Various approaches have been proposed to provide point-of-sale services with some level of security, starting with plain credit and debit cards, then cards with embedded chips, and now even cell phones, PDAs, and similar devices. The security of these approaches are predicated on: (a) the level of security of the customer-held entity through which the transaction is made, (b) assumptions around the nature of the environment(s) in which the payment system is used, and (c) the nature of what attacks are believed to be feasible. However, these various approaches do not fully exploit the independent communication path (where this independence is logical or physical) that can be established between the consumer and the back-end financial institution that acts as the guarantor of the purchase transaction, (e.g., from the consumer's cell phone or PDA via a mobile phone network to the consumer's bank).
There is a significant body of work devoted to investigating the use of cell phones and other mobile devices for everyday commercial transactions. One oft-cited and widely-deployed system is NTT DoCoMo's Osaifu-Keitai, or wallet cell phone. These cell phones use Sony's FeliCa contactless integrated circuit (IC) chip to support various e-cash systems such as Edy, and credit card systems such as iD (provided by NTT DoCoMo). Edy can be recharged using either the i-mode protocol or checkout points at participating vendors. A personal identification number (PIN) is used to authenticate the user for recharging e-cash, as well as for authorizing credit card purchases over 10,000 yen. Similarly, the iD credit card system requires the users merely to wave their device in front of a reader to charge a purchase, as long as the amount stays below 10,000 yen. A disadvantage is that a lost or stolen phone can be used for smaller purchases until the device is either locked remotely or runs out of funds. Furthermore, should a flaw in the FeliCa card be discovered that is as exploitable as the one used against the Mifare card, it could prove to be a formidable problem due to the high market penetration of these cell phones. Also, the PIN protection may be rendered useless in the presence of malware such as keyloggers. To date, many of the mobile payment systems have assumed that the cell phone is a trusted platform. While this is generally true of traditional cell phones, recent development of smart phones is seeing cell phones turn into general mobile computing devices. Nokia's N95, for example, has capabilities rivaling those of previous-generation laptop computers. Finally, the system does not take advantage of the direct connection that the phone could make to the bank, leaving this part entirely in the hands of the merchant.
Therefore, there exists ample opportunity for improvement in technologies related to providing secure transaction services.