Spain's Bankinter is prepping a contactless mobile payments service that does not require a secure element within the handset.
Questions keep exploding in my head like those famous music fireworks held in Côte d'Azur every summer.
Tokenization is a cute concept. Especially if Bankinter can tell me how I can use their service in places with no online connectivity. Like London Underground...
When banks cannot (or cannot be bothered to) strike a deal with mobile operators or owners of operator-agnostic secure elements, they start re-inventing the wheel. That leads to security breaches.
And then things start getting "interesting": 84% of financial organizations were notified of a security breach by external entities. Attackers had an average of 174 days (!!) within the victim's environment before detection occurred.
The comment about lack of connectivity in the London Underground is a good one, but couldn't you just download a token in advance? Not ideal, but not a showstopper either. And most other places, it's not an issue.
As for the security point, I don't get that at all. How can a one-use token lead to any sort of bank breach? It's actually safer than passing a real card number through a terminal.
With regard to the inability of banks and carriers to come together on mobile payments, my hope is that ideas like this will persuade the carriers that they cannot control the handset, and therefore must negotiate with the banks if they don't want to be
Downloads to a smartphone require at least a GPRS connection. There are many places, outside such "extreme" examples as London Underground, where GSM data connectivity cannot be guaranteed - some shopping malls, car parks, trains, airplanes, taxis, etc. Think
As for the security: lack of secure element means that the target phone cannot be identified with a 100% certainty. Hence, there is a scope for that one-time token to be downloaded (or diverted) to the attacker's phone - not hard to implement, in fact.
Who said BANKS are relevant to payments? Just ask Amazon, PayPal, Apple, etc. Tokenization, in fact, is one of the latest fads via which banks hope to avoid being used as dumb pipes. However, they need to deliver value, instead of control, to remain relevant.
Talking of Spain, innovation and "dare to challenge": http://gizmodo.com/5986820/this-atm-gives-you-money-for-free-expecting-you-to-help-people
There are other examples where mobile payments are securely executed using an online device without a secure element. Wywallet is currently running with more than 600k users in Sweden, and an Eastern European bank will launch this week with 5M users and 30k POS. By storing private keys on the phone, you achieve 2-factor PKI authentication, independent of device and network.
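The three comments above argue about the same mechanism from different sides: whether a one-use token can be fetched in advance and spent offline, whether a token without a secure element can simply be diverted to an attacker's phone, and whether a key held on the phone is enough to bind the token to the device. The following is an added illustration, not Bankinter's, Wywallet's or any commenter's code, of how those pieces fit together in a minimal issuer: a per-device key is enrolled, a one-time token is issued while the phone is online, and the token is only honoured when presented with a tag computed under the enrolled key over the token, merchant and amount. An HMAC under a per-device secret stands in for the device private-key signature of the PKI setup described in the last comment; the device IDs, merchants and amounts are constructed sample data.

```python
import hashlib
import hmac
import secrets


def device_tag(device_key: bytes, token: str, merchant: str, amount_cents: int) -> str:
    """Tag a spend with the per-device key.

    Stand-in for a device private-key signature: a phone that does not hold the
    enrolled key cannot produce a tag the issuer will accept, so a diverted
    token is useless on its own. Merchant and amount are covered as well, so
    the tag cannot be reused for a different purchase.
    """
    msg = f"{token}|{merchant}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenIssuer:
    """Bank-side service: enrols device keys, issues one-time tokens, verifies spends."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self.ttl = ttl_seconds
        self.device_keys: dict[str, bytes] = {}
        self.tokens: dict[str, dict] = {}

    def enrol(self, device_id: str, device_key: bytes) -> None:
        self.device_keys[device_id] = device_key

    def issue(self, device_id: str, now: int) -> str:
        """Issue a token bound to an enrolled device; the phone fetches it while online."""
        if device_id not in self.device_keys:
            raise KeyError(f"device {device_id} not enrolled")
        token = secrets.token_hex(8)
        self.tokens[token] = {"device": device_id, "expires": now + self.ttl, "used": False}
        return token

    def verify(self, token: str, merchant: str, amount_cents: int, tag: str, now: int) -> str:
        """Return 'ok' and consume the token, or the reason it was rejected."""
        rec = self.tokens.get(token)
        if rec is None:
            return "unknown-token"
        if rec["used"]:
            return "replay"
        if now > rec["expires"]:
            return "expired"
        expected = device_tag(self.device_keys[rec["device"]], token, merchant, amount_cents)
        if not hmac.compare_digest(expected, tag):
            return "tag-mismatch"
        rec["used"] = True
        return "ok"


def run_scenarios() -> dict[str, str]:
    """Walk through the cases argued in the thread with constructed sample data."""
    issuer = TokenIssuer(ttl_seconds=600)
    victim_key = secrets.token_bytes(32)      # provisioned to the legitimate phone
    attacker_key = secrets.token_bytes(32)    # whatever key the attacker's phone holds
    issuer.enrol("phone-A", victim_key)

    t0 = 1_000_000
    token = issuer.issue("phone-A", now=t0)   # fetched in advance, while still online
    results = {}

    # 1. Legitimate phone spends the pre-fetched token at a terminal (no network needed).
    tag = device_tag(victim_key, token, "TfL-gate", 240)
    results["legit"] = issuer.verify(token, "TfL-gate", 240, tag, now=t0 + 60)

    # 2. Same token presented again: one-use means the second spend is refused.
    results["replay"] = issuer.verify(token, "TfL-gate", 240, tag, now=t0 + 120)

    # 3. Token diverted to the attacker's phone, which cannot tag it with the enrolled key.
    token2 = issuer.issue("phone-A", now=t0)
    bad_tag = device_tag(attacker_key, token2, "corner-shop", 999)
    results["diverted"] = issuer.verify(token2, "corner-shop", 999, bad_tag, now=t0 + 60)

    # 4. Genuine tag, but the amount is altered after the phone produced it.
    good_tag = device_tag(victim_key, token2, "corner-shop", 999)
    results["tampered-amount"] = issuer.verify(token2, "corner-shop", 1999, good_tag, now=t0 + 60)

    # 5. Token downloaded in advance but presented after its validity window.
    token3 = issuer.issue("phone-A", now=t0)
    tag3 = device_tag(victim_key, token3, "car-park", 500)
    results["expired"] = issuer.verify(token3, "car-park", 500, tag3, now=t0 + 601)

    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:16s} -> {outcome}")
```

The pre-fetch answers the offline objection only within the token's validity window, and the device binding answers the diversion objection only as far as the per-device key itself cannot be extracted from the handset; what a secure element adds is protection of that key, not the one-use property of the token.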
Kudos to Bankinter for showing that Banks Have Nothing To Fear From TELCOs.
© Finextra Research 2013