Content uploaded by Abdul Rehman Javed
Author content
All content in this area was uploaded by Abdul Rehman Javed on Aug 18, 2021
Content may be subject to copyright.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.DOI
Security in Next Generation Mobile
Payment Systems: A Comprehensive
Survey
WAQAS AHMED1, AAMIR RASOOL2, ABDUL REHMAN JAVED1*, NEERAJ KUMAR3, THIPPA
REDDY GADEKALLU4, ZUNERA JALIL1, NATALIA KRYVINSKA5*
1Department of Cyber Security, Air University, Islamabad, Pakistan
2Institute of Avionics and Aeronautics, PAF Complex, E-9, Air University, Islamabad, Pakistan
3Department of Computer Science and Engineering, Thapar Institute of Engineering & Technology, Patiala (Pb.),India
4School of Information Technology and Engineering, Vellore Institute of Technology, Tamil Nadu, India
5Faculty of Management, Comenius University in Bratislava Odbojárov 10, 82005 Bratislava 25, Slovakia
Corresponding author: abdulrehman.cs@au.edu.pk, natalia.kryvinska@uniba.sk
ABSTRACT Cash payment is still king in several markets, accounting for more than 90% of the payments
in almost all the developing countries. The usage of mobile phones is pretty ordinary in this present
era. Mobile phones have become an inseparable friend for many users, serving much more than just
communication tools. Every subsequent person is heavily relying on them due to multifaceted usage and
affordability. Every person wants to manage his/her daily transactions and related issues by using his/her
mobile phone. With the rise and advancements of mobile-specific security, threats are evolving as well. In
this paper, we provide a survey of various security models for mobile phones. We explore multiple proposed
models of the mobile payment system (MPS), their technologies and comparisons, payment methods,
different security mechanisms involved in MPS, and provide analysis of the encryption technologies,
authentication methods, and firewall in MPS. We also present current challenges and future directions of
mobile phone security.
INDEX TERMS Mobile Phone, Mobile Payment Method, Online System, Transaction, Mobile Commerce,
Cyberattacks
I. INTRODUCTION
Cash payment is still monarch in several markets, accounting
for more than 90% of the payments in all almost all the devel-
oping countries [1]. Nowadays, the use of mobile devices by
people has increased tremendously. A considerable number
of people use mobile phones to perform day-to-day tasks [2].
These devices can be used for many tasks, such as making
phone calls, web surfing, emailing, gaming, and many other
tasks.
The current research in the area is focused on the usage of
mobile phone to perform payment securely. However, mobile
systems face different limitations [3], [4], [5] such as low
storage and computation power, due to which they cannot
perform heavy encryption operations. Different attacks are
reported on mobile devices due to lack of security patches
such as spoofing, phishing, malware, and sniffing attacks [6],
[7], [8], [9]. In order to effectively design the MPS, these
attack scenarios must be considered for safety and security.
Information and communication technology (ICT) is being
extensively used all around the world [10]. The traditional
face-to-face interaction requirement for payment transactions
is avoided, and remote communication is adopted. There is
no need for direct contact between a payer and the payee that
changes the business environment and leads toward using the
internet to do different transactions. This situation requires
electronic money or digital bits; the system resembles like
traditional payment but with the usage of internet infras-
tructure and digital data for money transfer. There are many
advantages of using e-money, like the client’s anonymity or
the client’s presence is not required during transactions. At
the same time, it also has some disadvantages, like com-
promising of confidentiality, integrity, and availability (CIA)
[11].
The vast development of mobile phone technology enables
the growth of internet services. Internet brings the electronic
transaction systems [12] to the mobile phones and also m-
VOLUME 4, 2016 1
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
CONSUMER / CUSTOMER
FIN TECH / BANKS
SERVICE PROVIDER
MERCHANT / SELLER
Customers plays a key role in mobile
payment system and are the nucleus
of the whole mobile payment world.
They initiate the business transaction
that results in mobile payment
system’s event to trigger.
They are the money regulators of the
system and are custodian of the
monetary transactions. They acts as
a bridge between consumer and
seller for movement of money within
mobile payment system.
Merchants / businesses are the
cornerstone of the whole system.
They interact with the customers
with business offerings in the form of
products and services and gain their
monetary benefits in return through
mobile payment system.
Service providers are the backbone
of the whole system. The whole
system runs on the communication
services offered by these providers.
They are the main custodian of CIA
Triad of data in movement as well as
the mobile payment service
availability to end users.
FIGURE 1: Major Components Of MPS
commerce [13] becomes an alternative for e-commerce. As
m-commerce is growing at a tremendous pace, it is get-
ting much more attention than e-commerce nowadays. M-
commerce has the same characteristics [14] as e-commerce
with some extra advantages like Mobile Payment System
(MPS), that allows clients to perform transactions in real-
time by using mobile phones anywhere; all it needs is internet
connectivity. Another advantage is that, unlike a PC, one can
carry his/her mobile phone anywhere. Some other benefits
are interoperability, speed, cost, and cross-border payments.
Figure 2 shows a Mobile Management system.
A MPS should include authentication, access control, con-
fidentiality, integrity, non-repudiation, and availability [15].
Authentication process included two steps: verification of
the user and verification of the origin. In authentication, two
processes include verifying the user and the origin of the
source of data. Access control can grant access to an autho-
rized person to the payment system and block unauthorized
personnel from accessing the payment system. The informa-
tion must also remain hidden to avoid passive attacks against
transaction data. Availability ensures that the payment system
is accessible. Integrity avoids the modification of data and
non-repudiation ensures that a specific user has transmitted
the message.
Security is essential for MPS, and many security standards
such as PCI DSS (Payment Card Industry Data Security
Standard) [16], which was first released in 2004, is used
to maintain the CIA triad. The people or merchants who
use payment cards follow PCI DSS standards but security
violations can still occur [6], [17]. When security violations
occur, personal information, payment card information such
as expiration date, ATM card number, security code, and
transaction ID are at risk, and it can lead to fraud or illegal
usage of service. There are two methods of Mobile Payment
Systems: account based payment system and token based
payment system [18].
1) Account Based Payment System
In the account-based transaction, we need cards or informa-
tion cards like ATM or credit card. Using this process, the
amount is charged from the user’s bank account after getting
the required details or getting confirmation of the transaction
from the user.
Risk Factor: If any misuse of card or details is done or
any forgery or identity theft is done, then it will affect this
system.
2) Token Based Payment System
It is a new electronic payment method based on tokens
instead of cash or credit cards. These tokens are generated by
any bank, service provider, or telecom company. Moreover,
it is used in the same way as cash is used. By using such
tokens, users can pay to any company through mobile, and
those tokens will be sent to that company which they can
encash, or the provider will pay them for each token.
Risk Factor: These tokens will have no worth if the user
has tokens in their account and the merchant does not accept
those tokens.
2VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
FIGURE 2: Mobile Management System
A. MOTIVATION
Mobile phones’ usage is highly elevated in the current era
compared to their usage a decade before. The number of
mobile phones is higher than the number of bank accounts
that exist. Due to its high usage level, most business organiza-
tions, the entertainment industry, banks, the education sector,
and almost all fields turn towards mobile phone adaptability.
To benefit from this device, they launch their applications
for the comfort of people. Almost all banks facilitate con-
sumers with mobile phone applications. People use mobile
phones for shopping, transferring money, and getting various
services. The maximum use of mobile devices and versatility
motivates us to focus on mobile payment systems (MPSs).
Different models of payment systems have been proposed,
but many limitations exist; security and privacy concerns.
Figure 3 shows the increased usage of MPS in the United
States from 2016 to onwards and sheds light on the adoption
rate and numbers of users (in millions) in a single glance.
MP USERS (IN MILLIONS) MP ADOPTION %AGE
2016
18.8 5.8
2017
22.4 6.9
2018
25.9 7.9
2019
29.1 8.8
2020
31.9 9.6
2021
34.3 10.3
2022
36.3 10.8
MOBILE PAYMENT (MP) ADOPTION IN US
YEAR
FIGURE 3: Proximity mobile payment adoption in the
United States from 2016 onwards
B. CONTRIBUTION
This research paper aims to present an in-depth analysis and
survey of MPS. This paper makes the following contribu-
VOLUME 4, 2016 3
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
tions:
1) We present an overview and discussed different compo-
nents of MPS. We present a review of the existing MPS
structure and its limitations.
2) We discuss and analyze the two main methods of MPS
included: account-based payment system and token-
based payment system.
3) We provide detailed history, development, and deploy-
ment of MPS and discussed aspects of MPS included
socioeconomic conditions, cost efficiency, diffusion of
mobile phones, convenience, new initiatives, heavy re-
strictions and regulations, limited collaboration, under-
developed ecosystem, and security problems.
4) We discuss key attributes of MPS, and stakeholder and
communication entities’ roles in MPS form different
aspects.
5) We demonstrate the security mechanisms involved in
MPS. Provide analysis of the encryption technologies,
authentication methods, and firewall in MPS.
6) We present authentication techniques (one way, two
way, and multiple way authentication) in MPS. Dis-
cussed the pros and cons of the mentioned techniques.
7) Provide analysis of the various possible attacks on MPS
included attacks against user privacy, attacks on authen-
tication techniques, attacks on user confidentiality data,
attacks on the data integrity, and attacks against MPS
services availability.
8) Next, we provide key challenges developers and re-
searchers face in implementing and deploying MPS.
At the end of the research paper, we present different
research directions related to MPS.
The rest of the paper is organized as follows: section II-A
discusses the history, development, and deployment of the
mobile payment system; section II-D discusses the generic
architecture of the M-Payment system; section VI presents
technologies used in the M-Payment system and their com-
parison; section VII provides security aspects comparison of
different mobile payment models; and at the end section IX
provides the current challenges, future direction followed by
Section VIII which concludes the works.
II. RELATED WORK
Cash payment is still monarch in several markets, accounting
for more than 90% of the payments in all almost all the
developing countries [1]. Therefore, it is essential to realize
the importance of MP acceptance. Different researchers have
completed several research studies on MP after the first PM
transaction performed in 1997 [19], [20]. Several studies
on MP implementation have the focus to work on the user
side. Considering the user’s behavior on MP is significant to
advance MP services to improve users acceptance intention
[21].
[22] tried to respond to certain questions related to the
security of online payment systems and presents several
ways to overwhelmed different security threats associated
with online payment systems. [23] presents different types of
TABLE 1: List of Abbreviations
Abbreviation Description
MPS Mobile Payment System
ICT Information and Communication Technology
CIA Confidentiality, Integrity and Availability
MMS Mobile Management System
PCI Payment Card Industry
DSS Data Security Standard
PTC Pakistan Telecommunication
TAM Technology Acceptance Model
EPS Electronic Payment System
TE Technology Evolution
CPT Cart Present Transactions
SEM Structural Equation Model
NFC Near Field Communication
QR Quick Response
SMS Short Message Service
MB Mobile Banking
MP Mobile Payments
MW Mobile Wallets
MC Mobile Currency
MFS Mobile Financial System
MNO Mobile Network Operators
DS Digital Signature
CA Certificate Authority
RA Register Authorities
SKE Symmetric Key Encryption
PKE Public-Key Encryption
PIN Personal Identification Number
MFA Multifactor Authentication
SFA Single-Factor Authentication
2FA Two-Factor Authentication
DDOS Distributed Denial-of-Service Attack
DOS Denial-of-Service Attack
OTP One Time Password
USSD Unstructured Supplementary Service Data
GSM Global System for Mobile
RFID Radio Frequency Identification
QRC Quick Response Code
WAP Wireless Application Protocol
U2F Universal 2nd Factor
MAC Message Authentication Code
SAP Secure Authentication Protocol
online payments such as credit card, e-wallet, debit card, net
banking, smart card, mobile payment, and amazon pay. The
authors also present some requirements for online payments
such as integrity and authorization, out-band authorization,
password authorization, signature authorization, confiden-
tiality, and availability and reliability. [24] proposed a new se-
cure authentication protocol (SAP) for mobile payment. The
author used cryptography techniques for the authentication
between server and client. The proposed technique provides
security to user data account and provides privacy during the
payment transaction.
This research work reviews the literature work of MP
in the following significant areas: mobile payment system
(MPS): history, development, and deployment; factors lim-
iting MP development; MPS key attributes; and MP stake-
holders and entities. Table 2 presents the comparison of the
existing survey papers on MP.
4VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
A. MOBILE PAYMENT SYSTEM (MPS): HISTORY,
DEVELOPMENT, AND DEPLOYMENT
MPS provide several payment facilities for different kind of
services, products, and bills through mobile phone by using
wireless characteristics and other features and benefits of
a communication system [35]. Mobile devices like smart-
phones, smart tablets are utilized in different payment sce-
narios such as purchasing online tickets, electronic materials,
online electronic transactions, and transport fares such as
paying bills and other invoices. It is also possible to purchase
products physically through MPS, either from the point-of-
sale (PoS), ticketing machines, and vending machine sta-
tions. Besides that, most electronic payment systems and
payment instruments nowadays have also been mobilized
[36].
The field of MPS is relatively new, and little is known about
it. Mobile phones are more than just a payment method. In-
stead, it is a method of initiating, processing, and confirming
financial transactions. Mobile payments are not only about
using mobile devices to access online payment services.
While the mobile version of the service may have similar
functionality, the design and implementation of mobile pay-
ments are also different due to different methods and struc-
tures. Numerous factors boost MPS evolution in developing
countries. Following are some of the factors.
1) Socioeconomic Conditions
The lack of cash alternatives is the most critical factor
fostering MPS growth in emerging developing economics
countries [35]. Maximum people in developing economies
countries have not checked accounts and have not to debut
or credit card. Well-developed mobile payment applications
with the advantage of low fees for money transfer services
from one application to other make MPS attractive [36]. In
almost all countries, people move toward the mobile banking
system to save their valuable time and avoid getting robbed.
2) Cost Efficiency
In developing countries, most online conducted transactions
are very low in terms of value, but they are very high in
volume [37]. Introducing a new bank branch is infeasible be-
cause of massive initial equipment, investment requirement,
infrastructure, and well-trained HR included security staff.
Bank without different branches looks appealing because it
utilizes local infrastructure and leverages local resources and
human resources and equipment and resources, including
agent shops and mobile phones. Mobile Payment Systems
(MPS) are reflected as valuable because of their bottom-of-
the-pyramid, lower-class families and unbanked population.
The fee for a usual payment transfer is almost 1% in all
mobile payment systems. E.g., the fee for sending money
through Wizzit and MTN in South Africa (SA) is almost
US$0.05. But earlier than the Wizzit and MTN payment
system, the average fee is almost US$30 to US$50 for the
delivery of cash.
3) Diffusion of Mobile Phones
As cell phones become cheaper, financial systems are still
relatively limited, and Mobile Payments (MP) are more con-
venient [38]. In most countries, individuals may have one
or more cell phones. Sub-Saharan Africa has more families
with more cell phones than sustainable electricity or drinking
water resources.
4) Convenience
In advanced countries, MP is more suitable. People can pay
or withdraw money without leaving their homes, which will
significantly save their time and cost of the expensive fees.
However, this is not an issue in advanced countries, as ATMs
and banks are opposite [39].
5) New Initiatives
Non-governmental organizations and international organiza-
tions (e.g., IFC, the World Bank, GSMA, Gates Foundation)
have proposed new initiatives to promote and facilitate MPS
implementation. For example, M-PESA Kenya was launched
and developed by Safaricom and Vodafone with help from
UK’s Department for International Development. Pakistan
telecommunication (PTC) (Easypaisa) received a $ 6.5M
grant from Gates Foundation in 2012. On the other side,
many factors limit the growth of MP.
On the other side, several factors are limiting further MP
development.
B. FACTORS LIMITING MP DEVELOPMENT
1) Heavy Restrictions and Regulations
This is the most destructive factor in the development of
mobile payments. Pressure on banks plays a key part in the
ecosystem also decreases the development of MP. Unfor-
tunately, compared to technological advances, most mobile
payment methods are changing slowly [36].
2) Limited Collaboration
In most situations, non-cooperation is an obstacle to the
ecosystem. For example, M-PESA has worked with com-
mercial banks for five years to ensure that their valuable
customers withdraw their money from ATMs and banks.
Collaboration is very significant as most customary banks do
not implement to handle MP.
3) Underdeveloped Ecosystem
Lack of standards, undeveloped infrastructure of systems,
limited mobile resources, and saturated telecommunications
networks (including disruptions) prevent developing coun-
tries from launching Mobile Payment Systems (MPS) [40]. In
some situations, interoperability concerns and a specific type
of broker are needed to solve the trust problem and reduce
the chicken and egg problem.
VOLUME 4, 2016 5
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 2: Research Literature Comparison
Ref. Proposed Outcomes
[25] To integrate Choice-Based Conjoint (CBC) and System Dynamics (SD),
the author develops an empirical data-driven simulation methodology
to analyze several competing diffusion dynamics Mobile Payment plat-
form.
To collect multi-attribute preference data, a choice-based conjoint analysis methodology is used on a
different platform. To evaluate the effect of platform design strategies, an empirical user preference SD
simulation model is developed with the help of an empirical user preference data model.
[26] The author in this study aims to compare different factors that define
consumers’ acceptance for near field communication (NFC) and short
message service (SMS) as examples of means for mobile payment of
future payment systems.
From the most relevant literature review, a model is driven and used in this research that applies the
perceived security (PS) and technology acceptance model (TAM). The results succeeded in this research
work in determining the differences between the different factors that define the acceptance of the Mobile
Payment Systems and the intention to use level of the users.
[22] The author discussed the data security which the application user has
shared during online payments.
In this research paper, the author answers specific questions related to online payments security and
discussed different ways to reduce the security threats associated with online payments.
[27] The paper investigates and increases awareness associated with differ-
ent electronic payment systems (EPS), including security considera-
tions, challenges, and advantages.
The author conducted a detailed survey regarding all aspects of EPS after analyzing the existing research
studies related to online payment systems.
[21] The author discussed distributed systems and their regulatory compli-
ance related to this approach which is not decentralized yet.
For instant payment systems, the author reviewed some distributed protocols to find the possibility to
syndicate distributed systems with centralized services effectively in the mobile payment system.
[28] With the case of Mobile Payment Technology, the author focus on
identifying different technological trajectories in the ecosystem (tech-
nological).
The novelty in this research is finding the technological evolution with the help of patent citation and social
network analysis. The case of the Mobile Payment Technology ecosystem is analyzed quantitatively. This
research aims to provide a path to develop and integrate the primary services to categorize Technology
Evolution (TE) with the help of the Mobile Payment landscape.
[29] The author focused on innovations and new attempts or dominant
systems to improve the electronic Mobile Payment System (MPS).
This survey consists of a review of its dominant system and present cart transactions (CPT). At Cambridge
University, several types of research are conducted to designate different attacks against authentication
methods in MPS.
[30] The research study aims to analyze and examine the effects of con-
sumers’ and consumer preferences for MPS and features of the marginal
usefulness of biometric and mobile payments.
Based on the study results, theoretical effects for mobile payment consumer preference and proposed
different market strategies for the dispersal of main next-generation MPS from different aspects are
analyzed.
[31] The objective of the author is to analyze the factors that affect users’
intention in the Mobile Payment System and the status of Near Field
Communication in the transportation system.
To achieve the objectives of the research, a survey was completed with 180 mobile payment users. A
widespread review of scientific collected works validates the progress of interactive model that clarifies the
intention of near field communication MPS with the help of structural equation model (SEM). The study
results show that perceived risk, effort expectancy, service quality, and satisfaction define the persistence
aim to use MPS.
[32] The research study compares the different factors that determine
consumer acceptance quick response(QR), near field communication
(NFC), and short message service (SMS) in MPS.
To achieve the objectives, the intention to use mobile payments, a comprehensive review of literature has
necessary for the improvement of the behavioral model. The novelty and results of the study lie in the
preparation of different behavior rendering to use given by MPS users to each planned payment application.
[33] The research study focused on the urban consumer’s perception and
attitude towards digital MPS.
A convenient survey was conducted to achieve the research objective among 100 urban respondents with
an interview schedule. The ranking method, independent sample t-test, one-way Enova, and percentage
analysis are used in this study.
[34] The author Review the E-MPS in E-Commerce. This study aims to analyze the available literature related to e-payment and e-commerce to underline the
possibility of e-payment and identify the research gaps, and for future studies, the methodology of previous
researchers is recommended.
4) Security Problems
Cybercriminals’ activities are more in advanced countries
concerning others countries. First, advanced countries of-
ten lack an adequate legal framework and implementation
tools to fight cybercrime. Secondly, occasionally customers
have not knowledge and attention is very little to security
problems. This means that high technology is unlikely to be
suitable for developing countries.
Given the various influences that drive and delay the
development of MP, all critical factors in the ecosystem must
be focused on the longstanding goals of the MPS. Of course,
the utmost important objective of any MS is to improve com-
petence, conducive to financial development. In MP, it is an
alternative to financial transactions and specializes in small
payments that cannot be made in cash. However, it remains
to be seen whether the key players in the development and
implementation of the technology are willing to make large-
scale commitments [41].
Given the various influences that drive and delay the
development of MP, all critical factors in the ecosystem must
be focused on the longstanding goals of the MPS. Of course,
the utmost important objective of any MS is to improve
competence, conducive to financial development. In MP,
it is an alternative to financial transactions and specializes
in small payments that cannot be made in cash. However,
whether the key players in developing and implementing the
technology are willing to make large-scale commitments re-
mains to be seen. MPS lead to the growth of new marketplace
ecosystems, containing mobile operators, card operators,
retailers, service providers, banks, hardware vendors, trusted
service managers, and technology vendors. Several critical
regulatory issues emerged, such as electronic money and pay-
ment systems, consumer data protection, MPS, principles,
and confidentiality. MPS are used in developed countries
and Asia, and Africa. Mobile payment systems are used
for interpersonal transfers (P2PT), handling small purchases,
paying bills and expenses, and purchasing specific goods or
services. Almost all mobile network operators that provide
mobile payment systems operate in the few countries/regions
they are located in, thus facilitating international transactions
and remittances [41].
There are no separate laws for MPS in several cases,
especially in undeveloped countries. On the other hand,
depending on the types of mobile, payment, retail and con-
vergent value chain technologies described and classified
above, the program is multifaceted and extensive [41]. The
bond structure is unmoving in its beginning but applied in
all areas and at all system levels. With the development of
technological threats and economic and financial benefits,
mobile payment systems began to develop. The regulatory
issue of mobile payments is new for at least two reasons.
First, it summarizes the different areas of data privacy, e-
money, ICT, mobile services, e-payments, user protection,
and information and rules and regulation. Second, there are
some specific problems with innovation, namely the inter-
6VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
pretation of electronic money and the oversight of payment
systems.
C. MOBILE PAYMENT SYSTEM KEY ATTRIBUTES
All mobile payment systems provide greater convenience of
using mobile devices to process electronic payments [42].
However, it should be noted that because they perform many
functions in a universal payment system, mobile payment ser-
vices have different features that will affect the preferences
and decisions of the user. Therefore, mobile payment services
have complex features, including a combined process of
merchant visits, identity verification, and payments. Table 3
presents the mobile financial system (MFS) key attribute.
All mobile payment systems provide greater convenience of
using mobile devices to process electronic payments [42].
However, it should be noted that because they perform many
functions in a universal payment system, mobile payment ser-
vices have different features that will affect the preferences
and decisions of the user. Therefore, mobile payment services
have complex features, including a combined process of
merchant visits, identity verification, and payments. It is
still significant to explain the concept of MFS, containing
mobile banking (MB), mobile payments (MP), mobile wal-
lets (MW), and mobile currency (MC). Considerate these
facilities are the main research encounter in mobile money
transfers [43]. MB mentions providing banking services
through mobile communication devices, including financial
transactions (for example, money orders and bill payments)
and non-financial business transactions (for example, balance
surveys). Some researchers believe that the functions of MB
and MC intersection [44].
ACCESS MODE
SMS
IVR
USSD
WAP
K-JAVA
POS
APP
MOBILE PAYMENT SYSTEM
MOBILE PAYMENT
AGENT
MOBILE PAYMENT
PLATFORM
SERVICE
PROVIDER
BANKS /
FINANCIAL
INSTITUTIONS
BUSINESS
OPERATIONS
SUPPORT
SYSTEM
FIGURE 4: Structure Of MPS
While MB is primarily seen as a straight link between
consumers and banks [45], mobile payments are categorized
as a service technique that affiliated service suppliers can use
deprived of the involvement of banks. Mobile payments are
common and generally refer to any payment that uses a mo-
bile terminal to confirm and authorize a payment transaction
[46]. Alternatively, mobile wallets are defined as progressive
mobile applications that replace physical wallets and have
numerous functions like storing payment info and affiliation
card and executing transactions. Finally, the mobile currency
is a currency that can use and accessed via an MP. Especially
since it allows users to run a business (e.g., money orders)
without a bank account, it is extensively used among rural
inhabitants and cannot use traditional financial institutions
[47].
D. M-PAYMENT STAKEHOLDERS AND ENTITIES
1) Stakeholders in MPS
There are many diverse stakeholders in implementing M-
Payment, including consumers/clients, merchants/providers,
mobile network operators (MNO), mobile device manufac-
turers, financial institutions, banks, software, and technology
providers. The government is the stakeholder in the M-
Payment implementation process. Each stakeholder has dif-
ferent incentives, roles, and strategies. Sometimes these in-
terests and strategies between different stakeholders conflict,
e.g., the network provider would like to maximize revenues
through each m-payment transaction, whereas customers and
merchants would like to minimize costs for each M-Payment
transaction. In another study [48], the author highlights the
critical finding that mobile payment method depends on their
providers to connect the merchants and consumers to the
degree that satisfies the stakeholders.
2) Communication Entities in MPS
For the payment process, there are multiple entities (as shown
in Table 4) that perform their role. In Figure 6, [49] shows the
entities that communicate in mobile payment process. The
entities can be less or more according to the protocol.
Steps that involve in M-Payment process
1) Client request to a merchant for the payment.
2) Merchant requests to the payment gateway for the trans-
action amount to be a deposit.
3) Client request to the payment gateway for checking the
deduction amount from the account.
4) Payment clearance is held in the payment gateway.
5) Payment gateway response to the client request in the
form of rejection or approval.
6) Payment gateway response to the merchant request in
the form of acknowledgment receipt.
7) Merchant gives the payment receipt to the client and
confirms the transaction.
Figure 5 represents the model of primitive transactions in
which the client makes payment to the merchant. The value
of the payment is subtracted from the client’s account on
the issuer’s request by the payment system, and then on the
request of the acquirer, the merchant transfers/adds the value
from the payment gateway to its account.
III. MOBILE PAYMENT SYSTEM SECURITY MECHANISM
MPS security mechanism included: Encryption technology,
authentication, and a firewall [50].
VOLUME 4, 2016 7
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 3: Mobile Financial System
Mobile Financial System Description
Mobile Currency MC is a currency that can be opened and used by an MP deprived of a bank account [47].
Mobile Payment MP is a payment system used by an MP to authorize, initiate and confirm a transaction [46].
Mobile Wallets MW is a mobile application that can replace physical wallets and include the following features:
The ability to store information about payments, membership cards, and membership cards, and
other marketing plans [46].
Mobile Banking MB means providing banking services via mobile phones, including financial and non-financial
transactions. Wireless device [44].
TABLE 4: Entities that involve during mobile payment process
Entities Description
Client An entity who wants the transaction
Merchant An entity that has products or services to sell. It could be a computational one (like a standard web server)
or a physical one.
Payment Gateway another entity acts as an intermediary between the acquirer/issuer on the bank’s private network side and
the client/merchant on the Internet for payment clearing purposes.
Issuer The client’s financial institution manages the client’s account and affords the electronic payment instruments
to be used by the client.
Acquirer The merchant’s financial institution manages the merchant’s account and verifies the deposited payment
instrument.
FIGURE 5: Primitive transactions
CLIENT MERCHANT
MOBILE PAYMENT GATEWAY
ISSUER ACQUIRER
7
1
2
3
5
6
44
FIGURE 6: Entities involvement in M-Payment process
A. ENCRYPTION TECHNOLOGY
Encryption technology included: Symmetric encryption and
public-key encryption.
1) Symmetric Key Encryption (SKE)
SKE system uses a common key to encrypt messages, which
means both sender and receiver will hold a common key
for encryption and decryption. Before transmission of data
between both parties, the common key is shared on the
secure channel between both entities [51]. Exchanging keys
between both entities is important for encryption processes.
Short size and weak keys are easily attacked opposite to
longer keys. Symmetric encryption is still commonly used
in insecure data communication.
2) Public-Key Encryption (PKE)
PKE system is a type of asymmetric encryption because the
same key is not used to encrypt and decrypt the messages.
In the PKE system, two different keys are used, called public
and private key [51].
3) Comparison between SKE and PKE
There are numerous differences between the SKE system and
the PKE system. Table 5 presents the comparison of the SKE
and PKE.
B. AUTHENTICATION
Authentication included: Digital signature and certificate au-
thority.
1) Digital Signature
Digital signature (DS) is a string value calculated using text
value to a Hash value. DS is used to verify the origin of
the received text and prove whether the received text is
without any changes. To certify the availability of DS, PKI
is frequently used. It suggests a complete set of security
assurance and follows different public key encryption stan-
dards for different sectors like online banking, e-banking, e-
government, and e-commerce securities [52].
8VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 5: Comparison of Encryption Methods
Characteristics Symmetric Key Public Key
Several keys are used for encryp-
tion, and decryption
The same key is used for encryption-decryption Two different keys are used for encryption and decryption.
Speed of encryption and decryption Faster than public-key encryption Slower than symmetric key encryption
Size of ciphertext Usually less than or same as the plain text More than plain text
Key exchange A big problem No issue
Key usage Used for confidentiality but not for digital signa-
ture
Used of confidentiality and digital signature as well
2) Certificate Authority
The Certificate Authority (CA) is a trusted organization that
publishes and manages network security public keys infras-
tructure (PKI) and credentials for message encryption. As
part of the PKI, the CA will use the registry for verification.
Users have the right to verify the information in the digital
certificate provided by the applicant. Suppose RA (Register
Authorities) verifies the applicant’s data and issue a digital
certificate. Communicates users are responsible for distribut-
ing and revoking certificates. Depending on the PKI, Upon
request, the certificate may contain the holder’s public key,
the certificate, the name of the certificate holder, and other
information about the holder of the public key [53].
C. FIREWALL
The firewall can simultaneously protect the system /local
network against network-based threats. The firewall allows
access to the outside world to the local network. In most
scenarios, a firewall is necessary because it is difficult to
equip all devices with different security devices. Typically,
the firewall is inserted between two networks.
IV. AUTHENTICATION METHODS IN MPS
Authentication methods are widely used to test user iden-
tity in mobile transactions as the user identity is required
to execute transactions [54]. Below are some authentica-
tion methods: knowledge-based authentication verification,
object-based authentication verification, and biometric au-
thentication. With Knowledge-Based, users used personal
identification number (PIN) or password to validate their
identity [55]. This is based on well-known traditional au-
thentication methods, so they have fewer security issues. Use
physical tokens (such as smart cards) to perform object-based
authentication. While objective knowledge-based methods
can create inexpensive and straightforward authentication
systems for various computing applications, they can close
the security incident vulnerabilities. In addition, the above
two methods are likely to be lost or forgotten by the users,
which can be an intellectual burden for application users [56].
To overwhelmed the restrictions of the above traditional
methods, some advanced authentication systems have been
developed that provide consumers with helpful security [57].
Biometric methods based on user personal identity (i.e.,
Physical Characteristics) have been effectively applied to
protect and verify users’ identities. Identity verification based
on human-specific biometrics (such as fingerprints, voice, or
iris) is unlikely to be easily stolen or transferred. Previous
research has shown that the apparent advantages of biometric
authentication systems improved account security and the
perceived pleasure and reduced cognitive load and time,
which provides more excellent value to consumers [58].
Biometric technology has its limitations. Because of the com-
plication of high-quality images, many factors in a biometric
system will reduce user identification accuracy [59]. Physical
issues like wet surfaces, dirty fingers, or scratches are famil-
iar illustrations that can delay biometric authentication. In
addition, the biometric system also has some privacy issues
related to users’ identity management. However, there is
also an advanced "Knowledge Based" authentication method.
In the meaning of some useful security features, graphical
prompts (such as design drawings) have also been proposed
as a substitute to the above authentication methods [60]. A
recent study found that using different e-payment authenti-
cation methods will affect users’ perception of security and
availability of these three authentication types. Therefore, in
this study, the method of identity verification was selected
as one of the primary resources for creating the preference
structure of mobile payment users [54].
A. TYPES OF AUTHENTICATION FACTORS
Three types of authentication factors named single-factor
authentication (SFA), two-factor authentication (2FA), and
multi-factor authentication (MFA) can be understood through
the definitions proposed by the research of [61] and [62].
They proposed that a process allowing individual users to
seek access from authenticating parties for attestation of their
personalities with the utilization of single attribute associates
with their identifies is termed as Single-Factor Authentication
(SFA). An example of such an attribute would be the use
of a PIN for unlocking cell phones. The user-friendly and
straightforward nature [63] of this authentication type made it
a preferable choice for many companies; however, its vulner-
ability to various forms of attacks [62] made it unsuitable for
application in financial institutes. [62] Defined Two-Factor
Authentication (2FA), mentioning that users seeking requests
for access from authentication party through attestation of
their personality with two attributes are a process that comes
under the concept of Two-Factor Authentication. These at-
tributes include knowing something personal or possessing
something personal that can be associated with one’s per-
sonality. Hence, attackers are bound to be aware of two
identifiers to get the same authentication as the original users
VOLUME 4, 2016 9
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
in 2FA. This particular feature of 2FA makes it acceptable
and applicable by financial institutions. However, this type
remains loopholes, leaving it vulnerable to a MITM attack,
eavesdropping, and Trojan horse attack. Furthermore, it has
its limitations when considered for its effectiveness against
phishing [63].
For defining the third type of authentication factor named
Multifactor Authentication (MFA), [62] describes that it in-
volves users seeking requests for access from authentication
parties through attestation of their personality with multiple
attributes make up. Biometrics are used along with ownership
and knowledge as an attribute by MFA. MFA’s higher level of
security makes it a better choice for various critical services
and computing devices. Physical separation of authentication
factors from the user device can allow MFA to be more
successful. The addition of biometric factors makes MFA
achieve improved identity proof resulting in more secure
systems [63], [64].
V. CYBERATTACKS ON MOBILE PAYMENT SYSTEM
Different level attacks on MPS can come from unauthorized
malicious users. Following are some identified attack points
susceptible to comprise in this regard.
The first attack is targeted at the users of mobile money.
It includes accessing the PIN of users via shoulder-surfing
when it is unmasked PIN of four to five digits [65]. Access to
this PIN can enable attackers to make fraudulent transactions.
Brute force attacks can also be performed by attackers con-
sidering the straightforwardness of the PIN [66], [67], [68]
The second type of attack involves comprising of money
communication channels. The hacking and controlling of
MMS traffic and manipulation of accounts for making trans-
actions can be made possible using these points [66], [67],
[68].
The third type of attack is at the server of the mobile money
app. Availability of server to both mobile money agents and
users is suspended when such attack is carried out at server.
As per the findings of Castle et al. [66], attackers divert fake
traffic to mobile money servers resulting in it being over-
whelmed, which eventually leads to blocked requests from
mobile money agents and users. It can also include installing
malware on the mobile money app server for deducting some
amount from wallets of mobile money agents and users for
deposition into the attacker’s account without letting these
users or agents discover the transaction [69].
The fourth point of attachment is the IT administrator. The
administrator’s computer can be hacked by an unauthorized
person making it inaccessible to the administrator by chang-
ing its credentials. Mobile money agents can be considered as
another attack point. The PIN of the commission agent can
be stolen by an attacker using shoulder surfing techniques.
Attackers can also practice giving the wrong PIN repeatedly
while making transactions to access agents’ PINs. [70] and
[71] Identified adversaries gave that wrong phone numbers
repeatedly to obtain the PIN of agents and use it for gaining
unauthorized access to the float accounts of agents.
Bank’s server provides another attack point for adver-
saries. A distributed denial-of-service attack (DDoS) is made
in such cases to create the unavailability of a bank server to
the mobile money user trying to make a transaction.
Notification message channels where messages can be
modified creates another attack point for malicious users.
Adversaries may hack the communications channels of the
notification message and make changes in the message as
per their requirements while sending the modified versions
of these messages to the intended users [72], [73].
A. ATTACKS AGAINST PRIVACY
[74] Defined privacy as the right of users to have freedom
from intrusions and infringements by other users. In mobile
money, privacy attacks include the compromised PINs of the
users for illegal access to their financial assets and informa-
tion details utilized in unauthorized transactions. Stealing of
user information can result in a problematic situation for not
only the user but also for the economy as well [74]. Illegal
access to the mobile money database containing the financial
information of users can allow attackers to update or delete
records using the stolen PINs.
Moreover, a variety of user-related information can be stolen
when an attacker gets access to mobile money database
[74]. Personal information such as email addresses, mobile
telephone numbers, NIN, and even names of users and agents
can be compromised, failing privacy safeguards [74]. Un-
scrupulous insiders may end up abusing highly sensitive data
after gaining control and access in this way. Attackers can
do so with the generation of a databank to give control and
access to personal information. There are situations in which
some users request the agents for assistance in performing
transactions, and they end up sharing their PINs with the
agents [75]. It raises the bar for the required level of protec-
tion to agents and mobile money users against unauthorized
access.
B. ATTACKS AGAINST AUTHENTICATION
The identity of a user is forged by an attacker impersonating
an authorized user in this form of attack. According to [76]
authentication attack is a crime in which the mobile money
authentication process is subjected to exploitation when a
brute force attack is being carried out against the PIN.
Various attacks are included in this form of attacks, such
as Trojan horse attack, phishing attack, social engineering
attack, spoofing attacks, masquerade attack, replay attacks,
and impersonation attack. An attacker assumes the identity
of a legitimate user in an impersonation attack [76], [77],
[70], [71], whereas entire communication is subjected to
eavesdropping in replay attack before intercepting [78]. In
a masquerade attack, the PIN and SIM card are acquired by
the users.
Moreover, an attacker pretends to be a mobile system ad-
ministrator in a spoofing attack. When users are manipulated
for them to give up their personal information, a social
engineering attack is said to be launched [79]. Similarly, a
10 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
phishing attack involves deceitful attempts by adversaries
for accessing personal information needed to impersonate a
legitimate user in the system [76]. Another method of com-
promising an authentication system involves using Trojan
software as a virus to access users’ personal information.
C. ATTACKS AGAINST CONFIDENTIALITY
Attacks on confidentiality involve eavesdropping on the com-
munication channels between the application server and mo-
bile money users for tapping information like PIN of users
that can be used for impersonation or in making unauthorized
transactions. The four types of such attacks include guess-
ing attacks, brute force attacks, eavesdropping, and should
surfing attacks. Attackers secretly hear the communication
channels in the eavesdropping attacks by taking advantage of
the lack of security of the network communication. The plain
text form of transmitted data is commonly vulnerable to such
attacks [80], [81].
For brute force attacks against confidentiality, the adversary
can guess the mobile money agent or user’s PIN needed
to access the mobile money account. Despite being very
simple, such types of attacks have shown a high rate of
success [76], [77], [70], [71]. When an adversary sees mobile
money PIN during authentication, a guessing attack is being
launched. Shoulder surfing attack also comes under the type
of attacks against confidentiality in which the adversaries
acquire confidential data and PINs simply by looking over
the shoulder of the victim as they make transactions [77].
[82] discussed one of the approaches that can be utilized
to extract useful network information to identify the details
of the endpoint of the communication parties on the local
network.
D. ATTACKS AGAINST INTEGRITY
When information of the user is accessed and modified in
the MMS, the integrity of user information is compromised.
They can be categorized into insider attacks, salami attacks,
and MITM attacks. An intruder intercepting the communica-
tion between various agents (including users) in the mobile
money application network performs Man a middle attack.
Sitting between the mobile money user and MMS, the at-
tacker makes them believe they communicate in the MITM
attack. [81] and [68] Showed that an attacker could gain
control over the entire conversations when a MITM attack is
being launched as the content of the conversation is modified
by the attacker at both ends.
Employees of financial institutions can conduct salami at-
tacks and insider attacks against the financial institutions.
Like a Trojan horse, a salami attack involves installing ma-
licious software to a financial institution system, allowing
adversaries to withdraw money from users’ accounts, de-
positing it in their accounts. Both external and internal ad-
versaries can launch salami attacks in which small deductions
are made to user wallets as the software allows modification
of some details in the system [83], [84], [85]. [86] and [87]
Highlighted the fact that a high degree of risk of money
fraud comes from the employees of the financial institutions
who are aware of the security protocols and MMS in the
system. MMSP employees with sufficient knowledge about
the organization’s security practices can be involved in the
insider attacks identified by [75], and [86].
E. ATTACKS AGAINST AVAILABILITY
When the bank server or application server is suspended for
agents and mobile money users by an adversary on purpose,
an attack is assumed against availability. Services are ren-
dered unavailable by adversaries in this type of attack using
various techniques. Mobile theft, DOS, and distributed denial
of service (DDoS) attacks come under this category. DDoS
and DoS are launched when adversaries send fake traffic to
overwhelm servers to block legitimate traffic or requests of
users [76]. Such attacks aim to flood mobile money servers
with so many fake requests that the server fails to receive
and respond to legitimate users’ actual requests, making the
service unavailable.
[76], [67] Described mobile phone theft attacks as the type
of availability attack in which the mobile phone of users or
agents is stolen, and the wallet account of SIM card is made
unavailable that can be swapped by the attacker. Service and
data access can be lost due to phone theft attacks, as the
attacker can take charge of the victim’s e-wallet account,
resulting in its unavailability to the actual user.
VI. TECHNOLOGIES USED IN M-PAYMENT PROCESS
We have also seen an M-Payment system based on the
technology used; it is classified in Figure 7. M-Payment
system uses mobile technology for communication between
the entities involved in the payment process.
Near field communication (NFC) [88] is a communica-
tion protocol that enables the communication between two
devices. Global system for mobile (GSM) [89] is a standard
system for mobile communication. Radiofrequency identifi-
cation (RFID) [90] uses an electromagnetic field to identify
or track tags attached to an object. Short messaging service
(SMS) [91] is a text messaging service that is used for com-
munication over the mobile phone. Quick Response Code
(QR-Code) [92] is a two-dimensional matrix barcode, which
has a label in which information is stored. Bluetooth [93]
is a standard for wireless technology; by using this, we can
communicate to fix devices over a short period of distance.
Identity-based signature (IB-Signature) [94] is a type of
public key infrastructure (PKI) in which a publicly known
string that represents an individual is used as a public key,
e.g., email address, the wireless application protocol (WAP)
[95] is a standard protocol used in the wireless network
to access information. Universal 2nd Factor (U2F): It is a
standard of open authentication which provides two-factor
secure authentication.
1) Reviewed Approaches
This study has reviewed multiple schemes or models of
mobile payment systems based on different technologies or
VOLUME 4, 2016 11
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
•U2F (Universal Second Factor)
•Bluetooth
•QR-Code
•NFC (Near Field Communication)
•GSM / SMS
•RFID (Radio Frequency Identification)
1
2
3
4
5
6
FIGURE 7: Technologies used in M payment system
architectures. Paper [96] uses RFID & SIM, which enables
users to use their mobile phone as ATM card/credit card.
By using RFID readers at ATM, users can withdraw money.
Paper [97] uses Bluetooth with Java technology by which
users can pay at POS (point of sale) by using a mobile phone.
Java components are used here to provide encryption. Paper
[98] works on existing models; it enhances SEMOPS (Secure
Mobile Payment Service) model by involving a trusted third
party. Papers [99], [100], [101] used GSM technology to
implement a secure m-payment system. It provides low-
cost architecture by using the existing GSM mechanism.
Papers [100], [101], [102], [103] used NFC communication,
which provides more speed for communication than other
technologies. In [101], the proposed scheme also provides
user anonymity and the un-linkable transaction to defend
against attacks. [102], [104], [105] use QR-Code, which is
fast and supports the buy-and-sale process easily and effi-
ciently. In [103] using SMS service; mostly SMS service in
mobile communication is used for authentication. In [106],
using the SMS based authentication system and proposed
the application based system in which authentication code
can only be accessed by an authorized user and using IB-
Signature, which is simple and less costly, the identity of
an entity is used in this technology for authentication or for
granting access. Authors in [106] also use the OTP code
for securing communication; it prevents the system from
replay attack and uses a password for only one time. WAP
or Bluetooth technology is used in [107] which provides fast
communication but over a small range of areas. It is for peer-
to-peer communication and less in cost. [108] uses SMS
for sending a notification, but for transactions purpose, it
uses unstructured supplementary service data (USSD), which
provides a more responsive service than SMS. In [109], the
author uses U2F technology, which is fast and much secure; it
performs cryptographic functions with a single touch & gen-
erates asymmetric keys. It authenticates both the client and
server in a reliable manner so transactions can be done se-
curely. Query processing over encrypted data is the solution
to tackle the extra overhead caused by the use of encryption,
and such techniques result in remarkable improvements in
the scenario where near real-time data processing is required
[110].
2) Analysis
The overall average of technological usage of M-Payment
systems is depicted in Table 3. We analyzed technologies and
found that SMS is used in primarily m-payment systems.
The use of NFC, GSM, and QR-Code is also every day in
payment schemes or models. They provide many advantages
like we know NFC provides faster speed, GSM provides
many already implemented services that make these models
implementation easy and straightforward, QR-Code is a less
costly and straightforward technology used in many mobile
payment systems. U2F is much secure and reliable than QR-
code, NFC, or Bluetooth.
VII. SECURITY ANALYSIS OF M-PAYMENT SYSTEMS
This section presents the security analysis of M-Payments
system. Security analysis comprise of various services:
Authentication, Mutual Authentication, Integrity, Customer
Anonymity and Non Repudiation. Figure 8 the overall ser-
vice hierarchy of m-payment system. Below we explain each
services in detail
12 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 6: Comparison of reviewed papers on the basis of payment system technology, architecture, communication entity
involvement, assumption, advantages and disadvantages of solutions (I)
Ref M-Payment
Based On
Architecture
Used
M-Payment Be-
tween
Provides Assumption Advantage Disadvantage
[105] RFID RFID & SIM User & POS
User & Service
provider User
can also deposit
money
Easy to pay service
and ATM/Credit card
functionality through
mobile
RFID readers are
installed at stations,
shopping malls, & at
ATM,
Flexibility, time,
workforce reduction,
safety & mobility
Some issues in security &
privacy in RFID Chances
of unauthorized use are
present in case of theft or
loss of mobile.
[107] J2EE and J2ME
capabilities
Java, Bluetooth Payment server &
mobile clients
Confidentiality and
Authentication
MIDP application is
uploaded to client’s
mobile
It overcomes the API and
technical limitations, as
well as security considera-
tion
As the number of clients
increases the delay (mil-
liseconds) will increase
over Bluetooth environ-
ment
[111] Existing
models
SEMOPS &
trusted third
elements
Customer & Mer-
chant
Privacy & Non-
Repudiation
All parties possess
certificates among
each other
It introduces trusted third
elements & follows new
Mechanism to achieve pri-
vacy & non-repudiation
Difficult to implement
[112] Multiple layers SMS, GSM Consumer & con-
tent provider
Security & High Scal-
ability
- It provides low cost and
technical requirement,
high scalability, and
security
The system required to be
more simplified, improve
the security & application
of digital signatures
[109] Scenario for m-
payment mod-
els
NFC, QR code Customer & Mer-
chant
Speed & Security - For speed, transaction is
initiated by merchant be-
cause he has more reliable
& continuous connection
with 3rd party
For every new
purchase, there will
be authentication by
merchant’s involvement
which can make him
busy and it can affect his
availability
TABLE 7: Comparison of reviewed papers based on payment system technology, architecture, communication entity involve-
ment, assumption, advantages and disadvantages of solutions (II)
Ref M-Payment
Based On
Architecture Used M-Payment Be-
tween
Provides Assumption Advantage Disadvantage
[106] Identity Based
Cryptography
(IBC)
IB Signatures and
One Time Key
Consumer and
Merchant
Privacy and Security of
transferred data
- IBC framework is simple
and less costly
Higher number of crypto-
graphic operations
[100] GSM NFC and GSM Point-of-Sale
(POS) and the
customer
Security for low value
payments, customer
anonymity and ubiquitous
implementation
Secure channel between
payment gateway and shop
POS
Re-using existing GSM se-
curity mechanisms Pay-
ment is same as paying by
debit or credit card.
-Short length of encryp-
tion key. -Merchants need
to register themselves with
mobile operator -protocol
is complex as compared
to m-payment via SMS or
WAP
[113] SMS SMS, WAP or Blue-
tooth and J2ME.
Payer’s or
Payee’s bank
Secure M-Payment for
macro transactions -less
encryption or decryption
operations
Trusted payment gateway
is involved between
payer’s and payee’s banks
This scheme shares
payee’s financial data with
banks only
If mobile got stolen and
PIN got also leaked then
there are chances of finan-
cial loss
[114] PKI QR-Code and PKI Client and mer-
chant
Additional layer of secu-
rity for m-payment sys-
tems
Trusted third party is in-
volved to secure encryp-
tion keys and to ensure le-
gitimate users
This scheme uses RSA
which is considered as
strongest asymmetric en-
cryption system
For stronger security
longer key pair is required
which leads to larger size
of QR code
[115] 3G 3G, SMS and IVR Client and server
(Mobile Payment
Platform)
Intelligent travel design by
using m-payment system
- By using this user can pay
fines, insurance amount or
can query traffic violations
rules etc
Initial connection in this
system takes longer time
[116] 2D Bar Code
QR 2D Bar
Code
Point-of-Sale (POS)
and the customer
Advantages to
support buy-and-
sale products and
services base on
2D Barcodes
Trusted third party authen-
tication server is used as
Certification authority
- Products can be traded
anywhere, anytime Easy to
use Reduce user input
Computations are little
complex
[117] SMS SMS P2PPeer-to-peer It provides features like se-
curity, privacy, speed and
less cost
- Money transfer can be
done by transmitting mo-
bile number only
Huge number of differ-
ent device OS and devel-
opment environment may
prevent Support for all de-
vices
1) Confidentiality
In [97], confidentiality is provided by using Java components.
In [98], [115] uses cryptography to provide confidentiality.
In [106] OTP and PKI infrastructure are used to provide
confidentiality. In [100] GSM security mechanism is used
which provide confidentiality via A5 and A8 algorithm. In
[103], [107] confidentiality is achieved by using Symmetric
key cryptography to provide confidentiality. Paper [104] uses
RSA encryption mechanism to provide confidentiality. In
[111] DES and ECC are used to achieve confidentiality. In
[105] confidentiality is achieved by using AES and RSA.
In [112] secured end-to-end encryption is used to provide
confidentiality. In [118] symmetric key encryption is used to
provide confidentiality. In [114] RSA encryption mechanism
is used to achieve the confidentiality. In [109] Asymmetric
cryptosystem is used to provide encryption. In [101] AES
is used to provide confidentiality which is a type of sym-
metric key cryptography. [116] provides confidentiality by
VOLUME 4, 2016 13
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 8: Comparison of reviewed papers on the basis of payment system technology, architecture, communication entity
involvement, assumption, advantages and disadvantages of solutions (III)
Ref M-Payment Based
On
Architecture Used M-Payment Be-
tween
Provides Assumption Advantage Disadvantage
[118] Cryptographic Pro-
tocol Shape Ana-
lyzer (CPSA)
CPSA Merchant and
payment gateway
Payment mechanism ensuring
accountability and un-linkable
anonymity less number of
cryptographic operations
Customer browses through the
merchant website
Customer has an option of
making payment using cards of
different banks
Limited to a maximum of two
gateways
[114] Traceable
signatures, identity-
based signatures,
anonymous
signatures
Signatures Ternminal and
Passenger
Provides mechanism to protect
passenger’s privacy
Off-board terminal trusts on-
board terminal
It can be applied to off-line mo-
bile payment systems
-
[108] Unstructured
Supplementary
Service Data
(USSD)
USSD and SMS User to Agent
and Agent to
User
Secured transaction by using
two layers of authentication
Mobile wallet number is same
as mobile number and there is
large no. of agent points across
the country
Mitigate human error and pre-
vent cyber-frauds
Doesn’t consider confidential-
ity and integrity aspect
[109] Universal 2nd Fac-
tor (U2F)
U2F, USIM User to Server Secure mutual authentication
protocol for m-payment sys-
tems
- Provides a reliable service and
protect user’s account informa-
tion and privacy
In registration process, it will
take time since it is using
asymmetric cryptosystem
[106] NFC Wi-Fi, 4G, GSM NFC Bank to bank
(POS)
Enhance the security of the
EMV(Europay, MasterCard,
and Visa) exchanged messages
Mobile network operator
(MNO) is trusted by NFC
enabled Mobile
Adds a security layer to EMV
and ensures confidentiality and
mutual authentication
It will be failed if POS entity is
dishonest
[118] NFC NFC User and TSM
(Trusted Service
Manager)
Secure protocol which is com-
patible with EMV
TSM and Bank own their key
pairs of a PKI cryptosystem
User can perform transaction
without disclosing his identity.
Requires a high computation
power for TSM and bank
[116] NFC enable phone NFC and trusted third
party
User and Mer-
chant
User anonymity - Un-linkable anonymity to user -
[119] SMS - User and bank,
bank and gateway
Secure transaction with formal
technique
- Less time take for key genera-
tion and encryption decryption,
and scheme security is verified
by tools
Only for Android and Java 2
Micro Edition device
[115] Application Based Mobile transaction
authentication
number system
User and Bank Application-based system that
is comparatively more secure
than SMS based system
Attacker can get access to web
and SMS at the same time
More security than SMS based
MTAN
Less efficient than MTAN
M Payment
Security
Confidentiality
Symmetric
A Symmetric
PIN &
Account No.
Mobile & QR
Code
Short Code
PKI / Digital
Signatures
GSM
Encryption /
A5
AES / DES
Key
Management
RSA
Authentication
Multi Factor
Single Factor
One Time
Password
ECC SMS &
Secret Key
CPSA RFID
FIGURE 8: M-Payment Security
encrypting the information using asymmetric keys and the
key pair stored in the secure storage [117] to protect from
unauthorized access. In [113] confidentiality is achieved by
using ECC which is a type of asymmetric key cryptography.
2) Authentication
In [96] authentication is performed by reading the RFID
tag, which is embedded in the SIM card. RFID reader au-
thenticates the user in this scheme. In [97] authentication is
provided by asking for a PIN and account number. In [99]
Control and communicating interface are used to provide
authentication. In [102] authentication is done by using NFC
enabled mobile phone and QR-code/PIN. In [100] triple
authentication mechanism is ensured by using the challenge-
response protocol. In [107] authentication is provided by
using SMS and secret key. Paper [111] ensures authentication
14 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
TABLE 9: MPS technology specific categorization
Technology Papers %
NFC [102], [103], [101], [100], [106], [116] 28.57
GSM [96], [99], [100], [101] 19.04
SMS [99], [100], [107], [111], [112], [108], [113], [115] 38.09
RFID [96] 4.76
QR-Code [102], [104], [105] 14.28
Bluetooth [97], [107] 9.52
U2F [109] 4.76
by using signature schemes (DES and ECC). Paper [112]
uses short-codes to provide authentication. In [118] Isomor-
phic shapes are used for authentication.
3) Mutual Authentication
In [98], [106], [113] Payment requests are signed by signing
key (Digital Signatures) of both client & merchant to achieve
mutual authentication. In [104] mutual authentication is en-
sured by using the RSA-PKI mechanism. In [105] RSA-
Digital Signature is used to provide mutual authentication.
In [114] identity-based signatures are used to achieve mutual
authentication. In [108] mutual authentication is achieved
by using Mobile Wallet number and PIN. In [109] mu-
tual authentication is provided by using Asymmetric keys,
valid username & password. For authentication [101] uses
Session-key and challenge-response authentication. To en-
sure mutual authentication [103] uses secret key and public
key infrastructure (PKI). In [116] authentication is provided
by using digital signatures. In this scheme, mutual authenti-
cation is only between the user and the bank.
4) Integrity
To ensure the data has not tampered during transaction [114],
[113], [106], [109], [100], [101] use hash packets and verify
the hash. Paper [107] uses a private banking network and
secure payer confirmation to ensure integrity. In [104] in-
tegrity is ensured by using QR-Code. In [105] RSA-Digital
signature algorithm is used to ensure integrity. [100] Achieve
the integrity by Message Authentication Code (MAC) that
is embedded in the ciphertext. In [116], the information
is encrypted with shared key among bank/user and signed
with user’s private key that protects the information from
unauthorized modification.
5) Customer Anonymity
In [98] there is no need to get registered to the merchant
or any 3rd party before or during the transaction, which
ensures the anonymity of the client. In [100] the client’s
long-term ID is not revealed to the merchant, which ensures
the client’s anonymity. In [112] anonymity of consumer
is ensured because it only requires the consumer’s mobile
number or short-code provided by them-payment application
service provider. In [118] customer’s identity is dynamic and
updated frequently to ensure the anonymity of a customer.
In [114] client’s anonymity is ensured by hiding session and
transit information. [116], [103] achieve anonymity by using
virtual accounts for clients whom the bank assigns. [120] pro-
poses a novel approach of ensuring privacy, confidentiality,
and authentication using a hybrid scheme for location and
payment authentication.
6) Non Repudiation
In [116] Non-repudiation is ensured by using the signing
key and timestamp. In [106] IBC-Signatures are used which
ensures non-repudiation in their scheme. In [107] three fac-
tors are used to prove non-repudiation of the client (by
checking the status response of the client, session key, and the
offline PIN). Paper [105] uses RSA-Digital Signature to sign
transaction information which ensures non-repudiation of
transactions. Papers [109], [113] use signatures to ensure the
legitimate user and non-repudiation. [101] ensures the non-
repudiation by hashing the transaction data with the shared
key. In [121], authors explore data sharing and privacy for
patient IoT devices using block-chain. In [116], the secure
storage of NFC generates the key pair (public, private) for a
virtual account, and a private key signs all messages during
the transaction process, which ensures non-repudiation in
their scheme.
TABLE 10: Security specific categorization of reviewed re-
search papers
Security feature Papers %
Confidentiality [97], [98], [100], [101], [111],
[112], [103], [104], [105], [107],
[106], [109], [118], [114], [116],
[113], [115]
80.09
Authentication [96], [97], [98], [99], [102], [100],
[101], [103], [104], [105], [107],
[111], [112], [108], [118], [106],
[109], [114], [116], [113], [115]
100
Integrity [100], [101], [103], [104], [105],
[107], [106], [109], [114], [116],
[113], [115]
57.14
Mutual Authentication [98], [101], [103], [104], [105],
[108], [106], [109], [114], [116],
[113], [115]
57.14
Customer Anonymity [98], [116], [114], [118], [112],
[100], [103]
33.33
Non-Repudiation [98], [101], [105], [107], [106],
[109], [116], [113]
38.09
The overall security features provided by each paper in our
study are described in Table 10. It tells us that all the systems
we have reviewed ensure authentication, and most of them
also provide encryption. The main aspects considered in each
payment system are encryption and authentication; without
these two aspects, no system can be said as secure enough.
Integrity and registration of clients or merchants have also
got much importance and value while designing any payment
system.
VIII. CHALLENGES AND FUTURE WORK
Due to the increase in technology used worldwide to ease
daily life activities, mobile payment systems also emerged
rapidly for the same reasons. Tasks that take hours to perform
by visiting the banks are now at the fingertips using smart-
VOLUME 4, 2016 15
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
phones and allied payment infrastructure in digital forms.
This ease also brought some related issues, the most danger-
ous of which is the threat of malicious actors hacking the
payment system to steal money. The recent hacking of block-
chain-based cryptocurrency exchanges, which were previ-
ously considered the most secure digital payment system,
rings the bells that the hackers circumvent ways to bypass the
securities in place. This new battleground between the good
and the bad for enhancing and ensuring the security of mobile
payment systems against emerging threats is an affluent area
to explore in the future.
In any field, there is always the possibility of enhance-
ments and improvement. In the future, we intend to focus on
understanding the preferences of consumers and the reasons
to utilize or not utilize a specific technology-enabled service
as it is vital to design viable services that generate value to
consumers and the other stakeholders of an ecosystem. The
usage of mobile phones is high, and it is in almost every
person’s approach. Most of the work or daily transactions or
communication is done through a mobile phone; that is why
many companies introduced their services for mobile phones.
Mobile payment methods are also available nowadays, but it
needs more security than other mobile phone services.
An increase in mobile payment solutions will increase
the user base, which is already sufficient compared to other
traditional methods. This increase will ultimately result in a
load on the network infrastructure, which is the backbone
of the success of such solutions. Advancement in next-
generation networks and their impact on mobile payment
solutions will be another research area to explore. Further to
this, research can be done on current bottlenecks resulting
in lesser mobile payment solutions and remedial measures
using network advancements.
This research has some practical and theoretical limita-
tions that may provide valuable findings for future research.
For example, we do not consider the potential impact of digi-
tization on mobile payment systems, making behaviors more
complex than those resulting from modular reorganization
alone. Our goal when choosing this project is to record dy-
namics that cannot be found in developed countries. We hope
our findings can be applied to other mobile payment systems
in emerging economies. However, future comparative studies
using larger samples or more extreme cases will confirm
the extent to which our results can be generalized. Since all
cases are based on mobile network operators (MNOs), future
research on banks or third-party models will help discuss
mobile payment systems in the literature.
IX. CONCLUSION
This paper has discussed various payment schemes and their
usage, technology, and provided security. Most payment
methods are account-based payment systems, and their main
focus is on security, privacy, confidentiality, and authen-
tication. We present an overview and discussed different
components of MPS. We present a detailed survey of the
existing MPS structure and its limitations; provide detailed
history, development, and deployment of MPS. Discussed
different aspects of MPS included socioeconomic conditions,
Cost Efficiency, diffusion of mobile phones, convenience,
new initiatives, heavy restrictions and regulations, limited
collaboration, underdeveloped ecosystem, and security prob-
lems; the key attributes of MPS, and stakeholder and com-
munication entities roles in MPS form different aspects. We
discussed different security mechanisms involved in MPS.
Provide analysis of the encryption technologies, authentica-
tion methods, and firewall in MPS. All the papers suggest
different techniques to provide different security aspects.
However, the main point is that keeping in check the CIA
triad, each payment should be made with authentication and
encryption because the future of MPS depends on its security
features.
REFERENCES
[1] S. F. Verkijika, “An affective response model for understanding the
acceptance of mobile payment systems,” Electronic Commerce Research
and Applications, vol. 39, p. 100905, 2020.
[2] A. R. Javed, M. O. Beg, M. Asim, T. Baker, and A. H. Al-Bayatti, “Al-
phalogger: Detecting motion-based side-channel attack using smartphone
keystrokes,” Journal of Ambient Intelligence and Humanized Computing,
pp. 1–14, 2020.
[3] S. Cimato, “Design of an authentication protocol for gsm javacards,”
in International Conference on Information Security and Cryptology,
pp. 355–368, Springer, 2001.
[4] S. Kungpisdan, B. Srinivasan, and P. D. Le, “A practical framework for
mobile set payment,” in Proceedings of International ESociety Confer-
ence, pp. 321–328, 2003.
[5] L. Marvel and C. Boncelet, “Authentication for low power systems,” in
2001 MILCOM Proceedings Communications for Network-Centric Op-
erations: Creating the Information Force (Cat. No. 01CH37277), vol. 1,
pp. 135–138, IEEE, 2001.
[6] Y. Wang, C. Hahn, and K. Sutrave, “Mobile payment security, threats,
and challenges,” in 2016 second international conference on mobile and
secure services (MobiSecServ), pp. 1–5, IEEE, 2016.
[7] S. Deep, X. Zheng, A. Jolfaei, D. Yu, P. Ostovari, and A. Kashif Bashir,
“A survey of security and privacy issues in the internet of things from
the layered context,” Transactions on Emerging Telecommunications
Technologies, p. e3935, 2020.
[8] C. Iwendi, Z. Jalil, A. R. Javed, T. Reddy, R. Kaluri, G. Srivastava, and
O. Jo, “Keysplitwatermark: Zero watermarking algorithm for software
protection against cyber-attacks,” IEEE Access, vol. 8, pp. 72650–72660,
2020.
[9] A. Rehman Javed, Z. Jalil, S. Atif Moqurrab, S. Abbas, and X. Liu, “En-
semble adaboost classifier for accurate and fast detection of botnet attacks
in connected vehicles,” Transactions on Emerging Telecommunications
Technologies, p. e4088, 2020.
[10] M. Baza, N. Lasla, M. Mahmoud, G. Srivastava, and M. Abdallah,
“B-ride: Ride sharing with privacy-preservation, trust and fair payment
atop public blockchain,” IEEE Transactions on Network Science and
Engineering, 2019.
[11] R. M. Mohammad and H. Y. AbuMansour, “An intelligent model for
trustworthiness evaluation in semantic web applications,” in 2017 8th
International Conference on Information and Communication Systems
(ICICS), pp. 362–367, IEEE, 2017.
[12] D. Preuveneers, T. Heyman, Y. Berbers, and W. Joosen, “Feature-based
variability management for scalable enterprise applications: Experiences
with an e-payment case,” in 2016 49th Hawaii International Conference
on System Sciences (HICSS), pp. 5793–5802, IEEE, 2016.
[13] E. Turban, J. Outland, D. King, J. K. Lee, T.-P. Liang, and D. C. Turban,
“Mobile commerce and the internet of things,” in Electronic Commerce
2018, pp. 205–248, Springer, 2018.
[14] M. Hubert, M. Blut, C. Brock, C. Backhaus, and T. Eberhardt, “Accep-
tance of smartphone-based mobile shopping: Mobile benefits, customer
characteristics, perceived risks, and the impact of application context,”
Psychology & Marketing, vol. 34, no. 2, pp. 175–194, 2017.
16 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
[15] S. EDITION, “Cryptography and network security.”
[16] “Securing the future of payments together.” Last accessed 14 May 2020.
[17] T. Depot, “The home depot reports findings in payment data breach
investigation,” 2014.
[18] J. Téllez and S. Zeadally, Mobile Payment Systems. Springer, 2017.
[19] T. Dahlberg, J. Guo, and J. Ondrus, “A critical review of mobile payment
research,” Electronic Commerce Research and Applications, vol. 14,
no. 5, pp. 265–284, 2015.
[20] T. Dahlberg, N. Mallat, J. Ondrus, and A. Zmijewska, “Past, present
and future of mobile payments research: A literature review,” Electronic
commerce research and applications, vol. 7, no. 2, pp. 165–181, 2008.
[21] J. Lee, M. H. Ryu, and D. Lee, “A study on the reciprocal relationship be-
tween user perception and retailer perception on platform-based mobile
payment service,” Journal of Retailing and Consumer Services, vol. 48,
pp. 7–15, 2019.
[22] S. Saxena, S. Vyas, B. S. Kumar, and S. Gupta, “Survey on online
electronic paymentss security,” in 2019 Amity International Conference
on Artificial Intelligence (AICAI), pp. 756–751, IEEE, 2019.
[23] A. Thangamuthu, “A survey on various online payment and billing
techniques,” Humanities, vol. 7, no. 3, pp. 86–91, 2020.
[24] A. Saranya and R. Naresh, “Efficient mobile security for e health care
application in cloud for secure payment using key distribution,” Neural
Processing Letters, pp. 1–12, 2021.
[25] J. Wang and J.-Y. Lai, “Exploring innovation diffusion of two-sided
mobile payment platforms: A system dynamics approach,” Technological
Forecasting and Social Change, vol. 157, p. 120088, 2020.
[26] F. Liébana-Cabanillas, I. Ramos de Luna, and F. Montoro-Ríos, “Inten-
tion to use new mobile payment systems: a comparative analysis of sms
and nfc payments,” Economic research-Ekonomska istraživanja, vol. 30,
no. 1, pp. 892–910, 2017.
[27] M. Masihuddin, B. U. I. Khan, M. Mattoo, and R. F. Olanrewaju, “A
survey on e-payment systems: elements, adoption, architecture, chal-
lenges and security concepts,” Indian Journal of Science and Technology,
vol. 10, no. 20, pp. 1–19, 2017.
[28] V. Kumar, K.-K. Lai, Y.-H. Chang, P. C. Bhatt, and F.-P. Su, “A structural
analysis approach to identify technology innovation and evolution path:
a case of m-payment technology ecosystem,” Journal of Knowledge
Management, 2020.
[29] S. Solat, “Security of electronic payment systems: A comprehensive
survey,” arXiv preprint arXiv:1701.04556, 2017.
[30] M. Kim, S. Kim, and J. Kim, “Can mobile and biometric payments re-
place cards in the korean offline payments market? consumer preference
analysis for payment systems using a discrete choice model,” Telematics
and Informatics, vol. 38, pp. 46–58, 2019.
[31] F. Liébana-Cabanillas, S. Molinillo, and M. Ruiz-Montañez, “To use or
not to use, that is the question: Analysis of the determining factors for us-
ing nfc mobile payment systems in public transportation,” Technological
Forecasting and Social Change, vol. 139, pp. 266–276, 2019.
[32] I. R. de Luna, F. Liébana-Cabanillas, J. Sánchez-Fernández, and
F. Muñoz-Leiva, “Mobile payment is not all the same: The adoption of
mobile payment systems depending on the technology applied,” Techno-
logical Forecasting and Social Change, vol. 146, pp. 931–944, 2019.
[33] M. Sumathy and K. Vipin, “Digital payment systems: Perception and
concerns among urban consumers,” IJAR, vol. 3, no. 6, pp. 1118–1122,
2017.
[34] S. Fatonah, A. Yulandari, and F. Wibowo, “A review of e-payment system
in e-commerce,” in Journal of Physics: Conference Series, vol. 1140,
p. 012033, IOP Publishing, 2018.
[35] S. Evans and A. Pirchio, “An empirical examination of why mobile
money schemes ignite in some developing countries but flounder in most.
university of chicago coase-sandor institute for law & economics research
paper no. 723,” 2015.
[36] P. Van der Boor, P. Oliveira, and F. Veloso, “Users as innovators in
developing countries: The global sources of innovation and diffusion in
mobile banking services,” Research Policy, vol. 43, no. 9, pp. 1594–1607,
2014.
[37] S. Dodini, A. A. Lopez-Fernandini, E. A. Merry, L. Thomas, et al.,
“Consumers and mobile financial services 2016,” tech. rep., Board of
Governors of the Federal Reserve System (US), 2016.
[38] R. Duncombe, “Researching impact of mobile phones for development:
concepts, methods and lessons for practice,” Information technology for
Development, vol. 17, no. 4, pp. 268–288, 2011.
[39] A. Dermish, C. Kneiding, P. Leishman, and I. Mas, “Branchless and
mobile banking solutions for the poor: a survey of the literature,” Inno-
vations: Technology, Governance, Globalization, vol. 6, no. 4, pp. 81–98,
2011.
[40] J. Liu, R. J. Kauffman, and D. Ma, “Competition, cooperation, and reg-
ulation: Understanding the evolution of the mobile payments technology
ecosystem,” Electronic Commerce Research and Applications, vol. 14,
no. 5, pp. 372–391, 2015.
[41] N. Iman, “Is mobile payment still relevant in the fintech era?,” Electronic
Commerce Research and Applications, vol. 30, pp. 72–82, 2018.
[42] A. A. Ozok and J. Wei, “An empirical comparison of consumer usability
preferences in online shopping using stationary and mobile devices: re-
sults from a college student population,” Electronic Commerce Research,
vol. 10, no. 2, pp. 111–137, 2010.
[43] A. A. Shaikh and H. Karjaluoto, “Mobile banking adoption: A literature
review,” Telematics and informatics, vol. 32, no. 1, pp. 129–142, 2015.
[44] E. L. Slade, M. D. Williams, and Y. Dwivedi, “Extending utaut2 to
explore consumer adoption of mobile payments.,” UKAIS, vol. 36, 2013.
[45] T. Oliveira, M. Thomas, G. Baptista, and F. Campos, “Mobile payment:
Understanding the determinants of customer adoption and intention to
recommend the technology,” Computers in Human Behavior, vol. 61,
pp. 404–414, 2016.
[46] V. Kumar, N. Nim, and A. Sharma, “Driving growth of mwallets in
emerging markets: a retailer’s perspective,” Journal of the Academy of
Marketing Science, vol. 47, no. 4, pp. 747–769, 2019.
[47] R. Glavee-Geo, A. A. Shaikh, H. Karjaluoto, and R. E. Hinson, “Drivers
and outcomes of consumer engagement,” International Journal of Bank
Marketing, 2019.
[48] M. G. Nejad, T. Apanasevic, J. Markendahl, and N. Arvidsson, “Stake-
holders’ expectations of mobile payment in retail: lessons from sweden,”
International Journal of Bank Marketing, 2016.
[49] J. T. Isaac and Z. Sherali, “Secure mobile payment systems,” IT Profes-
sional, vol. 16, no. 3, pp. 36–43, 2014.
[50] J. Sun and N. Zhang, “The mobile payment based on public-key secu-
rity technology,” in Journal of Physics: Conference Series, vol. 1187,
p. 052010, IOP Publishing, 2019.
[51] P. Chaudhury, S. Dhang, M. Roy, S. Deb, J. Saha, A. Mallik, S. Bal,
S. Roy, M. K. Sarkar, S. Kumar, et al., “Acafp: Asymmetric key based
cryptographic algorithm using four prime numbers to secure message
communication. a review on rsa algorithm,” in 2017 8th Annual Indus-
trial Automation and Electromechanical Engineering Conference (IEME-
CON), pp. 332–337, IEEE, 2017.
[52] J. Zhang, “A study on application of digital signature technology,” in
2010 International Conference on Networking and Digital Society, vol. 1,
pp. 498–501, IEEE, 2010.
[53] S. F. Al-Janabi and A. K. Obaid, “Development of certificate authority
services for web applications,” in 2012 International Conference on
Future Communication Networks, pp. 135–140, IEEE, 2012.
[54] O. Ogbanufe and D. J. Kim, “Comparing fingerprint-based biometrics
authentication versus traditional authentication methods for e-payment,”
Decision Support Systems, vol. 106, pp. 1–14, 2018.
[55] A. K. Jain, P. Flynn, and A. A. Ross, Handbook of biometrics. Springer
Science & Business Media, 2007.
[56] C. S. Weir, G. Douglas, T. Richardson, and M. Jack, “Usable security:
User preferences for authentication methods in ebanking and the effects
of experience,” Interacting with Computers, vol. 22, no. 3, pp. 153–164,
2010.
[57] H. Crawford, K. Renaud, and T. Storer, “A framework for continuous,
transparent mobile device authentication,”Computers & Security, vol. 39,
pp. 127–136, 2013.
[58] S. Byun and S.-E. Byun, “Exploring perceptions toward biometric tech-
nology in service encounters: a comparison of current users and potential
adopters,” Behaviour & Information Technology, vol. 32, no. 3, pp. 217–
230, 2013.
[59] I. M. Alsaadi, “Physiological biometric authentication systems, advan-
tages, disadvantages and future development: A review,” International
Journal of Scientific & Technology Research, vol. 4, no. 12, pp. 285–289,
2015.
[60] A. Alzubaidi and J. Kalita, “Authentication of smartphone users using
behavioral biometrics,” IEEE Communications Surveys & Tutorials,
vol. 18, no. 3, pp. 1998–2026, 2016.
[61] M. Rouse, “Single-factor authentication (sfa),”
https://searchsecurity.techtarget.com/, 2017.
[62] A. Rahav, “The secret security wiki,”
https://doubleoctopus.com/security-wiki/ authentication/single-factor-
authentication/, 2018.
VOLUME 4, 2016 17
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
[63] A. Ometov, S. Bezzateev, N. Mäkitalo, S. Andreev, T. Mikkonen, and
Y. Koucheryavy, “Multi-factor authentication: A survey,” Cryptography,
vol. 2, no. 1, p. 1, 2018.
[64] C. Hamilton and A. Olmstead, “Database multi-factor authentication
via pluggable authentication modules,” in 2017 12th International Con-
ference for Internet Technology and Secured Transactions (ICITST),
pp. 367–368, IEEE, 2017.
[65] K. K. Lakshmi, H. Gupta, and J. Ranjan, “Ussd—architecture analysis,
security threats, issues and enhancements,” in 2017 International Con-
ference on Infocom Technologies and Unmanned Systems (Trends and
Future Directions)(ICTUS), pp. 798–802, IEEE, 2017.
[66] S. Castle, F. Pervaiz, G. Weld, F. Roesner, and R. Anderson, “Let’s
talk money: Evaluating the security challenges of mobile money in the
developing world,” in Proceedings of the 7th Annual Symposium on
Computing for Development, pp. 1–10, 2016.
[67] B. Reaves, J. Bowers, N. Scaife, A. Bates, A. Bhartiya, P. Traynor,
and K. R. Butler, “Mo (bile) money, mo (bile) problems: Analysis of
branchless banking applications,” ACM Transactions on Privacy and
Security (TOPS), vol. 20, no. 3, pp. 1–31, 2017.
[68] R. Mahajan, J. Saran, and A. Rajagopalan, “Mitigating emerging fraud
risks in the mobile money industry,” Deloitte: Mumbai, India, 2015.
[69] F. Salahdine and N. Kaabouch, “Social engineering attacks: a survey,”
Future Internet, vol. 11, no. 4, p. 89, 2019.
[70] M. W. Buku and R. Mazer, “Fraud in mobile financial services: protecting
consumers, providers, and the system,” tech. rep., The World Bank, 2017.
[71] S. Lonie, “Fraud risk management for mobile money: An overview.
2017,” 2017.
[72] P. Sharma, “A contemplate on multifactor authentication,” in 2019 6th
International Conference on Computing for Sustainable Global Develop-
ment (INDIACom), pp. 824–827, IEEE, 2019.
[73] A. Kumari, S. Jangirala, M. Y. Abbasi, V. Kumar, and M. Alam, “Eseap:
Ecc based secure and efficient mutual authentication protocol using
smart card,” Journal of Information Security and Applications, vol. 51,
p. 102443, 2020.
[74] L. Katusiime, “Mobile money use: The impact of macroeconomic policy
and regulation,” Economies, vol. 9, no. 2, p. 51, 2021.
[75] K. McKee, M. Kaffenberger, and J. M. Zimmerman, “Doing digital
finance right: The case for stronger mitigation of customer risks,” Focus
Note, vol. 103, 2015.
[76] G. Ali, M. Ally Dida, and A. Elikana Sam, “Evaluation of key security
issues associated with mobile money systems in uganda,” Information,
vol. 11, no. 6, p. 309, 2020.
[77] R. Gwahula, “Risks and barriers associated with mobile money transac-
tions in tanzania,” 2016.
[78] G. Ali, M. Ally Dida, and A. Elikana Sam, “Two-factor authentication
scheme for mobile money: A review of threat models and countermea-
sures,” Future Internet, vol. 12, no. 10, p. 160, 2020.
[79] D. Kunda and M. Chishimba, “A survey of android mobile phone authen-
tication schemes,” Mobile Networks and Applications, pp. 1–9, 2018.
[80] F. S. G. Talom, R. K. Tengeh, et al., “The impact of mobile money on the
financial performance of the smes in douala, cameroon,” Sustainability,
vol. 12, no. 1, pp. 1–1, 2019.
[81] B. W. Nyamtiga, A. Sam, and L. S. Laizer, “Enhanced security model for
mobile banking systems in tanzania,” Intl. Jour. Tech. Enhancements and
Emerging Engineering Research, vol. 1, no. 4, pp. 4–20, 2013.
[82] W. Ahmed, F. Shahzad, A. R. Javed, F. Iqbal, and L. Ali, “Whatsapp
network forensics: Discovering the ip addresses of suspects,” in 2021
11th IFIP International Conference on New Technologies, Mobility and
Security (NTMS), pp. 1–7, 2021.
[83] A. Chowdhury, “Recent cyber security attacks and their mitigation
approaches–an overview,” in International conference on applications and
techniques in information security, pp. 54–65, Springer, 2016.
[84] M. S. Sadekin and A. Shaikh, “Security of e-banking in bangladesh,” J.
Financ. Account, vol. 4, no. 1, 2016.
[85] A. F. Altwairqi, M. A. AlZain, B. Soh, M. Masud, and J. Al-Amri, “Four
most famous cyber attacks for financial gains,” Int. J. Eng. Adv. Technol.
IJEAT, vol. 9, pp. 2131–2139, 2019.
[86] N. Shaw, “The mediating influence of trust in the adoption of the mobile
wallet,” Journal of Retailing and Consumer Services, vol. 21, no. 4,
pp. 449–459, 2014.
[87] N. Kshetri, “Cybercrime and cybersecurity in africa,” 2019.
[88] L. Tamazirt, F. Alilat, and N. Agoulmine, “Nfc-based ubiquitous moni-
toring system for e-industry,” in 2017 Third International Conference on
Mobile and Secure Services (MobiSecServ), pp. 1–4, IEEE, 2017.
[89] A. Bhatta and A. K. Mishra, “Gsm-based commsense system to measure
and estimate environmental changes,” IEEE Aerospace and Electronic
Systems Magazine, vol. 32, no. 2, pp. 54–67, 2017.
[90] Y.-C. Tsao, Q. Zhang, and Q. Zeng, “Supply chain network design
considering rfid adoption,” IEEE Transactions on Automation Science
and Engineering, vol. 14, no. 2, pp. 977–983, 2016.
[91] S. Dix, I. Phau, K. Jamieson, and A. S. Shimul, “Investigating the drivers
of consumer acceptance and response of sms advertising,” Journal of
Promotion Management, vol. 23, no. 1, pp. 62–79, 2017.
[92] S. Mukherjee and S. Mondal, “A scheme for qr code based smart door
locks security system using an arm computer,” in Proceedings of the First
International Conference on Intelligent Computing and Communication,
pp. 613–621, Springer, 2017.
[93] S. S. Hassan, S. D. Bibon, M. S. Hossain, and M. Atiquzzaman, “Security
threats in bluetooth technology,” Computers & Security, vol. 74, pp. 308–
322, 2018.
[94] L. Deng, H. Huang, and Y. Qu, “Identity based proxy signature from rsa
without pairings.,” IJ Network Security, vol. 19, no. 2, pp. 229–235, 2017.
[95] J. M. Kizza, “Security in wireless networks and devices,” in Guide to
Computer Network Security, pp. 397–427, Springer, 2017.
[96] M. A. Qadeer, N. Akhtar, S. Govil, and A. Varshney, “A novel scheme for
mobile payment using rfid-enabled smart simcard,” in 2009 International
Conference on Future Computer and Communication, pp. 339–343,
IEEE, 2009.
[97] S. Manvi, L. Bhajantri, and M. Vijayakumar, “Secure mobile payment
system in wireless environment,” in 2009 International Conference on
Future Computer and Communication, pp. 31–35, IEEE, 2009.
[98] J. Liu, J. Liao, and X. Zhu, “A system model and protocol for mobile
payment,” in IEEE International Conference on e-Business Engineering
(ICEBE’05), pp. 638–641, IEEE, 2005.
[99] X. Zheng and D. Chen, “Study of mobile payments system,” in EEE
International Conference on E-Commerce, 2003. CEC 2003., pp. 24–27,
IEEE, 2003.
[100] W. Chen, G. Hancke, K. Mayes, Y. Lien, and J.-H. Chiu, “Nfc mobile
transactions and authentication based on gsm network,” in 2010 Second
International Workshop on Near Field Communication, pp. 83–89, IEEE,
2010.
[101] M. Al-Tamimi and A. Al-Haj, “Online security protocol for nfc mobile
payment applications,” in 2017 8th International Conference on Informa-
tion Technology (ICIT), pp. 827–832, IEEE, 2017.
[102] S. Nseir, N. Hirzallah, and M. Aqel, “A secure mobile payment system
using qr code,” in 2013 5th International Conference on Computer
Science and Information Technology, pp. 111–114, IEEE, 2013.
[103] S.-W. Chen and R. Tso, “Nfc-based mobile payment protocol with user
anonymity,” in 2016 11th Asia Joint Conference on Information Security
(AsiaJCIS), pp. 24–30, IEEE, 2016.
[104] A. T. Purnomo, Y. S. Gondokaryono, and C.-S. Kim, “Mutual authenti-
cation in securing mobile payment system using encrypted qr code based
on public key infrastructure,” in 2016 6th International Conference on
System Engineering and Technology (ICSET), pp. 194–198, IEEE, 2016.
[105] T. Ma, H. Zhang, J. Qian, X. Hu, and Y. Tian, “The design and implemen-
tation of an innovative mobile payment system based on qr bar code,” in
2015 International Conference on Network and Information Systems for
Computers, pp. 435–440, IEEE, 2015.
[106] Y. Rui-xia, “Design of secure mobile payment system based on ibc,” in
2015 10th International Conference on Broadband and Wireless Comput-
ing, Communication and Applications (BWCCA), pp. 422–425, IEEE,
2015.
[107] H. Harb, H. Farahat, and M. Ezz, “Securesmspay: secure sms mo-
bile payment model,” in 2008 2nd International Conference on Anti-
counterfeiting, Security and Identification, pp. 11–17, IEEE, 2008.
[108] M. H. Firoz and Z. Ahmed, “Defensive protocol to ensure safe mobile
financial transaction in current context,” in 2017 Third Asian Conference
on Defence Technology (ACDT), pp. 54–58, IEEE, 2017.
[109] K. Fan, H. Li, W. Jiang, C. Xiao, and Y. Yang, “U2f based secure mutual
authentication protocol for mobile payment,” in Proceedings of the ACM
Turing 50th Celebration Conference-China, pp. 1–6, 2017.
[110] F. Shahzad, W. Iqbal, and F. S. Bokhari, “On the use of cryptdb for
securing electronic health data in the cloud: A performance study,” in
2015 17th International Conference on E-health Networking, Application
Services (HealthCom), pp. 120–125, 2015.
[111] C. Ruan, F. Xiao, and J. Luo, “Desgn and implementation of mobile
payment system for intelligent travel,” in 2014 IEEE 3rd International
18 VOLUME 4, 2016
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2021.3105450, IEEE Access
Author et al.: Preparation of Papers for IEEE TRANSACTIONS and JOURNALS
Conference on Cloud Computing and Intelligence Systems, pp. 547–552,
IEEE, 2014.
[112] B. Singh and K. Jasmine, “Comparative study on various methods and
types of mobile payment system,” in 2012 International Conference on
Advances in Mobile Network, Communication and Its Applications,
pp. 143–148, IEEE, 2012.
[113] S. Bojjagani and V. Sastry, “A secure end-to-end sms-based mobile bank-
ing protocol,” International journal of communication systems, vol. 30,
no. 15, p. e3302, 2017.
[114] J. Kang and D. Nyang, “A privacy-preserving mobile payment system for
mass transit,” IEEE Transactions on Intelligent Transportation Systems,
vol. 18, no. 8, pp. 2192–2205, 2017.
[115] W. A. Khan, Y. Saleem, G. A. Shah, and A. Farooq, “Modified mobile
transaction authentication number system for 2-layer security,” in 2016
International Conference on Intelligent Systems Engineering (ICISE),
pp. 89–93, IEEE, 2016.
[116] J. N. Luo, M. H. Yang, and S.-Y. Huang, “An unlinkable anonymous
payment scheme based on near field communication,” Computers &
Electrical Engineering, vol. 49, pp. 198–206, 2016.
[117] G. Platform, “The trusted execution environment: Delivering enhanced
security at a lower cost to the mobile market,” White Paper February,
2011.
[118] V. Sureshkumar, R. Anitha, N. Rajamanickam, and R. Amin, “A
lightweight two-gateway based payment protocol ensuring accountability
and unlinkable anonymity with dynamic identity,” Computers & Electri-
cal Engineering, vol. 57, pp. 223–240, 2017.
[119] S. Bojjagani and V. Sastry, “Ssmbp: A secure sms-based mobile banking
protocol with formal verification,” in 2015 IEEE 11th International
Conference on Wireless and Mobile Computing, Networking and Com-
munications (WiMob), pp. 252–259, IEEE, 2015.
[120] D. Lavanya, R. Ramaprabha, B. Thangapandian, and K. Gunaseelan,
“Novel privacy preserving authentication scheme based on physical layer
signatures for mobile payments,” SN Computer Science, vol. 2, no. 2,
pp. 1–11, 2021.
[121] G. Srivastava, R. M. Parizi, A. Dehghantanha, and K.-K. R. Choo,
“Data sharing and privacy for patient iot devices using blockchain,” in
International Conference on Smart City and Informatization, pp. 334–
348, Springer, 2019.
VOLUME 4, 2016 19
