By Simon Keates, Mobile Payment Security Expert, Thales e-Security
Consumers remain concerned and confused about mobile payments, creating a barrier to large-scale adoption of the technology. They can hardly be blamed, as security breaches compromising financial, as well as other highly sensitive information, make headlines on a weekly basis. Without confidence in the technology’s ability to protect sensitive data, mobile payments will not experience widespread adoption.
When considering the security of customer payment credentials, host card emulation (HCE) has caused waves in the industry. Before the advent of HCE, storage models came in two versions: either storing credentials in a specialist security chip in the phone (a secure element, or SE), or using card-on-file credentials in the cloud. The first model effectively turns the phone into a mobile wallet, with the SE performing the same function as the chip on an EMV card. The “cloud” option, however, was simply a case of storing basic payment information, such as card number and expiry date or sort code and account number, on the Internet.
Since HCE came along, an exact software representation of the card no longer needs to reside on a physical chip. This eliminates the need for the previously all-important SE and puts an end to the battle for ownership of it, lowering barriers to market entry for new players.
Moving the storage of card data from the chip to a secure environment in the cloud is not without its drawbacks. Completing a transaction requires that your phone be connected to the Internet, and then you must wait for the encryption to be carried out and for a response to arrive. Even at the best of times, this will be difficult to complete in the time allowed by the card schemes. With no signal, of course, it would be impossible. The solution being proposed to combat this uses a concept called “tokenization”: instead of having to connect to the Internet every time you spend, limited-use virtual cards would be stored on your phone in advance.
Thieves appreciate this solution, as it makes their line of work easier. There is the potential for criminals to clone the phone and request the card information, or even write malware to reside on the phone that will send the virtual card to the thief in the blink of an eye.
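To make the tokenization idea in the preceding two paragraphs concrete, here is an added illustration (not code from the article or from Thales): a cloud token service issues a small batch of single-use, short-lived tokens to a phone ahead of time; the phone then builds a transaction cryptogram offline with no network at the till, and the service authorizes each token at most once and only before it expires, so that a copied token from a cloned phone or resident malware is worth one payment at most, not the card. The class and function names, the HMAC-based cryptogram and the in-memory vault are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class LimitedUseToken:
    token_id: str      # surrogate value the merchant sees, never the real card number
    key: bytes         # limited-use key, good for exactly one cryptogram
    expires_at: int    # Unix time after which the token is dead even if unused


def device_cryptogram(key: bytes, amount_cents: int, tx_id: str) -> str:
    """Phone side: computed offline, so no connectivity is needed at the point of sale."""
    msg = f"{amount_cents}|{tx_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenService:
    """Cloud side: provisions tokens while the phone is online, authorizes them later."""

    def __init__(self) -> None:
        # token_id -> [device_id, key, expires_at, used]; a real service would
        # hold this key material in an HSM rather than a plain dictionary.
        self._vault: dict[str, list] = {}

    def issue_tokens(self, device_id: str, count: int, ttl_seconds: int, now: int) -> list:
        batch = []
        for _ in range(count):
            tok = LimitedUseToken(secrets.token_hex(8), secrets.token_bytes(16), now + ttl_seconds)
            self._vault[tok.token_id] = [device_id, tok.key, tok.expires_at, False]
            batch.append(tok)
        return batch

    def authorize(self, token_id: str, amount_cents: int, tx_id: str, cryptogram: str, now: int):
        entry = self._vault.get(token_id)
        if entry is None:
            return (False, "unknown token")
        _device_id, key, expires_at, used = entry
        if now > expires_at:
            return (False, "token expired")          # stale token from an old batch
        if used:
            return (False, "token already used")     # replay of a copied token
        expected = device_cryptogram(key, amount_cents, tx_id)
        if not hmac.compare_digest(expected, cryptogram):
            return (False, "bad cryptogram")         # amount or transaction tampered with
        entry[3] = True                              # burn the token: single use only
        return (True, "approved")
```

The scheme only limits the blast radius of a stolen token; binding the user to the transaction, as the next section discusses, is still needed on top of it.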
Protecting The Data
The authentication mechanism, whether physical or virtual, is the determining factor in how strong payment security will be. We must be able to bind the identity of the user to the authorization of the transaction. While banks are extremely familiar with data protection requirements, challengers with less data handling experience will need to be extremely mindful of authentication and risk assessment.
Smartphones, the very means of mobile transactions, can be put to greater use for authentication and risk assessment purposes. Features such as GPS data, 3G location, proximity to known Wi-Fi networks and the number and type of applications on the device build a unique fingerprint for each phone. Although not bulletproof, these signals are a valuable asset for judging the likelihood that a transaction is fraudulent. This also brings the potential to streamline the consumer experience in-store: lowering authentication barriers when it is very likely that the approved user is present, and introducing barriers that disrupt the payment journey when in doubt.
Nothing these days, however, is without its own security challenges. All this analysis depends on data, reams of personal data that represents an attractive target for malicious hackers and must be protected against attack. Protecting all this stored personal data goes well beyond the usual password database problem in terms of both volume and sensitivity: authentication is moving from being a “password problem” to a “Big Data problem.” Information must be carefully encrypted so that it is useless to anyone who steals it, minimizing the impact of its loss or theft.
The mobile payment world will never be the same now that HCE has come along, and its advent will continue to disrupt the industry. Ease of use, simplicity, and security are critical to the widespread adoption of mobile payment technology. Once consumers place their trust in the technology, the sky is the limit.