Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.
With mobile phones set to become as indispensable as a wallet for buying goods and services, mobile payment developments are rapidly gathering pace and different service providers are competing for their slice of the pie. For example, last year saw the arrival of MasterCard’s PayPass scheme, the launch of Google’s Android-based EWallet scheme and Starbucks’ trial of its Quick Tap PayPass service.
A recent study from Juniper Research forecasts that mobile contactless payment transactions will reach nearly $50 billion worldwide in 2014 and that NFC solutions will be launched in 20 countries within the next 18 months.
But before adoption begins to accelerate towards these levels, not only is there much debate to be had around which type of scheme works best in practice, but also about which mobile payments security method is the most robust.
Standardization
As with traditional payments, standardization is essential to bring about the time and resource benefits to the industry. Several successful standards are already gathering momentum in providing a secure mobile payments ecosystem:
–Managing mobile NFC services: The Trusted Service Manager acts as an intermediary between mobile network operators and third-party service providers that wish to add a service to a mobile phone. GlobalPlatform’s “System Messaging Specification for Management of Mobile-NFC Services” defines the messaging among the three parties to ensure secure “provisioning” of services to the phone.
–The SIM Alliance Open Mobile API: Applications that use the secure element (the cryptographically protected piece of hardware on newer mobile phones) to secure their critical operations, such as banking, payments or transport tickets, can have a component running in the phone’s operating system so that the user can securely interact with the keyboard/touch screen and enjoy a rich graphical user experience. The SIM Alliance Open Mobile API provides a common means of interfacing with the secure element, whether it is in a UICC SIM, a dedicated secure element built into the phone or a secure SD card, so that app developers can use its additional security more easily.
–Trusted Execution Environment: The secure element looks after critical data on the mobile handset but it cannot easily host apps with a highly developed or cutting edge user interface. Apps that require complex user interactions must run on the phone’s main processor. The Trusted Execution Environment is designed to secure these apps and GlobalPlatform is leading the standardization and interoperability in this area to ensure that data and apps are adequately protected. For example, payment apps that run their user interface in TEE and their transaction security in the secure element would have an extremely high level of security.
Such standards help the industry work together and benchmark best practices, but they remain only one fundamental element contributing to successful mobile payment security. Technology that makes provisioning mobile payment applications as secure as issuing cards is also required, to build that much-needed consumer confidence.
Safe from the word go
Consumer fear around fledgling mobile payment techniques often centers on security issues. Much of the reluctance to adopt mobile payments originates from the perceived risk of data being intercepted during a transaction. But threats exist at every stage of the mobile payment lifecycle, including how to get a payment app onto a phone securely and efficiently in the first place. Building the data needed to issue a payment application and creating the secure messages to personalize a handset can be a lengthy and inefficient process, and the numerous cryptographic functions involved pose a risk of exposing sensitive data.
This initial set-up process, or provisioning, normally happens over the air. It is a process that increases security risks due to the number of parties involved: typically the payment application provider (usually a bank), a Trusted Service Manager, the mobile network operator and the end-user. A critical success factor is keeping this process highly secure to ensure that no data is compromised. Successful provisioning uses unique personalization keys to protect not only the loading of information onto a device, but also the subsequent transactions made by the application.
As secure as traditional cards
By applying the latest cryptography methods, users can ensure that provisioning happens as securely as possible and at the same level as issuing traditional payment cards. Providers of physical cards tend to prefer Hardware Security Modules, which generate and protect the encryption keys essential to managing issuance risk. This approach is also relevant for provisioning services to a mobile phone and can greatly simplify the process while simultaneously avoiding the vulnerability of keys stored in software. Overall, the main benefit of an HSM is to secure encryption keys and sensitive data in a way which ensures that such data is never exposed. In this way, the risk for the service provider is significantly reduced.
However, while encryption is essential to the security of mobile payments, it isn’t the sole answer. For maximum security in this new payments channel, encryption must be teamed with authentication technologies that provide protection for data exchange and authorisation.
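A minimal sketch of per-device personalization keys derived from a master key that stays inside an HSM-like boundary, added here as an illustration and not taken from any payment scheme, standard or vendor. The class names, the HMAC-SHA256 derivation and every identifier and value are assumptions constructed for the example; it shows authentication of the provisioning payload only, not its encryption.

```python
import hashlib
import hmac

def derive(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    # HMAC-SHA256 as a stand-in derivation function (assumption, not a scheme KDF).
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()

class IssuerKeyStore:
    """Hypothetical stand-in for the HSM: the master key is used inside, never returned."""
    def __init__(self, master_key: bytes):
        self._master = master_key

    def personalization_key(self, se_id: bytes) -> bytes:
        # Unique per secure element; in practice injected into the element securely.
        return derive(self._master, b"personalization", se_id)

    def protect_load(self, se_id: bytes, payload: bytes) -> bytes:
        # Authenticate a provisioning payload for exactly one secure element.
        load_key = derive(self.personalization_key(se_id), b"load")
        return hmac.new(load_key, payload, hashlib.sha256).digest()

class SecureElement:
    """Hypothetical device side: holds only keys derived from its own personalization key."""
    def __init__(self, se_id: bytes, personalization_key: bytes):
        self.se_id = se_id
        self._load_key = derive(personalization_key, b"load")
        self._txn_key = derive(personalization_key, b"transaction")

    def accept_load(self, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._load_key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    def sign_transaction(self, txn: bytes) -> bytes:
        return hmac.new(self._txn_key, txn, hashlib.sha256).digest()

def demo() -> dict:
    issuer = IssuerKeyStore(b"constructed-master-key-for-demo!")  # constructed value
    phone_a = SecureElement(b"SE-0001", issuer.personalization_key(b"SE-0001"))
    phone_b = SecureElement(b"SE-0002", issuer.personalization_key(b"SE-0002"))
    payload = b'{"app":"payment","token":"constructed-0000"}'  # constructed sample
    tag = issuer.protect_load(b"SE-0001", payload)
    txn = b"amount=4.50;merchant=constructed"
    return {
        "intended_device": phone_a.accept_load(payload, tag),
        "tampered_payload": phone_a.accept_load(payload + b" ", tag),
        "other_device": phone_b.accept_load(payload, tag),
        "txn_keys_unique": phone_a.sign_transaction(txn) != phone_b.sign_transaction(txn),
    }

if __name__ == "__main__":
    print(demo())
```

Because each secure element's keys are derived from its own identifier, a payload captured for one handset is rejected by another, and compromising one device's key reveals nothing about the master key or any other device.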
Minimizing risk
As the mobile payment world continues to evolve at lightning speed, industry best practices are far from being agreed, with operators and related parties still undecided about who should control the mobile wallet. But one thing that lies firmly beyond discussion is that security remains the primary barrier to adoption for most consumers.
Overcoming this concern is no easy task, requiring a combination of robust standards and best practice, coupled with the right technical path to guarantee the experience is safe from the second that a user decides to download a payment app. If any business wants to take advantage of the impending explosion in mobile payments, security needs to be at the foundation of their approach to minimise risk and encourage widespread consumer adoption.