Re: simulator7 post# 171482

Thursday, 05/21/2009 1:04:42 PM

I totally agree, simulator7. It is important to realise that GSMA sees indirect mode as key to achieving satisfactory security levels for the mobile code ecosystem ahead. Now, here is what they’re saying (selected points from their 2D Barcodes White Paper):


On page 8:

(Among key findings:)
“While the direct mode provides an easily deployable solution, there are potential security risks, and an indirect mode solution would provide a safe, secure and trusted environment”

On page 15:

Although not yet in the mass market, the sensitivity of barcodes e.g. 2D Barcodes against phishing or other attacks is already in the public domain.

In order to avoid malevolent usage of the service and to increase the difficulty that intruders face in hacking 2D Barcodes, it is necessary to establish some kind of inherent security within the 2D Barcode Data Structure. Therefore, only 2D Barcodes created by a known server can guarantee the end user a secure environment.

2D Barcodes can also store a reference and always contact a trusted server to resolve the reference. In this scenario the policing mechanisms and the content control can reside on the trusted server side. The server would check the validity of the 2D Barcode as well as the nature of the 2D Barcode and even possibly provide feedback to the end user prior to the final content discovery.

Security plays a crucial role in the 2D Barcode ecosystem. The end user must feel safe when scanning a 2D Barcode, having the guarantee of a trusted service behind the 2D barcode. The end user will, in some cases incur a charge when invoking a 2D Barcode. Therefore a trusted environment is needed in order to create this element of end user trust.

The above gains even more importance if any m-commerce / payment scenario is used, since the user expects a secure service.

On page 16:

The phishing / fraud problem is mainly expected in the case of direct mode utilization, therefore a security mechanism integrated in the code framework is proposed. This security mechanism needs to be identified by the 2D Barcode reader application and allow successful content provisioning, or if requested, stops the resolving process. Such a process is especially needed for the unsecured direct mode, e.g. to block restricted content.

In order to prevent one time hacking, an automatic update release cycle is recommended, which needs to provide a history function. In principle, the mechanism follows an alliance and certificate logic, where all members of the alliance only provide certified 2D Barcode clients either ex factory or via the download platform.
All codes created within this standardized alliance domain would have the digital watermark, thus providing some security to the end user.


On Page 18:

Usage for the direct mode is seen in the mass market nowadays, since the service is already publicly available. End users can create codes, download the code reader application and use the service. The direct mode is based on traditional business models and provides primarily new data traffic. The indirect mode enables new business models as it relies on a network server to resolve the identifier and can therefore secure the service and enrich the information associated to the end user.

In contrast to the direct mode, the usage of the secure indirect mode and the resolver function, coupled with additional data tracking (managing capabilities) creates opportunities for new services (e.g. location, presence and authentication based services) and business opportunities.

On Page 19:

The following list depicts the distinct attributes of the indirect mode whereby a new business model can flourish:
- Since there is a correlation between the size of the bar code and the amount of data encoded, 2D Bar codes using aliases/identifiers (which are small in nature) enable user scenarios where space is at a premium
- Enhanced security preventing misdirection to inappropriate or malicious contents
- Location: user / handset location – location based services e.g. in conjunction with future GPS services
- The indirect mode provides a controlled end to end service scenario. Using these control points CMP (code management platform) gives rise to the ability to cost defray to the end user. Cost defraying may be performed at a granular level or using other secure interactive scenarios
- Linkage to mobile user subscription profile (demographics, M-Commerce, Authentication)
- User data information collection / marketing
- Ease of combining the above information, tailored to advertising campaign / usage scenario
- Support of language translation (international scenario).

The aforementioned points above highlight the ability for the indirect mode to:
- Support existing direct mode business
- Enable new 2D Barcode service scenarios
- Enhance current business models and therefore provide additional revenue opportunities for all parties value chain.



On page 37:

11 KEY REQUIREMENT GUIDELINES:
11.3 SECURITY
- Ability to guarantee security in the sense that a customer is sure to get to the genuine service or information and can avoid phishing fraud or inappropriate content
- Ability to guarantee a trusted environment for the end user, code publisher and code sales agencies.

http://www.gsmworld.com/documents/2D_barcodes_B01_0_2.pdf
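
The indirect-mode flow quoted from pages 15 and 16, as an added example that is not part of the original post or of the GSMA white paper: a trusted resolver accepts only identifiers created by a known server, applies content policy on the server side, and returns feedback before the content is revealed. The HMAC tag, payload format, key, registry and function names are all assumptions constructed for illustration; the white paper does not specify a mechanism.

```python
import hashlib
import hmac

# Constructed values for illustration only (not from the white paper).
ISSUER_KEY = b"constructed-demo-key"
TAG_LEN = 16  # hex characters of the truncated HMAC-SHA256 tag carried in the code

# Constructed registry held on the trusted server: identifier -> (target URL, status)
REGISTRY = {
    "A1B2C3": ("https://shop.example/offer", "active"),
    "D4E5F6": ("https://bad.example/login", "blocked"),
}


def issue_code(identifier: str) -> str:
    """Payload the known server encodes into the barcode: '<id>.<tag>'."""
    tag = hmac.new(ISSUER_KEY, identifier.encode(), hashlib.sha256).hexdigest()
    return f"{identifier}.{tag[:TAG_LEN]}"


def resolve(payload: str) -> dict:
    """Server-side resolution: check the code's origin, then apply content policy."""
    # A direct-mode payload (raw URL in the code) carries no issuer proof; refuse it.
    if "://" in payload:
        return {"ok": False, "reason": "direct-mode payload, not resolvable"}
    identifier, sep, tag = payload.rpartition(".")
    if not sep or len(tag) != TAG_LEN:
        return {"ok": False, "reason": "malformed code"}
    expected = issue_code(identifier).rpartition(".")[2]
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return {"ok": False, "reason": "code not created by a known server"}
    entry = REGISTRY.get(identifier)
    if entry is None:
        return {"ok": False, "reason": "unknown identifier"}
    url, status = entry
    if status != "active":
        return {"ok": False, "reason": "content blocked by policy"}
    # Feedback to the end user prior to the final content discovery.
    return {"ok": True, "url": url, "notice": f"Opens {url.split('/')[2]}"}


if __name__ == "__main__":
    samples = (issue_code("A1B2C3"), issue_code("D4E5F6"),
               "A1B2C3." + "0" * TAG_LEN, "http://phish.example/")
    for p in samples:
        print(p, "->", resolve(p))
```

Because the decision is made on the resolver, blocking an identifier takes effect for every printed copy of the code without touching the reader application.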