Week 6 Flashcards
Describe the similarity and dissimilarity between m-commerce and e-commerce.
Cost and customer base: Mobile networks can be designed and deployed much faster and more cheaply than fixed networks, and their customer base is growing rapidly. Researchers and university educators were the early users of the Internet, so highly educated people originally dominated its user population; most mobile phone users, by contrast, are young people or non-academic consumers.
Infrastructure and standards: E-commerce is built on TCP/IP together with HTML and XML. M-commerce services use WAP (Wireless Application Protocol) and SMS (Short Message Service), and the underlying wireless infrastructure ranges from global (satellite) through regional (3G cellular, DoCoMo i-mode) and local (IEEE 802.11a/b WLAN) to short-range (Bluetooth). Cellular carriers additionally use different air-interface systems and standards such as FDMA, TDMA and CDMA.
Service range and type: E-commerce activities are usually classed as B2C and B2B services, whereas m-commerce services are better described as P2P (person-to-person) and P2S (person-to-system) services.
Briefly state the current status of m-commerce.
Current mobile commerce services include reading e-mail, newspapers and e-books, social networking and looking up information. Others include stock quotes, weather forecasts, driving directions and interactive services such as games, chat lines and polling. Shopping is growing fast, for electronic products, clothes and accessories, food, tickets and so on. Global mobile commerce revenue was US$1.2 billion in 2009 and is projected to reach US$119 billion in 2015.
What are the major risks associated with m-commerce?
- Unauthorized purchases made with a consumer's mobile phone without their knowledge or consent. This happens when the phone does not require proper authentication before a purchase, so anyone holding the phone can buy at the owner's expense.
- Inadequate disclosure in advertisements of the products and services offered, their cost and the terms and conditions, with the details left to the fine print.
- Products and services misrepresented by fraudulent vendors.
- Spam sent to mobile phones tempting consumers to accept unsolicited offers.
- Security of the financial information given to vendors to complete m-commerce transactions: it can be intercepted in transmission or read surreptitiously by hidden RFID readers.
- Lack of dispute rights over unauthorized transactions and incorrect charges.
- Tracking of purchases and of the location of device users.
- Marketing targeted at children who use mobile phones, tempting them to buy games, ring tones and other products or services popular with young people, across all media (television, radio, Internet and print).
Discuss the four major security challenges identified in m-commerce.
Mobile devices: Confidential user data on the device, and the device itself, must be protected from unauthorized use. Security mechanisms including user authentication (e.g. PIN, password or biometrics) and secure storage of confidential data (e.g. on the SIM card) should be employed here; the security of the device operating system must also be considered.
Radio interface: Access to the telecommunication network must be secured, assuring confidentiality, integrity and authenticity of the data transmitted over the air; in particular the user's personal data must be protected from eavesdropping.
Network operator infrastructure: The security of the user's data within and beyond the access network is important. The user also receives services that often involve the network operator, and needs assurance of correct charging and billing.
M-commerce applications: Applications, especially those involving payment, need to be secured to the satisfaction of customers, merchants and network operators. For example, customer and merchant want to authenticate each other before committing to a payment, and each wants assurance that the goods or services will be delivered and paid for. Beyond authenticity, confidentiality and integrity, non-repudiation of payment is essential.
What are war driving and war chalking?
War driving: the attacker sits in, or drives around in, a car equipped with an antenna, either inside the car or mounted on the roof, connected to a laptop or handheld device. Software on the laptop or PDA captures 802.11 beacon frames and analyses them to record information such as the Basic Service Set ID (BSSID), whether WEP is enabled, the device type, MAC address, transmission channel number, signal strength and (with a GPS receiver) location. War chalking: attackers sometimes mark walls, pavements or other structures with a set of well-defined chalk symbols to indicate a nearby access point and its wireless settings (for example, open or WEP-protected).
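The beacon analysis step above is the core of any war-driving tool. The following is an added example, not code from the flashcards: it parses raw 802.11 beacon frames into the fields such a tool logs (BSSID, privacy bit, SSID, channel) and builds an inventory of access points. The frame layout and the element IDs (SSID = 0, DS Parameter Set = 3, privacy = capability bit 4) are from the 802.11 standard; the sample frames are constructed inline by a small builder so the example runs offline, whereas a real tool would read them from a monitor-mode interface.

```python
import struct

# 802.11 information element IDs and constants used by the parser
IE_SSID = 0
IE_DS_PARAMS = 3          # DS Parameter Set: one byte, the channel number
CAP_PRIVACY = 0x0010      # capability bit 4: data confidentiality required (WEP/WPA)
HEADER_LEN = 24           # frame control, duration, addr1, addr2, addr3 (BSSID), seq ctl
FIXED_BODY_LEN = 12       # timestamp (8) + beacon interval (2) + capability (2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon frame (no radiotap/pcap header) into the fields
    a war-driving tool logs. Raises ValueError for anything that is not a
    well-formed beacon."""
    if len(frame) < HEADER_LEN + FIXED_BODY_LEN:
        raise ValueError("frame too short to be a beacon")
    frame_control, = struct.unpack_from("<H", frame, 0)
    ftype = (frame_control >> 2) & 0x3
    subtype = (frame_control >> 4) & 0xF
    if ftype != 0 or subtype != 8:            # management frame, subtype Beacon
        raise ValueError("not a beacon frame")
    info = {
        "bssid": mac_str(frame[16:22]),
        "source_mac": mac_str(frame[10:16]),
        "privacy": False,
        "ssid": None,
        "hidden_ssid": False,
        "channel": None,
    }
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, HEADER_LEN)
    info["beacon_interval_ms"] = interval * 1.024   # interval is in 1024-microsecond time units
    info["privacy"] = bool(capability & CAP_PRIVACY)
    # Walk the tagged parameters: 1-byte element ID, 1-byte length, value
    off = HEADER_LEN + FIXED_BODY_LEN
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == IE_SSID:
            # A zero-length SSID element is how access points "hide" the network name
            info["hidden_ssid"] = length == 0
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        off += 2 + length
    return info


def survey(frames) -> dict:
    """Build the access-point inventory a war-driving run produces: one entry
    per BSSID, classified as OPEN or encrypted from the privacy bit."""
    aps = {}
    for frame in frames:
        try:
            info = parse_beacon(frame)
        except ValueError:
            continue                              # skip data/probe frames and junk
        info["classification"] = "encrypted" if info["privacy"] else "OPEN"
        aps[info["bssid"]] = info
    return aps


def build_beacon(bssid: bytes, ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Construct a minimal beacon frame. Only used here to make constructed
    input for the parser; it is not part of a real war-driving tool."""
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit plus optional privacy bit
    body = struct.pack("<QHH", 0, 100, capability)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return header + body + ies


if __name__ == "__main__":
    # Constructed sample capture: one protected AP, one open AP with a hidden SSID, one data frame
    capture = [
        build_beacon(bytes.fromhex("001122334455"), b"CorpNet", 6, True),
        build_beacon(bytes.fromhex("66778899aabb"), b"", 11, False),
        b"\x08\x02" + bytes(40),
    ]
    for bssid, ap in survey(capture).items():
        print(bssid, ap["classification"], repr(ap["ssid"]), "channel", ap["channel"])
```

The privacy bit only tells the surveyor that some encryption is required; distinguishing WEP from WPA/WPA2 needs the RSN (ID 48) or vendor-specific WPA elements, which the parser above skips.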
Describe two security protocols for m-commerce.
Wired Equivalent Privacy (WEP) is the original encryption standard for 802.11-based WLANs; it requires the wireless access point and every wireless network interface card to be configured with the same shared key (often entered as a passphrase). It was initially thought to offer impenetrable security against attackers, but serious flaws were discovered later. WEP uses the RC4 stream cipher, designed by Ron Rivest of RSA, which accepts a variable-length key.
The original WEP key is 40 bits. Vendors later shipped products with 104-bit keys (marketed as "128-bit WEP", because the 24-bit Initialization Vector (IV) is counted as part of the key) and some with genuine 128-bit keys, for which the IV plus key fed to RC4 is 152 bits. For every packet the IV is prepended to the shared key to form the RC4 seed, so that each packet is meant to be encrypted under a different keystream; the IV itself is sent in the clear with the packet.
WTLS (Wireless Transport Layer Security) is based on the Transport Layer Security (TLS) protocol, itself derived from the Secure Sockets Layer (SSL) protocol. Its goal is much like that of SSL: to provide privacy and reliability for client-server communication over a network. Whereas SSL primarily secures traffic over the Internet, WTLS is specific to wireless applications using WAP. It was developed to cope with the constraints of mobile network devices, namely limited processing power and memory and low bandwidth, while still providing adequate authentication, data integrity and privacy protection. The WAP client, typically a mobile phone, talks directly to a WAP gateway, a proxy that performs protocol translation, compresses WML/WMLScript and provides additional services. When the gateway receives a request from a WAP client it translates it into HTTP to communicate with the appropriate content server. In a secure WAP deployment the link between the WAP client and the gateway is encrypted with WTLS; the gateway decrypts the WTLS traffic and re-encrypts it with SSL for the connection to the content server, which is an ordinary secure Internet connection. Note that the data therefore exists in plaintext inside the gateway, so end-to-end confidentiality depends on the gateway operator being trusted.
Describe the security vulnerabilities of WEP.
• Static, shared keys: the most obvious problem. Every user of the network typically shares one identical key, and WEP has no key-management mechanism, so there is no easy way to change or distribute keys. A shared key lets an eavesdropper collect a large volume of traffic encrypted under the same key with little effort, and one lost or leaked key compromises every device that uses it.
• Short, clear-text IV: the 24-bit Initialization Vector is too short for cryptographic purposes and is sent in the clear with each packet. The 802.11 standard also does not specify how IVs are chosen, so some vendors used poor schemes (for example starting from zero after every reset); whenever an IV repeats under the same key the RC4 keystream repeats, and XORing two such packets cancels the keystream and exposes the plaintexts.
• Inadequate key length: the original 40-bit key is inadequate for any system, and given WEP's other weaknesses even 104- or 128-bit keys do not make it adequate for most applications.
• No cryptographic integrity protection: the per-packet checksum (ICV) is a CRC-32 computed by the 802.11 MAC layer, a non-cryptographic checksum that is linear, so an attacker can flip bits in the encrypted payload and patch the ICV to match without knowing the key.
• RC4 key-scheduling weakness: the first bytes of the plaintext are predictable (every data frame starts with the fixed LLC/SNAP header) and the IV forms the first bytes of the RC4 key, so an attacker who collects enough packets with "weak" IVs can recover the shared key by exploiting the bias in the key-scheduling algorithm.
• Only the device is authenticated, never the user, and the client does not authenticate the access point, so a client cannot tell a genuine access point from a rogue one.
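The WEP encapsulation described earlier (IV || key as the RC4 seed, CRC-32 as the ICV) and the IV-reuse and integrity weaknesses listed above are shown together in the following added example, which is not code from the flashcards. It implements a minimal WEP encrypt/decrypt pair and then performs two of the attacks: recovering a second packet's plaintext when the IV is reused and one plaintext is known, and forging a modified packet with a valid ICV using the affine property of CRC-32. The key, IV and HTTP-like payloads are constructed values; the RC4 routine is included only to keep the demonstration self-contained and is not fit for any real use.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). RC4 is broken; shown only for the demo."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation, XORed into data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP encapsulation: IV(3) || KeyID byte || RC4(IV || key, plaintext || ICV).
    The ICV is a CRC-32 of the plaintext, not a cryptographic MAC."""
    if len(iv) != 3 or len(key) not in (5, 13, 16):      # 40-, 104- or 128-bit keys
        raise ValueError("IV must be 3 bytes; key must be 5, 13 or 16 bytes")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, packet: bytes):
    """Return (plaintext, icv_ok). The IV is read from the clear-text header."""
    iv, body = packet[:3], packet[4:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, zlib.crc32(plaintext).to_bytes(4, "little") == icv


def recover_via_iv_reuse(known_packet: bytes, known_plaintext: bytes, target_packet: bytes) -> bytes:
    """Keystream reuse: two packets under the same IV (and key) share the RC4
    keystream. Knowing one plaintext yields the keystream, which decrypts the
    other, up to the length of the known packet."""
    if known_packet[:3] != target_packet[:3]:
        raise ValueError("packets do not share an IV; their keystreams differ")
    known_icv = zlib.crc32(known_plaintext).to_bytes(4, "little")
    keystream = xor_bytes(known_packet[4:], known_plaintext + known_icv)
    body = target_packet[4:]
    recovered = xor_bytes(body, keystream)            # zip() truncates to the shorter input
    return recovered[: len(body) - 4]                 # drop the target's ICV bytes if reached


def flip_bits(packet: bytes, delta: bytes) -> bytes:
    """Undetectable modification without the key. CRC-32 is affine, so
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), which lets the encrypted ICV
    be patched to match the flipped plaintext. `delta` is the XOR mask to
    apply to the plaintext and must cover its whole length."""
    body = packet[4:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must be the same length as the plaintext")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return packet[:4] + xor_bytes(body, delta + icv_delta)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                 # constructed 40-bit shared key
    iv = bytes.fromhex("000001")                      # constructed IV
    req = b"GET /account?id=1000 HTTP/1.0"
    p1 = wep_encrypt(key, iv, req)
    p2 = wep_encrypt(key, iv, b"password=hunter2")    # same IV, as a poor IV scheme produces
    print("recovered:", recover_via_iv_reuse(p1, req, p2))
    delta = bytearray(len(req))
    delta[19] = 0x01                                  # flips "id=1000" to "id=1001"
    print("forged:", wep_decrypt(key, flip_bits(p1, bytes(delta))))
```

With only 2^24 IVs, a busy access point exhausts the IV space in hours, and by the birthday bound a repeat is already more likely than not after roughly 4,800 packets, so the reuse attack does not depend on a vendor's IV scheme being unusually bad.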
Explain what is meant by a smart card. What is the difference between a memory card and a smart card?
A smart card is a card with an embedded chip intended to store important personal information (e.g. medical data and cryptographic keys), financial information, stored-value money and so on. The original aim was to replace the variety of cards we carry today with a single card from which data can be retrieved securely; that is why it is called a smart card.
The main difference is that a smart card contains a microprocessor as well as memory, so it can process data (store, update and delete it) and interact with other computing devices through a reader, whereas a memory card only holds data that the reader reads and writes directly.
Outline the differences between a contact and a contactless smart card.
A contact smart card must be inserted into a reader, making direct electrical contact between the card's chip and the reader, while a contactless card communicates with the reader over radio frequency. The operating range of contactless cards varies from a few millimetres to tens of metres depending on the technology.
Why can user authentication be more secure for smart cards than it is for magnetic stripe cards?
A magnetic stripe card holds only static data that any reader can copy, and its PIN is checked by the host system, so a cloned stripe plus an observed PIN is enough to impersonate the user. A smart card's microprocessor can verify the PIN on the card itself (with a retry limit), perform cryptographic challenge-response authentication with a key that never leaves the chip, and additionally hold biometric data such as a fingerprint template for authentication, which makes it much more secure.
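The difference in authentication strength is easier to see in code. The following is an added illustration, not from the flashcards: a magnetic stripe card whose static track data is accepted wherever it is replayed, beside a smart card model that verifies the PIN on-card with a retry counter and answers a fresh random challenge with a key that never leaves the card. The HMAC-SHA256 challenge-response, the track-2-style string and the account numbers are simplifying assumptions for this example; real card schemes differ.

```python
import hashlib
import hmac
import os


class MagStripeCard:
    """Static data on the stripe; every swipe hands a reader a perfect copy,
    and the PIN is verified by the host rather than the card."""
    def __init__(self, account: str):
        self.track2 = f";{account}=2512101?".encode()   # constructed track-2 style data

    def swipe(self) -> bytes:
        return self.track2


class SmartCard:
    """Microprocessor card: the key never leaves the chip, the PIN is checked
    on-card with a retry counter, and authentication is a challenge-response."""
    def __init__(self, account: str, key: bytes, pin: str, max_tries: int = 3):
        self.account = account
        self._key = key                   # never returned by any method
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False                  # card is blocked until the issuer unblocks it
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._unlocked = True
            self._tries_left = self._max_tries
            return True
        self._tries_left -= 1
        return False

    def respond(self, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, self.account.encode() + challenge, hashlib.sha256).digest()


class ReplayingClone:
    """Attacker device that replays a response captured from a genuine card."""
    def __init__(self, captured: bytes):
        self.captured = captured

    def respond(self, challenge: bytes) -> bytes:
        return self.captured


class Terminal:
    """Issuer-side verifier holding the per-card keys and known stripe data."""
    def __init__(self, card_keys: dict, known_tracks: set):
        self._card_keys = card_keys
        self._known_tracks = known_tracks

    def authenticate_stripe(self, card) -> bool:
        # Any copy of the stripe is indistinguishable from the original
        return card.swipe() in self._known_tracks

    def authenticate_smart(self, account: str, card) -> bool:
        challenge = os.urandom(16)        # fresh per attempt, so captured responses are useless
        expected = hmac.new(self._card_keys[account], account.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(card.respond(challenge), expected)


if __name__ == "__main__":
    key = bytes(range(16))                # constructed card key
    genuine = SmartCard("4111", key, "1234")
    stripe = MagStripeCard("4111")
    terminal = Terminal({"4111": key}, {stripe.swipe()})
    print("cloned stripe accepted:", terminal.authenticate_stripe(MagStripeCard("4111")))
    genuine.verify_pin("1234")
    print("genuine smart card accepted:", terminal.authenticate_smart("4111", genuine))
    captured = genuine.respond(b"\x00" * 16)
    print("replayed smart card response accepted:",
          terminal.authenticate_smart("4111", ReplayingClone(captured)))
```

The stripe check succeeds for the clone because there is nothing on the stripe that a copy lacks; the smart card replay fails because each verification uses a new challenge and the only thing that can answer it is the key inside the chip.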
Discuss the future prospects for smart card technology.
Smart cards are popular in Europe and parts of Asia. In Hong Kong the same smart card is used for bus, train, subway and ferry travel as well as for purchases in convenience stores. They are also gaining popularity in the USA. Some years ago Coca-Cola did a study showing that it lost substantial vending-machine revenue simply because people did not always carry the right coins; since a smart card can store money, businesses of this kind can benefit from it. Smart cards can also offer higher security. In the future, the smartphone is expected to replace all cards, including smart cards.