Smart Card & Identity News A New Flavour for eCash

More documents

Recommendations

Info

Making Money on the Move More Secure Ian Hermon Introduction While different mobile payment methods jostle for top position, a similar contest is underway concerning the security of these new cashless services. Ian Hermon, Product Marketing Manager, Thales e-Security, takes a look at the challenges in establishing a solid foundation for secure payments on the move. With mobile phones set to become as indispensable as a wallet for buying goods and services, mobile payment developments are rapidly gathering pace and different service providers are competing for their slice of the pie. Last year, for example, saw the arrival of MasterCard’s PayPass scheme in the US while Google launched its Android-based eWallet scheme and Starbucks trialled its Quick Tap PayPass service. A recent study from Juniper Research forecasts that mobile contactless payment transactions are expected to reach nearly $50 billion worldwide in 2014 and NFC solutions will be launched in 20 countries within the next 18 months. But before adoption begins to accelerate towards these levels, not only is there much debate to be had around which type of scheme works best in practice but also about which mobile payments security method is the most robust. Standardisation As with traditional payments, standardisation is essential to bring about the time and resource benefits to the industry. Several successful standards are already gathering momentum in providing a secure mobile payments ecosystem: • Managing Mobile NFC Services – The Trusted Service Manager (TSM) acts as an intermediary between Mobile Network Operators (MNOs) and any third party service provider that wishes to add a service to a mobile phone. GlobalPlatform’s ‘System Messaging Specification for Management of Mobile-NFC Services’, defines the messaging between each of the three parties to ensure secure ‘provisioning’ of services to the phone. • The SIM Alliance Open Mobile API – Apps which use the Secure Element (the cryptographically protected piece of hardware on newer mobile phones) to secure their critical operations such as banking, payments or transport tickets, can have a component running in the phone’s operating system so that the user can securely interact with the keyboard/touch screen and enjoy a rich graphical user experience. The SIM Alliance Open Mobile API enables apps developers to use the additional security of the Secure Element more easily, be this in a UICC SIM, a dedicated Secure Element built into the phone, or a secure SD card, by providing a common means of interfacing with it. • Trusted Execution Environment (TEE) – The Secure Element looks after critical data on the mobile handset but it cannot easily host apps with a highly developed or cutting edge user interface. Apps that require complex user interactions must run on the phone’s main processor. The Trusted Execution Environment is designed to secure these apps and GlobalPlatform is leading the standardisation and interoperability in this area to ensure that data and apps are adequately protected. For example, payment apps that run their user interface in TEE and their transaction security in the Secure Element would have an extremely high level of security. Smart Card & Identity News • March 2012 10
Such standards help the industry work together and benchmark best practices but they remain just one fundamental element of contributing to successful mobile payment security. Technology that makes the security of provisioning mobile payment applications as secure as issuing cards is also required, to build that much needed consumer confidence. Consumer fear around fledgling mobile payments techniques often centre on security issues. Much of this reticence to adopt mobile payments comes from the perceived risk of data being intercepted during a transaction. But threats exist at every stage of the mobile payment lifecycle, including how to get a payment app onto a phone securely and efficiently in the first place. Building the data needed to issue a payment application and create the secure messages to personalise a handset can be a lengthy and inefficient process, the numerous cryptographic functions posing a risk of exposing sensitive data. This initial set-up process or ‘provisioning’ normally happens over-the-air (OTA). It is a process that increases security risks due to the number of parties involved - typically the payment application provider (usually a bank), a Trusted Service Manager, the Mobile Network Operator, and the end user. A critical success factor is keeping this process highly secure to ensure that no data is compromised. Successful provisioning uses unique personalisation keys, to not only protect the loading of information onto a device but also the subsequent transactions made by the application. As secure as traditional cards By applying the latest cryptography methods, users can ensure that ‘provisioning’ happens as securely as possible and at the same level as issuing traditional payment cards. Providers of physical cards tend to prefer Hardware Security Modules (HSMs), which generate and protect the encryption keys that are essential to managing issuance risk. This approach is also relevant for provisioning services to a mobile phone and can greatly simplify the process while simultaneously avoiding the vulnerability of keys stored in software. Overall, the main benefit of an HSM is to secure encryption keys and sensitive data in a way which ensures that such data is never exposed. In this way, the risk for the service provider is significantly reduced. However, while encryption is essential to the security of mobile payments, it isn’t the sole answer. For maximum security in this new payments channel, encryption must be teamed with authentication technologies that provide protection for data exchange and authorisation. Minimise the risk As the mobile payment world continues to evolve at lightning speed, industry best practices are far from being agreed, with operators and related parties still undecided about who should control the mobile wallet. But one thing that lies firmly beyond discussion is that security remains the primary barrier to adoption for most consumers. Overcoming this concern is no easy task, requiring a combination of robust standards and best practice, coupled with the right technical path to guarantee the experience is safe from the second that a user decides to download a payment app. If any business wants to take advantage of the impending explosion in mobile payments, security needs to be at the foundation of their approach to minimise risk and encourage widespread consumer adoption. Smart Card & Identity News • March 2012 11
Page 1 and 2: dentity News • Smart Card & Ident
Page 3 and 4: What I’m hinting at here is that
Page 5 and 6: The second approach to handling low
Page 7 and 8: Overall Growth in CEE Cards Market
Page 9: World News In Brief Cryptomathic In
Page 13 and 14: Cajasiete intends to extend this ty
Page 15 and 16: Created to recognise the developmen
Page 17 and 18: World News In Brief OTI Files Paten
Page 19 and 20: iCAM7000 series for applications ra

Smart Card & Identity News A New Flavour for eCash

Create successful ePaper yourself

Delete template?

Save as template?