Do HCE mobile payments need additional security?
Since Google announced support for host card emulation (HCE) in Android KitKat 4.4 last year, the industry has been divided, writes Robert Wessels. Many recognize the value and opportunity that this brings to banks, mobile network operators (MNOs) and service providers for the deployment of mobile services – like payments, transit and loyalty – while others have sought to focus on security concerns that apparently limit the technology’s potential.
The balance of risk & reward
While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, ‘tokens’ are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited number of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them focus on more attractive targets.
Many issuers therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.
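The bounded exposure described above can be sketched as a small issuer-side model. This is an added example, not code from the article or from any card scheme specification; the `TokenService` class, the 25.00 per-token cap, the one-hour lifetime and the account label are all assumptions chosen for illustration.

```python
import secrets
import time

class TokenService:
    """Hypothetical issuer-side service; the account mapping never leaves it."""

    def __init__(self, limit_cents=2500, ttl_seconds=3600):
        self.limit_cents = limit_cents      # assumed per-token value cap
        self.ttl_seconds = ttl_seconds      # assumed token lifetime
        self._vault = {}                    # token -> (account, expiry)
        self._spent = set()

    def provision(self, account, count, now=None):
        """Issue `count` single-use tokens for download to the handset."""
        now = time.time() if now is None else now
        tokens = [secrets.token_hex(16) for _ in range(count)]
        for tok in tokens:
            self._vault[tok] = (account, now + self.ttl_seconds)
        return tokens

    def authorise(self, token, amount_cents, now=None):
        """Decide a POS transaction presented with `token`."""
        now = time.time() if now is None else now
        if token not in self._vault:
            return "DECLINE: unknown token"
        if token in self._spent:
            return "DECLINE: token already used"
        _account, expiry = self._vault[token]
        if now > expiry:
            return "DECLINE: token expired"
        if amount_cents > self.limit_cents:
            return "DECLINE: over token limit"
        self._spent.add(token)              # single use: a replay is refused
        return "APPROVE"

    def exposure_cents(self, stolen, now=None):
        """Upper bound on loss if every token in `stolen` is compromised."""
        now = time.time() if now is None else now
        live = [t for t in stolen
                if t in self._vault and t not in self._spent
                and now <= self._vault[t][1]]
        return len(live) * self.limit_cents

def demo():
    svc = TokenService()
    wallet = svc.provision("ACCT-CONSTRUCTED-0001", count=3, now=0)  # constructed account
    results = [svc.authorise(wallet[0], 1200, now=10),   # normal purchase
               svc.authorise(wallet[0], 1200, now=20),   # replay of the same token
               svc.authorise(wallet[1], 9000, now=30)]   # amount above the cap
    return results, svc.exposure_cents(wallet, now=40), svc.exposure_cents(wallet, now=4000)
```

Even if the whole on-device wallet is copied, the loss is capped by the number of unspent, unexpired tokens times the per-token limit, and the tokens themselves carry nothing that identifies the account.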
Layered security options for HCE
Security is important, however, and there are a number of ways to mitigate the risk caused by the absence of hardware security. Additional security layers can be added to HCE-based mobile payments, such as white box cryptography, obfuscation of key data and use of a TrustZone. The communication channels between the device and the server can also be further secured through (layered) encryption, mutual authentication and use of dual channels.
Overall, the benefits that HCE can bring – such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects – are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.
Security versus usability
I am not arguing that security is not needed or important, but simply that it should be balanced and proportionate. Focusing too much on security limits functionality, which will in turn limit consumer uptake. In general, the more security measures are implemented, the less user friendly the service becomes. An issuer should consider that something as simple as requiring an additional Cardholder Verification Method (CVM) such as a PIN for each contactless payment transaction could be a usability nightmare. This could mean that a user needs to enter a PIN to open the phone, enter a PIN/Passcode to open their Banking/Payment App, enter a PIN to allow the transaction and, if the POS happens to be an old one, they may be asked to type a PIN on the POS. This is far from the ‘tap and go’ experience the user is expecting, and this is not even considering the fact that all these PIN codes may be different values!
Issuers should therefore find a balance between security, acceptable risk and user friendliness that works for them and their customers.
For issuers that still consider HCE as ‘too insecure’, there may ultimately be a role for what Bell ID has called the ‘hybrid solution’, combining the benefits of the cloud with a physical SE on the device. This is a route to market which we also supported, with an implementation for a large Canadian issuer last year, but the current trend is strongly for ‘pure’ cloud solutions based on HCE.
Overall, many banks have already recognized that the opportunity that HCE offers more than outweighs the risks that it presents, especially seeing as so many of the banks are already happy with the limited risk associated with contactless payments. This debate is certainly one to watch over the coming months as we see more service providers make their moves.