Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Payments

Group

Innovation in Financial Services
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

A condom with a hole

Google made waves last week with their announcement about Host Card Emulation (HCE) solution that allows, inter alia, to "emulate" EMV without requiring any secure element (SE). Oh my...

Google's own source claims that "Android HCE emulates ISO/IEC 7816 based smart cards". Well, ISO 7816 is a standard for contact (!) cards that describes... physical characteristics of... SE - nothing to do with contactless payments interface or protocol, let alone SE-less payments. Also, Google says that HCE allows to implement transit application; however, HCE does not support such popular low-level transit protocols as Mifare. Does Google truly understand what it is talking about?..

Let's take a step back and re-visit Socrates who said: "The beginning of wisdom is a definition of terms." What does "emulate" mean?.. "To try to be like something you admire". Even if we discount the "admire" bit, if one (legitimate) Android app can pretend to be an EMV card, so can another (malicious) app...

Take a look at Google's "security" pedigree as far as its Wallet is concerned. Problemproblemproblem. Sure, those issues were eventually fixed, but why does anyone need a condom with a hole in the first place, even if that hole can be - disaster post factum (!) - patched up?.. 

HCE is not a new feature - BlackBerry had it for over a year. It takes it roots from SimplyTapp's solution that did entail secure element - that SE was cloud-based. When adopting HCE, Google decided to drop SE altogether (as far as one can tell) not because it made perfect technological sense, but because it made some business sense. For Google.

What about banks? Compromised HCE can result in £100+ loss. The cost of SE is £2 or less. If that level of risk really worth it?..

So, where does all that lead us to? To make things work properly, mobile payments market need agnostic (and free) secure element which can be used by any legitimate third party via "open API". Such a secure element should work with any smartphone out there - not just with Android (let alone just with Google's own phone).

Such a secure element should have a magic "press to pay" (mechanical) button that puts the user firmly in control and also prevents "man in the middle" attacks.

Such a secure element would support any transit and access control protocol out there. And be EMV-compliant. And allow to implement "card present" e-commerce. Now that's what I call a true game-changer.

 

3878

Channels

Payments

Group

Innovation in Financial Services
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (2)

A Finextra member
A Finextra member 06 November, 2013, 14:22Be the first to give this comment the thumbs up 0 likes

When I read the marketing blurb on HCE I made the assumption it was just another term for CloudSE - however in reading the Android Developer Website I find it is an internal API for providing "SE-like" services in Software.  My main concern: how can the device securely emulate a SE in Software?  Thinking back to 2003 - there was a reason Visa and MasterCard mandated the use of Cryptographic Hardware Security Modules instead of doing Crypto in-software (it is inherently insecure!).

Google really should know better...

Report abuse
A Finextra member
A Finextra member 08 November, 2013, 16:54Be the first to give this comment the thumbs up 0 likes

I agree with pretty much everything in this blog. The only thing I would want to correct is that not all mobile payments require the use of debit/credit cards or the use of NFC. So those solutions don't require SE and as such your game-changer comments only fit well with card backed based transactions....

The whole thing though smells of Google and others changing the rules of their own game to stop others trying to get involved. I would like to see what carriers do re Android 4.4, will they stop stocking so many Android devices and favour those that don't threaten their own investment in ISIS or WEAVE?

Report abuse
Join the discussion

Member since

0

Location

0

More from member

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

See all
Community
See all blogs »
 

3 Strategies to Improve B2B Customer Loyalty Through Payments

Brandon Spear

Brandon Spear

Artificial Intelligence and Financial Services 

Overcoming Cultural and Technical Challenges in Automating Currency Risk Management

Benjamin Avraham

Benjamin Avraham

The Payments Business 

Why are more buyers and suppliers turning to commercial (and virtual) cards for B2B payments?

Benjamin Thurlow

Benjamin Thurlow

Banking 

The Rise of Digital Payments Banks in India influencing the Market and Revenue

Harshita Soni

Harshita Soni

Now hiring

See more