Securing Mobile Payment Systems: Using Personal Identification Number (PIN) Method

Transcription

1 July 5th-9th, Ota, Nigeria Securing Mobile Payment Systems: Using Personal Identification Number (PIN) Method Raphael Olufemi Akinyede, 1,1 Olumide Sunday Adewale 1 and Boniface Kayode Alese 1 1 Department of Computer Science, The Federal University of Technology, Akure, Ondo-State, Nigeria. { femi_akinyede!,!, osadewale 1, and faalkad 1 Abstract. Mobile payment is the process whereby two parties exchanging financial value using a mobile device in return for goods or services. In Nigeria, banking industry and citizens all incur a high overhead in using physical cash. However, mobile phone-based payment system is a viable alternative to physical cash since it incurs much lower overheads and offers more convenience as the users can transact business anytime of the day, 24/7. Because security is of paramount importance in any financial transactions, this paper therefore, focuses it attention on the security issues in mobile payment for m-commerce with emphasis on personal identification number (PIN). In the paper, we carryout a review of m-commerce, m-payment and its operational model, the technologies and standards for m-payment systems. Finally, the paper proposed a method and system for securing a payment transaction model. Keywords: Mobile Payment, mobile commerce, PIN and cryptography. 1 INTRODUCTION Electronic payment revolution has finally started and it is led by a large number of Nigerian institutions which comprises of banks, federal government, and individual organizations (Akinyede and Afolayan, 2006). These revolutions, which are at its initial stage, were possible because of the introduction of Internet. Internet is being embraced virtually in all areas of human activities because of its functionalities. Presently, the number of users of Internet has increased explosively as a result of the rapid growth in information technology (IT) industry. According to the World Telecommunication/ICT Indicators Database (2009, 6 th ed), in 2000, the Internets users were 200,000 whereas in 2009 it was 11,000,000 which showed a increased in percentage of 5,400% in Nigeria. The emerging technologies such as broadband satellite, VSAT and wireless telephony provide wonderful opportunities for Nigeria to leapfrog in the information society age. These technologies have been exploited in order to accelerate information technology (IT) that leads to a cashless society development in Nigeria. However, this drive has also led to the evolution of payment modes other than paper or coin money, such as cards, electronic and wireless payment systems mainly to facilitate, expedite and secure transactions and wealth across the globe, and this has reduced the world into a global village. With Internet, the limitation posed to international trade by geographical distance is fast 23

2 July 5th-9th, Ota, Nigeria crumbling and it is now possible to carryout transactions with people in remote areas of the world. In addition, the increasing use of the Internet has seen the growth of e-payment which is now graduating to mobile payment (m-payment) for business transactions (ecommerce or m-commerce) conducted between geographically distant parties (i.e. consumers and merchants). Monetary values are transferred over networks, resulting in the development of e-payment systems. This has made a secure and efficient payment system to be one of the key drivers that would help the acceleration of the wheel of e- commerce in Nigeria. Therefore, the need for securing payment system for m-commerce in the light of the rise in Internet fraud. 2 M-PAYMENT OPERATIONAL MODEL Five principal participants are involved in m-payment operational model, and they are discussed as follows: i. Customer (C): Holder of a payment card, in the proposed model a customer is required to have a GSM mobile phone with a Subscriber Identity Module (SIM). This card has software installed by an authorizer and this acts as a credit card that is recognized by the authorizer. ii. Merchant (M): Merchant is the organization that sells goods/services to the cardholder through the Internet and accredited by a known trusted third party. iii. Acquirer (A): A financial institution, which processes payment card authorizations and makes payments. The Acquirer provides electronic transfer of funds to the Merchant s account from the Issuer I (customer s bank account) over a secured payment network iv. Issuer (I): A financial institution of the customer C. It also provides payment software to install. v. Payment Gateway (PG): an additional entity that acts as a medium between acquirer/issuer at banking private network side and client/merchant at the Internet side for clearing purpose (Kungpisdan, et al., 2004) 24

3 July 5th-9th, Ota, Nigeria Issuer (I) Acquirer (A) Payment Gateway (PG) Customer (C) Merchant (M) Figure 1: M-payment Operational Model. In figure 1, we specify the links among the five entities of our scheme. Note that there is no direct connection involving the client and the issuer. Moreover, the connection between the customer C and the merchant M (denoted as the dotted arrow) is set up through a wireless channel. However, the basic idea is that the transaction payment details are divided into two parts. Firstly, on Issuer s (I s) side, the only available information is that Customer C authorizes a payment to Acquirer (A) through the payment gateway, while no merchant (M) identity or account information is revealed, so that the Issuer (I) has no idea of what the Customer C buys. Secondly, an acquirer (A) should only know there is a payment waiting to be credited to the merchant s (M) account, while knowing nothing about who makes the payment. Based on the assumption that Issuer (I) and Acquirer (A) never collude to sell out the private information of Customer C, we can achieve the privacy protection of Customer C during the electronic transactions through mobile network (Changjie and Hofung, 2005) 2.1 M-PAYMENT SYSTEM OVERVIEW There are a number of steps involved in m-payment systems, but only one of them is hereby discussed:- 25

4 July 5th-9th, Ota, Nigeria Interactions between the entities involved- In m-payment system, where the customer C and the merchant M are at remote locations, a customer C will place an order from his station to a merchant M store (see figure 2). The steps are as follows:- Step 1: A customer C browses the merchant M s website and select item to purchase. During this phase, the merchant M and customer C reach an agreement upon a set of item s information, such as the item s price, that describes the purchase. The customer C then sends a payment request to a Payment Service Provider (PSP) over a wireless network. This request includes the details of the customer C and amount to be paid. A customer C selects the payment method from the merchant M webpage. Step 2: A PSP verifies the credentials of the customer C and the merchant M (basically it checks whether the customer C and merchant M have registered for such an m-payment service). Step 3: Optionally, the PSP might ask the customer C for some more details (like a password) for authentication. Step 4: Once the credentials of the customer C have been established, the PSP requests the merchant M for confirmation by forwarding the payment details. Step 5: The merchant M then sends a confirmation message to the PSP. Step 6: After successful confirmation, the PSP performs backend processing to update the accounts of the customer C and the merchant M. Step 7: It sends a payment receipt to the customer C. It might also optionally send a Transaction completed message to the merchant M. 26

5 SMS Internet SMS Customer C 6. Payment Receipt 1. Payment Request 3. Request for Confirmation 4. Confirmation Merchant M 5. Back end processing 2. Verification Figure 2: Basic Architecture of a Remote M-Payment System (Source: 3 TECHNOLOGIES AND STANDARDS FOR M-PAYMENT SYSTEMS According to Shivani, et al. (2008), in order to perform a security analysis of an e- payment scheme it is necessary to understand the underlying standards, technologies, protocols and platforms used. The two popular standards used for mobile communication are Global System for Mobile communications (GSM) and Code Division Multiple Access (CDMA). GSM based phones use a SIM (Subscriber Identification Module) card which is a detachable smart card containing the user's subscription key used to identify a user. In CDMA based phones, the phone itself stores the subscription key. A common technology for remote payment systems is SMS (Short Messaging Service) which is a low cost alternative to making calls. SMS is an attractive technology because of its ease of use and low cost. SMS based payment systems are of two types, namely, the ones which do not require a change in the device infrastructure (SIM card) and the ones which do. In the former case, the user can initiate or authorize a transaction by sending an SMS message using a standard SIM card. PayPal (2008) and SMS-Credit (Fong & Lai, 2005) are examples of such SMS based systems. 27

6 4 METHOD AND SYSTEM FOR SECURING A PAYMENT TRANSACTION MODEL Financial Institutions (Banks ) DBMS Cryptographic Converter Hardware Security Module Payment Transaction (PT) Communicating Environment Network Mobile Payment Device 1 2 k Merchants C 1 C 2 C n Customers Figure 3: Block diagram of a secure payment transaction system PHP MySql DBMS Merchants Side 28

7 The symbols C, M, PG, I, A are used to denote Customer, Merchant, Payment Gateway, Issuer, and Acquirer respectively. According to Coppinger (2009), the method for securing a payment transaction, comprising the steps of: a. Customer/Merchant Interaction. The system in figure 3 provides avenue for customer/merchant interaction. A customer C browses the merchant M s website and select item to purchase. During this phase, the merchant M and customer C reach an agreement upon a set of item s information, such as the item s price, that describes the purchase. The customer C then sends a payment request to a Payment Service Provider (PSP) over a wireless network. This request includes the details of the customer C and amount to be paid. A customer C selects the payment method from the merchant M webpage. b. Mobile Payment Device In figure 3 above, M k (where k= 1, 2,, k) are the merchants that maintain websites under a secure payment transaction and made sales of goods or services to customers C n (where n = 1,2, 3,, n) who maintain a mobile payment device (i.e. Personal Digital Assistant (PDA) or a mobile phone with advanced personal computing capabilities). The mobile payment device is configured in such a way that it will perform a secure payment transaction functions on the Internet. The mobile payment device has the following: a processor, memory, and other hardware elements operating in accordance with the system and application software appropriate to the functions it provides. Finally, it has a card reader through which data on a payment card (such as a credit or debit card) can be read and a user interface (i.e. keypad or touchpad) with which inputting of information is done. Operation of the mobile payment device. Both the merchant M k and customer C n communicate on the Net as shown above. Mobile payment device will obtain purchase information from merchant M k, such as, the detail of goods or services ordered for by the customer C n. It also obtains payment information and a password (PIN) from customer C n. However, when certain types of payment cards such as a debit card or ATM card is used, some form of password/pin must be provided by the customer C n to authenticate the customer to the financial institution that will process the payment. When a PIN is obtained from customer C n via the user input interface, the device stores the PIN in its volatile memory. Then the PIN will be encrypted using an asymmetric (public key) cryptography algorithm and the encrypted PIN will be transmitted via the network as shown in figure 3 to the cryptographic converter. What happens is that the device places the RSA public key encrypted PIN block into a transaction message and then transmits the transaction message to the cryptographic converter and the converter will secure the transmission using a powerful Secure Sockets Layer (SSL 3.0) cryptographic protocol, which provides various security features including encryption, authentication and data integrity. In addition, the mobile payment device will finally wait for an acknowledgement from the payment transaction showing that a transaction processing is completed before displaying a confirmation to the user. 29

8 c. Network The secure payment transaction above includes a network over which transaction data necessary to process the payment transaction is transmitted. The network is any suitable telecommunications network having a wireless network component through which the mobile payment device communicates. d. Cryptographic Converter The cryptographic converter converts public key encrypted data into secret key encrypted data. The cryptographic converter interfaces with the network, generates and securely stores a private key it uses to decrypt the public key encrypted data and a secret key it uses to re-encrypt the decrypted data. Operation of the cryptographic converter. The cryptographic converter in figure 3 obtains the public key encrypted PIN from the mobile payment device via the network. It specifically obtains the transaction message described above from the device and extracts the RSA public key encrypted PIN block and then decrypts the public key encrypted PIN. It will maintains the RSA private key which corresponds to the RSA public key that was used by the mobile payment device to encrypt the PIN. It applies the RSA private key to decrypt the RSA public key encrypted PIN block and extracts the PIN from the resulting decrypted PKCS #1 Type 2 encryption block. The cryptographic converter re-encrypts the PIN using an asymmetric (secret key) cryptography algorithm. In an embodiment of the invention, the cryptographic converter applies a Triple Data Encryption Standard (3DES) algorithm to encrypt the PIN. It also maintains a 3DES secret key which is identical to a secret key maintained by the payment transaction in figure 3. The identical secret keys are generated, for example, by a Derived Unique Key per Transaction (DUKPT) process. It applies the 3DES secret key to encrypt the PIN, placing it into an encrypted PIN block and then passing the encrypted PIN block back to the cryptographic converter. The cryptographic conversion host replaces the RSA encrypted PIN block in the transaction message with the 3DES secret key encrypted PIN block and provides the transaction message to the transaction host. For example, the cryptographic conversion host transmits the transaction message with the 3DES secret key encrypted PIN block to the transaction host via the network. Here, the original form of a message is usually known as plaintext, and the encrypted form is called ciphertext (Piper and Murphy, 2002). The set of all the plaintext messages is denoted by Mp; similarly, the set of all the ciphertext is denoted by Mc, and f is a mapping from the variables in Mp into the set Mc. P and C represent plaintext and 30

9 ciphertext, respectively. Both of them are stored and transited in binary data. They can be represented in mathematical formulae: C = f (P) (1) In the reverse process, the decryption function f -1 operates on C to obtain plaintext P: P = f -1 (C) (2) where P Є Mp, C Є Mc; and f is viewed as the encryption algorithm (function) and f - 1 denotes e decryption algorithm. Since the encryption and decryption are inverse functions of each other, the following formula must be true: e. Transaction host P = f -1 (f (P)) (3) The system further includes a transaction host which obtains transaction data via the network and processes the payment transaction on behalf of a financial institution that holds the account of the customer C n for the payment card that has been used. Operation of the transaction host. The operation starts with negotiation. Negotiation phase: in this phase a customer browses the merchant s website and selects item to buy. During this phase, the merchant M k and the customer C n reach an agreement upon a set of item s information that describes the purchase such as the item s price. A customer C n selects the payment method from the merchant M k webpage (in this case the customer C n will select the Using Mobile Phone method instead of other payment methods such as credit card). A customer can use any host computer to send the Order Information (OI) to the merchant such as the selected item s description and the customer s mobile number but without any financial details. The transactions process can be summarized as: When the merchant receives the order information they will send an order confirmation and the Payment order Information (PI) that has been Digitally Signed (DS) by the merchant to the customer s mobile device. The payment information includes details such as a transaction number, service ID, amount of money to be paid, merchant s ID and the merchant bank ID. The merchant stores details of the transaction in their transaction database to use them in some stage later. The transactions process can be summarized as: 31

10 Payment Phase Firstly, the transaction host obtains the secret key encrypted PIN from the cryptographic conversion host. Specifically, the transaction host obtains the transaction message described above via the network, for example, the network in figure 3 and extracts the secret key encrypted PIN block from the transaction message. Secondly, the transaction host decrypts the secret key encrypted PIN block. Specifically, the transaction host stores a 3DES secret key that is identical to the 3DES secret key applied by the cryptographic conversion host to encrypt the PIN block. The transaction host applies the 3DES secret key to decrypt the 3DES secret key encrypted PIN block and extracts the PIN from the decrypted PIN block. Thirdly, the transaction host determines whether the PIN is valid by comparing it to data associated with the account of the customer C n the particular transaction. If the PIN is valid, the transaction host debts the account of the customer C n by the purchase amount, and confirms the transaction by sending an appropriate confirmation message back to the mobile payment device via the network. If the PIN is not valid, the transaction host sends a rejection message back to the mobile payment device via the network (see figure 3.0). The process in the MP can be summarized as: Verify PIN IF PIN is correct THEN {MP A: [[PI, DS], CI] Kpu} ELSE Terminate Payment Protocol C M: NID c, TIDReq (i.e. NID c = temporary identity & TIDReq = Identification of transaction Request) M C: E M-C (TID, ID M ) C M: E C-M (OI, Price, NID c, ID I, VSRequest, h(oi,nid C, ID I )) VSRequest,= E C-I (Price, h(oi), TC, ID M ) M PG: E M-PG (VSRequest, ID M ) 32

11 VSRequest = (VSRequest, h(oi),tid, Price, NID C, ID I ) 5 CONCLUSION The research has designed a secure mobile payment system: using personal identification number (PIN) method as a means of encouraging more customers C n s acceptance of online shopping and increasing their trust in online payment systems. In the system, customers C n do not need to disclose their financial information during the transaction and the merchant M k will not act as intermediary between customer C n and the acquirer A. The system has more advantages compared with a conventional e-payment system by providing high security, low cost and convenience, which are key factors to make the m- payment more usable. The system is part of the current research. REFERENCE 1 Akinyede, R. O. and Afolayan, O. J.: Electronic payment system revolution in Nigeria banking industry, in proceedings of the 20th Annual National Conference of the Nigeria Computer Society, vol. 17, pp , (2006). 2 World Internet/ICT Indicator Database: Internet Users and Population Stats, Internet usage statistics - The Big Picture. Retrieved 6 th Oct from: 3 Kungpisdan, S., Srinivasan, B. and. Le, P. D.: A Secure Account-Based Mobile Payment Protocol, in Proceedings of ITCC (1), pp , (2004) 4 Changjie Wang and Ho-fung Leung: A Private and Efficient Mobile Payment Protocol CIS 2005, Part II, LNAI 3802, pp , Springer-Verlag Berlin Heidelberg, (2005) 5 Shivani Agarwal, Mitesh Khapra, Bernard Menezes and Nirav Uchat: Security Issues in Mobile Payment Systems (2008) 6 S. Fong and E. Lai.: Mobile Mini-payment Scheme Using SMS-Credit.. International Conference on Computational Science and Its Applications-ICCSA. pp , (2005). 7 PayPal. Online (2008) 8 Coppinger Paul D.: Method and System for Securing a Payment Transaction (2009) 9 Piper, F. and Murphy, S.: Cryptography: Avery Short Introduction. Oxford University Press, Oxford, (2009) 33

12 34