A Risk Assessment Framework for Mobile Payments
A variety of mobile technologies and mobile services have emerged during the last two decades. The term M-Commerce was adopted by marketers in the late 1990s, and predictions were made of rapid growth in the volume of commerce conducted through mobile devices. Recklies (2001) reported a Boston Consulting Group prediction that "global M-Commerce sales" would rise rapidly to $20bn in 2001, $60bn in 2002 and $100bn in 2003. The guesses of other consultants were wildly different. For example, Vrechopoulos et al. (2002) said that "According to Jupiter Research (2001), the global m-commerce revenues will reach $22.2 billion in 2005". See also ePayNews.com (2002).
By 2004, Jupiter Research had become vastly more optimistic, offering "Global mCommerce Revenue Projections for 2009" of $426 billion, most of it in "phone-based retail POS sales" (ePayNews.com 2002). On the other hand, the slow growth had led other organisations to offer much more circumspect prognostications, e.g. "2006 will continue to see the development of experiential mobile applications and the emergence of m-commerce services, increasing in reach and importance over the next two years" (Atos 2005, p. 12). Juniper Research remains unabashed, and was quoted in early 2008 as forecasting that "over 612 million mobile phone users would generate over $US587 billion ... worth of financial transactions by 2011" (Moses 2008).
Despite one or two consultancy groups' wild enthusiasm, the growth of M-Commerce has a very patchy record. One major concern is that the risk of financial loss acts as an impediment to the adoption of mobile commerce. This may be because of widespread knowledge of actual losses, or reports of vulnerabilities, or just from uninformed concerns and natural risk-aversion. In order to understand the substance of the issue, and to avoid unnecessary delays in mobile service adoption, it is highly advisable that payment schemes intended for use in mobile contexts be subjected to risk assessment.
As with any form of trading, M-Commerce involves multiple steps, including partner discovery, information exchange, negotiation, contracting, delivery and settlement. The settlement step necessitates considerably greater care than the others, because the payments process creates considerable opportunities for funds to be stolen, with low likelihood of the thief being apprehended or the proceeds recovered, and with the possibility that the victim may not even be aware that the theft has occurred.
The term 'mobile payments' is used in this paper to refer to any payment that is conducted by means of a mobile access device and a wireless network connection. By 'mobile access device' is meant 'any device that provides users with the capacity to participate in transactions with adjacent and remote devices by wireless means'. Such devices comprise at least a processor, systems software, application software and wireless communications capability. They are commonly also capable of at least some forms of physical interaction with one or more storage devices, such as magnetic disks, CDs, DVDs and solid-state storage (e.g. 'thumb drives' or 'memory sticks' or, currently, 'USB sticks').
In 2008, relevant mobile access devices fall into the following categories:
- mobile telephones;
- handheld computing devices. These are numerous and diverse, and include personal digital assistants (PDAs) of various kinds, games machines, music players like the iPod, and 'converged' / multi-function devices such as the Apple iPhone;
- wearable computing devices, such as watches, finger-rings, key-rings, glasses, necklaces, bracelets, anklets and body-piercings;
- processing capabilities housed in other, generally much smaller packages (or 'form factors'), such as credit-cards and RFID tags. Subcutaneous or embedded chips are emergent, and may need to be treated as 'wearable' or as a separate category.
In general, transactions from desktops and portable PCs are excluded from this analysis, even if conducted over a wireless network connection. It may, however, be appropriate to include within the scope the nomadic use of portables, e.g. transactions conducted on the move, in aircraft, trains and cars.
Relevant transmission means include:
- cellular networks that were originally designed for mobile phones and that have had data transmission capabilities added, such as GSM/GPRS, CDMA and W-CDMA;
- wide-area and local area networks that were designed for data transmission, including both standards-based approaches such as 'WiFi'/IEEE 802.11 and 'WiMAX'/IEEE 802.16 and proprietary protocols such as iBurst; and
- other forms of short-range wireless communication, such as infra-red links, and the radio techniques used by contactless cards, radio frequency identification (RFID) tags and near field communications (NFC).
Mobile payments using such devices over such networks may be made in a variety of circumstances (Pousttchi 2003), including:
- MCommerce itself (e.g. the purchase of content, such as location specific data and audio and video streams);
- the purchase of goods and services in conventional eCommerce in both Business-to-Consumer (B2C) and Business-to-Business (B2B) patterns;
- the purchase of goods and services at conventional points of sale; and
- consumer-to-consumer (C2C) transactions involving transfers of value between individuals.
A considerable technical literature exists, but it is characterised by enthusiasm and narrow focus. Typical of the approach adopted is Herzberg (2003), which focusses on the links and flows between providers, and makes unjustified assumptions about the links and flows between users' devices and providers. Many of the infrastructural features assumed in this literature have not been deployed, or have been deployed but not adopted. In addition, industry coalitions have published technical specifications, such as MPF (2006). But these lack clear requirements statements against which specific designs and implementations can be assessed.
In a survey of papers published in the IS literature between January 2000 and September 2004, Scornavacca et al. (2005) found only 4 of 253 articles that addressed security. By the end of 2007, the specialist M-Business literature index at Scornavacca (2007) contained over 1,100 references, of which 30 had 'security' in the title, 33 had 'payment' in the title, but only one had both (Linck et al. 2006). Dahlberg et al. (2007) identified three that "discussed technologies in terms of m-payment security", three that "proposed new tools or mechanisms to improve security", and a further four papers of an empirical nature that dealt with security topics. Lee et al. (2004) includes several chapters on the security of mobile transactions. A limited amount of attention has also been paid to it in adjacent literatures, e.g. Choi et al. (2006).
Many authors have considered mobile payments from a technical perspective, but far less attention has been paid to practical application, security aspects, and acceptability by the users of mobile devices. See, however, Rawson (2002), which considered legal aspects of mobile transactions; Pousttchi (2003) and Kreyer et al. (2003), which discussed security as one among many factors in the adoption of mobile commerce; and Zmijewska (2005). Based on an empirical study, van der Heijden (2002) found that "security was emphasized, both for merchants and for consumers, but it was usually framed in a factor that can best be described as 'perceived risk'". Misra & Wickramasinghe (2004) proposed a 'trust model' for mobile commerce generally.
The purpose of this paper is to present a framework within which risk assessment of mobile payment arrangements can be undertaken. It commences by reviewing the experiences of payment mechanisms that have been used both prior to the emergence of open, public networks and more recently. This provides a basis on which a framework can be developed which reflects the technical and commercial infrastructure, and the relevant categories of harm, threats, vulnerabilities and safeguards. A report is provided of a small test application of the framework. Implications are drawn for policy, practice and research.