Security in Next Generation Mobile Payment Systems: A ...

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.

Digital Object Identifier 10.1109/ACCESS.2017.DOI

Security in Next Generation MobilePayment Systems: A ComprehensiveSurveyWAQAS AHMED1, AAMIR RASOOL2, ABDUL REHMAN JAVED1*, NEERAJ KUMAR3, THIPPAREDDY GADEKALLU4, ZUNERA JALIL1, NATALIA KRYVINSKA5*1Department of Cyber Security, Air University, Islamabad, Pakistan2Institute of Avionics and Aeronautics, PAF Complex, E-9, Air University, Islamabad, Pakistan3Department of Computer Science and Engineering, Thapar Institute of Engineering & Technology, Patiala (Pb.),India4School of Information Technology and Engineering, Vellore Institute of Technology, Tamil Nadu, India5Faculty of Management, Comenius University in Bratislava Odbojárov 10, 82005 Bratislava 25, Slovakia

Corresponding author: [email protected], [email protected]

ABSTRACT Cash payment is still king in several markets, accounting for more than 90% of the paymentsin almost all the developing countries. The usage of mobile phones is pretty ordinary in this presentera. Mobile phones have become an inseparable friend for many users, serving much more than justcommunication tools. Every subsequent person is heavily relying on them due to multifaceted usage andaffordability. Every person wants to manage his/her daily transactions and related issues by using his/hermobile phone. With the rise and advancements of mobile-specific security, threats are evolving as well. Inthis paper, we provide a survey of various security models for mobile phones. We explore multiple proposedmodels of the mobile payment system (MPS), their technologies and comparisons, payment methods,different security mechanisms involved in MPS, and provide analysis of the encryption technologies,authentication methods, and firewall in MPS. We also present current challenges and future directions ofmobile phone security.

INDEX TERMS Mobile Payment Method, Online System, Transaction, Mobile Commerce, Cyberattacks

I. INTRODUCTIONCash payment is still monarch in several markets, accountingfor more than 90% of the payments in all almost all the devel-oping countries [1]. Nowadays, the use of mobile devices bypeople has increased tremendously. A considerable numberof people use mobile phones to perform day-to-day tasks [2].These devices can be used for many tasks, such as makingphone calls, web surfing, emailing, gaming, and many othertasks.

The current research in the area is focused on the usage ofmobile phone to perform payment securely. However, mobilesystems face different limitations [3], [4], [5] such as lowstorage and computation power, due to which they cannotperform heavy encryption operations. Different attacks arereported on mobile devices due to lack of security patchessuch as spoofing, phishing, malware, and sniffing attacks [6],[7], [8], [9]. In order to effectively design the MPS, theseattack scenarios must be considered for safety and security.

Information and communication technology (ICT) is being

extensively used all around the world [10]. The traditionalface-to-face interaction requirement for payment transactionsis avoided, and remote communication is adopted. There isno need for direct contact between a payer and the payee thatchanges the business environment and leads toward using theinternet to do different transactions. This situation requireselectronic money or digital bits; the system resembles liketraditional payment but with the usage of internet infras-tructure and digital data for money transfer. There are manyadvantages of using e-money, like the client’s anonymity orthe client’s presence is not required during transactions. Atthe same time, it also has some disadvantages, like com-promising of confidentiality, integrity, and availability (CIA)[11].

The vast development of mobile phone technology enablesthe growth of internet services. Internet brings the electronictransaction systems [12] to the mobile phones and also m-commerce [13] becomes an alternative for e-commerce. Asm-commerce is growing at a tremendous pace, it is get-

VOLUME 4, 2016 1

arX

iv:2

105.

1209

7v2

[cs

.CR

] 1

0 Ju

l 202

1

Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS

CONSUMER / CUSTOMER

FIN TECH / BANKSSERVICE PROVIDER

MERCHANT / SELLER

Customers plays a key role in mobilepayment system and are the nucleusof the whole mobile payment world.They initiate the business transactionthat results in mobile paymentsystem’s event to trigger.

They are the money regulators of thesystem and are custodian of themonetary transactions. They acts asa bridge between consumer andseller for movement of money withinmobile payment system.

Merchants / businesses are thecornerstone of the whole system.They interact with the customerswith business offerings in the form ofproducts and services and gain theirmonetary benefits in return throughmobile payment system.

Service providers are the backboneof the whole system. The wholesystem runs on the communicationservices offered by these providers.They are the main custodian of CIATriad of data in movement as well asthe mobile payment serviceavailability to end users.

FIGURE 1: Major Components Of MPS

ting much more attention than e-commerce nowadays. M-commerce has the same characteristics [14] as e-commercewith some extra advantages like Mobile Payment System(MPS), that allows clients to perform transactions in real-time by using mobile phones anywhere; all it needs is internetconnectivity. Another advantage is that, unlike a PC, one cancarry his/her mobile phone anywhere. Some other benefitsare interoperability, speed, cost, and cross-border payments.

Figure 2 shows a Mobile Management system.A MPS should include authentication, access control, con-

fidentiality, integrity, non-repudiation, and availability [15].Authentication process included two steps: verification ofthe user and verification of the origin. In authentication, twoprocesses include verifying the user and the origin of thesource of data. Access control can grant access to an autho-rized person to the payment system and block unauthorizedpersonnel from accessing the payment system. The informa-tion must also remain hidden to avoid passive attacks againsttransaction data. Availability ensures that the payment systemis accessible. Integrity avoids the modification of data andnon-repudiation ensures that a specific user has transmittedthe message.

Security is essential for MPS, and many security standardssuch as PCI DSS (Payment Card Industry Data SecurityStandard) [16], which was first released in 2004, is usedto maintain the CIA triad. The people or merchants whouse payment cards follow PCI DSS standards but securityviolations can still occur [6], [17]. When security violationsoccur, personal information, payment card information such

as expiration date, ATM card number, security code, andtransaction ID are at risk, and it can lead to fraud or illegalusage of service. There are two methods of Mobile PaymentSystems: account based payment system and token basedpayment system [18].

1) Account Based Payment System

In the account-based transaction, we need cards or informa-tion cards like ATM or credit card. Using this process, theamount is charged from the user’s bank account after gettingthe required details or getting confirmation of the transactionfrom the user.

Risk Factor: If any misuse of card or details is done orany forgery or identity theft is done, then it will affect thissystem.

2) Token Based Payment System

It is a new electronic payment method based on tokensinstead of cash or credit cards. These tokens are generated byany bank, service provider, or telecom company. Moreover,it is used in the same way as cash is used. By using suchtokens, users can pay to any company through mobile, andthose tokens will be sent to that company which they canencash, or the provider will pay them for each token.

Risk Factor: These tokens will have no worth if the userhas tokens in their account and the merchant does not acceptthose tokens.

2 VOLUME 4, 2016


FIGURE 2: Mobile Management System

A. MOTIVATION

Mobile phones’ usage is highly elevated in the current eracompared to their usage a decade before. The number ofmobile phones is higher than the number of bank accountsthat exist. Due to its high usage level, most business organiza-tions, the entertainment industry, banks, the education sector,and almost all fields turn towards mobile phone adaptability.To benefit from this device, they launch their applicationsfor the comfort of people. Almost all banks facilitate con-sumers with mobile phone applications. People use mobilephones for shopping, transferring money, and getting variousservices. The maximum use of mobile devices and versatilitymotivates us to focus on mobile payment systems (MPSs).Different models of payment systems have been proposed,but many limitations exist; security and privacy concerns.Figure 3 shows the increased usage of MPS in the UnitedStates from 2016 to onwards and sheds light on the adoptionrate and numbers of users (in millions) in a single glance.

MP USERS (IN MILLIONS) MP ADOPTION %AGE201618.8 5.8

201722.4 6.9

201825.9 7.9

201929.1 8.8

202031.9 9.6

202134.3 10.3

202236.3 10.8

MOBILE PAYMENT (MP) ADOPTION IN USYEAR

FIGURE 3: Proximity mobile payment adoption in theUnited States from 2016 onwards

B. CONTRIBUTIONThis research paper aims to present an in-depth analysis andsurvey of MPS. This paper makes the following contribu-

VOLUME 4, 2016 3


tions:1) We present an overview and discussed different compo-

nents of MPS. We present a review of the existing MPSstructure and its limitations.

2) We discuss and analyze the two main methods of MPSincluded: account-based payment system and token-based payment system.

3) We provide detailed history, development, and deploy-ment of MPS and discussed aspects of MPS includedsocioeconomic conditions, cost efficiency, diffusion ofmobile phones, convenience, new initiatives, heavy re-strictions and regulations, limited collaboration, under-developed ecosystem, and security problems.

4) We discuss key attributes of MPS, and stakeholder andcommunication entities’ roles in MPS form differentaspects.

5) We demonstrate the security mechanisms involved inMPS. Provide analysis of the encryption technologies,authentication methods, and firewall in MPS.

6) We present authentication techniques (one way, twoway, and multiple way authentication) in MPS. Dis-cussed the pros and cons of the mentioned techniques.

7) Provide analysis of the various possible attacks on MPSincluded attacks against user privacy, attacks on authen-tication techniques, attacks on user confidentiality data,attacks on the data integrity, and attacks against MPSservices availability.

8) Next, we provide key challenges developers and re-searchers face in implementing and deploying MPS.At the end of the research paper, we present differentresearch directions related to MPS.

The rest of the paper is organized as follows: section II-Adiscusses the history, development, and deployment of themobile payment system; section II-D discusses the genericarchitecture of the M-Payment system; section VI presentstechnologies used in the M-Payment system and their com-parison; section VII provides security aspects comparison ofdifferent mobile payment models; and at the end section IXprovides the current challenges, future direction followed bySection VIII which concludes the works.

II. RELATED WORKCash payment is still monarch in several markets, accountingfor more than 90% of the payments in all almost all thedeveloping countries [1]. Therefore, it is essential to realizethe importance of MP acceptance. Different researchers havecompleted several research studies on MP after the first PMtransaction performed in 1997 [19], [20]. Several studieson MP implementation have the focus to work on the userside. Considering the user’s behavior on MP is significant toadvance MP services to improve users acceptance intention[21].

[22] tried to respond to certain questions related to thesecurity of online payment systems and presents severalways to overwhelmed different security threats associatedwith online payment systems. [23] presents different types of

TABLE 1: List of Abbreviations

Abbreviation DescriptionMPS Mobile Payment SystemICT Information and Communication TechnologyCIA Confidentiality, Integrity and AvailabilityMMS Mobile Management SystemPCI Payment Card IndustryDSS Data Security StandardPTC Pakistan TelecommunicationTAM Technology Acceptance ModelEPS Electronic Payment SystemTE Technology EvolutionCPT Cart Present TransactionsSEM Structural Equation ModelNFC Near Field CommunicationQR Quick ResponseSMS Short Message ServiceMB Mobile BankingMP Mobile PaymentsMW Mobile WalletsMC Mobile CurrencyMFS Mobile Financial SystemMNO Mobile Network OperatorsDS Digital SignatureCA Certificate AuthorityRA Register AuthoritiesSKE Symmetric Key EncryptionPKE Public-Key EncryptionPIN Personal Identification NumberMFA Multifactor AuthenticationSFA Single-Factor Authentication2FA Two-Factor AuthenticationDDOS Distributed Denial-of-Service AttackDOS Denial-of-Service AttackOTP One Time PasswordUSSD Unstructured Supplementary Service DataGSM Global System for MobileRFID Radio Frequency IdentificationQRC Quick Response CodeWAP Wireless Application ProtocolU2F Universal 2nd FactorMAC Message Authentication CodeSAP Secure Authentication Protocol

online payments such as credit card, e-wallet, debit card, netbanking, smart card, mobile payment, and amazon pay. Theauthors also present some requirements for online paymentssuch as integrity and authorization, out-band authorization,password authorization, signature authorization, confiden-tiality, and availability and reliability. [24] proposed a new se-cure authentication protocol (SAP) for mobile payment. Theauthor used cryptography techniques for the authenticationbetween server and client. The proposed technique providessecurity to user data account and provides privacy during thepayment transaction.

This research work reviews the literature work of MPin the following significant areas: mobile payment system(MPS): history, development, and deployment; factors lim-iting MP development; MPS key attributes; and MP stake-holders and entities. Table 2 presents the comparison of theexisting survey papers on MP.

4 VOLUME 4, 2016


A. MOBILE PAYMENT SYSTEM (MPS): HISTORY,DEVELOPMENT, AND DEPLOYMENT

MPS provide several payment facilities for different kind ofservices, products, and bills through mobile phone by usingwireless characteristics and other features and benefits ofa communication system [35]. Mobile devices like smart-phones, smart tablets are utilized in different payment sce-narios such as purchasing online tickets, electronic materials,online electronic transactions, and transport fares such aspaying bills and other invoices. It is also possible to purchaseproducts physically through MPS, either from the point-of-sale (PoS), ticketing machines, and vending machine sta-tions. Besides that, most electronic payment systems andpayment instruments nowadays have also been mobilized[36].The field of MPS is relatively new, and little is known aboutit. Mobile phones are more than just a payment method. In-stead, it is a method of initiating, processing, and confirmingfinancial transactions. Mobile payments are not only aboutusing mobile devices to access online payment services.While the mobile version of the service may have similarfunctionality, the design and implementation of mobile pay-ments are also different due to different methods and struc-tures. Numerous factors boost MPS evolution in developingcountries. Following are some of the factors.

1) Socioeconomic Conditions

The lack of cash alternatives is the most critical factorfostering MPS growth in emerging developing economicscountries [35]. Maximum people in developing economiescountries have not checked accounts and have not to debutor credit card. Well-developed mobile payment applicationswith the advantage of low fees for money transfer servicesfrom one application to other make MPS attractive [36]. Inalmost all countries, people move toward the mobile bankingsystem to save their valuable time and avoid getting robbed.

2) Cost Efficiency

In developing countries, most online conducted transactionsare very low in terms of value, but they are very high involume [37]. Introducing a new bank branch is infeasible be-cause of massive initial equipment, investment requirement,infrastructure, and well-trained HR included security staff.Bank without different branches looks appealing because itutilizes local infrastructure and leverages local resources andhuman resources and equipment and resources, includingagent shops and mobile phones. Mobile Payment Systems(MPS) are reflected as valuable because of their bottom-of-the-pyramid, lower-class families and unbanked population.The fee for a usual payment transfer is almost 1% in allmobile payment systems. E.g., the fee for sending moneythrough Wizzit and MTN in South Africa (SA) is almostUS$0.05. But earlier than the Wizzit and MTN paymentsystem, the average fee is almost US$30 to US$50 for thedelivery of cash.

3) Diffusion of Mobile PhonesAs cell phones become cheaper, financial systems are stillrelatively limited, and Mobile Payments (MP) are more con-venient [38]. In most countries, individuals may have oneor more cell phones. Sub-Saharan Africa has more familieswith more cell phones than sustainable electricity or drinkingwater resources.

4) ConvenienceIn advanced countries, MP is more suitable. People can payor withdraw money without leaving their homes, which willsignificantly save their time and cost of the expensive fees.However, this is not an issue in advanced countries, as ATMsand banks are opposite [39].

5) New InitiativesNon-governmental organizations and international organiza-tions (e.g., IFC, the World Bank, GSMA, Gates Foundation)have proposed new initiatives to promote and facilitate MPSimplementation. For example, M-PESA Kenya was launchedand developed by Safaricom and Vodafone with help fromUK’s Department for International Development. Pakistantelecommunication (PTC) (Easypaisa) received a $ 6.5Mgrant from Gates Foundation in 2012. On the other side,many factors limit the growth of MP.

On the other side, several factors are limiting further MPdevelopment.

B. FACTORS LIMITING MP DEVELOPMENT1) Heavy Restrictions and RegulationsThis is the most destructive factor in the development ofmobile payments. Pressure on banks plays a key part in theecosystem also decreases the development of MP. Unfor-tunately, compared to technological advances, most mobilepayment methods are changing slowly [36].

2) Limited CollaborationIn most situations, non-cooperation is an obstacle to theecosystem. For example, M-PESA has worked with com-mercial banks for five years to ensure that their valuablecustomers withdraw their money from ATMs and banks.Collaboration is very significant as most customary banks donot implement to handle MP.

3) Underdeveloped EcosystemLack of standards, undeveloped infrastructure of systems,limited mobile resources, and saturated telecommunicationsnetworks (including disruptions) prevent developing coun-tries from launching Mobile Payment Systems (MPS) [40]. Insome situations, interoperability concerns and a specific typeof broker are needed to solve the trust problem and reducethe chicken and egg problem.

VOLUME 4, 2016 5


TABLE 2: Research Literature ComparisonRef. Proposed Outcomes[25] To integrate Choice-Based Conjoint (CBC) and System Dynamics (SD),

the author develops an empirical data-driven simulation methodologyto analyze several competing diffusion dynamics Mobile Payment plat-form.

To collect multi-attribute preference data, a choice-based conjoint analysis methodology is used on adifferent platform. To evaluate the effect of platform design strategies, an empirical user preference SDsimulation model is developed with the help of an empirical user preference data model.

[26] The author in this study aims to compare different factors that defineconsumers’ acceptance for near field communication (NFC) and shortmessage service (SMS) as examples of means for mobile payment offuture payment systems.

From the most relevant literature review, a model is driven and used in this research that applies theperceived security (PS) and technology acceptance model (TAM). The results succeeded in this researchwork in determining the differences between the different factors that define the acceptance of the MobilePayment Systems and the intention to use level of the users.

[22] The author discussed the data security which the application user hasshared during online payments.

In this research paper, the author answers specific questions related to online payments security anddiscussed different ways to reduce the security threats associated with online payments.

[27] The paper investigates and increases awareness associated with differ-ent electronic payment systems (EPS), including security considera-tions, challenges, and advantages.

The author conducted a detailed survey regarding all aspects of EPS after analyzing the existing researchstudies related to online payment systems.

[21] The author discussed distributed systems and their regulatory compli-ance related to this approach which is not decentralized yet.

For instant payment systems, the author reviewed some distributed protocols to find the possibility tosyndicate distributed systems with centralized services effectively in the mobile payment system.

[28] With the case of Mobile Payment Technology, the author focus onidentifying different technological trajectories in the ecosystem (tech-nological).

The novelty in this research is finding the technological evolution with the help of patent citation and socialnetwork analysis. The case of the Mobile Payment Technology ecosystem is analyzed quantitatively. Thisresearch aims to provide a path to develop and integrate the primary services to categorize TechnologyEvolution (TE) with the help of the Mobile Payment landscape.

[29] The author focused on innovations and new attempts or dominantsystems to improve the electronic Mobile Payment System (MPS).

This survey consists of a review of its dominant system and present cart transactions (CPT). At CambridgeUniversity, several types of research are conducted to designate different attacks against authenticationmethods in MPS.

[30] The research study aims to analyze and examine the effects of con-sumers’ and consumer preferences for MPS and features of the marginalusefulness of biometric and mobile payments.

Based on the study results, theoretical effects for mobile payment consumer preference and proposeddifferent market strategies for the dispersal of main next-generation MPS from different aspects areanalyzed.

[31] The objective of the author is to analyze the factors that affect users’intention in the Mobile Payment System and the status of Near FieldCommunication in the transportation system.

To achieve the objectives of the research, a survey was completed with 180 mobile payment users. Awidespread review of scientific collected works validates the progress of interactive model that clarifies theintention of near field communication MPS with the help of structural equation model (SEM). The studyresults show that perceived risk, effort expectancy, service quality, and satisfaction define the persistenceaim to use MPS.

[32] The research study compares the different factors that determineconsumer acceptance quick response(QR), near field communication(NFC), and short message service (SMS) in MPS.

To achieve the objectives, the intention to use mobile payments, a comprehensive review of literature hasnecessary for the improvement of the behavioral model. The novelty and results of the study lie in thepreparation of different behavior rendering to use given by MPS users to each planned payment application.

[33] The research study focused on the urban consumer’s perception andattitude towards digital MPS.

A convenient survey was conducted to achieve the research objective among 100 urban respondents withan interview schedule. The ranking method, independent sample t-test, one-way Enova, and percentageanalysis are used in this study.

[34] The author Review the E-MPS in E-Commerce. This study aims to analyze the available literature related to e-payment and e-commerce to underline thepossibility of e-payment and identify the research gaps, and for future studies, the methodology of previousresearchers is recommended.

4) Security Problems

Cybercriminals’ activities are more in advanced countriesconcerning others countries. First, advanced countries of-ten lack an adequate legal framework and implementationtools to fight cybercrime. Secondly, occasionally customershave not knowledge and attention is very little to securityproblems. This means that high technology is unlikely to besuitable for developing countries.

Given the various influences that drive and delay thedevelopment of MP, all critical factors in the ecosystem mustbe focused on the longstanding goals of the MPS. Of course,the utmost important objective of any MS is to improve com-petence, conducive to financial development. In MP, it is analternative to financial transactions and specializes in smallpayments that cannot be made in cash. However, it remainsto be seen whether the key players in the development andimplementation of the technology are willing to make large-scale commitments [41].

Given the various influences that drive and delay thedevelopment of MP, all critical factors in the ecosystem mustbe focused on the longstanding goals of the MPS. Of course,the utmost important objective of any MS is to improvecompetence, conducive to financial development. In MP,it is an alternative to financial transactions and specializesin small payments that cannot be made in cash. However,whether the key players in developing and implementing thetechnology are willing to make large-scale commitments re-

mains to be seen. MPS lead to the growth of new marketplaceecosystems, containing mobile operators, card operators,retailers, service providers, banks, hardware vendors, trustedservice managers, and technology vendors. Several criticalregulatory issues emerged, such as electronic money and pay-ment systems, consumer data protection, MPS, principles,and confidentiality. MPS are used in developed countriesand Asia, and Africa. Mobile payment systems are usedfor interpersonal transfers (P2PT), handling small purchases,paying bills and expenses, and purchasing specific goods orservices. Almost all mobile network operators that providemobile payment systems operate in the few countries/regionsthey are located in, thus facilitating international transactionsand remittances [41].

There are no separate laws for MPS in several cases,especially in undeveloped countries. On the other hand,depending on the types of mobile, payment, retail and con-vergent value chain technologies described and classifiedabove, the program is multifaceted and extensive [41]. Thebond structure is unmoving in its beginning but applied inall areas and at all system levels. With the development oftechnological threats and economic and financial benefits,mobile payment systems began to develop. The regulatoryissue of mobile payments is new for at least two reasons.First, it summarizes the different areas of data privacy, e-money, ICT, mobile services, e-payments, user protection,and information and rules and regulation. Second, there aresome specific problems with innovation, namely the inter-

6 VOLUME 4, 2016


pretation of electronic money and the oversight of paymentsystems.

C. MOBILE PAYMENT SYSTEM KEY ATTRIBUTESAll mobile payment systems provide greater convenience ofusing mobile devices to process electronic payments [42].However, it should be noted that because they perform manyfunctions in a universal payment system, mobile payment ser-vices have different features that will affect the preferencesand decisions of the user. Therefore, mobile payment serviceshave complex features, including a combined process ofmerchant visits, identity verification, and payments. Table 3presents the mobile financial system (MFS) key attribute.All mobile payment systems provide greater convenience ofusing mobile devices to process electronic payments [42].However, it should be noted that because they perform manyfunctions in a universal payment system, mobile payment ser-vices have different features that will affect the preferencesand decisions of the user. Therefore, mobile payment serviceshave complex features, including a combined process ofmerchant visits, identity verification, and payments. It isstill significant to explain the concept of MFS, containingmobile banking (MB), mobile payments (MP), mobile wal-lets (MW), and mobile currency (MC). Considerate thesefacilities are the main research encounter in mobile moneytransfers [43]. MB mentions providing banking servicesthrough mobile communication devices, including financialtransactions (for example, money orders and bill payments)and non-financial business transactions (for example, balancesurveys). Some researchers believe that the functions of MBand MC intersection [44].

AC

CESS M

OD

ESMS

IVR

USSD

WAP

K-JAVA

POS

APP

MO

BIL

E PA

YM

ENT

SYST

EM

MOBILE PAYMENT AGENT

MOBILE PAYMENT PLATFORM

SERVICE PROVIDER

BANKS / FINANCIAL

INSTITUTIONS

BUSINESS OPERATIONS

SUPPORT SYSTEM

FIGURE 4: Structure Of MPS

While MB is primarily seen as a straight link betweenconsumers and banks [45], mobile payments are categorizedas a service technique that affiliated service suppliers can usedeprived of the involvement of banks. Mobile payments arecommon and generally refer to any payment that uses a mo-bile terminal to confirm and authorize a payment transaction[46]. Alternatively, mobile wallets are defined as progressivemobile applications that replace physical wallets and havenumerous functions like storing payment info and affiliation

card and executing transactions. Finally, the mobile currencyis a currency that can use and accessed via an MP. Especiallysince it allows users to run a business (e.g., money orders)without a bank account, it is extensively used among ruralinhabitants and cannot use traditional financial institutions[47].

D. M-PAYMENT STAKEHOLDERS AND ENTITIES1) Stakeholders in MPSThere are many diverse stakeholders in implementing M-Payment, including consumers/clients, merchants/providers,mobile network operators (MNO), mobile device manufac-turers, financial institutions, banks, software, and technologyproviders. The government is the stakeholder in the M-Payment implementation process. Each stakeholder has dif-ferent incentives, roles, and strategies. Sometimes these in-terests and strategies between different stakeholders conflict,e.g., the network provider would like to maximize revenuesthrough each m-payment transaction, whereas customers andmerchants would like to minimize costs for each M-Paymenttransaction. In another study [48], the author highlights thecritical finding that mobile payment method depends on theirproviders to connect the merchants and consumers to thedegree that satisfies the stakeholders.

2) Communication Entities in MPSFor the payment process, there are multiple entities (as shownin Table 4) that perform their role. In Figure 6, [49] shows theentities that communicate in mobile payment process. Theentities can be less or more according to the protocol.

Steps that involve in M-Payment process1) Client request to a merchant for the payment.2) Merchant requests to the payment gateway for the trans-

action amount to be a deposit.3) Client request to the payment gateway for checking the

deduction amount from the account.4) Payment clearance is held in the payment gateway.5) Payment gateway response to the client request in the

form of rejection or approval.6) Payment gateway response to the merchant request in

the form of acknowledgment receipt.7) Merchant gives the payment receipt to the client and

confirms the transaction.

Figure 5 represents the model of primitive transactions inwhich the client makes payment to the merchant. The valueof the payment is subtracted from the client’s account onthe issuer’s request by the payment system, and then on therequest of the acquirer, the merchant transfers/adds the valuefrom the payment gateway to its account.

III. MOBILE PAYMENT SYSTEM SECURITY MECHANISMMPS security mechanism included: Encryption technology,authentication, and a firewall [50].

VOLUME 4, 2016 7


TABLE 3: Mobile Financial System

Mobile Financial System DescriptionMobile Currency MC is a currency that can be opened and used by an MP deprived of a bank account [47].Mobile Payment MP is a payment system used by an MP to authorize, initiate and confirm a transaction [46].Mobile Wallets MW is a mobile application that can replace physical wallets and include the following features:

The ability to store information about payments, membership cards, and membership cards, andother marketing plans [46].

Mobile Banking MB means providing banking services via mobile phones, including financial and non-financialtransactions. Wireless device [44].

TABLE 4: Entities that involve during mobile payment process

Entities DescriptionClient An entity who wants the transactionMerchant An entity that has products or services to sell. It could be a computational one (like a standard web server)

or a physical one.Payment Gateway another entity acts as an intermediary between the acquirer/issuer on the bank’s private network side and

the client/merchant on the Internet for payment clearing purposes.Issuer The client’s financial institution manages the client’s account and affords the electronic payment instruments

to be used by the client.Acquirer The merchant’s financial institution manages the merchant’s account and verifies the deposited payment

instrument.

FIGURE 5: Primitive transactions

CLIENT MERCHANT

MOBILE PAYMENT GATEWAY

ISSUER ACQUIRER

71

2

3

5

6

4 4

FIGURE 6: Entities involvement in M-Payment process

A. ENCRYPTION TECHNOLOGYEncryption technology included: Symmetric encryption andpublic-key encryption.

1) Symmetric Key Encryption (SKE)

SKE system uses a common key to encrypt messages, whichmeans both sender and receiver will hold a common keyfor encryption and decryption. Before transmission of databetween both parties, the common key is shared on thesecure channel between both entities [51]. Exchanging keysbetween both entities is important for encryption processes.Short size and weak keys are easily attacked opposite tolonger keys. Symmetric encryption is still commonly usedin insecure data communication.

2) Public-Key Encryption (PKE)

PKE system is a type of asymmetric encryption because thesame key is not used to encrypt and decrypt the messages.In the PKE system, two different keys are used, called publicand private key [51].

3) Comparison between SKE and PKE

There are numerous differences between the SKE system andthe PKE system. Table 5 presents the comparison of the SKEand PKE.

B. AUTHENTICATIONAuthentication included: Digital signature and certificate au-thority.

1) Digital Signature

Digital signature (DS) is a string value calculated using textvalue to a Hash value. DS is used to verify the origin ofthe received text and prove whether the received text iswithout any changes. To certify the availability of DS, PKIis frequently used. It suggests a complete set of securityassurance and follows different public key encryption stan-dards for different sectors like online banking, e-banking, e-government, and e-commerce securities [52].

8 VOLUME 4, 2016


TABLE 5: Comparison of Encryption Methods

Characteristics Symmetric Key Public KeySeveral keys are used for encryp-tion, and decryption

The same key is used for encryption-decryption Two different keys are used for encryption and decryption.

Speed of encryption and decryption Faster than public-key encryption Slower than symmetric key encryptionSize of ciphertext Usually less than or same as the plain text More than plain textKey exchange A big problem No issueKey usage Used for confidentiality but not for digital signa-

tureUsed of confidentiality and digital signature as well

2) Certificate AuthorityThe Certificate Authority (CA) is a trusted organization thatpublishes and manages network security public keys infras-tructure (PKI) and credentials for message encryption. Aspart of the PKI, the CA will use the registry for verification.Users have the right to verify the information in the digitalcertificate provided by the applicant. Suppose RA (RegisterAuthorities) verifies the applicant’s data and issue a digitalcertificate. Communicates users are responsible for distribut-ing and revoking certificates. Depending on the PKI, Uponrequest, the certificate may contain the holder’s public key,the certificate, the name of the certificate holder, and otherinformation about the holder of the public key [53].

C. FIREWALLThe firewall can simultaneously protect the system /localnetwork against network-based threats. The firewall allowsaccess to the outside world to the local network. In mostscenarios, a firewall is necessary because it is difficult toequip all devices with different security devices. Typically,the firewall is inserted between two networks.

IV. AUTHENTICATION METHODS IN MPSAuthentication methods are widely used to test user iden-tity in mobile transactions as the user identity is requiredto execute transactions [54]. Below are some authentica-tion methods: knowledge-based authentication verification,object-based authentication verification, and biometric au-thentication. With Knowledge-Based, users used personalidentification number (PIN) or password to validate theiridentity [55]. This is based on well-known traditional au-thentication methods, so they have fewer security issues. Usephysical tokens (such as smart cards) to perform object-basedauthentication. While objective knowledge-based methodscan create inexpensive and straightforward authenticationsystems for various computing applications, they can closethe security incident vulnerabilities. In addition, the abovetwo methods are likely to be lost or forgotten by the users,which can be an intellectual burden for application users [56].To overwhelmed the restrictions of the above traditionalmethods, some advanced authentication systems have beendeveloped that provide consumers with helpful security [57].Biometric methods based on user personal identity (i.e.,Physical Characteristics) have been effectively applied toprotect and verify users’ identities. Identity verification basedon human-specific biometrics (such as fingerprints, voice, or

iris) is unlikely to be easily stolen or transferred. Previousresearch has shown that the apparent advantages of biometricauthentication systems improved account security and theperceived pleasure and reduced cognitive load and time,which provides more excellent value to consumers [58].Biometric technology has its limitations. Because of the com-plication of high-quality images, many factors in a biometricsystem will reduce user identification accuracy [59]. Physicalissues like wet surfaces, dirty fingers, or scratches are famil-iar illustrations that can delay biometric authentication. Inaddition, the biometric system also has some privacy issuesrelated to users’ identity management. However, there isalso an advanced "Knowledge Based" authentication method.In the meaning of some useful security features, graphicalprompts (such as design drawings) have also been proposedas a substitute to the above authentication methods [60]. Arecent study found that using different e-payment authenti-cation methods will affect users’ perception of security andavailability of these three authentication types. Therefore, inthis study, the method of identity verification was selectedas one of the primary resources for creating the preferencestructure of mobile payment users [54].

A. TYPES OF AUTHENTICATION FACTORS

Three types of authentication factors named single-factorauthentication (SFA), two-factor authentication (2FA), andmulti-factor authentication (MFA) can be understood throughthe definitions proposed by the research of [61] and [62].They proposed that a process allowing individual users toseek access from authenticating parties for attestation of theirpersonalities with the utilization of single attribute associateswith their identifies is termed as Single-Factor Authentication(SFA). An example of such an attribute would be the useof a PIN for unlocking cell phones. The user-friendly andstraightforward nature [63] of this authentication type made ita preferable choice for many companies; however, its vulner-ability to various forms of attacks [62] made it unsuitable forapplication in financial institutes. [62] Defined Two-FactorAuthentication (2FA), mentioning that users seeking requestsfor access from authentication party through attestation oftheir personality with two attributes are a process that comesunder the concept of Two-Factor Authentication. These at-tributes include knowing something personal or possessingsomething personal that can be associated with one’s per-sonality. Hence, attackers are bound to be aware of twoidentifiers to get the same authentication as the original users

VOLUME 4, 2016 9


in 2FA. This particular feature of 2FA makes it acceptableand applicable by financial institutions. However, this typeremains loopholes, leaving it vulnerable to a MITM attack,eavesdropping, and Trojan horse attack. Furthermore, it hasits limitations when considered for its effectiveness againstphishing [63].For defining the third type of authentication factor namedMultifactor Authentication (MFA), [62] describes that it in-volves users seeking requests for access from authenticationparties through attestation of their personality with multipleattributes make up. Biometrics are used along with ownershipand knowledge as an attribute by MFA. MFA’s higher level ofsecurity makes it a better choice for various critical servicesand computing devices. Physical separation of authenticationfactors from the user device can allow MFA to be moresuccessful. The addition of biometric factors makes MFAachieve improved identity proof resulting in more securesystems [63], [64].

V. CYBERATTACKS ON MOBILE PAYMENT SYSTEMDifferent level attacks on MPS can come from unauthorizedmalicious users. Following are some identified attack pointssusceptible to comprise in this regard.

The first attack is targeted at the users of mobile money.It includes accessing the PIN of users via shoulder-surfingwhen it is unmasked PIN of four to five digits [65]. Access tothis PIN can enable attackers to make fraudulent transactions.Brute force attacks can also be performed by attackers con-sidering the straightforwardness of the PIN [66], [67], [68]

The second type of attack involves comprising of moneycommunication channels. The hacking and controlling ofMMS traffic and manipulation of accounts for making trans-actions can be made possible using these points [66], [67],[68].

The third type of attack is at the server of the mobile moneyapp. Availability of server to both mobile money agents andusers is suspended when such attack is carried out at server.As per the findings of Castle et al. [66], attackers divert faketraffic to mobile money servers resulting in it being over-whelmed, which eventually leads to blocked requests frommobile money agents and users. It can also include installingmalware on the mobile money app server for deducting someamount from wallets of mobile money agents and users fordeposition into the attacker’s account without letting theseusers or agents discover the transaction [69].

The fourth point of attachment is the IT administrator. Theadministrator’s computer can be hacked by an unauthorizedperson making it inaccessible to the administrator by chang-ing its credentials. Mobile money agents can be considered asanother attack point. The PIN of the commission agent canbe stolen by an attacker using shoulder surfing techniques.Attackers can also practice giving the wrong PIN repeatedlywhile making transactions to access agents’ PINs. [70] and[71] Identified adversaries gave that wrong phone numbersrepeatedly to obtain the PIN of agents and use it for gainingunauthorized access to the float accounts of agents.

Bank’s server provides another attack point for adver-saries. A distributed denial-of-service attack (DDoS) is madein such cases to create the unavailability of a bank server tothe mobile money user trying to make a transaction.

Notification message channels where messages can bemodified creates another attack point for malicious users.Adversaries may hack the communications channels of thenotification message and make changes in the message asper their requirements while sending the modified versionsof these messages to the intended users [72], [73].

A. ATTACKS AGAINST PRIVACY[74] Defined privacy as the right of users to have freedomfrom intrusions and infringements by other users. In mobilemoney, privacy attacks include the compromised PINs of theusers for illegal access to their financial assets and informa-tion details utilized in unauthorized transactions. Stealing ofuser information can result in a problematic situation for notonly the user but also for the economy as well [74]. Illegalaccess to the mobile money database containing the financialinformation of users can allow attackers to update or deleterecords using the stolen PINs.Moreover, a variety of user-related information can be stolenwhen an attacker gets access to mobile money database[74]. Personal information such as email addresses, mobiletelephone numbers, NIN, and even names of users and agentscan be compromised, failing privacy safeguards [74]. Un-scrupulous insiders may end up abusing highly sensitive dataafter gaining control and access in this way. Attackers cando so with the generation of a databank to give control andaccess to personal information. There are situations in whichsome users request the agents for assistance in performingtransactions, and they end up sharing their PINs with theagents [75]. It raises the bar for the required level of protec-tion to agents and mobile money users against unauthorizedaccess.

B. ATTACKS AGAINST AUTHENTICATIONThe identity of a user is forged by an attacker impersonatingan authorized user in this form of attack. According to [76]authentication attack is a crime in which the mobile moneyauthentication process is subjected to exploitation when abrute force attack is being carried out against the PIN.Various attacks are included in this form of attacks, suchas Trojan horse attack, phishing attack, social engineeringattack, spoofing attacks, masquerade attack, replay attacks,and impersonation attack. An attacker assumes the identityof a legitimate user in an impersonation attack [76], [77],[70], [71], whereas entire communication is subjected toeavesdropping in replay attack before intercepting [78]. Ina masquerade attack, the PIN and SIM card are acquired bythe users.Moreover, an attacker pretends to be a mobile system ad-ministrator in a spoofing attack. When users are manipulatedfor them to give up their personal information, a socialengineering attack is said to be launched [79]. Similarly, a

10 VOLUME 4, 2016


phishing attack involves deceitful attempts by adversariesfor accessing personal information needed to impersonate alegitimate user in the system [76]. Another method of com-promising an authentication system involves using Trojansoftware as a virus to access users’ personal information.

C. ATTACKS AGAINST CONFIDENTIALITYAttacks on confidentiality involve eavesdropping on the com-munication channels between the application server and mo-bile money users for tapping information like PIN of usersthat can be used for impersonation or in making unauthorizedtransactions. The four types of such attacks include guess-ing attacks, brute force attacks, eavesdropping, and shouldsurfing attacks. Attackers secretly hear the communicationchannels in the eavesdropping attacks by taking advantage ofthe lack of security of the network communication. The plaintext form of transmitted data is commonly vulnerable to suchattacks [80], [81].For brute force attacks against confidentiality, the adversarycan guess the mobile money agent or user’s PIN neededto access the mobile money account. Despite being verysimple, such types of attacks have shown a high rate ofsuccess [76], [77], [70], [71]. When an adversary sees mobilemoney PIN during authentication, a guessing attack is beinglaunched. Shoulder surfing attack also comes under the typeof attacks against confidentiality in which the adversariesacquire confidential data and PINs simply by looking overthe shoulder of the victim as they make transactions [77].[82] discussed one of the approaches that can be utilizedto extract useful network information to identify the detailsof the endpoint of the communication parties on the localnetwork.

D. ATTACKS AGAINST INTEGRITYWhen information of the user is accessed and modified inthe MMS, the integrity of user information is compromised.They can be categorized into insider attacks, salami attacks,and MITM attacks. An intruder intercepting the communica-tion between various agents (including users) in the mobilemoney application network performs Man a middle attack.Sitting between the mobile money user and MMS, the at-tacker makes them believe they communicate in the MITMattack. [81] and [68] Showed that an attacker could gaincontrol over the entire conversations when a MITM attack isbeing launched as the content of the conversation is modifiedby the attacker at both ends.Employees of financial institutions can conduct salami at-tacks and insider attacks against the financial institutions.Like a Trojan horse, a salami attack involves installing ma-licious software to a financial institution system, allowingadversaries to withdraw money from users’ accounts, de-positing it in their accounts. Both external and internal ad-versaries can launch salami attacks in which small deductionsare made to user wallets as the software allows modificationof some details in the system [83], [84], [85]. [86] and [87]Highlighted the fact that a high degree of risk of money

fraud comes from the employees of the financial institutionswho are aware of the security protocols and MMS in thesystem. MMSP employees with sufficient knowledge aboutthe organization’s security practices can be involved in theinsider attacks identified by [75], and [86].

E. ATTACKS AGAINST AVAILABILITYWhen the bank server or application server is suspended foragents and mobile money users by an adversary on purpose,an attack is assumed against availability. Services are ren-dered unavailable by adversaries in this type of attack usingvarious techniques. Mobile theft, DOS, and distributed denialof service (DDoS) attacks come under this category. DDoSand DoS are launched when adversaries send fake traffic tooverwhelm servers to block legitimate traffic or requests ofusers [76]. Such attacks aim to flood mobile money serverswith so many fake requests that the server fails to receiveand respond to legitimate users’ actual requests, making theservice unavailable.[76], [67] Described mobile phone theft attacks as the typeof availability attack in which the mobile phone of users oragents is stolen, and the wallet account of SIM card is madeunavailable that can be swapped by the attacker. Service anddata access can be lost due to phone theft attacks, as theattacker can take charge of the victim’s e-wallet account,resulting in its unavailability to the actual user.

VI. TECHNOLOGIES USED IN M-PAYMENT PROCESSWe have also seen an M-Payment system based on thetechnology used; it is classified in Figure 7. M-Paymentsystem uses mobile technology for communication betweenthe entities involved in the payment process.

Near field communication (NFC) [88] is a communica-tion protocol that enables the communication between twodevices. Global system for mobile (GSM) [89] is a standardsystem for mobile communication. Radiofrequency identifi-cation (RFID) [90] uses an electromagnetic field to identifyor track tags attached to an object. Short messaging service(SMS) [91] is a text messaging service that is used for com-munication over the mobile phone. Quick Response Code(QR-Code) [92] is a two-dimensional matrix barcode, whichhas a label in which information is stored. Bluetooth [93]is a standard for wireless technology; by using this, we cancommunicate to fix devices over a short period of distance.Identity-based signature (IB-Signature) [94] is a type ofpublic key infrastructure (PKI) in which a publicly knownstring that represents an individual is used as a public key,e.g., email address, the wireless application protocol (WAP)[95] is a standard protocol used in the wireless networkto access information. Universal 2nd Factor (U2F): It is astandard of open authentication which provides two-factorsecure authentication.

1) Reviewed ApproachesThis study has reviewed multiple schemes or models ofmobile payment systems based on different technologies or

VOLUME 4, 2016 11


• U2F (Universal Second Factor)

• Bluetooth

• QR-Code

• NFC (Near Field Communication)

• GSM / SMS

• RFID (Radio Frequency Identification)

1

2

3

4

5

6

FIGURE 7: Technologies used in M payment system

architectures. Paper [96] uses RFID & SIM, which enablesusers to use their mobile phone as ATM card/credit card.By using RFID readers at ATM, users can withdraw money.Paper [97] uses Bluetooth with Java technology by whichusers can pay at POS (point of sale) by using a mobile phone.Java components are used here to provide encryption. Paper[98] works on existing models; it enhances SEMOPS (SecureMobile Payment Service) model by involving a trusted thirdparty. Papers [99], [100], [101] used GSM technology toimplement a secure m-payment system. It provides low-cost architecture by using the existing GSM mechanism.Papers [100], [101], [102], [103] used NFC communication,which provides more speed for communication than othertechnologies. In [101], the proposed scheme also providesuser anonymity and the un-linkable transaction to defendagainst attacks. [102], [104], [105] use QR-Code, which isfast and supports the buy-and-sale process easily and effi-ciently. In [103] using SMS service; mostly SMS service inmobile communication is used for authentication. In [106],using the SMS based authentication system and proposedthe application based system in which authentication codecan only be accessed by an authorized user and using IB-Signature, which is simple and less costly, the identity ofan entity is used in this technology for authentication or forgranting access. Authors in [106] also use the OTP codefor securing communication; it prevents the system fromreplay attack and uses a password for only one time. WAPor Bluetooth technology is used in [107] which provides fastcommunication but over a small range of areas. It is for peer-to-peer communication and less in cost. [108] uses SMSfor sending a notification, but for transactions purpose, ituses unstructured supplementary service data (USSD), whichprovides a more responsive service than SMS. In [109], the

author uses U2F technology, which is fast and much secure; itperforms cryptographic functions with a single touch & gen-erates asymmetric keys. It authenticates both the client andserver in a reliable manner so transactions can be done se-curely. Query processing over encrypted data is the solutionto tackle the extra overhead caused by the use of encryption,and such techniques result in remarkable improvements inthe scenario where near real-time data processing is required[110].

2) Analysis

The overall average of technological usage of M-Paymentsystems is depicted in Table 3. We analyzed technologies andfound that SMS is used in primarily m-payment systems.The use of NFC, GSM, and QR-Code is also every day inpayment schemes or models. They provide many advantageslike we know NFC provides faster speed, GSM providesmany already implemented services that make these modelsimplementation easy and straightforward, QR-Code is a lesscostly and straightforward technology used in many mobilepayment systems. U2F is much secure and reliable than QR-code, NFC, or Bluetooth.

VII. SECURITY ANALYSIS OF M-PAYMENT SYSTEMS

This section presents the security analysis of M-Paymentssystem. Security analysis comprise of various services:Authentication, Mutual Authentication, Integrity, CustomerAnonymity and Non Repudiation. Figure 8 the overall ser-vice hierarchy of m-payment system. Below we explain eachservices in detail

12 VOLUME 4, 2016


TABLE 6: Comparison of reviewed papers on the basis of payment system technology, architecture, communication entityinvolvement, assumption, advantages and disadvantages of solutions (I)

Ref M-PaymentBased On

ArchitectureUsed

M-Payment Be-tween

Provides Assumption Advantage Disadvantage

[105] RFID RFID & SIM User & POSUser & Serviceprovider Usercan also depositmoney

Easy to pay serviceand ATM/Credit cardfunctionality throughmobile

RFID readers areinstalled at stations,shopping malls, & atATM,

Flexibility, time,workforce reduction,safety & mobility

Some issues in security &privacy in RFID Chancesof unauthorized use arepresent in case of theft orloss of mobile.

[107] J2EE and J2MEcapabilities

Java, Bluetooth Payment server &mobile clients

Confidentiality andAuthentication

MIDP application isuploaded to client’smobile

It overcomes the API andtechnical limitations, aswell as security considera-tion

As the number of clientsincreases the delay (mil-liseconds) will increaseover Bluetooth environ-ment

[111] Existingmodels

SEMOPS &trusted thirdelements

Customer & Mer-chant

Privacy & Non-Repudiation

All parties possesscertificates amongeach other

It introduces trusted thirdelements & follows newMechanism to achieve pri-vacy & non-repudiation

Difficult to implement

[112] Multiple layers SMS, GSM Consumer & con-tent provider

Security & High Scal-ability

- It provides low cost andtechnical requirement,high scalability, andsecurity

The system required to bemore simplified, improvethe security & applicationof digital signatures

[109] Scenario for m-payment mod-els

NFC, QR code Customer & Mer-chant

Speed & Security - For speed, transaction isinitiated by merchant be-cause he has more reliable& continuous connectionwith 3rd party

For every newpurchase, there willbe authentication bymerchant’s involvementwhich can make himbusy and it can affect hisavailability

TABLE 7: Comparison of reviewed papers based on payment system technology, architecture, communication entity involve-ment, assumption, advantages and disadvantages of solutions (II)

Ref M-PaymentBased On

Architecture Used M-Payment Be-tween


[106] Identity BasedCryptography(IBC)

IB Signatures andOne Time Key

Consumer andMerchant

Privacy and Security oftransferred data

- IBC framework is simpleand less costly

Higher number of crypto-graphic operations

[100] GSM NFC and GSM Point-of-Sale(POS) and thecustomer

Security for low valuepayments, customeranonymity and ubiquitousimplementation

Secure channel betweenpayment gateway and shopPOS

Re-using existing GSM se-curity mechanisms Pay-ment is same as paying bydebit or credit card.

-Short length of encryp-tion key. -Merchants needto register themselves withmobile operator -protocolis complex as comparedto m-payment via SMS orWAP

[113] SMS SMS, WAP or Blue-tooth and J2ME.

Payer’s orPayee’s bank

Secure M-Payment formacro transactions -lessencryption or decryptionoperations

Trusted payment gatewayis involved betweenpayer’s and payee’s banks

This scheme sharespayee’s financial data withbanks only

If mobile got stolen andPIN got also leaked thenthere are chances of finan-cial loss

[114] PKI QR-Code and PKI Client and mer-chant

Additional layer of secu-rity for m-payment sys-tems

Trusted third party is in-volved to secure encryp-tion keys and to ensure le-gitimate users

This scheme uses RSAwhich is considered asstrongest asymmetric en-cryption system

For stronger securitylonger key pair is requiredwhich leads to larger sizeof QR code

[115] 3G 3G, SMS and IVR Client and server(Mobile PaymentPlatform)

Intelligent travel design byusing m-payment system

- By using this user can payfines, insurance amount orcan query traffic violationsrules etc

Initial connection in thissystem takes longer time

[116] 2D Bar CodeQR 2D BarCode

Point-of-Sale (POS)and the customer

Advantages tosupport buy-and-sale products andservices base on2D Barcodes

Trusted third party authen-tication server is used asCertification authority

- Products can be tradedanywhere, anytime Easy touse Reduce user input

Computations are littlecomplex

[117] SMS SMS P2P Peer-to-peer It provides features like se-curity, privacy, speed andless cost

- Money transfer can bedone by transmitting mo-bile number only

Huge number of differ-ent device OS and devel-opment environment mayprevent Support for all de-vices

1) Confidentiality

In [97], confidentiality is provided by using Java components.In [98], [115] uses cryptography to provide confidentiality.In [106] OTP and PKI infrastructure are used to provideconfidentiality. In [100] GSM security mechanism is usedwhich provide confidentiality via A5 and A8 algorithm. In[103], [107] confidentiality is achieved by using Symmetrickey cryptography to provide confidentiality. Paper [104] usesRSA encryption mechanism to provide confidentiality. In

[111] DES and ECC are used to achieve confidentiality. In[105] confidentiality is achieved by using AES and RSA.In [112] secured end-to-end encryption is used to provideconfidentiality. In [118] symmetric key encryption is used toprovide confidentiality. In [114] RSA encryption mechanismis used to achieve the confidentiality. In [109] Asymmetriccryptosystem is used to provide encryption. In [101] AESis used to provide confidentiality which is a type of sym-metric key cryptography. [116] provides confidentiality by

VOLUME 4, 2016 13


TABLE 8: Comparison of reviewed papers on the basis of payment system technology, architecture, communication entityinvolvement, assumption, advantages and disadvantages of solutions (III)

Ref M-Payment BasedOn

Architecture Used M-Payment Be-tween


[118] Cryptographic Pro-tocol Shape Ana-lyzer (CPSA)

CPSA Merchant andpayment gateway

Payment mechanism ensuringaccountability and un-linkableanonymity less number ofcryptographic operations

Customer browses through themerchant website

Customer has an option ofmaking payment using cards ofdifferent banks

Limited to a maximum of twogateways

[114] Traceablesignatures, identity-based signatures,anonymoussignatures

Signatures Ternminal andPassenger

Provides mechanism to protectpassenger’s privacy

Off-board terminal trusts on-board terminal

It can be applied to off-line mo-bile payment systems

-

[108] UnstructuredSupplementaryService Data(USSD)

USSD and SMS User to Agentand Agent toUser

Secured transaction by usingtwo layers of authentication

Mobile wallet number is sameas mobile number and there islarge no. of agent points acrossthe country

Mitigate human error and pre-vent cyber-frauds

Doesn’t consider confidential-ity and integrity aspect

[109] Universal 2nd Fac-tor (U2F)

U2F, USIM User to Server Secure mutual authenticationprotocol for m-payment sys-tems

- Provides a reliable service andprotect user’s account informa-tion and privacy

In registration process, it willtake time since it is usingasymmetric cryptosystem

[106] NFC Wi-Fi, 4G, GSM NFC Bank to bank(POS)

Enhance the security of theEMV(Europay, MasterCard,and Visa) exchanged messages

Mobile network operator(MNO) is trusted by NFCenabled Mobile

Adds a security layer to EMVand ensures confidentiality andmutual authentication

It will be failed if POS entity isdishonest

[118] NFC NFC User and TSM(Trusted ServiceManager)

Secure protocol which is com-patible with EMV

TSM and Bank own their keypairs of a PKI cryptosystem

User can perform transactionwithout disclosing his identity.

Requires a high computationpower for TSM and bank

[116] NFC enable phone NFC and trusted thirdparty

User and Mer-chant

User anonymity - Un-linkable anonymity to user -

[119] SMS - User and bank,bank and gateway

Secure transaction with formaltechnique

- Less time take for key genera-tion and encryption decryption,and scheme security is verifiedby tools

Only for Android and Java 2Micro Edition device

[115] Application Based Mobile transactionauthenticationnumber system

User and Bank Application-based system thatis comparatively more securethan SMS based system

Attacker can get access to weband SMS at the same time

More security than SMS basedMTAN

Less efficient than MTAN

M Payment Security

Confidentiality

SymmetricA Symmetric

PIN & Account No.

Mobile & QR Code

Short Code

PKI / Digital Signatures

GSM Encryption /

A5

AES / DESKey

Management

RSA

Authentication

Multi FactorSingle Factor

One Time Password

ECCSMS &

Secret Key

CPSA RFID

FIGURE 8: M-Payment Security

encrypting the information using asymmetric keys and thekey pair stored in the secure storage [117] to protect fromunauthorized access. In [113] confidentiality is achieved byusing ECC which is a type of asymmetric key cryptography.

2) Authentication

In [96] authentication is performed by reading the RFIDtag, which is embedded in the SIM card. RFID reader au-

thenticates the user in this scheme. In [97] authentication isprovided by asking for a PIN and account number. In [99]Control and communicating interface are used to provideauthentication. In [102] authentication is done by using NFCenabled mobile phone and QR-code/PIN. In [100] tripleauthentication mechanism is ensured by using the challenge-response protocol. In [107] authentication is provided byusing SMS and secret key. Paper [111] ensures authentication

14 VOLUME 4, 2016


TABLE 9: MPS technology specific categorization

Technology Papers %NFC [102], [103], [101], [100], [106], [116] 28.57GSM [96], [99], [100], [101] 19.04SMS [99], [100], [107], [111], [112], [108], [113], [115] 38.09RFID [96] 4.76QR-Code [102], [104], [105] 14.28Bluetooth [97], [107] 9.52U2F [109] 4.76

by using signature schemes (DES and ECC). Paper [112]uses short-codes to provide authentication. In [118] Isomor-phic shapes are used for authentication.

3) Mutual AuthenticationIn [98], [106], [113] Payment requests are signed by signingkey (Digital Signatures) of both client & merchant to achievemutual authentication. In [104] mutual authentication is en-sured by using the RSA-PKI mechanism. In [105] RSA-Digital Signature is used to provide mutual authentication.In [114] identity-based signatures are used to achieve mutualauthentication. In [108] mutual authentication is achievedby using Mobile Wallet number and PIN. In [109] mu-tual authentication is provided by using Asymmetric keys,valid username & password. For authentication [101] usesSession-key and challenge-response authentication. To en-sure mutual authentication [103] uses secret key and publickey infrastructure (PKI). In [116] authentication is providedby using digital signatures. In this scheme, mutual authenti-cation is only between the user and the bank.

4) IntegrityTo ensure the data has not tampered during transaction [114],[113], [106], [109], [100], [101] use hash packets and verifythe hash. Paper [107] uses a private banking network andsecure payer confirmation to ensure integrity. In [104] in-tegrity is ensured by using QR-Code. In [105] RSA-Digitalsignature algorithm is used to ensure integrity. [100] Achievethe integrity by Message Authentication Code (MAC) thatis embedded in the ciphertext. In [116], the informationis encrypted with shared key among bank/user and signedwith user’s private key that protects the information fromunauthorized modification.

5) Customer AnonymityIn [98] there is no need to get registered to the merchantor any 3rd party before or during the transaction, whichensures the anonymity of the client. In [100] the client’slong-term ID is not revealed to the merchant, which ensuresthe client’s anonymity. In [112] anonymity of consumeris ensured because it only requires the consumer’s mobilenumber or short-code provided by them-payment applicationservice provider. In [118] customer’s identity is dynamic andupdated frequently to ensure the anonymity of a customer.In [114] client’s anonymity is ensured by hiding session andtransit information. [116], [103] achieve anonymity by using

virtual accounts for clients whom the bank assigns. [120] pro-poses a novel approach of ensuring privacy, confidentiality,and authentication using a hybrid scheme for location andpayment authentication.

6) Non RepudiationIn [116] Non-repudiation is ensured by using the signingkey and timestamp. In [106] IBC-Signatures are used whichensures non-repudiation in their scheme. In [107] three fac-tors are used to prove non-repudiation of the client (bychecking the status response of the client, session key, and theoffline PIN). Paper [105] uses RSA-Digital Signature to signtransaction information which ensures non-repudiation oftransactions. Papers [109], [113] use signatures to ensure thelegitimate user and non-repudiation. [101] ensures the non-repudiation by hashing the transaction data with the sharedkey. In [121], authors explore data sharing and privacy forpatient IoT devices using block-chain. In [116], the securestorage of NFC generates the key pair (public, private) for avirtual account, and a private key signs all messages duringthe transaction process, which ensures non-repudiation intheir scheme.

TABLE 10: Security specific categorization of reviewed re-search papers

Security feature Papers %Confidentiality [97], [98], [100], [101], [111],

[112], [103], [104], [105], [107],[106], [109], [118], [114], [116],[113], [115]

80.09

Authentication [96], [97], [98], [99], [102], [100],[101], [103], [104], [105], [107],[111], [112], [108], [118], [106],[109], [114], [116], [113], [115]

100

Integrity [100], [101], [103], [104], [105],[107], [106], [109], [114], [116],[113], [115]

57.14

Mutual Authentication [98], [101], [103], [104], [105],[108], [106], [109], [114], [116],[113], [115]

57.14

Customer Anonymity [98], [116], [114], [118], [112],[100], [103]

33.33

Non-Repudiation [98], [101], [105], [107], [106],[109], [116], [113]

38.09

The overall security features provided by each paper in ourstudy are described in Table 10. It tells us that all the systemswe have reviewed ensure authentication, and most of themalso provide encryption. The main aspects considered in eachpayment system are encryption and authentication; withoutthese two aspects, no system can be said as secure enough.Integrity and registration of clients or merchants have alsogot much importance and value while designing any paymentsystem.

VIII. CHALLENGES AND FUTURE WORKDue to the increase in technology used worldwide to easedaily life activities, mobile payment systems also emergedrapidly for the same reasons. Tasks that take hours to performby visiting the banks are now at the fingertips using smart-

VOLUME 4, 2016 15


phones and allied payment infrastructure in digital forms.This ease also brought some related issues, the most danger-ous of which is the threat of malicious actors hacking thepayment system to steal money. The recent hacking of block-chain-based cryptocurrency exchanges, which were previ-ously considered the most secure digital payment system,rings the bells that the hackers circumvent ways to bypass thesecurities in place. This new battleground between the goodand the bad for enhancing and ensuring the security of mobilepayment systems against emerging threats is an affluent areato explore in the future.

In any field, there is always the possibility of enhance-ments and improvement. In the future, we intend to focus onunderstanding the preferences of consumers and the reasonsto utilize or not utilize a specific technology-enabled serviceas it is vital to design viable services that generate value toconsumers and the other stakeholders of an ecosystem. Theusage of mobile phones is high, and it is in almost everyperson’s approach. Most of the work or daily transactions orcommunication is done through a mobile phone; that is whymany companies introduced their services for mobile phones.Mobile payment methods are also available nowadays, but itneeds more security than other mobile phone services.

An increase in mobile payment solutions will increasethe user base, which is already sufficient compared to othertraditional methods. This increase will ultimately result in aload on the network infrastructure, which is the backboneof the success of such solutions. Advancement in next-generation networks and their impact on mobile paymentsolutions will be another research area to explore. Further tothis, research can be done on current bottlenecks resultingin lesser mobile payment solutions and remedial measuresusing network advancements.

This research has some practical and theoretical limita-tions that may provide valuable findings for future research.For example, we do not consider the potential impact of digi-tization on mobile payment systems, making behaviors morecomplex than those resulting from modular reorganizationalone. Our goal when choosing this project is to record dy-namics that cannot be found in developed countries. We hopeour findings can be applied to other mobile payment systemsin emerging economies. However, future comparative studiesusing larger samples or more extreme cases will confirmthe extent to which our results can be generalized. Since allcases are based on mobile network operators (MNOs), futureresearch on banks or third-party models will help discussmobile payment systems in the literature.

IX. CONCLUSIONThis paper has discussed various payment schemes and theirusage, technology, and provided security. Most paymentmethods are account-based payment systems, and their mainfocus is on security, privacy, confidentiality, and authen-tication. We present an overview and discussed differentcomponents of MPS. We present a detailed survey of theexisting MPS structure and its limitations; provide detailed

history, development, and deployment of MPS. Discusseddifferent aspects of MPS included socioeconomic conditions,Cost Efficiency, diffusion of mobile phones, convenience,new initiatives, heavy restrictions and regulations, limitedcollaboration, underdeveloped ecosystem, and security prob-lems; the key attributes of MPS, and stakeholder and com-munication entities roles in MPS form different aspects. Wediscussed different security mechanisms involved in MPS.Provide analysis of the encryption technologies, authentica-tion methods, and firewall in MPS. All the papers suggestdifferent techniques to provide different security aspects.However, the main point is that keeping in check the CIAtriad, each payment should be made with authentication andencryption because the future of MPS depends on its securityfeatures.

REFERENCES[1] S. F. Verkijika, “An affective response model for understanding the

acceptance of mobile payment systems,” Electronic Commerce Researchand Applications, vol. 39, p. 100905, 2020.

[2] A. R. Javed, M. O. Beg, M. Asim, T. Baker, and A. H. Al-Bayatti, “Al-phalogger: Detecting motion-based side-channel attack using smartphonekeystrokes,” Journal of Ambient Intelligence and Humanized Computing,pp. 1–14, 2020.

[3] S. Cimato, “Design of an authentication protocol for gsm javacards,”in International Conference on Information Security and Cryptology,pp. 355–368, Springer, 2001.

[4] S. Kungpisdan, B. Srinivasan, and P. D. Le, “A practical framework formobile set payment,” in Proceedings of International ESociety Confer-ence, pp. 321–328, 2003.

[5] L. Marvel and C. Boncelet, “Authentication for low power systems,” in2001 MILCOM Proceedings Communications for Network-Centric Op-erations: Creating the Information Force (Cat. No. 01CH37277), vol. 1,pp. 135–138, IEEE, 2001.

[6] Y. Wang, C. Hahn, and K. Sutrave, “Mobile payment security, threats,and challenges,” in 2016 second international conference on mobile andsecure services (MobiSecServ), pp. 1–5, IEEE, 2016.

[7] S. Deep, X. Zheng, A. Jolfaei, D. Yu, P. Ostovari, and A. Kashif Bashir,“A survey of security and privacy issues in the internet of things fromthe layered context,” Transactions on Emerging TelecommunicationsTechnologies, p. e3935, 2020.

[8] C. Iwendi, Z. Jalil, A. R. Javed, T. Reddy, R. Kaluri, G. Srivastava, andO. Jo, “Keysplitwatermark: Zero watermarking algorithm for softwareprotection against cyber-attacks,” IEEE Access, vol. 8, pp. 72650–72660,2020.

[9] A. Rehman Javed, Z. Jalil, S. Atif Moqurrab, S. Abbas, and X. Liu, “En-semble adaboost classifier for accurate and fast detection of botnet attacksin connected vehicles,” Transactions on Emerging TelecommunicationsTechnologies, p. e4088, 2020.

[10] M. Baza, N. Lasla, M. Mahmoud, G. Srivastava, and M. Abdallah,“B-ride: Ride sharing with privacy-preservation, trust and fair paymentatop public blockchain,” IEEE Transactions on Network Science andEngineering, 2019.

[11] R. M. Mohammad and H. Y. AbuMansour, “An intelligent model fortrustworthiness evaluation in semantic web applications,” in 2017 8thInternational Conference on Information and Communication Systems(ICICS), pp. 362–367, IEEE, 2017.

[12] D. Preuveneers, T. Heyman, Y. Berbers, and W. Joosen, “Feature-basedvariability management for scalable enterprise applications: Experienceswith an e-payment case,” in 2016 49th Hawaii International Conferenceon System Sciences (HICSS), pp. 5793–5802, IEEE, 2016.

[13] E. Turban, J. Outland, D. King, J. K. Lee, T.-P. Liang, and D. C. Turban,“Mobile commerce and the internet of things,” in Electronic Commerce2018, pp. 205–248, Springer, 2018.

[14] M. Hubert, M. Blut, C. Brock, C. Backhaus, and T. Eberhardt, “Accep-tance of smartphone-based mobile shopping: Mobile benefits, customercharacteristics, perceived risks, and the impact of application context,”Psychology & Marketing, vol. 34, no. 2, pp. 175–194, 2017.

16 VOLUME 4, 2016


[15] S. EDITION, “Cryptography and network security.”[16] “Securing the future of payments together.” Last accessed 14 May 2020.[17] T. Depot, “The home depot reports findings in payment data breach

investigation,” 2014.[18] J. Téllez and S. Zeadally, Mobile Payment Systems. Springer, 2017.[19] T. Dahlberg, J. Guo, and J. Ondrus, “A critical review of mobile payment

research,” Electronic Commerce Research and Applications, vol. 14,no. 5, pp. 265–284, 2015.

[20] T. Dahlberg, N. Mallat, J. Ondrus, and A. Zmijewska, “Past, presentand future of mobile payments research: A literature review,” Electroniccommerce research and applications, vol. 7, no. 2, pp. 165–181, 2008.

[21] J. Lee, M. H. Ryu, and D. Lee, “A study on the reciprocal relationship be-tween user perception and retailer perception on platform-based mobilepayment service,” Journal of Retailing and Consumer Services, vol. 48,pp. 7–15, 2019.

[22] S. Saxena, S. Vyas, B. S. Kumar, and S. Gupta, “Survey on onlineelectronic paymentss security,” in 2019 Amity International Conferenceon Artificial Intelligence (AICAI), pp. 756–751, IEEE, 2019.

[23] A. Thangamuthu, “A survey on various online payment and billingtechniques,” Humanities, vol. 7, no. 3, pp. 86–91, 2020.

[24] A. Saranya and R. Naresh, “Efficient mobile security for e health careapplication in cloud for secure payment using key distribution,” NeuralProcessing Letters, pp. 1–12, 2021.

[25] J. Wang and J.-Y. Lai, “Exploring innovation diffusion of two-sidedmobile payment platforms: A system dynamics approach,” TechnologicalForecasting and Social Change, vol. 157, p. 120088, 2020.

[26] F. Liébana-Cabanillas, I. Ramos de Luna, and F. Montoro-Ríos, “Inten-tion to use new mobile payment systems: a comparative analysis of smsand nfc payments,” Economic research-Ekonomska istraživanja, vol. 30,no. 1, pp. 892–910, 2017.

[27] M. Masihuddin, B. U. I. Khan, M. Mattoo, and R. F. Olanrewaju, “Asurvey on e-payment systems: elements, adoption, architecture, chal-lenges and security concepts,” Indian Journal of Science and Technology,vol. 10, no. 20, pp. 1–19, 2017.

[28] V. Kumar, K.-K. Lai, Y.-H. Chang, P. C. Bhatt, and F.-P. Su, “A structuralanalysis approach to identify technology innovation and evolution path:a case of m-payment technology ecosystem,” Journal of KnowledgeManagement, 2020.

[29] S. Solat, “Security of electronic payment systems: A comprehensivesurvey,” arXiv preprint arXiv:1701.04556, 2017.

[30] M. Kim, S. Kim, and J. Kim, “Can mobile and biometric payments re-place cards in the korean offline payments market? consumer preferenceanalysis for payment systems using a discrete choice model,” Telematicsand Informatics, vol. 38, pp. 46–58, 2019.

[31] F. Liébana-Cabanillas, S. Molinillo, and M. Ruiz-Montañez, “To use ornot to use, that is the question: Analysis of the determining factors for us-ing nfc mobile payment systems in public transportation,” TechnologicalForecasting and Social Change, vol. 139, pp. 266–276, 2019.

[32] I. R. de Luna, F. Liébana-Cabanillas, J. Sánchez-Fernández, andF. Muñoz-Leiva, “Mobile payment is not all the same: The adoption ofmobile payment systems depending on the technology applied,” Techno-logical Forecasting and Social Change, vol. 146, pp. 931–944, 2019.

[33] M. Sumathy and K. Vipin, “Digital payment systems: Perception andconcerns among urban consumers,” IJAR, vol. 3, no. 6, pp. 1118–1122,2017.

[34] S. Fatonah, A. Yulandari, and F. Wibowo, “A review of e-payment systemin e-commerce,” in Journal of Physics: Conference Series, vol. 1140,p. 012033, IOP Publishing, 2018.

[35] S. Evans and A. Pirchio, “An empirical examination of why mobilemoney schemes ignite in some developing countries but flounder in most.university of chicago coase-sandor institute for law & economics researchpaper no. 723,” 2015.

[36] P. Van der Boor, P. Oliveira, and F. Veloso, “Users as innovators indeveloping countries: The global sources of innovation and diffusion inmobile banking services,” Research Policy, vol. 43, no. 9, pp. 1594–1607,2014.

[37] S. Dodini, A. A. Lopez-Fernandini, E. A. Merry, L. Thomas, et al.,“Consumers and mobile financial services 2016,” tech. rep., Board ofGovernors of the Federal Reserve System (US), 2016.

[38] R. Duncombe, “Researching impact of mobile phones for development:concepts, methods and lessons for practice,” Information technology forDevelopment, vol. 17, no. 4, pp. 268–288, 2011.

[39] A. Dermish, C. Kneiding, P. Leishman, and I. Mas, “Branchless andmobile banking solutions for the poor: a survey of the literature,” Inno-

vations: Technology, Governance, Globalization, vol. 6, no. 4, pp. 81–98,2011.

[40] J. Liu, R. J. Kauffman, and D. Ma, “Competition, cooperation, and reg-ulation: Understanding the evolution of the mobile payments technologyecosystem,” Electronic Commerce Research and Applications, vol. 14,no. 5, pp. 372–391, 2015.

[41] N. Iman, “Is mobile payment still relevant in the fintech era?,” ElectronicCommerce Research and Applications, vol. 30, pp. 72–82, 2018.

[42] A. A. Ozok and J. Wei, “An empirical comparison of consumer usabilitypreferences in online shopping using stationary and mobile devices: re-sults from a college student population,” Electronic Commerce Research,vol. 10, no. 2, pp. 111–137, 2010.

[43] A. A. Shaikh and H. Karjaluoto, “Mobile banking adoption: A literaturereview,” Telematics and informatics, vol. 32, no. 1, pp. 129–142, 2015.

[44] E. L. Slade, M. D. Williams, and Y. Dwivedi, “Extending utaut2 toexplore consumer adoption of mobile payments.,” UKAIS, vol. 36, 2013.

[45] T. Oliveira, M. Thomas, G. Baptista, and F. Campos, “Mobile payment:Understanding the determinants of customer adoption and intention torecommend the technology,” Computers in Human Behavior, vol. 61,pp. 404–414, 2016.

[46] V. Kumar, N. Nim, and A. Sharma, “Driving growth of mwallets inemerging markets: a retailer’s perspective,” Journal of the Academy ofMarketing Science, vol. 47, no. 4, pp. 747–769, 2019.

[47] R. Glavee-Geo, A. A. Shaikh, H. Karjaluoto, and R. E. Hinson, “Driversand outcomes of consumer engagement,” International Journal of BankMarketing, 2019.

[48] M. G. Nejad, T. Apanasevic, J. Markendahl, and N. Arvidsson, “Stake-holders’ expectations of mobile payment in retail: lessons from sweden,”International Journal of Bank Marketing, 2016.

[49] J. T. Isaac and Z. Sherali, “Secure mobile payment systems,” IT Profes-sional, vol. 16, no. 3, pp. 36–43, 2014.

[50] J. Sun and N. Zhang, “The mobile payment based on public-key secu-rity technology,” in Journal of Physics: Conference Series, vol. 1187,p. 052010, IOP Publishing, 2019.

[51] P. Chaudhury, S. Dhang, M. Roy, S. Deb, J. Saha, A. Mallik, S. Bal,S. Roy, M. K. Sarkar, S. Kumar, et al., “Acafp: Asymmetric key basedcryptographic algorithm using four prime numbers to secure messagecommunication. a review on rsa algorithm,” in 2017 8th Annual Indus-trial Automation and Electromechanical Engineering Conference (IEME-CON), pp. 332–337, IEEE, 2017.

[52] J. Zhang, “A study on application of digital signature technology,” in2010 International Conference on Networking and Digital Society, vol. 1,pp. 498–501, IEEE, 2010.

[53] S. F. Al-Janabi and A. K. Obaid, “Development of certificate authorityservices for web applications,” in 2012 International Conference onFuture Communication Networks, pp. 135–140, IEEE, 2012.

[54] O. Ogbanufe and D. J. Kim, “Comparing fingerprint-based biometricsauthentication versus traditional authentication methods for e-payment,”Decision Support Systems, vol. 106, pp. 1–14, 2018.

[55] A. K. Jain, P. Flynn, and A. A. Ross, Handbook of biometrics. SpringerScience & Business Media, 2007.

[56] C. S. Weir, G. Douglas, T. Richardson, and M. Jack, “Usable security:User preferences for authentication methods in ebanking and the effectsof experience,” Interacting with Computers, vol. 22, no. 3, pp. 153–164,2010.

[57] H. Crawford, K. Renaud, and T. Storer, “A framework for continuous,transparent mobile device authentication,” Computers & Security, vol. 39,pp. 127–136, 2013.

[58] S. Byun and S.-E. Byun, “Exploring perceptions toward biometric tech-nology in service encounters: a comparison of current users and potentialadopters,” Behaviour & Information Technology, vol. 32, no. 3, pp. 217–230, 2013.

[59] I. M. Alsaadi, “Physiological biometric authentication systems, advan-tages, disadvantages and future development: A review,” InternationalJournal of Scientific & Technology Research, vol. 4, no. 12, pp. 285–289,2015.

[60] A. Alzubaidi and J. Kalita, “Authentication of smartphone users usingbehavioral biometrics,” IEEE Communications Surveys & Tutorials,vol. 18, no. 3, pp. 1998–2026, 2016.

[61] M. Rouse, “Single-factor authentication (sfa),”https://searchsecurity.techtarget.com/, 2017.

[62] A. Rahav, “The secret security wiki,”https://doubleoctopus.com/security-wiki/ authentication/single-factor-authentication/, 2018.

VOLUME 4, 2016 17


[63] A. Ometov, S. Bezzateev, N. Mäkitalo, S. Andreev, T. Mikkonen, andY. Koucheryavy, “Multi-factor authentication: A survey,” Cryptography,vol. 2, no. 1, p. 1, 2018.

[64] C. Hamilton and A. Olmstead, “Database multi-factor authenticationvia pluggable authentication modules,” in 2017 12th International Con-ference for Internet Technology and Secured Transactions (ICITST),pp. 367–368, IEEE, 2017.

[65] K. K. Lakshmi, H. Gupta, and J. Ranjan, “Ussd—architecture analysis,security threats, issues and enhancements,” in 2017 International Con-ference on Infocom Technologies and Unmanned Systems (Trends andFuture Directions)(ICTUS), pp. 798–802, IEEE, 2017.

[66] S. Castle, F. Pervaiz, G. Weld, F. Roesner, and R. Anderson, “Let’stalk money: Evaluating the security challenges of mobile money in thedeveloping world,” in Proceedings of the 7th Annual Symposium onComputing for Development, pp. 1–10, 2016.

[67] B. Reaves, J. Bowers, N. Scaife, A. Bates, A. Bhartiya, P. Traynor,and K. R. Butler, “Mo (bile) money, mo (bile) problems: Analysis ofbranchless banking applications,” ACM Transactions on Privacy andSecurity (TOPS), vol. 20, no. 3, pp. 1–31, 2017.

[68] R. Mahajan, J. Saran, and A. Rajagopalan, “Mitigating emerging fraudrisks in the mobile money industry,” Deloitte: Mumbai, India, 2015.

[69] F. Salahdine and N. Kaabouch, “Social engineering attacks: a survey,”Future Internet, vol. 11, no. 4, p. 89, 2019.

[70] M. W. Buku and R. Mazer, “Fraud in mobile financial services: protectingconsumers, providers, and the system,” tech. rep., The World Bank, 2017.

[71] S. Lonie, “Fraud risk management for mobile money: An overview.2017,” 2017.

[72] P. Sharma, “A contemplate on multifactor authentication,” in 2019 6thInternational Conference on Computing for Sustainable Global Develop-ment (INDIACom), pp. 824–827, IEEE, 2019.

[73] A. Kumari, S. Jangirala, M. Y. Abbasi, V. Kumar, and M. Alam, “Eseap:Ecc based secure and efficient mutual authentication protocol usingsmart card,” Journal of Information Security and Applications, vol. 51,p. 102443, 2020.

[74] L. Katusiime, “Mobile money use: The impact of macroeconomic policyand regulation,” Economies, vol. 9, no. 2, p. 51, 2021.

[75] K. McKee, M. Kaffenberger, and J. M. Zimmerman, “Doing digitalfinance right: The case for stronger mitigation of customer risks,” FocusNote, vol. 103, 2015.

[76] G. Ali, M. Ally Dida, and A. Elikana Sam, “Evaluation of key securityissues associated with mobile money systems in uganda,” Information,vol. 11, no. 6, p. 309, 2020.

[77] R. Gwahula, “Risks and barriers associated with mobile money transac-tions in tanzania,” 2016.

[78] G. Ali, M. Ally Dida, and A. Elikana Sam, “Two-factor authenticationscheme for mobile money: A review of threat models and countermea-sures,” Future Internet, vol. 12, no. 10, p. 160, 2020.

[79] D. Kunda and M. Chishimba, “A survey of android mobile phone authen-tication schemes,” Mobile Networks and Applications, pp. 1–9, 2018.

[80] F. S. G. Talom, R. K. Tengeh, et al., “The impact of mobile money on thefinancial performance of the smes in douala, cameroon,” Sustainability,vol. 12, no. 1, pp. 1–1, 2019.

[81] B. W. Nyamtiga, A. Sam, and L. S. Laizer, “Enhanced security model formobile banking systems in tanzania,” Intl. Jour. Tech. Enhancements andEmerging Engineering Research, vol. 1, no. 4, pp. 4–20, 2013.

[82] W. Ahmed, F. Shahzad, A. R. Javed, F. Iqbal, and L. Ali, “Whatsappnetwork forensics: Discovering the ip addresses of suspects,” in 202111th IFIP International Conference on New Technologies, Mobility andSecurity (NTMS), pp. 1–7, 2021.

[83] A. Chowdhury, “Recent cyber security attacks and their mitigationapproaches–an overview,” in International conference on applications andtechniques in information security, pp. 54–65, Springer, 2016.

[84] M. S. Sadekin and A. Shaikh, “Security of e-banking in bangladesh,” J.Financ. Account, vol. 4, no. 1, 2016.

[85] A. F. Altwairqi, M. A. AlZain, B. Soh, M. Masud, and J. Al-Amri, “Fourmost famous cyber attacks for financial gains,” Int. J. Eng. Adv. Technol.IJEAT, vol. 9, pp. 2131–2139, 2019.

[86] N. Shaw, “The mediating influence of trust in the adoption of the mobilewallet,” Journal of Retailing and Consumer Services, vol. 21, no. 4,pp. 449–459, 2014.

[87] N. Kshetri, “Cybercrime and cybersecurity in africa,” 2019.[88] L. Tamazirt, F. Alilat, and N. Agoulmine, “Nfc-based ubiquitous moni-

toring system for e-industry,” in 2017 Third International Conference onMobile and Secure Services (MobiSecServ), pp. 1–4, IEEE, 2017.

[89] A. Bhatta and A. K. Mishra, “Gsm-based commsense system to measureand estimate environmental changes,” IEEE Aerospace and ElectronicSystems Magazine, vol. 32, no. 2, pp. 54–67, 2017.

[90] Y.-C. Tsao, Q. Zhang, and Q. Zeng, “Supply chain network designconsidering rfid adoption,” IEEE Transactions on Automation Scienceand Engineering, vol. 14, no. 2, pp. 977–983, 2016.

[91] S. Dix, I. Phau, K. Jamieson, and A. S. Shimul, “Investigating the driversof consumer acceptance and response of sms advertising,” Journal ofPromotion Management, vol. 23, no. 1, pp. 62–79, 2017.

[92] S. Mukherjee and S. Mondal, “A scheme for qr code based smart doorlocks security system using an arm computer,” in Proceedings of the FirstInternational Conference on Intelligent Computing and Communication,pp. 613–621, Springer, 2017.

[93] S. S. Hassan, S. D. Bibon, M. S. Hossain, and M. Atiquzzaman, “Securitythreats in bluetooth technology,” Computers & Security, vol. 74, pp. 308–322, 2018.

[94] L. Deng, H. Huang, and Y. Qu, “Identity based proxy signature from rsawithout pairings.,” IJ Network Security, vol. 19, no. 2, pp. 229–235, 2017.

[95] J. M. Kizza, “Security in wireless networks and devices,” in Guide toComputer Network Security, pp. 397–427, Springer, 2017.

[96] M. A. Qadeer, N. Akhtar, S. Govil, and A. Varshney, “A novel scheme formobile payment using rfid-enabled smart simcard,” in 2009 InternationalConference on Future Computer and Communication, pp. 339–343,IEEE, 2009.

[97] S. Manvi, L. Bhajantri, and M. Vijayakumar, “Secure mobile paymentsystem in wireless environment,” in 2009 International Conference onFuture Computer and Communication, pp. 31–35, IEEE, 2009.

[98] J. Liu, J. Liao, and X. Zhu, “A system model and protocol for mobilepayment,” in IEEE International Conference on e-Business Engineering(ICEBE’05), pp. 638–641, IEEE, 2005.

[99] X. Zheng and D. Chen, “Study of mobile payments system,” in EEEInternational Conference on E-Commerce, 2003. CEC 2003., pp. 24–27,IEEE, 2003.

[100] W. Chen, G. Hancke, K. Mayes, Y. Lien, and J.-H. Chiu, “Nfc mobiletransactions and authentication based on gsm network,” in 2010 SecondInternational Workshop on Near Field Communication, pp. 83–89, IEEE,2010.

[101] M. Al-Tamimi and A. Al-Haj, “Online security protocol for nfc mobilepayment applications,” in 2017 8th International Conference on Informa-tion Technology (ICIT), pp. 827–832, IEEE, 2017.

[102] S. Nseir, N. Hirzallah, and M. Aqel, “A secure mobile payment systemusing qr code,” in 2013 5th International Conference on ComputerScience and Information Technology, pp. 111–114, IEEE, 2013.

[103] S.-W. Chen and R. Tso, “Nfc-based mobile payment protocol with useranonymity,” in 2016 11th Asia Joint Conference on Information Security(AsiaJCIS), pp. 24–30, IEEE, 2016.

[104] A. T. Purnomo, Y. S. Gondokaryono, and C.-S. Kim, “Mutual authenti-cation in securing mobile payment system using encrypted qr code basedon public key infrastructure,” in 2016 6th International Conference onSystem Engineering and Technology (ICSET), pp. 194–198, IEEE, 2016.

[105] T. Ma, H. Zhang, J. Qian, X. Hu, and Y. Tian, “The design and implemen-tation of an innovative mobile payment system based on qr bar code,” in2015 International Conference on Network and Information Systems forComputers, pp. 435–440, IEEE, 2015.

[106] Y. Rui-xia, “Design of secure mobile payment system based on ibc,” in2015 10th International Conference on Broadband and Wireless Comput-ing, Communication and Applications (BWCCA), pp. 422–425, IEEE,2015.

[107] H. Harb, H. Farahat, and M. Ezz, “Securesmspay: secure sms mo-bile payment model,” in 2008 2nd International Conference on Anti-counterfeiting, Security and Identification, pp. 11–17, IEEE, 2008.

[108] M. H. Firoz and Z. Ahmed, “Defensive protocol to ensure safe mobilefinancial transaction in current context,” in 2017 Third Asian Conferenceon Defence Technology (ACDT), pp. 54–58, IEEE, 2017.

[109] K. Fan, H. Li, W. Jiang, C. Xiao, and Y. Yang, “U2f based secure mutualauthentication protocol for mobile payment,” in Proceedings of the ACMTuring 50th Celebration Conference-China, pp. 1–6, 2017.

[110] F. Shahzad, W. Iqbal, and F. S. Bokhari, “On the use of cryptdb forsecuring electronic health data in the cloud: A performance study,” in2015 17th International Conference on E-health Networking, ApplicationServices (HealthCom), pp. 120–125, 2015.

[111] C. Ruan, F. Xiao, and J. Luo, “Desgn and implementation of mobilepayment system for intelligent travel,” in 2014 IEEE 3rd International

18 VOLUME 4, 2016


Conference on Cloud Computing and Intelligence Systems, pp. 547–552,IEEE, 2014.

[112] B. Singh and K. Jasmine, “Comparative study on various methods andtypes of mobile payment system,” in 2012 International Conference onAdvances in Mobile Network, Communication and Its Applications,pp. 143–148, IEEE, 2012.

[113] S. Bojjagani and V. Sastry, “A secure end-to-end sms-based mobile bank-ing protocol,” International journal of communication systems, vol. 30,no. 15, p. e3302, 2017.

[114] J. Kang and D. Nyang, “A privacy-preserving mobile payment system formass transit,” IEEE Transactions on Intelligent Transportation Systems,vol. 18, no. 8, pp. 2192–2205, 2017.

[115] W. A. Khan, Y. Saleem, G. A. Shah, and A. Farooq, “Modified mobiletransaction authentication number system for 2-layer security,” in 2016International Conference on Intelligent Systems Engineering (ICISE),pp. 89–93, IEEE, 2016.

[116] J. N. Luo, M. H. Yang, and S.-Y. Huang, “An unlinkable anonymouspayment scheme based on near field communication,” Computers &Electrical Engineering, vol. 49, pp. 198–206, 2016.

[117] G. Platform, “The trusted execution environment: Delivering enhancedsecurity at a lower cost to the mobile market,” White Paper February,2011.

[118] V. Sureshkumar, R. Anitha, N. Rajamanickam, and R. Amin, “Alightweight two-gateway based payment protocol ensuring accountabilityand unlinkable anonymity with dynamic identity,” Computers & Electri-cal Engineering, vol. 57, pp. 223–240, 2017.

[119] S. Bojjagani and V. Sastry, “Ssmbp: A secure sms-based mobile bankingprotocol with formal verification,” in 2015 IEEE 11th InternationalConference on Wireless and Mobile Computing, Networking and Com-munications (WiMob), pp. 252–259, IEEE, 2015.

[120] D. Lavanya, R. Ramaprabha, B. Thangapandian, and K. Gunaseelan,“Novel privacy preserving authentication scheme based on physical layersignatures for mobile payments,” SN Computer Science, vol. 2, no. 2,pp. 1–11, 2021.

[121] G. Srivastava, R. M. Parizi, A. Dehghantanha, and K.-K. R. Choo,“Data sharing and privacy for patient iot devices using blockchain,” inInternational Conference on Smart City and Informatization, pp. 334–348, Springer, 2019.

VOLUME 4, 2016 19

Security in Next Generation Mobile Payment Systems: A ...

Documents

Transcript of Security in Next Generation Mobile Payment Systems: A ...