128 Int. J. Mobile Communications, Vol. 4, No. 2, 2006
Copyright © 2006 Inderscience Enterprises Ltd.

An onion ring framework for developing and assessing mobile commerce security

June Wei*
Department of Management and Management Information Systems, College of Business, University of West Florida, Pensacola, Florida 32514, USA
E-mail: jwei@uwf.edu
*Corresponding author

Lai C. Liu and Kai S. Koong
Department of Computer Information Systems and Quantitative Methods, College of Business Administration, The University of Texas-Pan American, Edinburg, Texas 78541, USA
E-mail: liul@utpa.edu
E-mail: koongk@utpa.edu

Abstract: A five-layer ‘onion ring’ framework for analysing mobile commerce security requirements and for improving system security performance is presented in this research. Two quantifiable approaches, based on weighted scores applied to either a spider diagram or a decision solution matrix, are used to demonstrate how the security level can actually be objectively measured and evaluated in addition to the technical discussions on the framework’s architecture.

Keywords: mobile commerce security; evaluation matrix; spider and relative weighted methods.

Reference to this paper should be made as follows: Wei, J., Liu, L.C. and Koong, K.S. (2006) ‘An onion ring framework for developing and assessing mobile commerce security’, Int. J. Mobile Communications, Vol. 4, No. 2, pp.128–142.

Biographical notes: June Wei is Assistant Professor in the Department of Management and Management Information Systems at the University of West Florida. She has published extensively and is an Editorial Board Member of the Interdisciplinary Journal of Knowledge and Learning Objects, Journal of Information Privacy and Security, Interdisciplinary Journal of Information, Knowledge and Management, and International Journal of Mobile Learning and Organization.

Lai C. Liu is Associate Professor of Computer Information Systems and Quantitative Methods at the University of Texas Pan American and is also a Fellow of the Computing and Information Technology Center. She has published extensively and is an Editorial Board Member of E-Government and Interdisciplinary Journal of Knowledge and Learning Objects.
Kai S. Koong is a faculty member in the Department of Computer Information Systems and Quantitative Methods at the University of Texas-Pan American and is a Fellow and Associate Director of Economic Development of the Computing and Information Technology Center. He has published extensively and is an Editorial Board Member of International Journal of Management and Enterprise Development, International Journal of Services and Standards, Journal of Computer Information Systems, International Journal of Information and Operations Management Education, Journal of Information Systems Education, and Journal of International Technology and Information Management.

1 Introduction

Most people can now easily afford to own one, if not more, of the many varieties of available mobile devices. In addition to the traditional audio, text, and video features, many of the latest mobile devices can facilitate real-time business transactions around the globe. It is now common to see individuals, be they at an airport or on a ship in the open seas, engaged in communicative as well as collaborative activities with customers, suppliers, and partners with portable hand-held mobile devices. Given the popularity and technological advancements in these types of mobile devices, their future contributions and roles in the proliferation of internet commerce are expected to be critical. However, just as mobile devices can be used to help businesses to facilitate commercial activities, they can also be used by perpetrators and criminals to victimise the same businesses. Such possibilities and threats are inherent in the basic characteristics of mobile commerce (m-commerce) because of its utilisation of any wireless device and some data connection to exchange information, services, or goods (Abuelyaman and Wen, 2004; Andreou et al., 2002).

In operating terms, an m-commerce transaction is any type of transaction of an economic value which is conducted via a mobile device that uses a wireless telecommunications network with an e-commerce infrastructure (Tsalgatidou and Veijalainen, 2000). However, without a proven security infrastructure in their wireless communications, companies involved with internet commerce practices can very easily experience internal and external security breaches. All it takes is a fairly competent perpetrator and some innovative approaches to exploit the transmission processes and steal critical business intelligence from network devices. Businesses have good reasons to be worried about the growing problem with online commerce security, particularly m-commerce. Each year, the increasing number of internet fraud cases reported by the Federal Trade Commission has indeed been alarming. Drawing from the dramatic increases in fraud reports in the recent few years, internet fraud is definitely expected to rise as the amount of commerce increases on the Net (Manuel, 1999). As online services are becoming more ubiquitous, the volume of m-commerce activity is expected to easily equal that of e-business. Put together, businesses should be seriously concerned about m-commerce security because perpetrators can now use the anonymous advantage of the internet to cause harm in real-time mode from anywhere on the globe. Worst of all, the victim or business can be harmed much more easily and quickly. It is even possible for the criminal to repeatedly harm the same
victim or business because the fraudulent electronic transactions can be repeatedly processed within a short period of time. Given the types as well as amount of damages online perpetrators can cause to m-commerce, a major need and challenge for online commerce, at this time, is the development of new models and information systems that can secure resources from unauthorised access and prevent fraud (Olden, 2002). In particular, wireless systems that can secure networks and transmit reliable transactions in m-commerce have been identified as an area of priority by security software developers (Olla and Patel, 2003).

Like all business practices, there is always a need for holistic models and evaluation approaches for assessing system effectiveness. Several researchers have examined the issue of computer security and m-commerce and proposed some noteworthy models and issues that are centered on security mechanisms and performance, environmental implementation issues, application requirements, and assessment of business key components. Some of these earlier studies and their contributions include:

• Jansen and Karygiannis (1999) and their development of a mobile agent security system that can be used in mobile agent-based commerce applications such as contract negotiations, service brokering, auctions, and stock trading. Security requirements such as confidentiality, integrity, availability, and accountability are applied to this agent framework.
• Andreou et al. (2002) and their study on the performance of various mobile systems, which confirms that mobile systems with lower security do allow perpetrators to simply attack. For example, the radio wireless interface is one such device that is vulnerable to attacks. This is one good reason why wireless access should always include encryption, authentication, and other security mechanisms. The downside of this is the increase in complexity and delay in m-commerce transmissions.
• Vinaja (2002) and his three-dimensional framework, which can be used to identify security requirements for a specific mobile environment. The three dimensions include mobile users, mobile hardware, and mobile software. This framework is a useful beginning step to determine the specific implementation characteristics and needed security measures.
• Olla and Patel (2003) and their design of a context-aware mobile system which supports users with location-specific information servers and applications. The system uses the non-intrusive Push concept to deliver information to mobile users using cell-broadcast technology.
• Siau and Shen (2003) and their thoughtful discussions of the challenges of mobile communications and mobile services. Their contribution is inherent in the implications that were drawn from progress-to-date in technology as well as policy advancements.
• Yuan and Shang (2003) and the development of a framework to analyse m-commerce business models. Based on key business components, their taxonomy can be a useful model for businesses which need a systems approach to assess their operations.
While it can be agreed that the many noteworthy applications, models, and analyses identified in the research efforts indicated above have indeed been useful, studies that can address m-commerce security technical components, as well as application processes together, are still lacking. In addition, there is also a need for proven quantifiable approaches that m-commerce experts can actually use to assess effectiveness. This study is a pioneer effort aimed at addressing both those areas of need in the m-commerce security literature. First, this study will propose and validate an ‘onion ring’ framework that can logically link together all factors affecting m-commerce security performance. Second, two proven assessment methods are used to demonstrate how m-commerce security can be measured and evaluated. Finally, several suggestions are offered on where future research agendas of m-commerce security should be focused given the many incidences of internet fraud in the electronic marketplace.

2 The ‘onion ring’ m-commerce security framework

The notion of a multi-layer architecture for m-commerce security is definitely not a new one. The VAX/OS architecture is an excellent example of a popular operating software system which uses such an approach. Besides conceptual simplicity, the onion ring architecture offers excellent security by organising and matching access rights to increasing levels of responsibility and accountability. The research framework introduced in this paper classifies m-commerce security into five levels: mobile device security, m-commerce language security, wireless network access control security, m-commerce access management security, and m-commerce transaction security. This five-layer generic architecture was first applied to m-commerce security by Wei et al. (2003). In this study, technical specifications as well as application processes are added to explain how the proposed model can actually be developed.

In addition, two assessment methods are used to demonstrate how the respective layers can be measured and evaluated. The key to understanding the success of the framework is inherent in the notion that protection needs to be in place in several layers. Each succeeding layer should also act as a kind of enclosure for the next layer, thereby increasing effectiveness. This new multi-level framework to m-commerce security is depicted in Figure 1.

Figure 1 An ‘onion ring’ framework for m-commerce security [figure not reproduced; ring labels: Transaction security, Device security, Language security, Network access security, Access management security]
2.1 Layer 1: m-commerce device security

The root layer to enable m-commerce security is inherent in all the mobile communication devices because they can become a front-end security tool for m-commerce. Such devices may include, but are not limited to, mobile phones, palmtops, handheld computers, and PDAs. For example, the integrated SIM card in mobile phones can be augmented using the private key digital signature of a Public Key Infrastructure (PKI) system. Wireless terminals can also act as security devices for gaining access into buildings by using the Global System for Mobile (GSM) part of the mobile phone or via an authentication mechanism called Bluetooth technology (May, 2002). Based on these front-end setups, the SIM cards can access the GSM network and identify the wireless device to the network. The smartcard operating system can be adapted to run on a SIM chip, which allows GSM communications phones to contain digital signatures and credit card numbers.

It should be pointed out here that the use of wireless devices to serve as front-end security devices is still at the infant stage of development. First, some of the more common operational uncertainties include altered information, denial of access, interrupted transactions, transmission delays, and power outage. Second, instances of modified electronic signature-signing programmes on mobile devices and stolen or modified smart cards have also been found to exist. Third, an attacker can distribute malicious code, cause denial of service, and reestablish connections without reauthentication due to intermittent service failures and unreliable conditions (Ghosh and Sawinatha, 2000). Fourth, determining where a hacker is from can be a relatively difficult task because an attacker can quickly get on or off-line and not be linked to any specific geographic location (Chess, 1998). Fifth, narrow bandwidth and capacity can force developers to give up security and encryption to simplify the process (Vinaja, 2002). Lastly, there is always the possibility of the loss of the wireless devices and the data in them.

While it is true that these uncertainties can be overwhelming, the good news is there are already some solutions that can be used to enhance security enforcement at this layer. Some of the proven methods include strict authentication protocols, cross-platform agent authentication mechanisms so the server can verify if the agent is coming from a trusted source, password authentication, smartcards or token authentication, and biometric authentication. At the receiving end, memory protection for processes, protected kernel rings, file access control, authentication of principals to resources, differentiated user and process privileges, sandboxes for untrusted code, and biometric authentication can also be added. Put together, this is why user authentication, merchant authentication, secure (encrypted) channels, user-friendly payment schemes supporting micro payments, receipt delivery, and simple user interfaces are critical in the design and development of mobile devices (Thanh, 2000).

2.2 M-commerce language security

The second layer concerns language security; that is, those elements dealing with m-commerce security system development. Proven security software applications and tested programme modules are the key to the successful functioning of this layer. The possibility of using a language where all programmes are safe is to develop a ‘safe’ language in which all codes have restricted access to operations that can affect