5. Introduction
01 Mobile Payments Quick Review
02 Telefónica Czech Republic Experience
03 Opportunities
04 Technical Solutions
05 Risks and their Mitigations
06 Summary/Recommendations
Disclaimer: The opinions of the author expressed in this document do not necessarily state or reflect those of the Telefónica company.
6. Mobile Payments
Most popular service:
• Users use it – it is a convenient way to perform purchases
• Developers need it – it provides monetization
• Operators like it – it gives them a place in the value chain and another revenue stream
[Diagram: Consumer – Mobile Network Operator – Content Provider]
Let us do some quick review…
7. Payments?
What are the Mobile Payments?
Many definitions exist…
• It generally refers to payment services performed from or via a mobile device.
Focus on Mobile Network Operator service:
• Not mobile banking
• Not payments using credit/debit card
• Not payment through online payment provider
• Not NFC
• Direct to bill (D2B)
8. Experience in Telefonica CZ
Today is the 10th anniversary of the service
mJuice m-Platby
• USSD based, used for cinema ticket purchases
Premium SMS – 7 years old service
Mobile web payments
m-platba – 3 years old
All these payment solutions are pre-SDP
9. Mobile Payment Methods
Premium SMS – oldest one
Mobile web – already established
In-app payments – great for freemium
Smartphone penetration still grows…
One-off payments
Subscriptions/direct debit
[Chart: smartphone penetration by platform, Google Android vs. Apple iOS, 2008-02 to 2011-06]
10. Limitations
Transaction fees are high and will stay high
Limited use for intangible goods, mostly consumable on the mobile device
11. Opportunity
The situation is very positive:
• Smartphone penetration is high
• Users have already learned to pay for apps
• Operators are perceived as trusted parties and have a good track record in mobile content
• User experience is better than when using payment cards
Mobile Payments can substitute the declining content revenues
Mobile Payments can help operators return to the value chain and stop being a dumb pipe
13. Business Risks
Repudiation
• When the operator cannot prove the user's consent, the user can later reject the payment
• Closely connected to subscriber identification
Provider charging without providing service
• By mistake or technical failure
• The biggest problem can be fraudulent use
Unclear relation to the provider
• Not possible to get clear responsibility
14. Technical Risks
Communication is not direct anymore
[Diagram: Operator – Provider chain]
Man-in-the-middle (M-I-M) attacks are possible
[Diagram: Operator – Provider – App chain]
Even the app itself can compromise the payment security – App-in-the-middle (A-I-M)*
* Known examples: fraudulent Premium SMS sending…
15. Mitigations
Possible Risk Mitigations
Payment transaction and/or spend limits (per day, month…)
Different security levels for different payment amounts
• E.g. lower security for purchases under 2 €
Security-influenced design of payment authorization
• User giving consent as directly as possible (no M-I-M)
• Verification of human interaction (login by username/password, PIN, captcha, mouse movements/gestures…)
• Alternative communication channels (SMS, USSD…), use of one-time password
16. Mitigations
Possible Risk Mitigations
Payment notifications (by SMS and/or e-mails)
• User gets info about every payment transaction
Offering opt-in model
• User must confirm intention to have payments enabled
Best solution would be use of SIM-based transaction signing
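As an added example (not code from the original presentation or from Telefónica) of how the mitigations on these two slides can be encoded as one policy check for a direct-to-bill request: opt-in required, daily and monthly spend limits, and an authorization level chosen by amount, with a notification generated for every decision. Only the 2 € threshold comes from the slides; the OTP and SIM-signing tiers and the limit values are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class AuthLevel(Enum):
    DENY = "deny"             # refused by policy
    ONE_CLICK = "one_click"   # low value: consent recorded, notification only
    OTP = "otp"               # one-time password over an alternative channel (SMS/USSD)
    SIM_SIGN = "sim_sign"     # SIM-Toolkit based transaction signing

@dataclass(frozen=True)
class SpendPolicy:
    low_value_limit: float = 2.00    # "under 2 EUR, lower security" from the slide
    otp_limit: float = 20.00         # assumed: above this, require SIM signing
    daily_limit: float = 50.00       # assumed per-day spend limit
    monthly_limit: float = 200.00    # assumed per-month spend limit

@dataclass
class UserState:
    opted_in: bool            # user confirmed intention to have payments enabled
    spent_today: float
    spent_this_month: float

def decide(amount: float, user: UserState, policy: SpendPolicy = SpendPolicy()):
    """Return (AuthLevel, reason) for a direct-to-bill payment request.

    Limits are checked first, so a request that would exceed the daily or
    monthly spend limit is refused regardless of the amount tier.
    """
    if amount <= 0:
        return AuthLevel.DENY, "invalid amount"
    if not user.opted_in:
        return AuthLevel.DENY, "payments not enabled (opt-in required)"
    if user.spent_today + amount > policy.daily_limit:
        return AuthLevel.DENY, "daily spend limit exceeded"
    if user.spent_this_month + amount > policy.monthly_limit:
        return AuthLevel.DENY, "monthly spend limit exceeded"
    if amount < policy.low_value_limit:
        return AuthLevel.ONE_CLICK, "low-value purchase"
    if amount <= policy.otp_limit:
        return AuthLevel.OTP, "mid-value purchase: one-time password required"
    return AuthLevel.SIM_SIGN, "high-value purchase: SIM-based signing required"

def notification(amount: float, level: AuthLevel, merchant: str) -> str:
    """Text of the SMS/e-mail sent for every transaction, refusals included."""
    return f"D2B payment {amount:.2f} EUR to {merchant}: {level.value}"
```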
17. Good Balance of Security and Convenience
[Diagram: scale from Convenience to Security]
Convenience side: one click payments, no authorization, opt-out
Security side: authorized payments, opt-in, SIM-Toolkit based security
18. Recommendations
Let the user be in control of the service security settings – provide good web selfcare
Give the user access to the full history of payments – on the web selfcare
Do your best to have direct access to the user (no M-I-M or A-I-M)
Have clear contracts with providers stating responsibility for all cases
19. Empire…
Last Days of the Roman Empire…
Mobile Network Operators had created „empires“
Huge revenues were funding their development
But now the „empires“ are under attack by „barbarians“ from outside (the Internet…)
If operators do not act now, their position in the value chain might be lost – the „fall of the empire“