Global Messaging 2009 - Mobile Ticketing and Payments
Secure Payment and Ticketing Applications
Tom Godber - CTO Masabi
Agenda
Who Are Masabi
The Mobile Experience
Mobile Ticketing
Taking Mobile Payments
About Masabi
2002 • First in-game micropayments
2004 • First mobile viral
2006 • Playtech mobile casino • 750+ handsets • 6 languages
2007 • First certified mobile security • 3Kb EncryptME • Award winning
2008 • Ticketing • Money transfers • Banking
• 20 currencies • 4 alphabets
• 2 Factor Authentication • Secure messaging • UK Rail Ticket Standard
The Mobile Experience – All Sweetness and Light?
Mobile Masochism
The mobile experience is about PAIN
• Texting on a Moto…
• Pretty much anything at all on Nokia’s touchscreen S60…
User experience is becoming important
• Ex-RAZR users often won’t Moto again
• But nothing is perfect, even Steve
Many Services Will Fail
Good ideas are common
Good ideas which actually work aren’t
• Given handset constraints…
• Given real world conditions…
• Compared to existing alternatives…
Pick Your Battles
A successful service must offer a significant advantage to the user
• An mPayment must be easier than cash and cards
Just because a user can do something, doesn’t mean they will
Offer net pain relief
Considerations
User probably moving
• Must be simple
• Must be resilient
Has user got alternatives?
• Cash
• Debit/credit cards
• PC
Connecting With The Real World
UK Rail Barcodes
Reliable, fast
• Offline scanning
• Tickets still work when Internet doesn’t!
Open security
• PKI signatures prevent modification
• Public Key verification is cheap, easy
Royalty free, open barcodes
• Aztec scans best on a handset screen
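The offline check described above, as an added example that is not from the original slides or from the UK Rail barcode standard: a server signs the ticket payload, and a scanner accepts it using only the public key. The payload layout, the function names and the toy textbook-RSA key (built from two publicly known Mersenne primes, so not secure) are assumptions; a real issuer would use a generated key and a padded signature scheme.

```python
import hashlib

# Toy key from two publicly known Mersenne primes: deterministic and
# stdlib-only, but NOT secure. Assumption for illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # public key, loaded onto every scanner
D = pow(E, -1, (P - 1) * (Q - 1))     # private key, stays on the issuing server
SIG_LEN = (N.bit_length() + 7) // 8   # signature size in bytes

# Constructed sample payload; the field layout is hypothetical.
SAMPLE = b"LDN-BHM|2009-06-01|STD|ADULT|coffee=1"


def _digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def issue_ticket(payload: bytes) -> bytes:
    """Server side: append a textbook-RSA signature over the payload."""
    sig = pow(_digest(payload), D, N)
    return payload + sig.to_bytes(SIG_LEN, "big")


def scan_ticket(barcode: bytes):
    """Scanner side: verify with the public key only, no network needed.
    Returns the payload if the signature is valid, otherwise None."""
    if len(barcode) <= SIG_LEN:
        return None
    payload = barcode[:-SIG_LEN]
    sig = int.from_bytes(barcode[-SIG_LEN:], "big")
    if sig >= N or pow(sig, E, N) != _digest(payload):
        return None
    return payload


if __name__ == "__main__":
    ticket = issue_ticket(SAMPLE)
    print("genuine :", scan_ticket(ticket))
    # Upgrading the class in the payload invalidates the signature.
    print("modified:", scan_ticket(ticket.replace(b"STD", b"1ST", 1)))
```

The signature stops modification, not copying: a byte-for-byte copy of a valid barcode still verifies, so reuse has to be handled by other means.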
UK Train Ticketing
Phone becomes your ticket
Today’s reality:
• Only supported on a few routes
• Eg. our National Express trial
3-6 months:
• Train franchises start to go live
• Some rollout of barcode reading gates
Not Just a Ticket
UK Rail Barcode has space for other entitlements
• Eg. Free coffee
• Bundle other sales together with ticket
Barcodes have plenty of other uses
• Remove cash from high-risk environments to reduce ‘shrinkage’
Mobile Ticket Delivery
Handset Support
Chiltern Railways ticket app trial showed:
• Adopted outside young male demographic
• Often user’s first transaction with a phone
Tickets must be supported on everything!
• Smartphones are a niche
Not All About The iPhone
[Chart: Q1 2009 Shipped Units (m) for Other Nokias, Nokia 5800 and iPhone]
Ticket Delivery
SMS tickets
Wap tickets
Local application ticket wallet
Pure SMS Ticketing
Picture messaging can carry small barcodes
• 3 SMS per picture is expensive
Too small for new rail ticket barcodes
• Simple insecure 1D or 2D barcodes only
• No text details for visual inspection
▪ Scanner always required
Can be forwarded and reused
Wap Ticketing
Wap Push with ticket URL
User downloads ticket
• Saves image like a wallpaper
• Must trust OMA DRM
A lot of effort to size image
• Handsets often rescale an image that is slightly too big or small
• This plays havoc with barcode scanners!
Java Ticket Wallet
User installs local ticket wallet
Server sends tickets over SMS
• One encrypted binary msg/ticket
• Delivered directly to wallet app
App can display ticket details and barcode
• Better barcode rendering > faster scanning
• Details readable to an inspector
BUT
Address Customer Needs!
UK Rail Tickets – mainly bought in the station!
User Needs
Ticket delivery is an extension of online
• Fairly useful for users without printers
• BUT most train tickets not bought online
Sell from phone
• Buy in taxi / on street / in station
• Avoid queues
Mobile Payment Channels
SMS
• Premium SMS > phone bill
• Credit card over SMS
Payment through the browser
Payment through a local app
SMS
Premium SMS payment
• Good for simple transactions
• Easy to set up, works on everything
• 30-60% operator cut
• Best for low-value high-margin items
SMS insecure for any other payment
• Messages can be read on stolen phones
• Messages can be read on the network
Mobile Browser Purchase
Wap purchase is multi-step
• Repeat page loads slow and expensive
▪ Requires continuous connection
• Data mis-entry becomes painful
▪ Limited opportunity to help user with validation etc – not like full web AJAX
Often insecure
• Wap1 inherently insecure
• Transcoders can mess with Wap2 and the mobile web
Mobile Browsers
WAP SECURITY
Inherently insecure:
Used on older browsers, “Wap” settings
WAP2 SECURITY
Like the web:
Most handsets use this with “Internet” settings
Transcoders with HTTPS
Some transcoders leave HTTPS alone
Others will insert themselves in the connection
• Handset cannot verify end certificate
• Just like a man-in-the-middle attack!
Java Ticket Sales App
Ticket purchase in UK
• Aimed at repeat users
Intelligent client
• Helps user with data entry => minimises resends
• After 1st purchase, just enter CVV
Submits credit card purchase with one encrypted SMS
• Good when signal strength low
Integrated into ticket wallet
Technology Notes
Java (someone has to like it)
You don’t have to be the ‘best’
• Sometimes being the only option is good enough
NOT suitable for everything
• Remember, pick your services
Good for:
• Recurring purchases
• Flaky connections
▪ Retries, SMS fallback, fat intelligent client
Near Field Communication
A lot like “Oyster on your phone”
• (Almost) no handset support
• Common by 2013?
NFC already embedded on cards
• Habit: you pay with a card, why use a phone?
Who will pay for the infrastructure?
NFC – Not Today
NOKIA HANDSETS
NOKIA NFC HANDSETS
Some Notes On Oyster
Great in London
• Almost everyone has to use public transport
• Locals ‘bribed’ to adopt with lower fares
• Large government subsidies
Not economically viable to roll out elsewhere
• Even London overground train lines required £40m subsidy to support it