The idea for the technology came out of the U.K. Payments Council's plans to eliminate check payments by 2018. The goal of the Oxford project is to provide a secure channel for making peer-to-peer and person-to-person payments, says Bill Roscoe, a professor at Oxford who headed up the project. The protocol lets the payer conduct transactions via Bluetooth, WiFi, the Internet, SMS messaging, or on a landline phone.
It could be used for shopping or dining out, as well, offering an alternative to writing a check, for instance. "The person who wants to be paid can send details to me via my mobile over this channel, with details of how he wants to be paid, the amount, and an ID for the transaction," for example, Roscoe says. The technology also gives the payer control over how much he pays and to whom, he says.
A consumer could use the technology to order merchandise online via his PC and then pay for it via his mobile phone, for example, or a parent could send his college student money via a permanent key between their phones that lets the parent transfer credit to the student.
Roscoe, a cryptography and security expert, says the payment can be made via electronic cash or credit stored in a mobile phone, via credit card authorization by the mobile user, or by ordering your bank to pay a merchant -- or your mother -- a certain amount of money from your account.
The technology uses strong cryptographic keys and generates random codes on the mobile phone that would have to match for the payer and the payee.
"The first thing we try to do is authorize the merchant who you'll be paying the money to ... and the person paying," Roscoe says.
Unlike PKI, this is a technology you can "bootstrap" onto a connection between two parties, he says. "The crucial thing is we make sure both parties are committed to the information they want [in the transaction] and are authenticated before anyone knows what the hash function is supposed to be," Roscoe says.
He says the technology will provide the ability to detect man-in-the-middle attacks. "Our protocol can do a check ... to [determine] whether the [session] had been interfered with by anyone," he says.
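The commit-then-compare idea Roscoe describes can be sketched as follows. This is an added, simplified illustration, not the Oxford protocol or its prototype code. SHA-256, HMAC, the six-digit code, the sample transaction strings and all names are assumptions made for the example.

```python
import hashlib, hmac, secrets

def commit(key: bytes, info: bytes) -> bytes:
    # Binding commitment to a fresh key and the transaction details.
    return hashlib.sha256(b"commit|" + key + info).digest()

def short_code(k1: bytes, k2: bytes, info1: bytes, info2: bytes) -> str:
    # The digest key is the XOR of both secrets, so nobody knows it until
    # both parties have revealed, which happens only after both committed.
    digest_key = bytes(a ^ b for a, b in zip(k1, k2))
    msg = b"|".join(sorted([info1, info2]))
    mac = hmac.new(digest_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**6:06d}"

class Party:
    def __init__(self, info: bytes):
        self.info, self.key = info, secrets.token_bytes(32)

    def first_message(self):
        return self.info, commit(self.key, self.info)

    def code(self, peer_info, peer_commitment, peer_key) -> str:
        # A revealed key must open the commitment received earlier.
        if not hmac.compare_digest(commit(peer_key, peer_info), peer_commitment):
            raise ValueError("revealed key does not open the commitment")
        return short_code(self.key, peer_key, self.info, peer_info)

# Constructed sample transaction details (hypothetical values).
PAYER = b"payer=alice"
PAYEE = b"payee=shop;amount=20.00;txid=0001"
FORGED = b"payee=mallory;amount=20.00;txid=0001"

def honest_run():
    payer, payee = Party(PAYER), Party(PAYEE)
    m_payer, m_payee = payer.first_message(), payee.first_message()
    return payer.code(*m_payee, payee.key), payee.code(*m_payer, payer.key)

def tampered_run():
    # An interposed party substitutes its own details and keys on each side.
    payer, payee = Party(PAYER), Party(PAYEE)
    fake_payee, fake_payer = Party(FORGED), Party(PAYER)
    seen_by_payer = payer.code(*fake_payee.first_message(), fake_payee.key)
    seen_by_payee = payee.code(*fake_payer.first_message(), fake_payer.key)
    return seen_by_payer, seen_by_payee

if __name__ == "__main__":
    print("honest:  ", honest_run())
    print("tampered:", tampered_run())
```

In the honest run both phones show the same code; in the tampered run the two codes disagree, which is the signal that the session was interfered with.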
And it's not just for mobile phones: It could work with lightweight computers, medical sensors, and other devices, he says. "It's a bootstrapping technology we envision being used especially in applications in lightweight [devices] that haven't got the resources of traditional computer security," Roscoe says.
Oxford to date has Java-based prototype applications running, and its technology transfer company, Isis Innovation, is helping get the technology commercialized. Still needed are standards for how the protocol would be used and how to prevent abuse of the payment features on phones. Isis is looking for commercial partners to further develop the project.
"The largest barrier here is not the technology: That's easy. It's getting acceptance from people in the mobile payment industry," Roscoe says. "They have to support this software."
Roscoe says while there has been a lot of interest in the technology, there hasn't been any uptake just yet. But it's still early in the process of technology transfer, he says.