Please use this identifier to cite or link to this item:
https://www.um.edu.mt/library/oar/handle/123456789/94591

| Title: | The use of smartphones for secure transactions |
| Authors: | Cilia, Joseph (2013) |
| Keywords: | Smartphones; Computer networks; Computer networks -- Security measures |
| Issue Date: | 2013 |
| Citation: | Cilia, J. (2013). The use of smartphones for secure transactions (Bachelor's dissertation). |
| Abstract: | This work focused on the use of smartphones for secure transactions, with the objective of having a practical physical wallet substitute. The research consisted of a review of the mobile payments scenarios, classifying them as proximity or remote, and person-to-person or consumer-to-business, and a review of the mobile transaction enabling technologies and secure protocols in use by the industry. Then an evaluation of commercially deployed platforms making use of smartphones for secure transactions was carried out, analysing their strengths and weaknesses. From this it emerged that the majority of the implementations are modestly a virtual substitute for the traditional credit/debit plastic card, with the application merely relaying the same information to a point of sale as the physical card would. These provide little in terms of additional functionality, offer little incentive for widespread use, and moreover still heavily depend on the traditional financial institutions. This work has taken the challenge to design a solution that better adapts to the aim of having a practical e-wallet in the smartphone. The solution consists of a mobile application as well as the backend infrastructure components required to support it, including user/merchant and service operator portals, a merchant point of sale emulator and a database. The design makes use of web services to provide remote communication between remote and backend components, and NFC and QR Codes for proximity communication. The design is an online model with limited offline support, and rotates around three key concepts in order to provide a secure, robust environment for transaction processing. The first is that communication between all devices, remote and central system components is done via a single delimited string, encapsulating the transaction detail. The second is that all the messages exchanged are encrypted using cryptography. The message encryption design makes use of AES, using a symmetric private key unique to each device, which is constantly changed on each round trip communication with the server. The exchange of the first key is carried out through the web portal protected by an SSL certificate, and uses a QR Code to transfer it to the smartphone device. Subsequent keys are exchanged by being embedded as part of the encrypted message exchange. The third is that actual transactions involving funds transfer are executed only at the database level, using SQL Transactions for consistency. A proof of concept of the design was successfully implemented. This includes an Android app, Merchant PoS simulator, Web Portal, WCF Service using C# and database using SQL Server. Evaluation of the implementation was carried out using multiple devices and simulated both p2p and c2b scenarios successfully. This work proves that smartphones could provide a practical and secure way to do transactions. It also forms a basis for further development. |
| Description: | B.SC.(HONS)COMPUTER ENG. |
| URI: | https://www.um.edu.mt/library/oar/handle/123456789/94591 |
| Appears in Collections: | Dissertations - FacICT - 2013; Dissertations - FacICTCCE - 1999-2013 |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| BSC(HONS)ICT_Cilia_Joseph_2013.PDF (Restricted Access) | | 10.6 MB | Adobe PDF | |
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.
