Wave Systems Corp. (fka WAVXQ)

[barge]

Hi Wavedreamer---Bell ID concedes it needs hardware security on the device.

You write: "By the introduction of the HCE, no secure element (SE) is needed to emulate a card. As a result, there is no storage to keep the sensitive information of the app emulating the card such as balance, CVV2, PINs, etc. I just want to know how android fixes this issue? Where the sensitive information of apps should be stored? Does Google Wallet uses this technology? if yes, how the sensitive information are kept secure?"

This recent Aug 2014 Bell ID Blog article seems to concede the necessity of hardware security on the client side, where security is critical. This Bell ID piece came out about the time of the Wave/Bell PR. And I might also add that the Bell ID piece also, almost grudgingly, concedes that Trustzone mitigates risk over simply using HCE.

"Mobile payments user experience
Issuers should therefore find a balance between security, acceptable risk and user friendliness that works for them and their customers.
For issuers that still consider HCE as ‘too insecure’, there may ultimately be a role for what Bell ID has called the ‘hybrid solution’, combining the benefits of the cloud with a physical SE on the device. This is a route to market which we also supported, with an implementation for a large Canadian issuer last year, but the current trend is strongly for ‘pure’ cloud solutions based on HCE."


"Security is important however and to mitigate the risk caused by the absence of hardware security there are a number of ways in which additional security layers can be added to HCE-based mobile payments such as white box cryptography, obfuscation of programming code (security through obscurity), use of a TrustZone and further securing the communication channels between the device and the server such as (layered) encryption, mutual authentication and use of dual channels."

http://www.bellid.com/resources/blog/hce-mobile-payments-need-additional-security/


Do HCE Mobile Payments Need Additional Security?

Robert Wessels- Technical Sales Consultant
20 August 2014
mobile payments security


Since Google announced support for host card emulation (HCE) in Android KitKat 4.4 last year, the industry has been divided. Many recognize the value and opportunity that this brings to banks, mobile network operators (MNOs) and service providers for the deployment of mobile services – like payments, transit and loyalty – while others have sought to focus on security concerns that apparently limit the technology’s potential.

The balance of risk & reward

While some may consider the use of HCE less secure as there is no physical secure element (SE) involved, it is really a matter of perspective. Instead of storing the card data in the SE, ‘tokens’ are downloaded to the device and used to complete the transaction at the point of sale (POS). Any breach of security would expose only one or a limited amount of tokens (typically associated with a low transaction value), not the account itself. The limited gain available to hackers in return for the considerable investment of effort and time is more likely to make them put their focus on more attractive targets.

Mobile payment tokens
Many issuers and payment schemes therefore see this as an acceptable balance of risk and reward. With the value of the token being so low, it is questionable whether the highest level of security is required. As a comparison, your house is also less secure than a bank vault; the same level of protection is not required due to the value of the contents.
Layered security options for HCE

Security is important however and to mitigate the risk caused by the absence of hardware security there are a number of ways in which additional security layers can be added to HCE-based mobile payments such as white box cryptography, obfuscation of programming code (security through obscurity), use of a TrustZone and further securing the communication channels between the device and the server such as (layered) encryption, mutual authentication and use of dual channels.

Overall, the benefits that HCE can bring – such as the simplification of the business model, increased processing power and speed, greater storage capacity and further control over projects – are many and wide ranging. Some observers may consider that the strongest security concerns have come from those with the biggest vested interest in maintaining the SIM as an essential component. Many of these concerned parties followed the Google announcement last October by asserting that the card schemes would never certify such solutions. This fear proved groundless with the subsequent statements from Visa and MasterCard in February, detailing their plans to support cloud payments.

Security versus usability

I am not arguing that security is not needed or important, but simply that it should be balanced and proportionate. Focusing too much on security limits functionality, which will in turn limit consumer uptake. In general, the more security measures there are implemented, the less user friendly it becomes. An issuer should consider that something as simple as requiring an additional Cardholder Verification Method (CVM) such as a PIN for each contactless payment transaction could be a usability nightmare. This could mean that a user needs to enter a PIN to open the phone, enter a PIN/Passcode to open their Banking/Payment App, enter a PIN to allow the transaction and if the POS happens to be an old one, they may be asked to type a PIN on the POS. Far from the ‘tap and go’ experience the user is expecting and this is not even considering the fact that all these PIN codes may be different values!

Mobile payments user experience
Issuers should therefore find a balance between security, acceptable risk and user friendliness that works for them and their customers.
For issuers that still consider HCE as ‘too insecure’, there may ultimately be a role for what Bell ID has called the ‘hybrid solution’, combining the benefits of the cloud with a physical SE on the device. This is a route to market which we also supported, with an implementation for a large Canadian issuer last year, but the current trend is strongly for ‘pure’ cloud solutions based on HCE.

Overall, many banks have already recognized that the opportunity that HCE offers more than outweighs the risks that it presents, especially seeing as so many of the banks are already happy with the limited risk associated with contactless payments. This debate is certainly one to watch over the coming months as we see more service providers make their moves.

Learn more about HCE in this short explanatory video, read this article about why Australia is a perfect market for HCE mobile payments here or check out this infographic on market readiness for HCE mobile payments.