Global Messaging 2009 - Mobile Ticketing and Payments (35 slides)

Secure Payment and Ticketing Applications
Tom Godber - CTO Masabi

Uploaded by masabi, posted 25 May 2015

DESCRIPTION

Talk given by Tom at the Global Messaging 2009 conference in London on 24th June 2009. It covered the essence of what makes a good mobile service, using Masabi's UK rail work as a case study.

TRANSCRIPT

Page 1: Global Messaging 2009 - Mobile Ticketing and Payments

Secure Payment and Ticketing Applications

Tom Godber - CTO Masabi

Page 2

Agenda

Who Are Masabi

The Mobile Experience

Mobile Ticketing

Taking Mobile Payments

Page 3

About Masabi

2002 • First in-game micropayments
2004 • First mobile viral
2006 • Playtech mobile casino • 750+ handsets • 6 languages
2007 • First certified mobile security • 3Kb EncryptME • Award winning
2008 • Ticketing • Money transfers • Banking
• 20 currencies • 4 alphabets
• 2 Factor Authentication • Secure messaging • UK Rail Ticket Standard

Page 4

The Mobile Experience – All Sweetness and Light?

Page 5

Mobile Masochism

The mobile experience is about PAIN
Texting on a Moto…
Pretty much anything at all on Nokia’s touchscreen S60…

User experience is becoming important
Ex-RAZR users often won’t Moto again
But nothing is perfect, even Steve

Page 6

Many Services Will Fail

Good ideas are common
Good ideas which actually work aren’t
Given handset constraints…
Given real world conditions…
Compared to existing alternatives…

Page 7

Pick Your Battles

A successful service must offer a significant advantage to the user
An mPayment must be easier than cash and cards
Just because a user can do something, doesn’t mean they will
Offer net pain relief

Page 8

Considerations

User probably moving
Must be simple
Must be resilient

Has user got alternatives? Cash, debit/credit cards, PC

Page 9

Connecting With The Real World

Page 10

UK Rail Barcodes

Reliable, fast
Offline scanning: tickets still work when the Internet doesn’t!

Open security
PKI signatures prevent modification
Public key verification is cheap and easy

Royalty free, open barcodes
Aztec scans best on a handset screen
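The three security properties on this slide (offline scanning, signatures that stop modification, cheap public-key verification) in working code, as an added Go example that is neither Masabi's code nor the UK rail barcode standard itself: the 18-byte ticket layout, the Ed25519 signature scheme and the day-based validity window are assumptions made for illustration, and the station codes in the sample are constructed. The scanner holds only the public key, so it verifies with no connection at all. It also keeps a list of ticket IDs it has already accepted, because a signature only proves who issued a ticket, not that it is being presented once: the same signed barcode forwarded to a second phone would otherwise scan twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Ticket is a constructed, simplified record; the real UK rail barcode layout is
// not reproduced here (assumption). Validity days count from the Unix epoch.
type Ticket struct {
	TicketID  uint32
	ValidFrom uint32  // first valid day
	ValidTo   uint32  // last valid day
	Origin    [3]byte // three-letter station codes
	Dest      [3]byte
}

const payloadLen = 18 // 3 x uint32 + 2 x 3-byte station code

// Encode serialises the ticket big-endian; these are exactly the bytes signed.
func (t Ticket) Encode() []byte {
	b := make([]byte, payloadLen)
	binary.BigEndian.PutUint32(b[0:], t.TicketID)
	binary.BigEndian.PutUint32(b[4:], t.ValidFrom)
	binary.BigEndian.PutUint32(b[8:], t.ValidTo)
	copy(b[12:], t.Origin[:])
	copy(b[15:], t.Dest[:])
	return b
}

// DecodeTicket is the inverse of Encode and rejects any other length.
func DecodeTicket(b []byte) (Ticket, error) {
	if len(b) != payloadLen {
		return Ticket{}, fmt.Errorf("ticket payload is %d bytes, want %d", len(b), payloadLen)
	}
	t := Ticket{
		TicketID:  binary.BigEndian.Uint32(b[0:]),
		ValidFrom: binary.BigEndian.Uint32(b[4:]),
		ValidTo:   binary.BigEndian.Uint32(b[8:]),
	}
	copy(t.Origin[:], b[12:15])
	copy(t.Dest[:], b[15:18])
	return t, nil
}

// SignTicket runs on the issuing server, the only place the private key lives.
// The barcode carries payload || 64-byte Ed25519 signature.
func SignTicket(priv ed25519.PrivateKey, t Ticket) []byte {
	payload := t.Encode()
	return append(payload, ed25519.Sign(priv, payload)...)
}

// Scanner holds only the public key plus the IDs it has already accepted, so it
// works with no network connection at all.
type Scanner struct {
	pub  ed25519.PublicKey
	seen map[uint32]bool
}

func NewScanner(pub ed25519.PublicKey) *Scanner {
	return &Scanner{pub: pub, seen: map[uint32]bool{}}
}

// Verify checks the signature first (unsigned bytes are never parsed), then the
// validity window, then refuses a ticket ID it has seen before.
func (s *Scanner) Verify(barcode []byte, today uint32) (Ticket, error) {
	if len(barcode) != payloadLen+ed25519.SignatureSize {
		return Ticket{}, fmt.Errorf("barcode has the wrong length")
	}
	payload, sig := barcode[:payloadLen], barcode[payloadLen:]
	if !ed25519.Verify(s.pub, payload, sig) {
		return Ticket{}, fmt.Errorf("signature invalid: forged or modified ticket")
	}
	t, err := DecodeTicket(payload)
	if err != nil {
		return Ticket{}, err
	}
	if today < t.ValidFrom || today > t.ValidTo {
		return Ticket{}, fmt.Errorf("ticket %d not valid on day %d", t.TicketID, today)
	}
	if s.seen[t.TicketID] {
		return Ticket{}, fmt.Errorf("ticket %d already scanned", t.TicketID)
	}
	s.seen[t.TicketID] = true
	return t, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key pair; scanners get pub only
	tk := Ticket{TicketID: 42, ValidFrom: 14400, ValidTo: 14401, Origin: [3]byte{'M', 'Y', 'B'}, Dest: [3]byte{'B', 'M', 'O'}}
	barcode := SignTicket(priv, tk) // 82 bytes: small enough for an Aztec code on a phone screen
	sc := NewScanner(pub)
	for i := 1; i <= 2; i++ { // the second presentation of the same barcode is refused
		_, err := sc.Verify(barcode, 14400)
		fmt.Println("scan", i, "error:", err)
	}
}
```

A gate line with several scanners has to share or sync that seen-list, and it must be kept for the whole validity window of the tickets it covers. The public key can be embedded in scanner firmware; rotating the issuing key needs the usual overlap period, because every ticket signed under a retired key stops scanning the moment the scanners drop it.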

Page 11

UK Train Ticketing

Phone becomes your ticket

Today’s reality: only supported on a few routes, e.g. our National Express trial

3-6 months: train franchises start to go live; some rollout of barcode reading gates

Page 12

Not Just a Ticket

UK Rail Barcode has space for other entitlements, e.g. free coffee
Bundle other sales together with the ticket

Barcodes have plenty of other uses
Remove cash from high-risk environments to reduce ‘shrinkage’

Page 13

Mobile Ticket Delivery

Page 14

Handset Support

Chiltern Railways ticket app trial showed:
Adopted outside young male demographic
Often user’s first transaction with a phone

Tickets must be supported on everything! Smartphones are a niche

Page 15

Not All About The iPhone

[Chart: Q1 2009 shipped units (millions), 0–100 scale, comparing Other Nokias, Nokia 5800 and iPhone]

Page 16

Ticket Delivery

SMS tickets

Wap tickets

Local application ticket wallet

Page 17

Pure SMS Ticketing

Picture messaging can carry small barcodes
3 SMS per picture is expensive

Too small for new rail ticket barcodes
Simple insecure 1D or 2D barcodes only
No text details for visual inspection
▪ Scanner always required

Can be forwarded and reused

Page 18

Wap Ticketing

Wap Push with ticket URL
User downloads ticket
Saves image like a wallpaper
Must trust OMA DRM

A lot of effort to size image
Handsets often rescale an image that is slightly too big or small
This plays havoc with barcode scanners!

Page 19

Java Ticket Wallet

User installs local ticket wallet
Server sends tickets over SMS
One encrypted binary msg/ticket
Delivered directly to wallet app

App can display ticket details and barcode
Better barcode rendering > faster scanning
Details readable to an inspector

Page 20

BUT

Page 21

Address Customer Needs!

UK Rail Tickets – mainly bought in the station!

Page 22

User Needs

Ticket delivery is an extension of online
Fairly useful for users without printers
BUT most train tickets not bought online

Sell from phone
Buy in taxi / on street / in station
Avoid queues

Page 23

Page 24

Mobile Payment Channels

SMS: Premium SMS > phone bill; credit card over SMS
Payment through the browser
Payment through a local app

Page 25

SMS

Premium SMS payment
Good for simple transactions
Easy to set up, works on everything
30-60% operator cut
Best for low-value high-margin items

SMS insecure for any other payment
Messages can be read on stolen phones
Messages can be read on the network

Page 26

Mobile Browser Purchase

Wap purchase is multi-step
Repeat page loads slow and expensive
▪ Requires continuous connection
Data mis-entry becomes painful
▪ Limited opportunity to help user with validation etc – not like full web AJAX

Often insecure
Wap1 inherently insecure
Transcoders can mess with Wap2 and the mobile web

Page 27

Mobile Browsers

WAP SECURITY
Inherently insecure: used on older browsers, with “Wap” settings
(WTLS ends at the operator’s WAP gateway, which handles the traffic in clear before re-encrypting it to the web server)

WAP2 SECURITY
Like the web: most handsets use this with “Internet” settings

Page 28

Transcoders with HTTPS

Some transcoders leave HTTPS alone
Others will insert themselves in the connection
Handset cannot verify end certificate
Just like a man-in-the-middle attack!
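One defence against the interposing transcoder this slide describes, as an added Go example that is not code from the talk or from the J2ME clients of the time: the app ships with the SHA-256 fingerprint of its payment server's public key and refuses any TLS connection whose leaf certificate carries a different key, so a transcoder that terminates HTTPS and presents its own certificate is detected rather than trusted. The host names are hypothetical and the certificates are generated self-signed in memory so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the certificate's SubjectPublicKeyInfo. Pinning the key
// rather than the whole certificate survives routine certificate renewal as long
// as the server keeps its key pair.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// makePinVerifier returns a function with the signature of
// tls.Config.VerifyPeerCertificate. Go calls it after normal chain validation;
// it additionally rejects any leaf whose key differs from the pin, which is
// exactly what a transcoder terminating HTTPS with its own certificate fails.
func makePinVerifier(pin string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return err
		}
		if got := spkiFingerprint(leaf); got != pin {
			return fmt.Errorf("certificate pin mismatch (interposed proxy?): got %s, want %s", got, pin)
		}
		return nil
	}
}

// pinnedTLSConfig is how a client wires the check in. RootCAs is left at the
// system default so the usual chain validation still happens first.
func pinnedTLSConfig(serverName, pin string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: makePinVerifier(pin),
	}
}

// selfSignedCert creates a throwaway certificate so the check can be exercised
// offline; one stands in for the real server, another for a transcoder.
func selfSignedCert(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := selfSignedCert("m.example-rail.invalid")             // hypothetical ticket server
	transcoder, _ := selfSignedCert("proxy.example-operator.invalid") // hypothetical transcoder
	cfg := pinnedTLSConfig("m.example-rail.invalid", spkiFingerprint(server))
	fmt.Println("genuine server:", cfg.VerifyPeerCertificate([][]byte{server.Raw}, nil))
	fmt.Println("transcoder:", cfg.VerifyPeerCertificate([][]byte{transcoder.Raw}, nil))
}
```

Pinning trades flexibility for assurance: ship a backup pin for the next key so a key rotation does not lock every installed client out, and where a platform's HTTPS stack offers no such hook at all, the fall-back is the approach the next slides take, moving the sensitive payload into the app's own end-to-end encryption so a transport proxy never sees it in clear.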

Page 29

Java Ticket Sales App

Ticket purchase in UK
Aimed at repeat users

Intelligent client
Helps user with data entry => minimises resends
After 1st purchase, just enter CVV

Submits credit card purchase with one encrypted SMS
Good when signal strength low

Integrated into ticket wallet
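The single-SMS constraint that both the ticket wallet (one encrypted binary message per ticket, Page 19) and the sales app (one encrypted SMS per purchase, this page) rely on, as an added Go example that is not Masabi's EncryptME or its wire format. It assumes a per-device AES key provisioned when the wallet is installed, AES-GCM as the cipher, a 5-byte clear header, a 7-byte user data header for application port addressing (the mechanism that delivers a binary SMS to an application rather than to the inbox), and a constructed purchase body. It shows how much of a 140-byte message is left for ticket or purchase data once nonce and tag are paid for, and it refuses replayed and modified messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	smsUserData = 140                   // octets of user data in one GSM short message
	portUDH     = 7                     // user data header for 16-bit application port addressing,
	                                    // which is what routes the message to the wallet app
	smsBudget   = smsUserData - portUDH // 133 bytes left for the message itself
	hdrSize     = 5                     // type(1) || sequence number(4), sent in clear
	nonceSize   = 12                    // AES-GCM nonce
	tagSize     = 16                    // AES-GCM authentication tag
)

type MsgType byte

const (
	MsgTicket   MsgType = 1 // server -> wallet: one ticket
	MsgPurchase MsgType = 2 // wallet -> server: one purchase request
)

// MaxBody is the largest plaintext that still fits in a single SMS: 100 bytes.
func MaxBody() int { return smsBudget - hdrSize - nonceSize - tagSize }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds one message: hdr || nonce || ciphertext || tag. The header stays
// readable (the app needs the type before decrypting) but is authenticated as
// associated data, so it cannot be altered without failing the tag.
func Seal(key []byte, typ MsgType, seq uint32, body []byte) ([]byte, error) {
	if len(body) > MaxBody() {
		return nil, fmt.Errorf("body is %d bytes; at most %d fit in one SMS", len(body), MaxBody())
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrSize)
	hdr[0] = byte(typ)
	binary.BigEndian.PutUint32(hdr[1:], seq)
	nonce := make([]byte, nonceSize) // random per message; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(append(hdr, nonce...), gcm.Seal(nil, nonce, body, hdr)...), nil
}

// Open verifies and decrypts. A replay (sequence not above the last accepted
// one) is refused before any decryption; any changed byte fails the tag.
func Open(key, msg []byte, lastSeq uint32) (MsgType, uint32, []byte, error) {
	if len(msg) < hdrSize+nonceSize+tagSize {
		return 0, 0, nil, errors.New("message too short")
	}
	hdr, nonce, ct := msg[:hdrSize], msg[hdrSize:hdrSize+nonceSize], msg[hdrSize+nonceSize:]
	seq := binary.BigEndian.Uint32(hdr[1:])
	if seq <= lastSeq {
		return 0, 0, nil, fmt.Errorf("sequence %d not after %d: replayed or out-of-order message", seq, lastSeq)
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return 0, 0, nil, err
	}
	body, err := gcm.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, 0, nil, errors.New("authentication failed: modified message or wrong key")
	}
	return MsgType(hdr[0]), seq, body, nil
}

func main() {
	key := make([]byte, 32) // per-device key provisioned when the wallet is installed (assumption)
	io.ReadFull(rand.Reader, key)
	// Constructed purchase body: for a repeat customer the server already holds
	// the card, so the phone sends only the fare choice and the CVV.
	sms, _ := Seal(key, MsgPurchase, 1, []byte("fare=MYB-BMO-OFFPEAK;cvv=123"))
	fmt.Printf("%d-byte SMS (budget %d), %d-byte body budget\n", len(sms), smsBudget, MaxBody())
	typ, seq, body, err := Open(key, sms, 0)
	fmt.Println(typ, seq, string(body), err)
	_, _, _, err = Open(key, sms, seq) // the same SMS delivered again
	fmt.Println("replay:", err)
}
```

Encryption answers the ‘read on the network’ problem from the SMS slide but not the stolen-phone one: the key lives on the handset, so the wallet still needs a local PIN or the two-factor step listed on the Masabi slide before it will send a purchase, and the server should bind each device key to one account and rate-limit CVV attempts.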

Page 30

Technology Notes

Page 31

Java (someone has to like it)

You don’t have to be the ‘best’
Sometimes being the only option is good enough

NOT suitable for everything
Remember, pick your services

Good for: recurring purchases, flaky connections
▪ Retries, SMS fallback, fat intelligent client

Page 32

Near Field Communication

A lot like “Oyster on your phone”
(Almost) no handset support
Common by 2013? NFC already embedded on cards
Habit: you pay with a card, why use a phone?
Who will pay for the infrastructure?

Page 33

NFC – Not Today

[Chart: Nokia handsets vs Nokia NFC handsets]

Page 34

Some Notes On Oyster

Great in London
Almost everyone has to use public transport
Locals ‘bribed’ to adopt with lower fares
Large government subsidies

Not economically viable to roll out elsewhere
Even London overground train lines required £40m subsidy to support it

Page 35

[email protected]
+44 7967 551670
@tomgodber