1. Field of the Invention
The present invention is directed to wireless computing device authenticable transactions, for example, authenticable cashless monetary transactions. For example, a mobile phone wireless wallet.
2. Description of the Related Art
The future ubiquitous computing environment will consist of mobile users with information computing appliances (mobile devices), such as cellular phones or Personal Digital Assistants (PDA's), that will be wirelessly communicating and interacting with the varied services and devices encountered at any particular moment and place. Many applications that operate in such environments have been proposed from the research and business community, but there has not yet been a strong market pull for any particular one. It is apparent that a crucial enabler for ubiquitous computing to emerge into the marketplace is the ability to safely conduct financial transactions using mobile devices in this form of environment.
However, mobile devices, and, in particular, mobile phones, can present certain characteristics, such as limited capabilities (computation power, communication bandwidth, battery capacity, small display, limited keyboard, etc), a typical user who is not technically savvy and cannot be overly burdened with a complex application for executing transactions with other parties, and a wireless transport network that is deemed insecure at the network layer.
There have been many approaches and solutions proposed for the mobile commerce (m-commerce) problem. A few small manufacturers have offered Wireless Local-Area Network (WLAN)-enabled mobile phones and both MOTOROLA and NOKIA have made announcements of plans to offer such phones in 2004.
The current m-commerce practice involves Web Store-Front Payment, in which a consumer pays for goods or services offered by a retailer that has Internet presence. For web pages that are specially prepared for mobile devices, such as those that are WAP-enabled, one could use the mobile device to make a purchase as it is normally done in e-commerce transactions using a web browser on a personal computer. But, since payment typically requires logging in and typing a username and password, this approach is impractical and inefficient on a mobile device, even if the transaction uses Wireless Application Protocol (WAP) and has occurred through a secured network link such as through https or Secure Socket Layer (SSL). In many current web browsing applications, the consumer can pre-register one or more financial accounts with a merchant to save time and avoid repeatedly entering ones financial information, but this approach requires a consumer to register multiple user account information with multiple merchants. Further, in case of a physical point-of-sale (POS) case it is too complex to deploy from a business point of view because it frequently involves integration with the back-end store systems and some form of binding between the payer and the physical goods purchased.
From a data security perspective, existing m-commerce data security solutions rely on Public Key Infrastructure (PKI) technologies. However, PKI solutions suffer from poor computational performance in mobile device environments and complexity of the user experience. There are many different ways PKI can be used for mobile payments. One proposed PKI-based solution for mobile payments is by MET LIMITED, which is discussed at [www.mobiletransaction.org, retrieved on Jan. 5, 2005]. Under existing m-commerce security solutions, a user signs a transaction (a purchase order) with a certificate that authenticates the identity of the user (it is unclear whether each user has a single such certificate or a variety of them, each for every eligible account). For example, handling of multiple security certificates from many vendors is confusing, at best, and can be dangerous if left up to the user. Since these certificates are stored on the mobile device, the certificate store needs to be protected and “unlocked” on a per use basis. If the certificate storage is implemented in software the key used to unlock the storage should be of sufficient length to protect this storage, or it can be instead implemented in hardware, which in case of a mobile phone would require the phone to be designed for this purpose. Such an approach requires an infrastructure for dissemination of certificates (including revocation), possibly specialized mobile phones and possibly some basic understanding by the user of certificates and their usage.