Security will test m-commerce

The crucial challenge for businesses wanting a piece of the action in m-commerce is to avoid the security traps that plague the...

The crucial challenge for businesses wanting a piece of the action in m-commerce is to avoid the security traps that plague the Internet. Nick Huber reports

Vodafone is the first of an expected stream of companies to offer micro-payments - the £5 (or less) spending bracket not served by credit or debit cards. The fact that Vodafone is processing payments for the service itself is significant.

While telecoms companies have extensive networks and experience in customer billing some analysts predicted that they would work with banks to provide payment services. From the banks' point of view this would certainly make sense, giving them a slice of a potentially lucrative market.

Vodafone's move into the micro-payment market has been widely predicted. From April a draft European Commission directive will allow almost any organisation to provide electronic payment services. The Financial Services Authority has just finished a consultation on the e-money directive and will draw up regulations for the new payment market.

Jim Wadsworth, head of m-commerce at Vodafone, said experience in billing and payment systems made it logical to offer micro-payment services.

He also argued that there was a gap in the financial services market for small-value payment services. "For the higher end £5-plus [payment services] the financial services infrastructure works well. But for micro-payments, such as for digital services, [users] are not well served by the existing infrastructure," he said.

Vodafone shows no signs of wanting to move into handling larger value payments. If telecoms companies offered full-blown payment services instead of the current subscriber-based merchant system they would become subject to a host of banking regulations. Industry experts believe this red tape will deter telecoms companies from taking on the banks.

Wadsworth refused to reveal how long it took to integrate the iPin payment system into Vodafone's existing systems, beyond admitting that the project took "months".

The main technical challenge was integrating the new platform with Vodafone's existing billing and pre-payment systems.

The 50 or so content providers signed up to the service had to create a Java-based application program interface (API) to the payment platform. This typically took a couple of days, Wadsworth said.

But Vodafone faces a more pressing issue than the mechanics of payment processing - security. To purchase goods on their mobile phones using wireless application protocol customers give a Pin number for authentication. For Internet purchases a user name and password need to be given.

Security for the service will need to cover two main areas: first, ensuring that the right customers are billed and for the right amounts; and second protecting the central database of customer accounts.

Time will tell whether the measures they have developed are sufficient. They will have to cope with the kind of unpredictable security headaches that have plagued the fixed-line Internet for the past few years.

Analysts warn that mobile phones and handheld combination devices handling payments are likely to become more vulnerable to hacking. As they become more sophisticated they will be able to automatically download more software. This push technology allows users to download anything from e-mail applications to a company's directory.

Hackers could create software viruses and use their PCs to randomly dial thousands of mobile phone numbers, some of which may download the rogue software, perhaps in the form of a Trojan - a program that appears legitimate, but performs some illicit activity when it is run. This could be used to identify password information or make the system more vulnerable to future entry, or simply destroy stored programs or data.

Graham Titterington, senior consultant at analyst firm Ovum, said that this kind of threat could become a problem for micro-payment services when the next generation (3G) phone services hit the market. "The more functionality you have the more vigilant you have to become," he warned.

Much will also depend on how users configure their preferences for their mobile phones, including security.

More sophisticated security measures that could be available for future micro-payment services include biometrics - either through fingerprint or voice recognition technology.

Vodafone regularly reviews its security measures and will update them to deal with new threats when necessary, said Wadsworth.

"If you have infinite security you will have no transactions. We monitor the situation," he said.

Read more on IT risk management