Proceedings of the International Conference on Computer and Communication Engineering 2008, May 13-15, 2008, Kuala Lumpur, Malaysia. 978-1-4244-1692-9/08/$25.00 ©2008 IEEE

A Lightweight and Private Mobile Payment Protocol by Using Mobile Network Operator

Tan Soo Fun, Leau Yu Beng, Jonathan Likoh, Rozaini Roslan
School of Informatics Science, Universiti Malaysia Sabah, Malaysia
soofun4818@yahoo.com

Abstract

Mobile commerce has undoubtedly become an omnipresent and active area of electronic payments. It allows mobile users to purchase goods, pay bills or place a bet from a mobile phone while on the move, anywhere and at any time. Unfortunately, several challenges to accountability and privacy have emerged with the spread of m-commerce in recent years. Consequently, many mobile payment protocols based on public-key cryptography have been proposed. However, the limited capabilities of mobile devices and wireless networks make these protocols unsuitable for mobile networks. In this paper, we propose a secure mobile payment protocol that involves the mobile network operator (MNO) and employs symmetric-key operations. The symmetric cryptographic technique applied in the proposed protocol not only minimizes the computational operations and communication passes between the involved parties, but also achieves complete privacy protection for the payer and satisfies all the criteria of the end-to-end security properties and the parties' requirements, including non-repudiation. Future work will concentrate on improving the verification solution to support mobile user authentication and authorization for mobile payment transactions.

I. INTRODUCTION

Mobile payment is defined as any transaction that is carried out via a mobile device and involves either a direct or an indirect exchange of monetary value between parties [5,13,6]. An interesting aspect of mobile payments is that a mobile phone can be used as the payment device in all types of payment situations.
Optimists are of the opinion that the new world economy will witness the transition of mobile devices from simple communication devices to a payment mechanism [10]. Several mobile payment protocols have been proposed; however, most of them are based on a public key infrastructure (PKI), which does not apply efficiently to wireless networks [14,7,8,2]. In some of them, the engaging parties' credit card information is either stored on their mobile devices or used in the transaction without protection, which makes it vulnerable to attack [9,7,8]. Furthermore, some mobile payment protocol designs do not address customer privacy at all [14,9,7,8]: customer identity and transaction details are revealed not only to the merchant, but also to the payment gateway and the banks [3]. To address these problems, this research aims to create a secure, lightweight mobile payment protocol that uses the mobile network operator and employs symmetric-key operations, and that protects the payer's privacy, ensures the end-to-end security properties, provides accountability and satisfies the engaging parties' security requirements.

The rest of this paper is organized as follows. Some existing mobile payment protocols are briefly explained in Section II. Section III details our new protocol for mobile payment, followed by its preliminary results in Section IV. Finally, Section V concludes this work and presents future work.

II. RELATED WORK

In this section, several existing payment protocols are examined. In general, these payment protocols are composed of four engaging parties: the client (C), the merchant (M), the issuer (the client's financial institution) and the acquirer (the merchant's financial institution). Both issuer and acquirer are represented by a payment gateway (PG), which acts as the medium between them and the client and merchant for clearing purposes.
Three primitive payment transactions occur within these payment protocols: payment (made by the client to pay the merchant), value subtraction (made by the client to request the issuer or payment gateway to deduct the requested amount from the client's account) and value claim (made by the merchant to request the acquirer or payment gateway to transfer the requested amount
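As an added illustration, not code from the paper and not its proposed protocol, the following Python model makes the four-party architecture and the three primitive transactions described above concrete. The ordering of the primitives (value subtraction before value claim), the matching of a claim against a pending subtraction, the `pg_log` record and the sample accounts are assumptions of this example. It also makes visible the privacy point raised in the Introduction: in this conventional model the gateway's record contains the client identity and the transaction details.

```python
"""Toy model of the four-party payment architecture (client, merchant, issuer,
acquirer) with a payment gateway (PG) mediating clearing, and the three
primitive transactions: payment, value subtraction and value claim.

Added example, not the paper's protocol. The ordering of the primitives, the
matching of a claim against a pending subtraction, the pg_log record and the
sample accounts are assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str
    balance: int          # whole currency units (assumed)


@dataclass
class PaymentGateway:
    """Stands in for both issuer and acquirer, as the PG does in Section II."""
    issuer_accounts: dict                        # client name -> Account
    acquirer_accounts: dict                      # merchant name -> Account
    pending: dict = field(default_factory=dict)  # tx_id -> (client, merchant, amount)
    pg_log: list = field(default_factory=list)   # everything the PG learns

    def value_subtraction(self, tx_id, client, merchant, amount, details):
        """Client asks the issuer/PG to deduct `amount` from its account.

        The PG records the client identity and the transaction details: this
        is the leakage towards the gateway that the Introduction criticises.
        """
        acct = self.issuer_accounts.get(client)
        if acct is None or amount <= 0 or acct.balance < amount or tx_id in self.pending:
            return False
        acct.balance -= amount
        self.pending[tx_id] = (client, merchant, amount)
        self.pg_log.append({"tx": tx_id, "client": client, "merchant": merchant,
                            "amount": amount, "details": details})
        return True

    def value_claim(self, tx_id, merchant, amount):
        """Merchant asks the acquirer/PG to transfer `amount` to its account.

        Assumption: a claim is honoured only if it matches a pending value
        subtraction for the same transaction, merchant and amount, and only once.
        """
        entry = self.pending.get(tx_id)
        if entry is None or entry[1] != merchant or entry[2] != amount:
            return False
        if merchant not in self.acquirer_accounts:
            return False
        self.acquirer_accounts[merchant].balance += amount
        del self.pending[tx_id]
        return True


def payment(pg, tx_id, client, merchant, amount, details):
    """The 'payment' primitive as one end-to-end purchase.

    Returns 'settled', 'declined' (subtraction refused) or 'claim_failed'.
    """
    if not pg.value_subtraction(tx_id, client, merchant, amount, details):
        return "declined"
    if not pg.value_claim(tx_id, merchant, amount):
        return "claim_failed"
    return "settled"


def demo():
    """Constructed sample accounts and purchases; returns the gateway."""
    pg = PaymentGateway(issuer_accounts={"alice": Account("alice", 100)},
                        acquirer_accounts={"shop": Account("shop", 0)})
    print(payment(pg, "tx-1", "alice", "shop", 40, "2 concert tickets"))  # settled
    print(payment(pg, "tx-2", "alice", "shop", 500, "laptop"))            # declined
    print("PG learned:", pg.pg_log)
    return pg


if __name__ == "__main__":
    demo()
```

Running the block settles the first purchase, declines the second for insufficient funds, and prints the gateway's log, which names the client and the purchased items for every cleared transaction.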