In 2006, Yeh and Tsai proposed a mobile commerce security mechanism. However, in 2008, Yum et al. pointed out that Yeh-Tsai security mechanism is not secure against malicious WAP gateways and then proposed a simple countermeasure against the attack is to use a cryptographic hash function instead of the addition operation. Nevertheless, this paper shows that both Yeh-Tsai's and Yum et al.'s security mechanisms still do not provide perfect forward secrecy and are susceptible to an off-line guessing attack and Denning-Sacco attack. In addition, we propose a new security mechanism to overcome the weaknesses of the previous related security mechanisms.

Yeh and Tsai recently proposed an enhanced mobile commerce security mechanism. They modified the lightweight security mechanism due to Lam, Chung, Gu, and Sun to relieve the burden of mobile clients. However, this article shows that a malicious WAP gateway can successfully obtain the mobile client's PIN by sending a fake public key of a mobile commerce server and exploiting information leakage caused by addition operation. We also present a countermeasure against the proposed attack.

Lam, Chung, Gu and Sun (2003) proposed a lightweight security mechanism for mobile commerce transactions to meet the security needs in the face of the resource constraints of mobile devices. End-to-end security between the mobile device and the mobile commerce provider is established. However, its security builds on the assumption that customers can confirm every mobile commerce provider's public key by themselves before each transaction. Moreover, the mechanism still produces high overhead on the mobile device. This paper elucidates the causes of these drawbacks, and an enhanced mechanism is also proposed to protect mobile commerce transactions more effectively and efficiently.