24 October 2014

Martin Cox - Bell ID

HCE mobile payments - how secure is secure enough?

20 August 2014

Since Google announced support for host card emulation (HCE) in Android 4.4 KitKat last year, the industry has been divided. Many recognize the value and opportunity that this brings to banks and other service providers for the deployment of mobile services such as payments, transit and loyalty. Others have raised security concerns that, they maintain, limit the technology’s potential.

The balance of risk & reward

While some may consider HCE-based systems less secure because no physical secure element (SE) is involved, a risk assessment should weigh risk against reward. In the HCE/cloud SE model, limited-use ‘tokens’ are downloaded to the device and used to complete transactions at the point of sale (POS), rather than a payment applet with long-lived card keys being stored on the device. A breach of the device would expose the tokens that were compromised but not the account itself, nor the keys from which the tokens are derived. It is therefore questionable whether the risk-reward ratio makes this an attractive target for fraudsters.

Service providers also need to balance risk and reward, and with the value of an individual token being so low they are questioning whether the highest level of security is required. Many are satisfied that the rewards offered by the HCE/cloud SE model, such as a simplified ecosystem, lower cost and independence from the SIM, outweigh the relatively limited risk.

Layered security options for HCE

Security is nonetheless important, and there are a number of ways to add security layers to HCE-based mobile payments to mitigate the risk created by the absence of a hardware secure element. These include white-box cryptography, obfuscation of key material and code, use of a trusted execution environment such as ARM TrustZone, and further securing of the communication channel between the device and the server through (layered) encryption, mutual authentication and the use of dual channels. None of these restores the isolation of a hardware SE; their purpose is to raise the cost of extracting tokens from a device that must be assumed to be compromisable, while the limited lifetime of each token bounds what a successful extraction is worth.

Overall, the benefits that HCE can bring – such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects – are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never support such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.

Security versus usability

Security is of course important, but it should be balanced and proportionate. Adding multiple layers of defence may limit functionality and/or usability, which will in turn limit consumer uptake. For example, requiring an additional Cardholder Verification Method (CVM) such as a PIN for each contactless payment transaction could be appropriate for high value transactions but becomes a usability nightmare if implemented indiscriminately. Requiring a user to enter a PIN to unlock the phone, another PIN or passcode to open their banking/payment app, and yet another to enable the transaction is several steps too far, and a long way from the ‘tap and go’ experience the user expects. For high value transactions a further PIN is likely to be required in any case; demanding it for every tap is a tiresome and unattractive proposition.

Issuers should therefore find a balance between security, acceptable risk and user friendliness that meets their needs without alienating their customers.
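To make the token argument and the CVM trade-off concrete, here is a toy model of the HCE/cloud SE flow. It is an example added for this page, not Bell ID's product or any card scheme's specification: the HMAC-based key derivation, the cryptogram layout, the batch size of four tokens and the 50.00 CVM threshold are all assumptions of the example. The issuer host keeps one master key per account and derives single-use tokens from it; the phone holds only the current batch; the host verifies each cryptogram, retires the token, and declines high value taps that carry no cardholder verification.

```python
"""Toy model of an HCE / cloud-SE limited-use token scheme. Constructed for
illustration only; the derivation, cryptogram layout, batch size and CVM
threshold are assumptions, not any scheme's or vendor's specification."""
import hashlib
import hmac
import secrets

TOKENS_PER_BATCH = 4   # assumption: the phone is provisioned four taps at a time
CVM_THRESHOLD = 5000   # assumption: amounts above 50.00 (minor units) need a CVM


def derive_token(master_key: bytes, counter: int) -> bytes:
    """One-way derivation of a single-use key from the account master key.
    The master key never leaves the host; a leaked token cannot be worked back to it."""
    return hmac.new(master_key, b"LUK" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def cryptogram(token: bytes, amount: int, unpredictable: bytes, cvm_done: bool) -> bytes:
    """MAC the phone computes at the POS over the terminal's amount and unpredictable
    number plus the cardholder-verification flag (truncated to 8 bytes, ARQC-style)."""
    msg = amount.to_bytes(6, "big") + unpredictable + bytes([cvm_done])
    return hmac.new(token, msg, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Cloud side: holds master keys, provisions tokens, authorises taps."""

    def __init__(self):
        self.master = {}        # account -> master key
        self.next_counter = {}  # account -> next token counter to issue
        self.live = {}          # (account, counter) -> token not yet spent

    def enrol(self, account: str) -> None:
        self.master[account] = secrets.token_bytes(32)
        self.next_counter[account] = 0

    def provision(self, account: str) -> list:
        """Derive a fresh batch of single-use tokens to send to the phone."""
        batch = []
        for _ in range(TOKENS_PER_BATCH):
            c = self.next_counter[account]
            self.next_counter[account] = c + 1
            tok = derive_token(self.master[account], c)
            self.live[(account, c)] = tok
            batch.append((c, tok))
        return batch

    def authorise(self, account, counter, amount, unpredictable, cvm_done, mac) -> str:
        tok = self.live.get((account, counter))
        if tok is None:
            # replay, made-up counter, or a token somebody else already spent
            return "decline: unknown or already-used token"
        if not hmac.compare_digest(cryptogram(tok, amount, unpredictable, cvm_done), mac):
            return "decline: bad cryptogram"
        del self.live[(account, counter)]   # genuine use seen: retire the token for good
        if amount > CVM_THRESHOLD and not cvm_done:
            return "decline: CVM required"
        return "approve"


class Phone:
    """Device side: holds only the current batch of tokens, never a card key."""

    def __init__(self, account: str, batch: list):
        self.account = account
        self.tokens = list(batch)

    def tap(self, amount: int, unpredictable: bytes, cvm_done: bool = False) -> tuple:
        counter, tok = self.tokens.pop(0)
        mac = cryptogram(tok, amount, unpredictable, cvm_done)
        return (self.account, counter, amount, unpredictable, cvm_done, mac)


def demo() -> dict:
    """Run the scenarios the text argues about and return the host's decisions."""
    host = IssuerHost()
    host.enrol("acct-1")
    batch = host.provision("acct-1")
    phone = Phone("acct-1", batch)
    un = secrets.token_bytes(4)           # terminal's unpredictable number
    r = {}

    low = phone.tap(250, un)              # 2.50, plain tap and go
    acct, c, _, u, cvm, mac = low
    r["amount_tampered_in_transit"] = host.authorise(acct, c, 99999, u, cvm, mac)
    r["low_value"] = host.authorise(*low)
    r["replay_of_low_value"] = host.authorise(*low)

    # A token lifted from the device after it was spent buys nothing.
    spent_counter, spent_tok = batch[0]
    mac = cryptogram(spent_tok, 100000, un, True)
    r["forge_with_spent_token"] = host.authorise("acct-1", spent_counter, 100000, un, True, mac)

    r["high_value_no_cvm"] = host.authorise(*phone.tap(9900, un))
    r["high_value_with_cvm"] = host.authorise(*phone.tap(9900, un, cvm_done=True))

    # An unused token stolen from the device: the loss is bounded to that one tap, and
    # the owner's next tap collides with the same counter, which is the issuer's fraud signal.
    stolen_counter, stolen_tok = batch[3]
    mac = cryptogram(stolen_tok, 4000, un, False)
    r["thief_spends_unused_token"] = host.authorise("acct-1", stolen_counter, 4000, un, False, mac)
    r["thief_tries_again"] = host.authorise("acct-1", stolen_counter, 4000, un, False, mac)
    r["owner_taps_after_theft"] = host.authorise(*phone.tap(250, un))
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

Running demo() shows that a tampered or replayed message fails, that a token stolen after use is worthless, that a high value tap is declined unless the device reports a CVM, and that an unused stolen token buys the thief exactly one tap before the owner's collision on the same counter flags the fraud. A production scheme would add account-level velocity limits, token replenishment over an authenticated channel and proper terminal-side CVM signalling, none of which this model includes.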

Many banks have concluded that the opportunity that HCE brings outweighs the risks that it presents despite the vocal efforts of detractors. This debate is certainly one to watch over the coming months as we see more service providers make their moves. 

Tags: Security, Payments
