coupons) while still shopping in the physical store. This is seen as a bridge between the gaps created by e-commerce and in-store shopping, and is being utilized by physical retailers as a way to compete with the lower prices typically seen through online retailers.
M-COMMERCE: Basics
• Mobile phone
• Smart phone - The smart phone combines mobile phone and PDA technology
into one device
Each mobile device has certain characteristics that influence its usability, such as
• Availability of internal smart card reader (e.g. for a SIM card in mobile phones)
Depending on these factors, the services that the end user can receive differ considerably. Moreover, depending on the network technology used for transmission, the bandwidth capacity varies and influences the kind of services that the end user is able to receive. In mobile phones, there exist three solutions to internal smart cards: single SIM, dual chip, and dual slot. Single SIM is the solution that is most widely available today, where all confidential user information is stored on one smart card. Dual chip means that there are two smart cards in the mobile phone, one for user authentication to the network operator and one for value-added services like m-payment or digital signature. A dual slot mobile phone has a SIM card and a card slot for a full-sized external smart card. With this solution different cards can be used one after the other. Moreover, the cards can also be used in traditional POS and ATM terminals.
• Ubiquity - The end user device is mobile, that is, the user can access m-commerce applications in real time at any place.
• Security - Depending on the specific end user device, the device offers a certain level of inherent security. For example, the SIM card commonly employed in mobile phones is a smart card that stores confidential user information, such as the user’s secret authentication key. As such, the mobile phone can be regarded as a smart card reader with smart card.
• Convenience - The size and weight of mobile devices and their ubiquity and accessibility make them an ideal tool for performing personal tasks.
• Personalization - Mobile devices are usually not shared between users. This makes it possible to adjust a mobile device to the user’s needs and wishes (starting with the mobile phone housing and ringtones). On the other hand, a mobile operator can offer personalized services to its users, depending on specified user characteristics (e.g. a user may prefer Italian food) and the user’s location (see above).
• Mobile devices are more prone to theft and destruction. According to a government report, more than 700000 mobile phones are stolen in the UK each year. Since mobile phones are highly personalized and contain confidential user information, they need to be protected according to the highest security standards.
• The communication over the air interface between mobile device and network introduces additional security threats (e.g. eavesdropping).
2.5 Framework
We are aware that consensus within business and industry on future applications is still in its infancy. However, we are interested in examining those future applications and technologies that will form the next frontier of electronic commerce. To support future applications and to allow designers, developers and researchers to strategize and create mobile commerce applications, a four-level integrated framework is proposed. The four levels are m-commerce applications, user infrastructure, middleware and network infrastructure; this layering simplifies design and development. By following this framework, a single entity is not forced to do everything to build m-commerce systems; rather, it can build on the functionalities provided by others. The framework also provides a developer and provider plane to address the different needs and roles of application developers, content providers and service providers. Fig. 2.1 depicts the Framework of M-commerce in brief (cf. [10]).
A content provider can build its service using applications from multiple application developers, can aggregate content from other content providers, and can supply the aggregated content to a network operator or service provider. Service providers can also act as content aggregators, but are unlikely to act as either an application or content provider due to their focus on the network and service aspects of m-commerce.
Wireless carriers can play a very active and important role in mobile commerce applications and services because the mobile user goes through their network to perform all mobile commerce transactions. The mobile user is likely to prefer a common bill for voice, data and mobile commerce services. Fig. 2.2 shows the Life Cycle of Mobile commerce (cf. [10]).
KEY ISSUES
• The mobile device - Confidential user data on the mobile device as well as
the device itself should be protected from unauthorized use. The security
mechanisms employed here include user authentication (e.g. PIN or password
authentication), secure storage of confidential data (e.g. SIM card in mobile
phones) and security of the operating system.
• The network operator infrastructure - Security mechanisms for the end user
often terminate in the access network. This raises questions regarding the
security of the user’s data within and beyond the access network. Moreover,
the user receives certain services for which he/she has to pay. This often
involves the network operator and he/she will want to be assured about correct
charging and billing.
• Ability to work with and adapt to mobile commerce applications with diverse
requirements,
• An operating system that can manage resources to support many of the functions.
Some of these features are already available in hand-held devices. Many of these
capabilities will increase the size and weight significantly, and thus, potentially affect
the usability and portability of these devices.
and modify the structure, content and style of HTML and XML documents. Fig.
3.1 above shows the Mobile middleware for application and content adaptation (cf.
[9]).
Networking requirements             Specific attributes
Multicast support                   • support for multicast in infrastructure wireless networks
Network dependability               • impact and frequency of component failure
                                    • fault-tolerant design
Quality of service                  • bandwidth requirements
Roaming across multiple networks    • handoff among multiple wireless networks

Issues                              Comments
Network processing and storage      • Bandwidth and delay requirements (real-time vs. non-real time applications)
requirements                        • Disconnected operation
Application Development             • Use of any existing Software Development Kit (SDK)
Compatibility and interoperability  • Independence from the underlying wireless access technologies
                                    • Interoperability with IP
Desirable features                  • Support for intermittent connectivity
                                    • Easy upgradability
Wireless carriers also face challenges involving how to price mobile commerce services, and because several carriers are likely to be involved in completing a mobile commerce transaction, another issue is how to divide revenues among multiple carriers. There are many important issues that need to be addressed before mobile commerce applications can be widely deployed. These include the development of new business models for charging wireless customers and for revenue division among providers, maturity of application software, middle-ware support, vendor support and the user trust necessary for conducting mobile transactions. There are some important issues for developers of m-commerce applications. These issues are presented in Table 3.2 above (cf. [13]). Due to the potential values of many mobile commerce applications, atomic transactions may be necessary. It is possible that the mobile middle-ware may provide most of such functions, thus reducing the amount of work needed to support atomic transactions.
Chapter 4
In this chapter, we give an overview of the technologies which are relevant to secure
m-commerce transactions. We focus on those network and service technologies which
are specific to mobile devices.
4.1.1 GSM
GSM (Global System for Mobile Communication) is the current European standard
for mobile communications. Since GSM handsets are popular and widespread, they
have to be considered as the major device for mobile commerce at the moment. In
the first years of GSM (beginning of the 1990s), the devices were very limited with
respect to their capabilities other than telephony. Dial-in data sessions over circuit
switched connections were possible but relatively slow (9.6 Kbit/s) and required a
separate device (computer) which reduces mobility. As the GSM core network was
extended with more and more data service elements, the cellular phones also became
more powerful. A number of data services were established:
• SMS (Short Message Service) allows the exchange of 160 character short messages over the signaling channel.
• HSCSD (High Speed Circuit Switched Data) provides higher data rates by channel bundling.
• GPRS (General Packet Radio Service) extends GSM with packet oriented services. With GPRS, the mobile node can stay “always on” without blocking a connection timeslot with the base station. GPRS can also be used as a bearer service for WAP and SMS.
The basic architecture of GSM including GPRS, IN (intelligent network) and SMS
components is depicted in Figure 4.1 above (cf. [3]).
The mobile station communicates over the wireless interface with a base transceiver station (BTS), which is part of a base station subsystem (BSS). The base station controller (BSC) is connected with an MSC (Mobile Switching Centre) and an SGSN (Serving GPRS Support Node). The latter two are the central switching components for circuit and packet switched data. When a customer subscribes, the GSM home network assigns the mobile station a unique identifier, the international mobile subscriber identity (IMSI), and an authentication key Ki. The IMSI and the secret authentication key Ki of the mobile station (MS) are stored in the SIM (subscriber identity module), which is assumed to be tamper proof. On the network side, the IMSI, Ki and other information are stored in the HLR (Home Location Register) and AuC (Authentication Centre). GSM provides the following security features for the link between the mobile station and the network (cf. [7]):
• IMSI confidentiality
• IMSI authentication
weaknesses: since the network is not authenticated, a false base station can perform
a “man-in-the-middle” attack. The base station can suppress IMSI confidentiality
and encryption and this is not even visible to the mobile station.
4.1.2 UMTS
4.1.3 WLAN
The IEEE standard 802.11 specifies families of Wireless Local Area Networks
(WLAN) which operate in the unlicensed 2.4 GHz and 5 GHz band. The standards
specify the physical layer and the medium access control layer. For the network
layer and above, WLAN employs a classical IP stack. A number of commercial
products (even for PDAs) are available, and IEEE 802.11b, offering 11 Mbit/s raw
bandwidth, is currently very popular. When operated in the infrastructure mode,
the mobile station attaches to an Access Point which provides connectivity to fixed
net IP networks or to other mobile stations. In the default mode, WLAN does
not provide any security. This means that a mobile attacker can eavesdrop and
manipulate all the wireless traffic with standard tools. In order to provide a certain
level of security, the IEEE defined WEP (Wired Equivalent Privacy). WEP was
designed to provide:
• Authentication to protect the association to an AP
WEP cannot be remedied by the new authentication and key management schemes
in 802.1X. The IEEE is currently working towards a new standard (WEP2), and a
number of proposals are in circulation. Another approach is to employ VPN (virtual
private network) technologies and in particular IPsec in order to establish network
layer security. The IPsec protocol (or more specifically the ESP Tunnel protocol) is
an internet standard (cf. [8]) for the protection of IP packets between two nodes (e.g.
a mobile station and a security gateway). This architecture is depicted in Figure
4.3 above (cf. [3]). Note that link layer specific information (e.g. MAC addresses)
is still unprotected.
4.1.4 Bluetooth
Bluetooth is a wireless technology developed by the Bluetooth Special Interest Group and mainly aims at ad hoc piconets and connections to peripheral devices. Bluetooth also operates in the unlicensed 2.4 GHz band and can be considered a de facto standard. The Bluetooth specification defines a complete
OSI stack, so, unlike WLAN, it is not restricted to IP connectivity. Although raw
bandwidth is limited to 1 Mbit/s, the Bluetooth technology will probably often be
used in the future to connect devices in the personal environment, which makes it
relevant for m-commerce. Bluetooth specifies three security modes, including “no
security”. Bluetooth provides link layer security with a challenge-response protocol
for authentication and a stream cipher encryption of user and signaling data (cf.
[2]). When the connecting devices do not share a key in advance, they have to
establish an initialization key in a pairing procedure. This is based on a PIN, which
must be entered into both devices (or imported from some application). Bluetooth
can currently be considered secure for small ad hoc networks, provided the pairing
happens in a safe environment and the PIN is strong enough. The existing attacks
are still theoretical in nature. However, privacy requirements may not be met since
the Bluetooth device address (unique MAC address) allows the tracing of personal
devices and hence their owner.
4.2.1 SSL/TLS
The SSL/TLS protocol is by far the most widely used internet security protocol. Its main application is the HTTPS protocol (HTTP over SSL), but it may also be used as a standalone protocol. SSL requires a bidirectional byte stream service (i.e. TCP). Sun has implemented a client side version of SSL for limited devices, called KSSL (Kilobyte SSL). KSSL does not offer client side authentication and only implements certain commonly used cipher suites, but it has a very small footprint and runs on small devices using the J2ME platform.
4.2.2 WTLS
The WAP Forum has standardized a transport layer security protocol (WTLS) as part of the WAP 1 stack. WTLS provides transport security between a WAP device (e.g. a mobile phone) and a WAP gateway which performs the protocol transformation to SSL/TLS. Hence, no real end-to-end security is provided and the WAP Gateway needs to be trusted. Note that the WAP Forum now proposes a WAP 2 stack which is a classical TCP/IP stack on a wireless bearer medium. This permits end-to-end SSL/TLS sessions.
4.3.2 Parlay/OSA
Parlay/OSA (Open Service Access) is an initiative of the industry (Parlay group), ETSI and 3GPP and aims at introducing standard interfaces to network services. The IN platform and its SS7-based protocols like INAP and CAP are relatively complex, and generation of services is reserved to operators and manufacturers. Parlay now offers a standard application programming interface which allows service provisioning on IT platforms using standard middleware. The Parlay/OSA framework then provides gateway functionality between applications and Service Capability Features (SCFs) of the IN. M-Commerce applications can then access core network functionality, e.g. inquire status and location of a mobile user, send messages or place calls. Parlay/OSA applications are portable among networks, which is usually not possible with IN services. Security is an important issue, since Parlay/OSA potentially opens the core network to intruders. Parlay/OSA specifies authentication and encryption on the application layer. But the security also depends on the underlying network architecture, e.g. firewalls and strict policies should protect core network components.
4.3.3 SMS
SMS (short message service) is a very popular data service for GSM networks. Although SMS messages are limited to 160 characters, a considerable number of m-commerce scenarios are based on this service. The sender and receiver of an SMS are identified by their IMSI, which an attacker cannot forge without breaking the GSM/UMTS security mechanisms (e.g. by cloning a SIM card). Hence SMS messages can be used for authentication (at least towards the network). Furthermore, SMS data is transmitted in the GSM (UMTS) signaling plane, which ensures the confidentiality of messages. However, the protection ends in the GSM or UMTS network; there is no end-to-end security, and the network operator and its infrastructure (e.g. SMSC, Short Message Service Centre) must be trusted (when no other security mechanisms are applied to the SMS message, confer section on SIM/USIM Applications below).
4.3.4 USSD
The GSM Unstructured Supplementary Service Data (USSD) service allows data communication between a mobile station and either the HLR, VLR, MSC or SCP in a way transparent to the other network entities. Unlike the asynchronous SMS service, a USSD request opens a session which may induce other network operations or a USSD response before releasing the connection. Mobile originated USSD may be thought of as a trigger for a network operation. USSD works with any mobile phone since the coded commands are entered in the same way as a phone number. With USSD, roaming can be offered for prepaid GSM customers before IN services (CAMEL) are implemented in a network. Another USSD application (requiring CAMEL phase 2) is replenishing a prepaid account by incorporating the voucher number in a USSD string. In principle, any transaction, e.g. a payment operation, could be triggered by USSD data. USSD possesses no separate security properties; instead it relies on the GSM/UMTS signaling plane security mechanisms.
applications can e.g. send, receive and interpret SMS or USSD strings. Currently, there exist banking applications using SAT. The required security mechanisms are:
• Authentication
• Message Integrity
• Message Confidentiality
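An added example, not part of the original report or of any SIM Application Toolkit specification: a minimal application-layer envelope that gives an SMS payload authentication, integrity and replay protection end to end, so that the SMSC does not have to be trusted for them. The framing (sender id, counter, truncated HMAC-SHA256 tag), the sample key and all names are assumptions made for illustration; confidentiality is left out because it needs a cipher that Python's standard library does not provide.

```python
import hashlib
import hmac
import struct

SMS_MAX_OCTETS = 140             # user data of one SMS (160 seven-bit characters)
TAG_LEN = 8                      # HMAC-SHA256 truncated to save payload space
HEADER = struct.Struct(">IQ")    # hypothetical framing: sender id, message counter


class Rejected(Exception):
    """Raised by the receiver; the reason is the exception text."""


def _tag(key: bytes, header: bytes, body: bytes) -> bytes:
    return hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, sender_id: int, counter: int, body: bytes) -> bytes:
    """Build header || body || tag for one SMS; refuse payloads that do not fit."""
    header = HEADER.pack(sender_id, counter)
    message = header + body + _tag(key, header, body)
    if len(message) > SMS_MAX_OCTETS:
        raise ValueError("payload does not fit into a single SMS")
    return message


class Receiver:
    """Bank-side endpoint holding one shared key per subscriber application."""

    def __init__(self, keys: dict[int, bytes]) -> None:
        self._keys = keys
        self._highest_seen: dict[int, int] = {}

    def accept(self, message: bytes) -> bytes:
        if not HEADER.size + TAG_LEN <= len(message) <= SMS_MAX_OCTETS:
            raise Rejected("bad length")
        header = message[:HEADER.size]
        body, tag = message[HEADER.size:-TAG_LEN], message[-TAG_LEN:]
        sender_id, counter = HEADER.unpack(header)
        key = self._keys.get(sender_id)
        if key is None:
            raise Rejected("unknown sender")
        # Authentication and integrity: only a key holder can produce the tag,
        # and any change to header or body invalidates it.
        if not hmac.compare_digest(tag, _tag(key, header, body)):
            raise Rejected("bad tag")
        # Replay protection: evaluated only after the tag has been verified.
        if counter <= self._highest_seen.get(sender_id, -1):
            raise Rejected("replay")
        self._highest_seen[sender_id] = counter
        return body


def _reason(receiver: Receiver, message: bytes) -> str:
    try:
        receiver.accept(message)
        return "accepted"
    except Rejected as exc:
        return str(exc)


def sms_demo() -> dict:
    key = bytes(range(32))                       # constructed sample key
    bank = Receiver({7: key})
    sms = protect(key, sender_id=7, counter=1, body=b"PAY 500 TO 4711")
    delivered = bank.accept(sms)
    # Constructed case: the body is changed somewhere between the endpoints.
    altered = sms.replace(b"500", b"900")
    try:
        protect(key, 7, 2, b"x" * 121)           # one octet more than fits
        oversize = False
    except ValueError:
        oversize = True
    return {"delivered": delivered, "tampered": _reason(bank, altered),
            "replayed": _reason(bank, sms), "oversize": oversize}


if __name__ == "__main__":
    print(sms_demo())
```

The 8-octet tag is a space trade-off forced by the 140-octet limit; header and tag together leave 120 octets for the message body.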
EMERGING M-COMMERCE APPLICATIONS
with specific needs, interests, and inclinations. It is also possible that direct advertising to users may be performed without much control from the wireless service providers.
This class of application involves location tracking of goods, services and even people. The tracking of goods may help service providers in determining the time of delivery to the customer, thus improving customer service and obtaining a competitive edge over other businesses. One very interesting application is rolling inventory, which may involve multiple trucks carrying a large amount of inventory while on the move. Whenever a store needs certain goods/items, it can locate a truck (preferably in a nearby area) and just-in-time delivery of goods can be performed. The rolling inventory and delivery application can reduce the amount of inventory space and cost for both vendors and stores and may reduce the time between when an order is placed and the goods are delivered (shown in figure 5.3 above) (cf. [13]).
Location tracking of components can be broken into two components: indoor and outdoor. Indoor tracking can be performed by a chipset (TX/RX) and location information may be transmitted over a satellite or cellular/PCS system to the component supplier where such information is needed.
This would help reduce anxiety levels of owners and improve the general conditions of automobiles on the road, leading to a reduced number of traffic jams, accidents and even fatalities. From the technological point of view, automobiles can be equipped with smart sensors that keep track of how much wear and tear a car component has gone through. This information can then be transmitted using a radio/microwave/satellite system to a specified service center or other location. Some implications of such applications are privacy, security, reliability and cost of deployment.
Chapter 6
M-PAYMENT
• Time of payment
• Payment amount
• Anonymity issues
• Security requirements
Time of payment denotes the relation between the initiation of a payment transaction and the actual payment. In pre-paid payment systems, the customer’s account is debited before the payment and the amount is stored, for example, on smart cards, in specific customer accounts or as electronic cash. In pay-now payment systems, the customer’s account is debited at the time of payment, and in post-payment systems, payment can be regarded as a ’payment promise’ where the merchant’s account is credited before the customer’s account is debited (for example, credit card systems). The payment amount has an influence on the design of electronic payment protocols.
Electronic payment systems often originate with conventional payment systems. As such, cash-like payment systems should provide anonymity to the customer. Generally, integrity, authentication, authorization, confidentiality, availability, and reliability issues need to be considered, depending on the specific requirements of an electronic payment system. Offline payment validation means that no third party is involved during the payment procedure, whereas online payment validation involves some kind of background payment server as a trusted third party. The latter causes an additional communication overhead, but reduces certain risks, e.g. double spending. The above discussion summarizes some distinctive features of payment systems.
There are other issues such as
The above list of distinctive features gives an idea of the complexity and variety of
payment systems.
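An added example, not from the original report: offline versus online payment validation for software electronic coins, showing that a coin presented twice is caught only at settlement in the offline case but is refused immediately by the background payment server in the online case. The coin format, the HMAC-based issuer tag and all class names are assumptions; the offline merchants are assumed to hold the verification key in tamper-resistant terminals.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    serial: bytes   # unique per coin, chosen by the issuer
    value: int      # amount in minor currency units
    tag: bytes      # issuer's MAC over serial and value


def _mac(key: bytes, serial: bytes, value: int) -> bytes:
    return hmac.new(key, serial + value.to_bytes(8, "big"), hashlib.sha256).digest()


def is_authentic(key: bytes, coin: Coin) -> bool:
    """True if the coin was minted by the holder of `key` and is unmodified."""
    return hmac.compare_digest(coin.tag, _mac(key, coin.serial, coin.value))


class Issuer:
    """Mints coins; in online mode it is also the background payment server."""

    def __init__(self) -> None:
        # Assumption: merchant terminals hold this key in tamper-resistant
        # hardware so they can check coins without contacting the issuer.
        self.key = secrets.token_bytes(32)
        self._spent: dict[bytes, str] = {}   # serial -> first merchant credited

    def mint(self, value: int) -> Coin:
        serial = secrets.token_bytes(16)
        return Coin(serial, value, _mac(self.key, serial, value))

    def redeem(self, coin: Coin, merchant: str) -> bool:
        """Credit `merchant` once per serial; refuse forged or re-used coins."""
        if not is_authentic(self.key, coin) or coin.serial in self._spent:
            return False
        self._spent[coin.serial] = merchant
        return True


class OfflineMerchant:
    """Validates coins locally and settles with the issuer later."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self._key = name, key
        self._till: list[Coin] = []

    def accept(self, coin: Coin) -> bool:
        # Only local knowledge: authenticity plus this terminal's own till.
        if not is_authentic(self._key, coin) or coin in self._till:
            return False
        self._till.append(coin)
        return True          # goods are handed over at this point

    def settle(self, issuer: Issuer) -> list[Coin]:
        """Deposit the till; return the coins the issuer refused (losses)."""
        refused = [c for c in self._till if not issuer.redeem(c, self.name)]
        self._till.clear()
        return refused


class OnlineMerchant:
    """Asks the payment server before handing over goods."""

    def __init__(self, name: str, issuer: Issuer) -> None:
        self.name, self._issuer = name, issuer

    def accept(self, coin: Coin) -> bool:
        return self._issuer.redeem(coin, self.name)


def double_spend_demo() -> dict:
    issuer = Issuer()
    # Offline: the same coin passes local validation at two merchants.
    coin = issuer.mint(500)
    a, b = OfflineMerchant("A", issuer.key), OfflineMerchant("B", issuer.key)
    offline_accepts = [a.accept(coin), b.accept(coin)]
    offline_losses = [len(a.settle(issuer)), len(b.settle(issuer))]
    # Online: the second presentation of the same serial is refused up front.
    coin2 = issuer.mint(500)
    c, d = OnlineMerchant("C", issuer), OnlineMerchant("D", issuer)
    online_accepts = [c.accept(coin2), d.accept(coin2)]
    forged = Coin(coin2.serial, 50_000, coin2.tag)   # value altered, old tag
    return {"offline_accepts": offline_accepts, "offline_losses": offline_losses,
            "online_accepts": online_accepts,
            "forged_ok": is_authentic(issuer.key, forged)}


if __name__ == "__main__":
    print(double_spend_demo())
```

In the offline run the second merchant learns of the problem only at settlement, after the goods have left; the online check costs one round trip to the payment server per payment.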
• Credit cards - Some providers allow credit cards to be linked to a phone’s SIM
card
• Micropayment services
1. Software electronic coins - electronic money stored on the mobile device in file
format.
• Customers surfing the Internet through their mobile phones will have to pay
an access charge of only Rs 0.42 per minute. These trends suggest that a
fertile ground for m-commerce already exists in India and its revolution seems
inevitable.
• Novel applications and services made possible due to the wireless networks
and mobile devices.
• Security and privacy problems that are unique to wireless networks and mobile devices.
• Middle-ware issues that are unique due to device, network and protocol limitations
The research problems that can be addressed by the existing e-commerce research
with some modifications and extensions are:
• Trust building
[4] http://www.roseindia.net/services/m-commerce/mobile-commerce.shtml
[5] www.wikipedia.com/wiki/m-Commerce.htm
[6] 3GPP TS 33.102 3.9.0 Release 1999, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Security Architecture.
[7] GSM 03.48 version 8.3.0 Release 1999. Digital cellular telecommunication system (Phase 2+); Security Mechanisms for the SIM application toolkit.
[8] S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401.
[9] T. Dierks, C. Allen. The TLS protocol, Version 1.0. RFC 2246.
[13] M. Oliphant. The mobile phone meets the Internet, IEEE Spectrum (August 1999).
[15] GSM 02.09 version 7.0.1 Release 1998. Digital cellular telecommunication system (Phase 2+); Security Aspects.