University of Southeastern Philippines

Bo. Obrero, Davao City

Assessment 5
ES 310 Elective 1

Submitted to:
Engr. Cristina Enriquez

Submitted by:
Ann Juvie S. Papas

September 23, 2010

 Mobile Commerce
Mobile Commerce Overview:
Why mobile is changing the way business happens?

Over a decade, mobile phones have changed the way we live and work. On the other hand, it is
the personal freedom that the mobile phones share it to us, where the people’s confidence emerge the
way they want to be and who want to be. Many people consider their phones as an extension of their
personal attributes, and through phone we can view what personality is she/ he inhibits.

Mobile phones are connecting people more than ever before and becoming a substance to glue
and hold the social interactions of one’s place. Like internet, mobile phones made our transactions
available 24 hours a day, 7 days a week. It gives us countless opportunities for the businesses to connect
to their costumers and build a meaningful relationship with businesses.

There are over 3 billion mobile phones worldwide. Almost 40 % of our total populations carry
mobile phones (Informa, Nov 2007). By now, since the adaption of mobile phones continue to grow, we
have 4 billion people are now currently using their mobile phones. On some other countries, mobile
phones are replaced within 18 months (2006, Semiconductor Industry Association). Companies who sell
mobile devices also do some technical improvement and attached some features like camera and
introduce in the market very well.

Mobile Phones: Revolutionary Devices

The evolution of the mobile phones is rapidly changing, from simple to complex where the
market has enormous choices to choose from. The combinations of more powerful devices forced the
mobile service operators to bring their infrastructure one step ahead especially the mobile network
connections (such as 3G networks able to carry large amounts of data at high speed as broadband
connections do for computers). In most markets, phones with the characteristics below are already
becoming available:

 A communicative device
Ever since mobile phones are intended to give a good communication whatever ways it
provide either through voice, email or short message services (SMS).
 A connective device
This could be through the availability of the Bluetooth or MMS. Mobile phones can
transfer or connect to other sources of data to other phones. This is also important in
mobile email transaction, however the limitations of transferring big size of file is still
the issue of materializing a good connections.
 A transactional device
Mobile devices could serve as a good arena to do transactions especially banking
transactions. That’s why we have electronic wallet that is available in our phones that
can be used as payment device.
 An intelligent device
Mobile phones fuse a lot of complex features like camera, internet connection and even
location finder (GPS). Internet connection is available if you have queries to allow you to
 browse and interacts depending on the request. As time passed, mobile phones serve us
as an agent of change, tools that facilitate connecting things in the physical world to
information about them in the digital world.

What is M-Commerce?

Advances in wireless technology increase the number of mobile device users and give pace to
the rapid development of e-commerce using these devices. The new type of electronic commerce
conducting business transaction via mobile terminals is called as mobile commerce or m-commerce. Due
to its flexibility, easy to disseminate information, personalization and even the unique physical
characteristic of mobile devices made this a type of commerce very famous and leave a big impact to
the world of conducting a business. The emerging of mobile commerce operates in an environment
where the connectivity becomes faster and furious in anytime, anywhere and anyone that become a
subject who conducted business and make used as a strategy and eventually generates a good revenue
packages into their business. For example, according to Guy Singh (2000), the global mobile commerce
market is expected to be worth a staggering US$200 billion by 2004. The marriage of mobile devices and
the Internet is, however, filled with challenges as well as opportunities.

Definition
"Mobile Commerce is the use of information technologies and communication technologies for the
purpose of mobile integration of different value chains an business processes, and for the purpose of
management of business relationships.“
(Webagency, 2001)

Mobile Enthusiasm
Due to its finite characteristics better than the other commerce, many companies became more
interested in mobile business that viewed it as unexplored market and attached to it is a huge potential
profit. Many countries up to date still competing and even established a large area to do their strategy.
Countries like Japan and in Europe are already witnessing the success of mobile commerce. In Japan, the
NTT DoCoMo's iMode phone has issued a great success highlighting the application of wireless
technology to a business world. In recent year, the iMode phone established a continuous connectivity
to the Internet that attracts almost 13 million Japanese citizens particularly the youth sector. Europe has
also accepted a simple transaction using Short Message Service (SMS) that made an e-mail transaction
very easy and reality, and even the Wireless Application Protocol (WAP) that manages the web browsing
and other industrial applications to communicate wirelessly.

A retail study from AT&T Inc.’s Sterling Commerce and ecommerce service provider
Demandware Inc. found that consumers are increasingly turning to mobile devices to add deepness and
convenience to their in-store shopping experience. The independent survey, which examined consumer
tastes and positions surrounding mobile shopping, found that 15 percent of consumers have used their
mobile devices to make purchases. However, the study also found that concerns around security and
ease-of-use threaten the progress of mobile shopping and payments.

“The key finding is that 15 percent of all mobile phone users—not just smartphone users—made
a purchase from their mobile phone,” said Adam Forrest, product marketing manager at DemandWare
Woburn, MA. The age demographic with the highest usage was 25-34 with 21 percent of them making a
purchase from their mobile phone.

This online survey was conducted by SmartRevenue in June/July 2010 and surveyed 3,611 male
and female consumers ages 18 and older living in the United States.

Mobile devices have become an integral part of society and, for some, an essential tool.
However, the complex design and enhanced functionality of these devices introduce additional
vulnerabilities. These vulnerabilities, coupled with the expanding market share, make mobile technology
an attractive, viable, and rewarding target for those interested in exploiting it.

Mobile Malwares
Since the world is categorized in two distinctive characteristics _the bad and good in developing
one thing, the bad side is also conducting or playing their roles in business transactions. So through also
the advancement of mobile commerce, this commerce becomes also a subject to their plans. Mobile
malware is one of the destructive elements that clogging the flow of success of the mobile commerce.

So it was proven that the security is one of the reasons that the company should focus too.
Mobile malware is also advancing and increasingly malicious and financially motivated and unwittingly
catching it off guard. According to Patrik Runald, Chief Security Advisor at F-Secure said that we have
400 mobile viruses are now recognized up to date, resulting in thousands of damage worldwide. "At
some point, the criminals now developing PC malware will start focusing on mobile devices. It's not a
question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point
that sets the mobile malware field afire."

Before we proceed on how to prevent mobile malware, let us first understand how and why
mobile malware developed and the way it propagates. The most common operating systems used by
mobile phones and personal digital assistants (PDAs) are Microsoft Windows Mobile and the Symbian
OS. Nokia's S60 user interface is based on Symbian OS, an operating system that is developed and
maintained by Symbian Ltd and adopted by many mobile companies like Samsung, Panasonic, Siemens,
and Lenovo. Most of the mobile malware below affected mainly on what platform is very mush used.
(Zhu Cheng, McAfee, Mobile Malware: Threats and Prevention)

Connectivity was not so powerful way back that became a big factor to the attackers to develop
a malware. Mobile market was still very small that it lacks an interest to supervise their plans, but still
there are developed and available mobile malware moving around in mobile commerce.

 Palm Liberty was the first mobile malware that can be proven through arguments back
in August 2000. This Trojan ruled over in the register of Nintendo Gameboy emulator
shareware as a patch but actually it deleted all the applications that were installed in
the Palm PDA. Liberty losses its popularity because it targeted just a small amount of
naïve users. In fact, Liberty was so unsuccessful that most antivirus companies begin
their mobile malware signature lists with Cabir.

 Symbian Cabir the forerunner of 15 variants was released in June 2004. This worm
infects the Symbian Series 60 smatphones by sending itself through the Bluetooth
connections. The operations were to click the user or open a message in inbox by
clicking yes when prompted by the installer. Cabir was propagating without a certain
noticed until it was discovered and reported rapidly to give an alarm to the users in
infected 20 countries who had a devices which somehow popular as the Cabir main
subject. However, Cabir faded because of it propagates too slow regardless to its
number of infected victim because of its capacity to spread one phone per reboot. For
most victims, Cabir's only adverse impact was battery drain.

 Sibling Mabir had somewhat better reach compare to the other mobile malware. It
propagates through MMS instead of Bluetooth connection, Mabir listens to incoming
MMS or SMS and respond by copying itself and sent to victim’s phone in MMS format.
We can see that Mabir overtaken the limitations of what Cabir’s ability but somehow
less in software architecture and depended on social engineering and even explicit user
acceptance for activation.

 In early 2005, Commwarrior (the predecessor of seven variants) improved on these

techniques by searching both for nearby Bluetooth devices and sending itself via MMS
to phone numbers in the victim's local address book. Commwarrior also sends randomly
named files to avoid immediate user recognition and tries to covers its tracks
afterwards. As a result, even though it still required user acceptance to install,
Commwarrior was far more successful in propagating. More importantly, it caused
financial damage by racking up MMS transmission fees. One operator reported that
malware was responsible for 5% of its MMS traffic.
  A pair of Pocket PC malware programs emerged around the same time as Cabir. Duts is
a small, innocuous virus that runs on an ARM-based WinCE PDA. The user must invoke
Duts and accept a threatening prompt ("Dear user, am I allowed to spread?") before the
virus can attempt to append itself to all .EXE files in the current directory. Brador is an
ARM-based WinCE trojan that copies itself to the Pocket PC's Startup folder, emails the
victim's IP address to the author, then listens for incoming remote control commands.
However, neither proof-of-concept propagated itself to other mobiles, nor were they
installed without active user participation. Mobile virus writers quickly returned their
attentions to the OS with the biggest market share: Symbian.

(Lisa Phifer, President Core Competence)

According to F-Secure's Runald, approximately 98% of mobile malware programs identified to

date are designed to run on Symbian. "Series 60 second edition is the primary target," Runald said. "The
third edition pretty much kills off malware because of code signing."

Based on the presented mobile malware above, most companies are practicing code signing in
their software from tampering and sensitive function invocation by unauthorized applications. However,
code signing is still ineffective to prevent unsigned application installation, due to the user that they’re
not so concern about the code signing and even willingly downloaded and installed the unsigned
application to their phones. As new mobile viruses and Trojans are continuing to improve themselves,
new malware stopped announcing itself as Cabir and Duts did.

 Symbian Skulls is part of the family of Trojans with 31 kinds. Skulls propagate
but overwriting all the applications with non-functional versions except those required
for communication. The non-functional version is very much like Cabir but much
improved.

 The later variants are mixed with FlexiSpy – a spyware program called "phones"
that locks itself to resist removal and records voice calls and SMS text, relaying that
private information to an Internet server. In addition, FlexiSpy is commercial spyware
sold for up to $349.00 per year. Versions are available that work on most of the major
smartphones, including Blackberry, Windows Mobile, iPhone, and Symbian-based
devices. The following are some of the capabilities provided by the software:

• Listen to actual phone calls as they happen;

• Secretly read Short Message Service (SMS) texts, call logs, and emails;
• Listen to the phone surroundings (use as remote bugging device);
• View phone GPS location;
• Forward all email events to another inbox;
• Remotely control all phone functions via SMS;
• Accept or reject communication based on predetermined lists; and
• Evade detection during operation.
 FlexiSpy claims to help protect children and catch cheating spouses, but the implications
of this type of software are far more serious. Imagine a stranger listening to every
conversation, viewing every email and text message sent and received, or tracking an
individual’s every movement without his or her knowledge. FlexiSpy requires physical
access to a target phone for installation; however, these same capabilities could be
maliciously exploited by malware unknowingly installed by a mobile user.
(US-CERT- United States Computer Emergency Readiness Team).

 Symbian Pbstealer is a trojan that builds upon Cabir's Bluetooth propagation

mechanism. To trick users into installing it, Pbstealer poses as a shareware address
book compaction utility. Instead, Pbstealer sends a copy of the victim's local address
book to the first nearby Bluetooth device that it can find.

 In February 2006, the first J2ME trojan emerged as Redbrowser, a Java applet that
disguised as a shareware WAP browser that could retrieve Web pages for free.
Instead, Redbrowser sent SMS messages to premium numbers in Russia at a cost of
$5 a piece.

 In December 2007, the Symbian Beselo worm started to spread itself via Bluetooth
and MMS. Beselo is similar to Commwarrior, except that installation files are not
identified by the usual .SIS extension. Instead, Beselo files are named with .MP3,
.JPG, or .RM extensions, fooling users into opening these phony multimedia files,
thereby installing Beselo.

 In February 2008, a new WinCE InfoJack trojan appeared, packed inside legitimate
application installer packages like Google Maps, posing as an optional add-on.
InfoJack disables Windows Mobile's installation security so that other unsigned
applications can be installed without warning. It then sends the victim's serial
number, operating system, and other information to a website in China.

 In March 2008, Symbian Series 60 second edition devices were targeted by

MultipleDropper, a malicious program that arrives via Bluetooth or MMS then
installs Commwarrior, Beselo, and a new trojan, Kiazha. After sending an SMS to the
malware's author, Kiazha attempts to extort $7 (RMB 50) as ransom, to be sent by
the user through the Chinese IM network QQ.
(Lisa Phifer, President Core Competence)

Symbian in general and the Symbian Series 60 second edition in particular, remain favorite
targets because the target population is large and those older devices harbor exploitable vulnerabilities
and mainly because Symbian OS is an open platform. Newer Symbian devices, including Series 60 third
edition, cannot actually run many of these trojan and worm installers thanks to Symbian OS 9 Platform
Security features like Capability Management and Data Caging. Runald expects the iPhone to draw
mobile malware because of its growing popularity and its relatively feature-rich operating system.
Mobile Malware Preventions

Mobile phones today especially those Windows Mobile API’s OS based they provided
automatically a signed application. Only the certified programs can call Mobile API’s. So, it’s up to the
user if she/he will add an unsigned application that can create damage to their phones. Since mobile
commerce primarily evolves from e-commerce with the use of the features from laptops or desktop
PC’s , the prevention that can be apply to mobile phones is the same on what you do to your PC’s.

Here are the basic steps that Zhu Cheng: McAfee research scientist and Lisa Phifer recommended:

 Install mobile anti-virus software

We have lots of mobile anti-virus available by the vendors that is in the market already. It is
good to have a PC based-mobile antivirus so that you wouldn’t have difficulties in removing
infected files.

 Do not save business data on your mobile

Save confidential files or photos on removable disks. Just to be sure.

 Back up frequently (files or data)

It is good to practice to make frequent back-ups data especially contact lists. You might
appreciate this way until your phone will be infected and force to do such action.

 Be careful with Wi-Fi and Bluetooth

Make sure your Bluetooth and Wi-Fi connection is off especially outdoor environment and if
also you don’t have any transactions involving this any connections. You wouldn’t know, your
phone might detect a malware without noticing it.

 Install process management software

Using process-management software, advanced users can search for suspicious processes on
our mobile phone and stop them. Due to the phone’s limitation, Window Mobile cannot run all
the applications. So, log all the running processes when you’re sure the mobile is not infected.
And it would be easy to detect if there is something wrong in your mobile phone.

We have other recommendations by the US-CERT in addition for preventing malware to be practiced:

 Maintain up-to-date software, including operating systems and applications;

 Install anti-virus software as it becomes available and maintain up-to-date signatures and
engines;
 Enable the personal identification number (PIN) or password to access the mobile device, if
available;
 Encrypt personal and sensitive data, when possible;
 Disable features not currently in use such as Bluetooth, infrared, or Wi-Fi;
  Set Bluetooth-enabled devices to non-discoverable to render them invisible to
unauthenticated devices;
 Use caution when opening email and text message attachments and clicking links;
 Avoid opening files, clicking links, or calling numbers contained in unsolicited email or text
messages;
 Avoid joining unknown Wi-Fi networks;
 Delete all information stored in a device prior to discarding it; and
 Maintain situational awareness of threats affecting mobile devices.

Mobile Malware and M-commerce

Mobile malware become a big threat to mobile commerce especially if it involves mobile
banking transactions. Like the ways of attackers do in E-commerce, attackers in mobile commerce
customized another version fit for mobile commerce like SMiShing for SMS, Vishing attacks in voice
communication and many more.

Mobile commerce and mobile payments provide a significant opportunity for security hackers.
As the number of mobile users conduct mobile commerce and become comfortable doing so, the
number of potential targets will outweigh the wireline side. This will likely entice security hackers to
focus attention on the mobile industry and target smart devices for financial gain. Knowing that hackers
tend to go where the money is, this is certainly an area about which mobile carriers need to be
concerned from a security perspective. If mobile users do not feel it is safe to purchase new
applications, this lack of trust will have a dramatic effect on the growth of the mobile carrier’s business.

Similar to the way the computer world has been attacked by DDoS, viruses, and botnets, mobile
carriers will also come increasingly under fire. Mobile attacks will be driven by the increase in open
networks, open devices, and financial transactions conducted over the mobile network. It is difficult for
mobile users to protect themselves, so it will be important for mobile carriers to move mobile security
to the forefront, protecting their users and their revenue streams from hackers and the coming
onslaught of security attacks.
Reference

Cheng, Z. (n.d.). Mobile Malware:. Threats and Prevention .

Das, M. (n.d.). Application of in Mobile.

GS1. (2008, February). Mobile Commerce. Opportuities and Challenges .

Networks, J. (2010). Mobile Security. Why the time is now , 6.

Phifer, L. (2008, September 30). Prevent mobile malware: Learn how to protect your enterprise
and devices. Retrieved from SearchMobileComputing.com .

Recklies, O. (n.d.). M-Commerce. The next Hype .

Schell, A. G. (n.d.). Future Trends in Mobile Commerce. Service Offerings, Technological

Advances and Security Challenges .

Shileds, T. (2010, February 17). Mobile Malware Counterpoints.

US-CERT. (n.d.). Technical Information Paper-TIP-10-105-01. Cyber Threats to Mobile Devices .

Victor A. Clincy and Garima Sogarwal. M-Commerce, Emergent Platform For Training &
Educating. Kennesaw , Georgia.