Finextra ran an article today about the UK banking sector "gearing up for the introduction of an industry-wide mobile payments". Which industry? There is no "payment" industry as such. Are we talking about banks? Or mobile operators? Or card schemes?
The article stated that "the new service will enable secure payments to be made [...] by simply using a mobile phone number as a proxy."
Wait a second. If my sort code and account number are sensitive information, why do we hide them behind something known to hundreds of people? Perhaps because a malicious attacker cannot "simply" use my phone number to make a "secure" payment. He would need something else to do so. Something "secure".
The mystery was finally revealed: "the group can also take heart from the success of Pingit". Hm, that's where things are getting really interesting.
Pingit is an app. There is nothing secure about an app (unless it runs inside a "trusted execution environment", which is not the case with Pingit). Now, the banks have been educating us for decades about the wonders of "chip" cards. The industry has been educating us about EMV standards and certifications. The industry is pointing its accusing finger at the US, where the hard-to-die magnetic stripe is wide open to fraud.
Why, then, can you all of a sudden stick an app onto a phone and magically have a "secure payments solution"?
When it comes to mobile phones, "secure" means some form of a Secure Element (SE), typically a protected memory or a "trusted execution environment" (TEE) inside a (secure) microcontroller - in layman's terms, a "chip". Currently, such "chips" inside phones are controlled either by handset OEMs or, mainly, by mobile operators. Hence, any "industry-wide" solution would need to bed every single operator in the UK (including virtual ones). Was the word "operator" mentioned in that article at all? Take a wild guess.
"With security the main concern for potential users, the Payments Council says it will make sure that, at minimum, a passcode or similar feature will be required to authorize payments." A passcode. Is that the same passcode which can be easily read by a simple virus sitting undetected on my phone (and controlling my "secure" app too)? I now understand why security is the "main concern" only for the "potential users". The industry doesn't give a damn.
Banks couldn't make a deal with the operators and decided to cut corners by introducing dual standards: a "chip" for card payments vs a piece of software code on a phone for mobile payments; secure PIN encryption and secure PIN delivery channels in the case of ATM and POS vs a "passcode" entered on a (non-EMV compliant) phone. Genius!
What's next? Let's wait and see...