Mobile payment with customer controlled connection : Can it be constructed to be safe enough?

Abstract: The mobile commerce has given birth to many mobile payment systems and this thesis covers the security of a theoretical system where the communication is handled by the customer. There are many technologies that can be used when implementing such a system, each with different strengths and weaknesses. The system designed in this project was constructed for micropayments in vending machines that has no connection to the vendor except for the connection supplied by the customer. The design was then used for analyzing the threats against the designed system and comparing it to an identical system where the connection is supplied by the seller in order to find out the effects on security when changing the communication channel. The comparison shows that even though the designed system is more vulnerable, it is not a major difference and with low value payments, the mobile payment system can depend on the connection supplied by the user. The main advantages to security with this method is the protection against Denial of Service attacks and the protection against mass identity thefts as authentication is no longer done on the machine.