PayWear Wearable Identification in the Context of Payment Transactions
INF5261 Final Report, November 2014
Christopher Neumann Ruud, Robin Alexei Pettersen, Ying Li, Ingvild Eide and Alisa Odincova
INF5261 Final Report C. Ruud, R. Pettersen, Y. Li, I. Eide, A. Odincova
1 Abstract
2 Introduction
2.1 Initial Idea
2.2 Main Research Question
2.3 Limitations
2.3.1 Scope
2.3.2 Deliverables
3 Literature Review
3.1 Mobile Payment
3.2 Authentication Mechanisms
3.3 Wearable Technology and Ubiquitous Computing (Ubicomp)
3.4 Limitations and Challenges with Ubicomp
3.5 Privacy/Legal Concerns
3.5.1 Current Norwegian legislation on electronic transactions
3.6 A matter of privacy
3.7 Minimal Attention User Interface (MAUI)
4 Technology Review
4.1 Android Wear
4.2 Apple Pay
4.3 Google Wallet
4.4 mCash
4.5 Microsoft Zero-Effort Payments (ZEP)
4.6 Zwipe
5 Data Collection Methods
5.1 Ethnographic Studies
5.1.1 Ethnographic Observation at KIWI
5.1.2 Results
5.2 Investigating Scenarios with SPES
5.2.1 SPES Experiment
5.3 Interviews
5.3.1 Interview with Skandiabanken
5.3.2 Interview with People on the Street
6 Findings and Prototyping
6.1 Scenarios
6.2 Storyboarding
6.2.1 Customer pays with single coins, queue builds up as a consequence
6.2.2 Customer payment methods are rejected
6.2.3 Customer tries to remember balance/decide which card to use
6.2.4 Customer’s wallet is somewhere else
6.2.5 Customer is busy packing their bags when payment is prompted
6.2.6 Customer stands in line carrying a baby
7 Discussion
7.1 Our Proposed Solution
7.2 Deciding the Threshold between Usability and Security
7.3 Graceful Fallbacks
7.4 Context awareness and accessibility
7.5 Make it seamless
7.6 Ethical issues of facilitating spending
7.7 One question leads to another
7.8 Limitations and issues
8 Further Work
8.1 Payment Limits
8.2 Payment everywhere?
9 References
1 Abstract
In this report we look into the payment process. We want to find out whether it can be carried out in a different way while still being safe. Where do the boundaries between safety and seamlessness lie? To find out, we looked into technology that already exists, interviewed users and Skandiabanken, and observed people in the payment situation. We also made scenarios and storyboards to illustrate the situations. We found that there are ways of being secure and user-friendly at the same time. With two-factor identification we can make sure that the system is safe. We have looked at different ways of identification; today you have your bank card and a PIN code. We have looked at wearable technology, like the smartwatch, and how it can be used together with fingerprint and facial recognition.
2 Introduction
2.1 Initial Idea
The group wanted to explore how wearable technology could facilitate the identification aspect of the payment process: The balance between security and usability must be adjusted according to the users and context of application.
2.2 Main Research Question
How can wearable technology make personal identification seamless when conducting a payment transaction?
2.3 Limitations
2.3.1 Scope
The target user group for this project is young adults between the ages of 20 and 30. The reasoning behind this is that the chosen age group consists of those who have more or less grown up with mobile technology present and who use mobile devices on a daily basis. We also have easy access to people of this age, which is relevant because we have a short amount of time.
2.3.2 Deliverables
The technology that would be involved in developing a high-fidelity prototype is difficult to acquire. Additionally, the development time and cost would be too high. Therefore, the group aims to deliver a low-fidelity prototype through storyboarding, depicting an ideal scenario.
3 Literature Review
3.1 Mobile Payment
Mobile payment is full of potential, given the growth of the mobile device user population and the innovation in different payment solutions. Mobile devices are effective in authorising and managing payment and banking transactions. This offers security and convenience advantages compared to other devices such as the PC (Herzberg, 2003). It has been predicted that by 2017, mobile payments will grow to over 1.3 trillion US dollars worldwide, which is a growth of over 400% since 2012. It is also noticeable that, in recent years, trackable transactions are replacing anonymous transactions such as anonymous cash, gift card and barter transactions. This opens more opportunities for mobile payments because, as a ubiquitous artefact, the mobile device has the ability to tie a transaction to a payer and a recipient (Sherman, 2014), which provides both security and convenience.
The reasons behind the recent rapid growth of mobile banking and mobile commerce are the reduced costs for banks to provide mobile transactions, and the increased revenues caused by mobile banking attracting more users to the financial system through its simple access (Sherman, 2014).
While the growth of mobile payment is impressive on a worldwide scale, there are also growing worries regarding reliable mobile payment in the areas of authentication, commercial infrastructure, regulations, etc. The core issue among these is authentication, which we discuss next.
3.2 Authentication Mechanisms
Mobile devices usually contain a lot of private information about their users. Exposing this information could cause the users serious trouble. In our project, extra caution is needed because the smartwatch is used as a means of payment. This means the smartwatch will also contain the user’s credit card information in addition to all the other private identification information. Therefore, the risk of exposing users’ sensitive information is extra high and the responsibility of protecting the users’ privacy is significantly bigger.
Authentication is the process of determining whether a person or a device should be given access to the system, the application or the data of the device. Authentication schemes aim at lowering the risk of the device being misused by unauthenticated or unauthorized users. This is a very important consideration when designing the smartwatch in our project.
In order to find a good solution for our product, we reviewed the most popular authentication schemes that are currently adopted on mobile devices. The usual authentication schemes can be broadly divided into three categories:
- Knowledge, i.e., what we know, e.g., the traditional username/password, PIN-based authentication, graphical passwords,
- Ownership, i.e., what we have, e.g., smartcards, electronic tokens, RFID (Radio-frequency Identification) tags, magnetic stripe cards, NFC (Near Field Communication) tags,
- Inherence, i.e., what we are, e.g., biometric-based authentication, such as fingerprints, faces, the iris, voices, handwriting, gait, gestures, pulse (possibly, in our case of the smartwatch), etc.
Authentication schemes work against a variety of attacks. Several attacks concern our smartwatch project:
- Capturing. The attacks of this type that relate to our case are: shoulder surfing, meaning the user is being watched when entering sensitive information; spyware, meaning the user’s information is secretly collected by other devices; and eavesdropping, which relates to the misuse of NFC tags.
- Cracking, which means using various ways to crack the authentication system of the device.
- Physical attacks. Theft is one major concern. Since the smartwatch contains important data, it may be a natural target for thieves.
Different authentication schemes perform differently against each type of attack. There is hardly a single scheme that works perfectly against all types of attacks. Therefore, we should analyse the most common attacks in our case and choose the authentication scheme accordingly.
Another concern is usability. Naturally, the more complicated the authentication schemes are and the more layers of schemes the device uses, the more secure the device is. However, this is not practical, because usability would be very low: the users would have to go through several layers of complicated authentication schemes every time they use the device. Therefore, we should also consider the balance between usability and the design of authentication schemes (Schlöglhofer & Sameting, 2012).
3.3 Wearable Technology and Ubiquitous Computing (Ubicomp)
Even though the word portable comes from the French language and means “to wear”, there is a distinction between wearable and portable computers (Mann, 2013). The goal of wearable computing is to intertwine human and computer in such a way that humanistic intelligence is achieved (ibid). It can be defined as “intelligence that arises by having the human being in the feedback loop of the computational process” (ibid). Thus wearable computing extends beyond “smart clothing”, while allowing for the possibility of some technology being implanted inside the human body (ibid). Features of such wearable technology would be constancy of human-computer interaction and the ability for the human to multitask (ibid). The main goal, however, is to let users move freely in environments while wearable computers have an awareness of the users’ personal context (Cheng & Robinson, 2011). That means that users interact with virtual information that wearable computers associate with real-world objects around the users (ibid).
In wearable computing, one’s context relationships are continually present, so the user’s attention must be divided (Agre, 2001). This could also mean that the mapping between activities and places would dissolve, making everything accessible from every place all the time (ibid). The loosened mapping between activity and place brings challenges such as more complicated context awareness and the emergence of loosely coupled activities that are hard to map (ibid). The main tradition for solving this problem in system design is to “restructure activity itself in a way that computer can capture relevant aspects of it” (ibid). Even though this helps integrate computer systems into social systems, it might degrade human performance, or the system might end up being used in a superficial way (ibid). These can be considered the biggest challenges for context-aware computer systems (ibid). As a solution, model systems
have to be confined to a few aspects of context, impose a grammar on the activity, or register instead those aspects that can serve as a proxy for variables or objects of interest (ibid). This means that systems might fail or become fallible once the choices of context-aware systems become significant (ibid).
Coined by Mark Weiser in his article The computer for the 21st century (1991), "Ubiquitous Computing" (ubicomp) envisions computers invisibly embedded in the environment and communicating with each other (ibid). Weiser's vision took the regular computer that you brought with you or that was situated in one place only, and created a space in which everything was a computer, interconnected with other computers to create a seamless working and leisure environment. The proposed method was that the environment reacted to your presence (via some sort of identifying device) and adjusted its content accordingly.
Where ubicomp lets the environment react to you, wearable computing can be defined as the opposite: a device that you bring reacting to the surroundings (Rhodes, Minar & Weaver, 1999). The idea of a smart room that contains multiple sensors is closely related to the concept of ubicomp. The main problems of pure ubicomp lie in privacy and personalisation, which can be considered serious privacy risks (ibid). Such systems have the potential to leak the actions, location and preferences of users, and it is difficult to maintain personalisation of a single user profile (ibid).
On the other hand, wearable technology offers an excellent solution to the problems mentioned above. Wearables would travel with the user and thus require no environmental infrastructure or transfer of personal profiles to new environments (ibid). Wearable computers don’t leave a person and can therefore be a more private location for sensitive data, as well as evolve the user profile over time (ibid). Even though wearable technology is well suited for privacy and personalisation, it can be lacking in localized control or information. It is problematic for a wearable system to sense information beyond the user’s local area or to get updated on changes in such an area (ibid). Likewise, a wearable system is not suited to low-level control over other devices in the environment or to managing resources among several people (ibid). However, a peer-to-peer network of wearable and ubiquitous components with proper information flow, as suggested by Rhodes, Minar and Weaver, can mutually benefit and solve the problems of both paradigms simultaneously (ibid).
3.4 Limitations and Challenges with Ubicomp
Despite the splendid picture ubicomp will probably bring us, some concerns are also raised. Technology is meant to bring people and society something good. People’s ability to adapt to new technologies is surprisingly good. This is shown by the recent rapid adoption of smartphones and tablets as well as the embedding of their use in our daily lives (Ling, 2014). We have enough reasons to believe that ubicomp, as a technology to make life even easier, is a future trend. However, this is just half the story. The other important half is how to make sense of this technology in our society. In other words: how does the technology fit into the existing social structure (Ling, 2012)?
People perceive technology in different ways. Some are deeply attached to technology while some care much less. Whether or not to use a certain technology is normally people’s individual choice. However, in the case of ubicomp, things may look a bit different (Ling, 2014).
Ubicomp diffuses the technology into different devices and enables a seamless social life. It is therefore also considered a mediator of social interaction. Ubicomp makes it much easier to conduct social interaction. In other words, it becomes much easier to involve people in social interaction, whether they want it or not. Only several years ago, in the pre-mobile world, people could be legitimately unreachable. There was no social requirement that people should be available to one another all the time. However, as the mobile phone becomes more or less a part of social life, there is a collective demand/expectation from our family, friends and work that we should be available via the mobile phone (Ling, 2014). With ubicomp, this expectation is taken to a further level. As a social mediation technology, ubicomp is able to connect people’s social lives together, such as mobile phone, calendar, clock, etc. When this technology embeds in society and gains a critical
mass of users, either in society as a whole or in some groups, the people in it will be governed by the group-based expectations of being a part of it (Ling, 2012). Either you are in, or you are totally out.
“As a technology becomes more ubiquitous and taken for granted it moves from being an oddity to becoming expected.” (Ling, 2014, p. 177).
For example, as a competent co-worker we need to use the electronic calendar system in order to keep our schedule updated with others; as a good parent we need to keep the mobile phone charged and have the sound turned on all the time. Instead of acting only as an artefact that facilitates our daily lives, ubicomp, rather than being calming, can be a way in which power is exercised (Ling, 2014). The ubiquitous expectation can turn out to be a big burden that comes along with the convenience ubicomp provides us. We need to be aware of this at all times when designing the system.
3.5 Privacy/Legal Concerns
3.5.1 Current Norwegian legislation on electronic transactions
As of 2014, the legislation concerning electronic payments and identification is stated in Esignaturloven (2001) and Betalingssystemloven (1999).
To grasp what can be done to the payment and e-ID systems, we also need to define what the current legislation requires and whether anything is impossible in the current landscape.
Betalingssystemloven does not give any clear guidelines on how to define electronic transactions, only that they have to be "secure and effective" (§3-3 ref §3-1) and registered with the financial authorities (§3-2).
Esignaturloven, on the other hand, gives far more specific requirements for the handling of electronic identification, both simple and qualified signatures (§4). This legislation should not pose any hindrance to the development of a ubicomp system, since this kind of system would rely mostly on the same conventions already in place on the internet and in regular payment systems.
3.6 A matter of privacy
Besides the purely legal requirements, electronic identification and, by extension, electronic payment raise a few privacy issues, some of which are already taken into account in the legislation mentioned above, but some are governed elsewhere. Personopplysningsloven (2000) handles much of the current legislation concerning electronic handling of personal information, but since this law is built upon "basic perspectives of privacy" (§1, 2nd sentence) and the EU Data Protection Directive (1995), it has to be supplemented by those. Schartum & Bygrave (2011) list a number of considerations that would thus form the "basic perspectives" that the law relies on, and in the case of mobile payments, the following are relevant:
- The interest of deciding the access to information concerning own person (Ibid, p. 46)
- The interest of right of access and knowledge. (Ibid, p. 55)
- The interest of quality of information and procedure. (Ibid, p. 60)
- The interest in user-friendly proceedings. (Ibid, p. 74)
3.7 Minimal Attention User Interface (MAUI)
Pascoe (2000) researched the use of mobile technology in fieldwork environments, and identified four characteristics of these types of users of this technology: dynamic user configuration, limited attention capacity, high-speed interaction, and context dependency. Based on these characteristics, he proposed two principles, derived from observation and prototype evaluation, that could be applied to interface design when developing for such users: MAUI (Minimal Attention User Interfaces), which is based on minimising the attention required to operate an interface, and context awareness, which allows the technology to make certain user input unnecessary by providing trivial information like location and time through sensory technology.
Three of the characteristics of Pascoe's (ibid.) observed field workers are also true for the PayWear user group: firstly, the seamlessness that is part of PayWear's goal indicates that it must cater for users with limited attention capacity. Secondly, along the same lines, in order to make a payment transaction seamless, the technology must be able to handle high-speed interaction, e.g. for users that are in a hurry. Lastly, context dependency should be applied so that the technology can handle rules defined by the users; e.g. when in this store, pay with that account, and limit payment to a certain amount. In addition to these characteristics identified by Pascoe, it is also unlikely that a user will be stationary whilst shopping (unless shopping online); therefore the use of PayWear will be truly mobile, not just portable (ibid.), and cater for wandering users.
PayWear explores how the payment process can be made more seamless. Therefore, both the MAUI and the context dependency principles should be applied to reduce or even remove the attention required by the interface, and to provide information to the device through context awareness so that the user can focus elsewhere. MAUI suggests that minimal attention is exerted whilst operating the technology through modes of interaction that are effective for certain situations (and are often tailored accordingly). However, PayWear would ideally require no attention from the user during regular use, because the context awareness of the technology (such as time and location) would ideally provide enough information to complete a payment without interaction from the user.
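The user-defined context rules described above (a store mapped to an account and a payment limit), combined with the three authentication categories from section 3.2, can be written as a small policy check. This is an added example, not part of the original report: the rule format, the account name, the limit, treating the smartwatch as an ownership factor, and requiring two distinct categories per payment are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set


class Category(Enum):
    """The three authentication categories listed in section 3.2."""
    KNOWLEDGE = "what we know"
    OWNERSHIP = "what we have"
    INHERENCE = "what we are"


# Authenticators named in the report, mapped to their category.
# Treating the paired smartwatch as an ownership factor is an assumption.
AUTHENTICATOR_CATEGORY: Dict[str, Category] = {
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "smartcard": Category.OWNERSHIP,
    "nfc_tag": Category.OWNERSHIP,
    "smartwatch": Category.OWNERSHIP,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


@dataclass(frozen=True)
class ContextRule:
    """'When in this store, pay with that account, up to a certain amount.'"""
    account: str
    limit_nok: int


@dataclass(frozen=True)
class Decision:
    approved: bool
    account: Optional[str]
    reason: str


# Constructed sample rule: the store name comes from the report's
# observations, the account name and limit are hypothetical.
SAMPLE_RULES: Dict[str, ContextRule] = {
    "KIWI": ContextRule(account="groceries-account", limit_nok=500),
}


def categories_of(verified: Iterable[str]) -> Set[Category]:
    """Return the distinct categories covered by the verified authenticators."""
    categories = set()
    for name in verified:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator: {name!r}")
        categories.add(AUTHENTICATOR_CATEGORY[name])
    return categories


def decide(store: str, amount_nok: int, verified: Iterable[str],
           rules: Dict[str, ContextRule] = SAMPLE_RULES) -> Decision:
    """Approve a payment only inside a user rule and with two factor categories."""
    # Validate the authenticators first so a typo is never silently ignored.
    categories = categories_of(verified)
    if amount_nok <= 0:
        return Decision(False, None, "invalid amount")
    rule = rules.get(store)
    if rule is None:
        # No context rule: the seamless path does not apply in this store.
        return Decision(False, None, "no rule for this store, fall back to card and PIN")
    if amount_nok > rule.limit_nok:
        return Decision(False, None, "amount exceeds the user-defined limit")
    # Two authenticators of the same category (e.g. fingerprint + face)
    # are still a single factor, so count categories, not authenticators.
    if len(categories) < 2:
        return Decision(False, None, "fewer than two distinct categories verified")
    return Decision(True, rule.account, "two categories verified, within limit")


if __name__ == "__main__":
    for factors in (["smartwatch", "fingerprint"], ["fingerprint", "face"]):
        print(factors, decide("KIWI", 129, factors))
```

Counting categories rather than authenticators is the point of the check: fingerprint plus face covers only inherence, while smartwatch plus fingerprint covers ownership and inherence.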
4 Technology Review
There are numerous digital wallet technologies available. We have chosen to review the technologies we felt related most to PayWear due to their wearable and mobile applications:
4.1 Android Wear
Android Wear uses Android’s platform to connect the smartwatch with other devices and receive notifications from existing Android applications. A new concept, “glanceability”, is created, meaning that users can get updated notifications “at a glance” by using Android Wear. Instead of the user tapping icons to launch apps as on other devices, a typical Wear app adds a card to the stream at a contextually relevant moment, which enables both bridged notifications (between wearable and handheld) and contextual notifications (Android.com, 2014).
4.2 Apple Pay
Apple Pay uses Apple’s platform to provide a means of payment through their mobile and wearable devices, utilising NFC. The service provides an interface for the user’s credit and debit cards, and is intended to be easier and more secure in terms of digitising and hiding away card numbers and PIN codes (Apple.com, 2014). However, it may still be a question whether Apple Pay will be widely adopted in the market. Judging by the recent blocking of Apple Pay by several retail heavyweights in the US, the mobile payment market is definitely full of potential, opportunities and challenges (Williams, 2014).
4.3 Google Wallet
Google Wallet uses Google’s mobile platform to provide payment options for users. As with Apple Pay, credit and debit cards are digitised and hidden from view, providing privacy protection. Gift cards and loyalty programmes can also be stored in the application so that users do not need to carry a number of physical cards everywhere. Google Wallet also enables money transfers directly from the bank account or Wallet Balance to a target email address (Google.com, 2014).
4.4 mCash
mCash provides a common platform for banks, merchants, and users to manage and conduct transactions. They provide their service on the mobile platform, and allow users to pay, and merchants to charge, through their own
devices. Unlike Apple Pay and Google Wallet, mCash uses QR codes to provide even greater compatibility between devices (Mca.sh, 2014).
4.5 Microsoft Zero-Effort Payments (ZEP)
Microsoft ZEP is a research project aimed at rethinking mobile payments: payment without interacting with [users'] smartphones or opening their wallets (Microsoft, 2013). A prototype was set in place for a conference, where users could pay for coffees by using only facial recognition, albeit aided by staff confirming the face recognition. The users received their receipt by email when the purchase was completed.
4.6 Zwipe
The Zwipe MasterCard is a fingerprint-authenticated contactless payment card. It requires no PIN code during transactions. The card includes an integrated biometric sensor and the Zwipe secure biometric authentication technology, which stores the cardholder's fingerprint data. It also contains an EMV-certified secure element and MasterCard’s contactless application. During the transaction, the user activates the card with a simple fingerprint scan and can make payments of any amount. The Zwipe MasterCard aims at providing more convenient and secure payment transactions, featuring a fingerprint scan of less than 1 second and no PIN requirement (Zwipe, 2014).
5 Data Collection Methods
5.1 Ethnographic Studies
According to Lazar et al (2010), ethnography is defined as the researcher being completely immersed and participative in regards to the subjects being examined (usually over a long period of time). We deployed a short-term ethnography as complete observers in order to examine how payments were completed in the real world, and to understand the requirements of the PayWear project: the gathered data was intended to be used as input for creating scenarios at a later stage. We chose a fully observational approach as we regarded the payment as a stressful part of shopping and we believe that people generally would not react kindly to disturbances in this situation.
5.1.1 Ethnographic Observation at KIWI
We completed two instances of observational ethnography. Before the observation, we created a template which recorded the following information: duration of payment (measured from last item scanned to card removed/change received), sex, method of payment, and other noteworthy events such as PIN code error, one-handed operation, card rejections, etc. The observation was intended to last for 30-60 minutes.
5.1.1.1 Observation 1
Observation completed at KIWI Kringsjå from 16:30 - 17:00 on Wednesday 29th of October 2014.
Average payment time: 16,55 seconds.
Payment methods: 16 paid with card, 4 paid with cash.
Customer sex: 12 male customers, 8 female customers.
5.1.1.1.1 Notable comments
Most people who pay with card will put the card into ATM before scanning the product is finished.
Put coins into the coin machine one by one (this is a technical limitation of the coin machines)
Takes extra time to scan the gift card (or member card, etc.) first before paying on the ATM.
First time failure, put in the card a second time.
First time failure, put in the card a second time, it takes long time for ATM to read the card the second time, but succeed.
The customer checks first if he has enough coins, then decides to pay with a paper cash.
The customer takes long time to take out the wallet from her bag, then take out the card from the wallet, but was doing this while the products being scanned, due to the large amount of the products, the customer was ready with the card to pay before the scanning is finished.
Pay with coin and paper cash, it takes long time for the paper cash machine to accept the paper cash.
Typed something wrong the first time, tried a second time.
Put the card into ATM before the scanning of the product is finished, something's wrong, took out the card and tried a second time.
5.1.1.2 Observation 2
Observation completed at KIWI Slependen from 15:00 - 15:40 on Tuesday 28th of October 2014.
Average payment time: 19,6 seconds.
Payment methods: 26 paid with card, 6 paid with cash.
Customer sex: 15 male customers, 17 female customers.
5.1.1.2.1 Notable comments
Paid partly with pantelapp.
Card not read first time.
Busy packing.
Card inserted before shopping complete.
Child could not reach coin machine.
Carrying baby, managed to find card with one hand.
Could not find card, paid with cash.
Card inserted before shopping complete.
Card rejected, had to pay with another card.
5.1.2 Results
The intended purpose of conducting an observational ethnographic study was to gather data as input for creating
scenarios that could be used as a starting point for how to design PayWear.
5.2 Investigating Scenarios with SPES
When conducting SPES, users are followed during their normal activities and are provided with very simple
mock-ups. The mock-ups help users envision and enact use scenarios as fruitful situations or incidents arise; reminiscent
of a future ethnography (Iacucci et al., 2000).
5.2.1 SPES Experiment
The idea of using SPES is to envision how the technology could be: by using, for instance, an imagined device, both
the designer and the user can gain insight into how the technology can be implemented, and how and where it will be
used.
5.2.1.1 Summary
Due to time constraints and project scheduling, the SPES enactment has not been conducted in a satisfactory
manner, although the technique itself has inspired the way the proposed solution (fig. 7.1) is drawn.
5.2.1.2 Application in PayWear
By conducting SPES, participants should provide insight into how the technology could be imagined in a real-life
use scenario and thus implemented. The aim of this is to extract utopian requirements of imagined technology
from the experiment, which can then be used to design and create the low-fidelity prototype. The SPES will also
provide a means of acting out the storyboards, and perhaps give opportunities for adjusting the storyboards.
5.3 Interviews
The interview is a qualitative method with the ability to “go deep”. An interview can be structured differently
depending on what you want to get out of the interviewee. We used semi-structured interviews, where the
structure is loose and there is room to ask for clarification, add questions and follow interviewee comments wherever
they may take you (Lazar et al., 2010, p.190). We chose this structure to get the information we needed. We did
not necessarily know before the interview what the interviewee had that was interesting for us, so we felt it was
necessary to add questions along the way.
5.3.1 Interview with Skandiabanken
We conducted a structured interview with Skandiabanken in order to get some bearings on what choices were
made in regards to security while developing their mobile banking app. The reason for doing this was to get some
real-world input on what the threshold between usability and security should be when identifying users.
5.3.1.1 Summary
Skandiabanken wanted to offer their users a solution that was at least as user friendly as their other banking
solutions, and decided to use a static personal identification number (PIN) that the user has to enter to log in. This
PIN is used together with the footprint of the phone to provide a two-factor authentication mechanism. Ideally,
this would hinder thieves accessing the user’s banking information unless they stole the user’s mobile device and
knew the PIN, in which case the user could block their device using one of the bank’s other banking solutions.
There were two different authentication mechanisms; one for logging in, and one for signing contracts.
5.3.1.2 Application in PayWear
The decisions taken by Skandiabanken suggest that a static PIN can be used to identify the user, as long as there is
another factor involved in the authentication process. Ideally, this would involve an element of randomness to
ensure that if parts of the PIN were snagged by people with malicious intent, they would be rendered useless by the
randomness.
5.3.2 Interview with People on the Street
We interviewed 65 people in a shopping mall, 15 on a Friday afternoon and 50 on a Monday afternoon in September.
We started out on Friday with open-ended questions, and found that it was hard to get the same data from the
interviewees.
5.3.2.1 Summary
Of the 50 we spoke to on Monday, 15 did not have any trouble with the payment transaction today. 29 forget the
PIN now and then, 22 forget the card now and then, 18 had trouble remembering which card they had money
on/how much money, 5 lost a card during the last year, and 24 had cards not working for different reasons during the
last year.
Of the 65 we asked in total, only 15 expressed that they would be open to paying with e.g. a smartwatch. Other
responses were varied, suggesting that the new ways of paying (e.g. Apple Pay) need to mature before they are
adopted by the general public, and will most likely start with a certain group of users, as suggested by Ling (2014).
5.3.2.2 Application in PayWear
The general consensus taken from the interviews suggests that users forget their PIN occasionally, and that there
will be a certain level of resistance to using new payment technologies. There are also minor annoyances when
using physical objects to complete a payment (e.g. forgetting/losing a card, and card not working).
6 Findings and Prototyping
6.1 Scenarios
According to Carroll (2000), a scenario is an informal narrative description. Scenarios are used to facilitate specification
of use cases using the familiarity of storytelling, and are often the first step of establishing requirements with
stakeholders as they can participate in the process (Rogers et al., 2011). After completing the ethnographic
observation, we examined the notable comments recorded during the observation, and had an open discussion on
other possible scenarios in order to identify the pain-points or bottlenecks of traditional payment methods. We
decided on the following:
Customer pays with single coins, queue builds up as a consequence.
Customer payment methods are rejected.
Customer stands in line, carrying a baby.
Customer tries to remember balance/decide which card to use.
Customer’s wallet is somewhere else.
Customer is busy packing their bags when payment is prompted.
6.2 Storyboarding
According to Rogers et al (2011), low-fidelity prototyping through storyboards used in conjunction with scenarios,
allow stakeholders to explore and interact (through role-play) with the idea. Storyboards often consist of a series
of sketches, playing out steps of a scenario. Low-fidelity prototyping through scenario storyboarding was the
chosen prototype deliverable for the PayWear project, and also as a way to visualise the collected data for use in
further prototyping. We decided early on this level of abstraction in our prototypes because we were uncertain of
the feasibility for using existing technology for higher fidelity prototyping.
6.2.1 Customer pays with single coins, queue builds up as a consequence
6.2.1.1 Frames
Fig. 6.1: Payment scenario with lots of single coins
6.2.1.2 Description
Customer is asked for payment, and gets out a big bag of single coins and starts paying with these. After some time,
the queue builds up and gets really long, while other customers get annoyed.
6.2.2 Customer payment methods are rejected
6.2.2.1 Frames
Fig 6.2: Payment methods rejected
6.2.2.2 Description
Customer is asked for payment, and attempts to pay with coins, or a debit card. Two things could happen:
Coins are rejected based on recognition algorithm.
They enter their PIN code, but the payment is rejected due to the PIN code being entered incorrectly, most likely because the customer could not remember the right one, or assumed they were using a different card.
6.2.3 Customer tries to remember balance/decide which card to use
6.2.3.1 Frames
Fig 6.3: Customer is not sure what card he has brought
6.2.3.2 Description
Customer is asked for payment, and gets their wallet out. The customer struggles with deciding between multiple
cards as they are trying to decide which one to use for this particular shopping list.
6.2.4 Customer’s wallet is somewhere else
6.2.4.1 Frames
Fig 6.4: Customer has forgotten her wallet
6.2.4.2 Description
Customer is prompted to pay for a selection of items, only to realise their wallet containing all forms of payment
has been forgotten at home.
6.2.5 Customer is busy packing their bags when payment is prompted
6.2.5.1 Frames
Fig 6.5: Customer has initiated packing and is busy packing when prompted for payment
6.2.5.2 Description
Customer is asked for payment, but is busy packing their bags and cannot hear the cashier asking for payment due
to all the noise in the environment. Delays occur, and queue gets long.
6.2.6 Customer stands in line carrying a baby
6.2.6.1 Frames
Fig 6.6: Customer has impatient child, causing frustration
6.2.6.2 Description
A woman stands in line with her baby on her arm. After a while the baby gets restless and does not want to sit on her
arm anymore. This causes great distraction to the customer, and she is frazzled whilst trying to complete a
payment.
7 Discussion
7.1 Our Proposed Solution
During the PayWear project, we discovered that there are technologies that offer ways of simplifying the payment
process (e.g. Apple Pay, Microsoft ZEP, Google Wallet, etc.). As we wanted to free the project of technology
constraints, we decided to use selected features of the reviewed technologies, and imagine a utopian combination
that would offer the best balance between usability and security. Even though we decided to imagine the PayWear
solution on unspecified wearable technology, we framed the project using a smartwatch, as this seemed to be the
most suitable technology for the payment process.
Fig 7.1: Proposed way of fitting the PayWear - system into an existing ecosystem
7.2 Deciding the Threshold between Usability and Security
In order to offer identification that is both easy to use and secure, users identify using PayWear through a
two-factor authentication scheme which is based on checking both physical and digital presence: the digital presence is
provided by the wearable device itself (e.g. the smartwatch that the user is wearing), and the physical presence is
provided through unobtrusive facial recognition (i.e. a user’s face is recognised without much effort required by
the user to “pose”). Together, these provide two different steps/factors that the user must fulfil in order to identify
themselves.
7.3 Graceful Fallbacks
We have thought about utilising different methods for identification of a user, and the issue about what to do
when the system does not work as intended arose pretty early.
For instance, if the system uses facial recognition as positive identification for a transaction, a scenario where you
are in a bad mood or have a different hair cut could render the system unable to complete the transaction. A
fallback could be to old legacy systems such as a VISA card.
This would seem to defeat the purpose of having a new technology if you have to fall back to the old systems every
so often. But we argue that the current fallback systems, namely cash, rarely come into play because of system
failures. We imagine that the occurrences where the new systems fail will be so rare that even though legacy
systems will be needed, they will not be more intrusive than what already exists.
7.4 Context awareness and accessibility
The idea that the mobile payment application can react to the surroundings and the current use-context could
help alleviate challenges involved when thinking about accessibility when using normal payment systems. In a
normal use-case, the disadvantaged user could potentially have issues with identifying cards, the keypad layout for the PIN
(is "1" at the top or the bottom?), identifying and handling coins when confronted with an automatic machine, etc.
We believe that via ubiquitous computing environments that react to the presence of the user, the payment
context and the preset behaviour of the PayWear system, these barriers could be mostly removed in the same way
as proposed by Pascoe’s (2000) prototype for field workers on the move.
On the other hand, if the system relies too much on user-specific input at the Point-of-sale, regular accessibility
issues will have to be taken into account for a system like this.
7.5 Make it seamless
So how can we pay seamlessly without risking too much? We first thought of a smartwatch where we can use our
fingerprint instead of a PIN code. But that would not make it more seamless than today: you still need to use both
your hands and the watch to make a payment. From our interviews we know that people are sceptical of buying a watch
just to pay; they want it maybe even more seamless. So we thought of a gadget, maybe a chip, that can be in a
device of your choice and used for payment. It is like a banking card that is aware of the surroundings and knows when
you are going to pay. And instead of the tactile card, you can have it anywhere you like, and you never need to
look for it in your big bag. Instead of using our hands to pay we want to use our presence, facial image or our eyes,
in combination with the payment gadget. With this solution, you do not need to operate with your hands, which is
one of the things that restrict us in daily life. This solution is dependent on awareness between different
technologies.
Imagine you are wearing the PayWear, in your watch, your bag or as another item. You are standing in
line, and now it is your turn. You put your groceries on the cashier’s desk and move to the front to pack your
groceries. When the cashier is done, he tells you how much you need to pay. Then you look up at the camera,
blink, and the payment is done.
That sounds nice. But there are some things that can cause problems. For
instance, how do you select an account? If we connect the gadget to your phone or smartwatch, if you have one,
you can do your regular tasks like checking the balance, changing cards etc. But to avoid this under normal
circumstances we thought that maybe it would be nice to have a set of rules, such as which card to use in which shop,
which card to use at which time of day, and a maximum payment if you like. This depends on the technology
being aware of the situation, the shop, the time of day and so on. It needs to be aware of the variables you would
like to apply rules to. So you define your everyday life, and only need to interact with the phone/watch when you
do something different from your routine.
Other issues might be the ecosystem or the infrastructure. To use PayWear you need shops that offer the
solution. This could be a problem in the beginning, or if the solution does not work; in that case you need something to
fall back on.
In addition, most Point-of-sale (POS) transactions today are dominated by a few large actors (Visa and MC on
the transaction side, and store chains on the sales side) (Dinside.no, 2014), who would have an economic or logistical
interest in keeping control of the legacy systems. It is not clear whether the established powers in the payment
industry would readily allow other players onto their field without guarding their own investments and practices.
The best solution for avoiding these interrelated issues seems to be a system like the one in fig. 7.1 that adds
context-awareness to already existing systems, but leaves most of the transactions in the hands of the established
infrastructure.
7.6 Ethical issues of facilitating spending
Raghubir & Srivastava (2008) find that there is a distinct causation between what form your payment appears in
and how much you are willing to spend. They conclude that our "mental accounting" (Thaler, 1999) loses track of
our spending when not handling real cash. This leads to the question of whether enabling even easier access to financial
transactions will lead to even more spending and a rise in the frequency of impulse purchases. This is the same
mechanism (among others) that is being exploited in so-called "free-to-play" games (Shokrizade, 2013) when
forcing players to purchase virtual currencies and then spend that currency in the game, leading the player to lose
track of what they really spend.
In a ubicomp system like PayWear this coupling between your real money and your ability to spend it should
be made clear, possibly with a notification stating the current balance on your accounts, or "after this purchase,
your account balance will be ..." - if the user so chooses. Although this is a bit contradictory to the MAUI approach,
some kind of notification system should be made possible because otherwise you may end up over-spending. For
stores selling goods this could be a good thing (increasing sales) but for the customer spending the money this is
one step away from having real freedom.
7.7 One question leads to another
We have also seen that many of the things we address are based on the queue getting longer, and on things taking
time. We should look more into how PayWear can be used to make the shop more efficient, like packing while in
the shop and registering your groceries on the way, so that when you would normally put your groceries on the counter you
actually skip that part and just blink at the camera. This of course opens other discussions of security, trust, the
personnel in the shops getting new work tasks and so on. What we dream of is not just a seamless pay situation but a
seamless shopping situation, but that will be another project.
7.8 Limitations and issues
We had many thoughts on how to do this project. Not everything went as we planned. We have maybe taken on
too big a project for our expectations. Due to the time and scale limits of the project, we did not get all the data we
wanted. We went from a goal of solving the payment challenge to a more theoretical approach. We wanted to use
the SPES method but we did not have the time. The two ethnographic studies were both done in KIWI, which might
introduce bias or limitations based on the same store type. We also wanted to have a more finished picture of the
solution, but that will be for another project.
8 Further Work
8.1 Payment Limits
We can make use of the notion that is brought up by Android Wear: Glanceable. This is something unique
to wearable devices, which can differentiate our design from Apple Pay and so on.
An idea of combining suggestion 1 and 2 would be:
When the transaction is low amount or within a certain limit during a day, we adopt the idea of
eliminating ALL interactions between the user and the device, so that the user can finish the payment
simply by providing the device to the receiving end.
When the transaction is over the amount limit, a two-factor authentication will be needed. In this case,
wearable device provides a natural advantage because of its glanceable feature. Besides providing the
device (digital presence), the user must also provide one other type of authentication such as physical
means, e.g. facial recognition, fingerprint, etc. This requires SOME interaction between the user and the
device, but with the wearable device, the energy input is very low.
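The payment-limit rule above, combined with the legacy fallback from section 7.3, can be sketched as a small decision function. This is an added example, not part of the report: the class and field names, the thresholds (200 per payment, 500 per day) and the cap of two face attempts are assumptions, since the report leaves the actual values open.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from enum import Enum
from typing import Dict, Sequence


class Decision(Enum):
    APPROVE = "approve"
    STEP_UP = "step_up"    # second factor (e.g. face) is required or may be retried
    FALLBACK = "fallback"  # hand over to a legacy method such as card or cash


@dataclass(frozen=True)
class Limits:
    # Assumed values for illustration only.
    per_payment: Decimal = Decimal("200")
    per_day: Decimal = Decimal("500")
    max_face_attempts: int = 2


@dataclass
class PayWearPolicy:
    limits: Limits = field(default_factory=Limits)
    # Running total, per day, of payments approved WITHOUT a second factor.
    # This is what stops a stolen device from making many small payments.
    low_value_total: Dict[date, Decimal] = field(default_factory=dict)

    def authorize(self, amount: Decimal, day: date, device_present: bool,
                  face_attempts: Sequence[bool] = ()) -> Decision:
        if amount <= 0:
            raise ValueError("amount must be positive")

        # Factor 1, digital presence: without the wearable there is no
        # PayWear transaction at all, so the customer uses a legacy method.
        if not device_present:
            return Decision.FALLBACK

        spent = self.low_value_total.get(day, Decimal("0"))
        within_limits = (amount <= self.limits.per_payment
                         and spent + amount <= self.limits.per_day)
        if within_limits:
            # Zero-interaction path: count it against the daily allowance.
            self.low_value_total[day] = spent + amount
            return Decision.APPROVE

        # Over a limit: factor 2, physical presence, is mandatory.
        # Attempts beyond the cap are ignored so retries cannot be unbounded.
        tries = list(face_attempts)[: self.limits.max_face_attempts]
        if any(tries):
            return Decision.APPROVE
        if len(tries) >= self.limits.max_face_attempts:
            # Recognition keeps failing (bad lighting, new haircut, ...):
            # fail closed and fall back rather than approve on one factor.
            return Decision.FALLBACK
        return Decision.STEP_UP


def demo() -> list:
    """Constructed sequence: four 150-unit payments on the same day."""
    policy = PayWearPolicy()
    day = date(2014, 11, 20)  # constructed sample date
    return [policy.authorize(Decimal("150"), day, True) for _ in range(4)]
```

The fourth payment in `demo()` is below the per-payment limit but would push the day's zero-interaction total past the daily allowance, so it is the first one that asks for the second factor.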
8.2 Payment everywhere?
In addition to creating an easier bridge between your finances and the POS-transaction, the PayWear solution
could just as well interface with any other mobile device you could have with you, and act as a general
identification and payment solution for online services or virtual goods.
9 References
Aagre, P 2001, Changing place: Contexts of awareness in computing. Interactions.
Android.com, 2014. Android Wear [online] Available at: http://www.android.com/wear/ [Accessed 6. October,
2014]
Apple.com, 2014. Apple Pay [online] Available at: https://www.apple.com/apple-pay/ [Accessed 3. October, 2014]
Braz, C., Seffah, A., & M’Raihi, D. (2007). Designing a trade-off between usability and security: a metrics based-
model. In Human-Computer Interaction–INTERACT 2007 (pp. 114-126). Springer Berlin Heidelberg.
Carroll, J. M., 2000. Introduction to the Special Issue on Scenario-Based Systems Development, Interacting With
Computers 13(1), 41-42.
Dinside.no, 2014, Derfor kan du ikke betale med mobilen på matbutikken [online] Available at
http://www.dinside.no/931285/derfor-kan-du-ikke-betale-med-mobilen-paa-matbutikken [Accessed 18.
November, 2014]
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such data Official Journal L
281 , 23/11/1995 P. 0031 - 0050
Google.com, 2014. Google Wallet [online] Available at: https://www.google.com/wallet/ [Accessed 3. October,
2014]
Herzberg, A. , 2003. Payments and banking with mobile personal devices. Magazine Communications of the ACM -
Wireless networking security. New York, USA, volume 46 issue 5, pp 53-58.
Iacucci, G. et al., 2000. On the Move with a Magic Thing: Role Playing in the Design of Mobile Services and Devices.
In the Proceedings of DIS2000, Designing Interactive Systems, New York City, USA, pp. 193-202.
Lazar, Feng & Hochheiser, 2010. Research methods, in human-computer interaction. United Kingdom, Wiley.
Ling, R., 2012, Taken for Grantedness: The Embedding of Mobile Communication into Society. MIT Press,
Cambridge, MA.
Ling, R, (2014) From ubicomp to ubiex(pectations), Telematics and Informatics, Volume 31 Issue 2, Pages 173-183
Lov om behandling av personopplysninger (Personopplysningsloven) Lov av 2000-04-14 nr 31 Available at:
https://lovdata.no/dokument/NL/lov/2000-04-14-31 [Accessed 16. November 2014]
Lov om betalingssystemer mm. (Betalingssystemloven) Lov av 1999-12-17 nr 95. Available at:
http://lovdata.no/dokument/NL/lov/1999-12-17-95 [Accessed 15. October 2014]
Lov om elektronisk signatur (esignaturloven). Lov av 2001-06-15 nr 81. Available at:
http://lovdata.no/dokument/NL/lov/2001-06-15-81 [Accessed 15. October 2014]
Mann, S, 2013, Wearable Computing. In: Soegaard, Mads and Dam, Rikke Friis (eds.). "The Encyclopedia of Human-
Computer Interaction, 2nd Ed.". Aarhus, Denmark: The Interaction Design Foundation. Available online at
https://www.interaction-design.org/encyclopedia/wearable_computing.html
Mca.sh, 2014. Payments done right [online] Available at: https://mca.sh/en/ [Accessed 3. October, 2014]
Microsoft.com, 2013. Zero-Effort Payments (ZEP). Available at:
http://research.microsoft.com/apps/video/default.aspx?id=188623 [Accessed 3. October, 2014]
Pascoe, J., Ryan, N. & Morse, D.: Using While Moving: HCI Issues in Fieldwork Environments. Transactions on
Computer-Human Interaction, Vol. 7, No.3. ACM (2000) 417-437
Shokrizade, R. The Top F2P Monetization Tricks [online] Available from:
http://www.gamasutra.com/blogs/RaminShokrizade/20130626/194933/The_Top_F2P_Monetization_Tricks.php
[Accessed 2014-11-16]
Rogers et al., 2011. Interaction Design – Beyond Human-Computer Interaction, Third Edition West Sussex, United
Kingdom: Wiley
Herman, M., 2014, An introduction to mobile payments: market drivers, applications, and inhibitors. In the
Proceeding 2014 Proceedings of the 1st International Conference on Mobile Software Engineering and
Systems. New York, USA, pp 71-74.
Raghubir,P. , Srivastava, J., 2008, "Monopoly Money: The Effect of Payment Coupling and Form on Spending
Behavior" Journal of Experimental Psychology: Applied 2008, Vol. 14, No. 3, 213–225
Rhodes BJ., Minar N. & Weaver J., 1999: Wearable Computing Meets Ubiquitous Computing: reaping the best of
both worlds. Symposium on wearable computing.
Schartum, D. W., Bygrave L, A. , 2011, Personvern i informasjonssamfunnet 2 utgave. Oslo: Fagbokforlaget
Vigmostad og Bjørke
Schlöglhofer, R., Sametinger, J. 2012. Secure and usable authentication on mobile devices. In the Proceedings of
MoMM 2012, Proceedings of the 10th International Conference on Advances in Mobile Computing & Multimedia.
New York, USA, pp. 257-262.
Thaler, R. H. , 1999. Mental accounting matters. Journal of Behavioral Decision Making, 12, 183–206.
Zwipe.no, 2014. Zwipe [online] Available at: http://www.zwipe.no/ [Accessed 27. October, 2014]
Weiser M., 1991, The computer for the 21st century. ACM SIGMOBILE mobile computing and communications
review, vol 3(3). ACM Press, New York, pp 3–11
Williams,O. 2014 [online] Available at: http://thenextweb.com/apple/2014/10/25/us-retailers-disabling-nfc-
readers-block-apple-pay/ [Accessed 27. October, 2014]