Survey on Smart Card

1
Survey onSmart Card Mobile Payment

• Tijo Thomas ( 03229401)
• Guided by Prof Bernard Menezes

2
Contents

• Introduction
• Methodology of Study
• Existing Payments Schemes
• Business Drivers
• Relation between SIM card Smart Card
• Technological Trends
• Business Trends
• Conclusion

3
Introduction

• Motivation
• To understand the existing payment schemes.
• To understand the role of smart card in retail
  payment.
• To understand the security issues.
• Goal
• To understand the future of retail payment.

4
Methodology of Study

• Collected the details about the existing payment
  schemes.
• Surveyed Industry Standards for Payments.
• Collected responses to questionnaire from focus
  groups.
• Studied various types of smart cards.
• Analyzed the relationship between smart card and
  SIM card.
• Surveyed the Business Trends of M-Commerce and
  its future.

5
Existing Payment Scheme

• Based on Value
• Micro payments less than 5
• Medium Payments Between 5 - 25
• Macro payments - above 25
• Based on Location
• Remote Transaction SMS, GPRS
• Proximity Transaction Bluetooth, RFID
• Based on Technology
• Magnetic Strip card
• Smart Card

6
Smart card Payments

• What is smart card?
• Smart card is a tamper proof plastic card with
  an embedded microchip that can be loaded with
  data.
• Why smart card?
• Security
• Processing power
• Memory

7
Smart Card Security

• OS and File Security
• File hierarchy MF,DF,EF
• File security attributes
• Access Rights
• Always(ALW)
• Card holder Verification 1 (CHV1)
• Card holder Verification 2 (CHV2)
• Administrative (ADM)

8
Smart Card Security

• Hardware Security
• All the data are store in EEPROM, so can be
  erased using unusual voltage
• Data can be erased by exposure to UV rays
• Heating the card in high temperature
• Statistical Attack like Differential power
  analysis (DPA)

9
Java Card

• The Java Card platform was designed and
  developed from the beginning specifically to
  enhance the security of smart cards.
• Advantages
• Open Architecture Designed with Industry Experts
• Java runtime environment (JRE)
• Security Enhancements transaction atomicity,
  Cryptography, Applet firewall
• Code reusability (OOPS) data integrity
• Proven platform - Passed security evaluation by
  financial agencies, US Dept of Defense and US
  national security Agency.

10
Mobile Commerce

• Definition
• Mobile commerce is the use the of mobile hand
  held devices to communicate, inform, transact and
  entertain using text and data via connection to
  public and private networks
• (Lehman Brothers)
• Mobile Commerce refers to any transaction with
  monetary value that is conducted via a mobile
  telecommunications network. (Durlacher)

11
Scheme of Mobile Payments

• SMS Based Payments
• WAP/GPRS
• Reverse SMS Billing
• Proximity Payments

12
SMS Based Payments

• Secure message in the form of SMS are used to
  transfer money from one user account to another
• Use of PKI
• Implementation e.g. mCheque
• Advantage No account information is revealed

13
WAP/GPRS based payments

• Wireless Application Protocol (WAP) over GPRS
  mobiles are used
• Similar to e commerce
• Less risk involved
• Cost for GPRS connectivity is reducing.
• No changes in the existing business model

14
Reverse SMS Billing

• Definition
• Provider over charge SMS from special numbers
  -(Premium SMS)
• Separate Business Models are to be realized
• Only small change in the existing set up
• Advantage No additional infra structure is
  required.
• Applications Digital contents like ring tones,
  music , video...etc

15
Proximity Payments

• Definition
• The trading parties are in the same vicinity.
• Standardized interfaces e.g. Infra red , Blue
  tooth
• Supported Offline transaction
• Cheaper solution for micro payments
• High Risk
• Separate Business Models Infrastructure need to
  be implemented

16
Business Drivers

• Wider acceptance for GPRS/WAP enabled mobile
  devices
• Mobile operators are looking for new revenue
  streams
• Population of mobiles devices over PC
• Average time to detect a mobile theft is 68 min
  over 26 hours for credit cards
• More secure than conventional credit cards

17
Relationship between SIM card and smart card

• GSM specification11.11 defines the interface
  between Subscriber Identification Module (SIM)
  and the Mobile Equipment for use during the
  network operation as well as the internal
  organization of SIM.
• Any implementation of this standard can act as a
  SIM card in Mobiles.
• Implementation
• Java Card
• Native Card

18
Technology Trends

• Research organizations Focus groups are working
  on the effective standards.
• Different Business Models (OSS BSS) are being
  evaluated for its feasibility.
• Emerging Wireless Technology - 3G, 2.5G
• Advancement Mobile Phone Technology

19
Business Trends
Taken from Towards A Holistic Analysis of Mobile
Payments A Multiple Perspectives Approach by
Jan Ondrus Yves Pigneur
20
Business Trends

• Research reveals high potential market
• New revenue stream for MNOs
• Opportunity for new comers - application
  developer, content providers etc
• High Penetration of mobile device
• Lack of security in existing credit/debit card
  system

21
Conclusion

• High Potential Market
• High Demand for Killer Applications
• MNO are looking for new revenue stream
• Customers willingness to experiment
• Merchants are looking for a standard OSS and
  standard based products
• Opportunity for new comers

22

• Thank You

23

• GSM Specifications

24
GSM Specification

• Defines the interface between Subscriber
  Identification Module (SIM) and the Mobile
  Equipment for use during the network operation as
  well as the internal organization of SIM.
• Any implementation of this standard can act as a
  SIM card in Mobiles

25
GSM Characteristics

• Physical Characteristics- electronic signals,
  supply voltage, transition protocol
• Logical Model- logical structure of SIM, file
  structure.
• Security Feature
• File access condition
• Description of Functionalities- functional
  description of commands and respective response,
  status condition, error code
• Description of Commands- mapping the functions to
  APDU
• Contents of Elementary files- elementary files
  for GSM session, access condition..etc
• Application Protocol- list of standard operation
  between SIM and ME.

26
GSM SIM Security

• Subscriber Identity Authentication
• authenticate the identity of the mobile
  subscriber
• The network issues a random challenge
• Mobile Subscriber (MS) computes the
  responseusing a one-way hash fn (A3 algo) using
  a authentication key which is unique to each
  subscriber
• The Network also compute the response and compare
  with the response it receive from MS
• The same mechanism is used to establish a cipher
  key Kc
• This key is used to encrypt data and radio
  signal. (A8 Algo)
• The two algorithms are combined into single
  algorithm called A38

27
GSM SIM Security

• User Signalling Data Confidentiality
• The data is exclusive-ord with the key Kc and
  transferred over the radio path.
• Subscriber Identity Confidentiality
• This service is to hide the International Mobile
  Subscriber Identity (IMSI)
• The service is based on Temporary MSI (TMSI)
• The IMSI is mapped to TMSI
• The TMSI is then encrypted with the cipher key Kc
  and send

28

• Smart Card Standards

29
Smart card Standards

• International Standards
• ISO 7816 physical and elecrical characteristics
  as well as format and protocol for information
  exchange between the smartcard and reader.
• European Telecommunication Standards Institute
  (ETSI) Standard for the GSM SIM to communicate
  with the mobile device

30
Smart card Standards

• Industry Standards
• EMV Euro pay, Master Cards Visa defines a
  standard to allow safe ,easy electronic commerce
  standard
• Mobile 3D Visas international new global
  specification that ensure security of internet
  payments made over mobile phones.
• Open card Framework Provides an architecture
  and a set of API that enable application
  developer to build application in java which use
  smart card reader.
• PC/SC Personal computer/ Smartcard is a win 32
  based specification to allow the manufactures to
  develop products independently.
• CEPS Common Electronic Purse Standard
• Java Card