Mobile commerce over GSM: A banking perspective on security

Van der Merwe, Pieter Ben

20 July 2004

GSM has changed the face of communication and information exchange, much as the Internet did. With the advances made in the mobile technology arena, new opportunities are created. Mobile Commerce (m-Commerce) is one such opportunity. Each new advance in technology brings with it associated risks. This dissertation focuses on the risks involved with m-Commerce for the banking industry. This dissertation provides a detailed overview of basic services that any m-Commerce application should provide to the banking industry. These principles provide the foundation for securing any financial transaction over untrusted networks. Several mechanisms to provide these services are also discussed. Examples of such mechanisms include hash functions, Message Authentication Codes and Digital Signatures. The security of GSM networks has come under attack in the past. This is largely due to the fact that the GSM consortium opted to develop their security technologies in secret, rather than in the public domain. This dissertation aims to evaluate the security offered by GSM and assess potential attacks in order to further understand risks associated with m-Commerce applications over GSM. In recent years there have been significant additions to the GSM enabling technology family. The arrival of the SIM Application Toolkit and the Wireless Application Protocol promised to again change the face of commerce. Although market acceptance of these technologies proved to be initially slow, usage is set to increase exponentially within the next couple of years. A detailed analysis of these enabling technologies is presented in the dissertation. Possible attacks on these technologies are discussed in the latter part or this document. Based on the findings of the research, some changes to either the application architectures or the processing of the data have been suggested in order to enhance the security offered by these services. It is not the intent of this dissertation to redesign these applications, but to rather leverage off the current technologies in order to enable secure m-Commerce over these channels. This dissertation provides a detailed overview of basic services that any m-Commerce application should provide to the banking industry. These principles provide the foundation for securing any financial transaction over untrusted networks. Several mechanisms to provide these services are also discussed. Examples of such mechanisms include hash functions, Message Authentication Codes and Digital Signatures. The security of GSM networks has come under attack in the past. This is largely due to the fact that the GSM consortium opted to develop their security technologies in secret, rather than in the public domain. This dissertation aims to evaluate the security offered by GSM and assess potential attacks in order to further understand risks associated with m Commerce applications over GSM. In recent years there have been significant additions to the GSM enabling technology family. The arrival of the SIM Application Toolkit and the Wireless Application Protocol promised to again change the face of commerce. Although market acceptance of these technologies proved to be initially slow, usage is set to increase exponentially within the next couple of years. A detailed analysis of these enabling technologies is presented in the dissertation. Possible attacks on these technologies are discussed in the latter part or this document. Based on the findings of the research, some changes to either the application architectures or the processing of the data have been suggested in order to enhance the security offered by these services. It is not the intent of this dissertation to redesign these applications, but to rather leverage off the current technologies in order to enable secure m-Commerce over these channels. / Dissertation (M.Sc (Electronics))--University of Pretoria, 2005. / Electrical, Electronic and Computer Engineering / unrestricted

M-commerce

Mobile commerce security

Wireless application protocol

Wap

Wireless internet gateway

Wig

Stk

Sim application toolkit

Cryptographuy

Mobile commerce

Gsm security

Gsm

UCTD