Blog article
See all stories »

A condom with a hole

Google made waves last week with their announcement about Host Card Emulation (HCE) solution that allows, inter alia, to "emulate" EMV without requiring any secure element (SE). Oh my...

Google's own source claims that "Android HCE emulates ISO/IEC 7816 based smart cards". Well, ISO 7816 is a standard for contact (!) cards that describes... physical characteristics of... SE - nothing to do with contactless payments interface or protocol, let alone SE-less payments. Also, Google says that HCE allows to implement transit application; however, HCE does not support such popular low-level transit protocols as Mifare. Does Google truly understand what it is talking about?..

Let's take a step back and re-visit Socrates who said: "The beginning of wisdom is a definition of terms." What does "emulate" mean?.. "To try to be like something you admire". Even if we discount the "admire" bit, if one (legitimate) Android app can pretend to be an EMV card, so can another (malicious) app...

Take a look at Google's "security" pedigree as far as its Wallet is concerned. Problemproblemproblem. Sure, those issues were eventually fixed, but why does anyone need a condom with a hole in the first place, even if that hole can be - disaster post factum (!) - patched up?.. 

HCE is not a new feature - BlackBerry had it for over a year. It takes it roots from SimplyTapp's solution that did entail secure element - that SE was cloud-based. When adopting HCE, Google decided to drop SE altogether (as far as one can tell) not because it made perfect technological sense, but because it made some business sense. For Google.

What about banks? Compromised HCE can result in £100+ loss. The cost of SE is £2 or less. If that level of risk really worth it?..

So, where does all that lead us to? To make things work properly, mobile payments market need agnostic (and free) secure element which can be used by any legitimate third party via "open API". Such a secure element should work with any smartphone out there - not just with Android (let alone just with Google's own phone).

Such a secure element should have a magic "press to pay" (mechanical) button that puts the user firmly in control and also prevents "man in the middle" attacks.

Such a secure element would support any transit and access control protocol out there. And be EMV-compliant. And allow to implement "card present" e-commerce. Now that's what I call a true game-changer.

 

3628

Comments: (2)

A Finextra member
A Finextra member 06 November, 2013, 14:22Be the first to give this comment the thumbs up 0 likes

When I read the marketing blurb on HCE I made the assumption it was just another term for CloudSE - however in reading the Android Developer Website I find it is an internal API for providing "SE-like" services in Software.  My main concern: how can the device securely emulate a SE in Software?  Thinking back to 2003 - there was a reason Visa and MasterCard mandated the use of Cryptographic Hardware Security Modules instead of doing Crypto in-software (it is inherently insecure!).

Google really should know better...

A Finextra member
A Finextra member 08 November, 2013, 16:54Be the first to give this comment the thumbs up 0 likes

I agree with pretty much everything in this blog. The only thing I would want to correct is that not all mobile payments require the use of debit/credit cards or the use of NFC. So those solutions don't require SE and as such your game-changer comments only fit well with card backed based transactions....

The whole thing though smells of Google and others changing the rules of their own game to stop others trying to get involved. I would like to see what carriers do re Android 4.4, will they stop stocking so many Android devices and favour those that don't threaten their own investment in ISIS or WEAVE?

Member since

0

Location

0

More from member

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.


See all