“Contactless” HCE Payments Promise Simplicity But Is It Secure?

Host Card Emulation is a powerful and flexible technology, but like most software-dependent solutions, it can be hacked and exploited.

I’ve long written about the accelerating revolution in payments, whereby the mobile device is our wallet, our doorway to mobile commerce. Today, millions of us use our mobile phones for everyday purchases, paying our bills and trading stocks. Over the next few years that number is predicted to swell into the billions, according to a report from Juniper Research.

One of the key enabling technologies driving this adoption is “contactless” payments, or NFC (Near Field Communications), because it offers the ultimate in user convenience -- it’s fast and there are no pesky passwords to remember. Recently, we have witnessed the deployment of an NFC technology called Host Card Emulation (HCE) at select banks in the UK and elsewhere. HCE is an NFC software technology that promises simplicity and low deployment costs, in part due to its reliance on software-based security.

But, like all payment technologies, we must ask, is the technology truly ready? Will relentless cybercrime exploit this new payment technology just as it has managed to compromise other payment technologies?

NFC payments allow for quick and convenient mobile payments. Simply wave your NFC-enabled mobile device within a few centimeters of a payment terminal and your transaction ‘works.’ Behind the scenes, a number of authentication steps and security checks are performed. With “traditional” NFC these are handled by specialized hardware on the device called a Secure Element (“SE”), a chip which performs cryptography and stores sensitive data in a secure and trusted environment.

With the introduction of Google’s Android 4.4 (“KitKat”) mobile operating system, Google enabled HCE, allowing developers to perform NFC card emulation without using that “chip” found in all NFC-enabled mobile handsets. Many in the payment industry see this as a way to quickly deploy NFC while conveniently bypassing the Mobile Network Operators (MNOs), traditionally seen as the gatekeepers of mobile commerce. In my opinion however, this is yet another example of disintermediation caused by the power of innovative technology, friendly or not. When it comes to securing payments, I fear that there are those in the industry willing to make the trade-off between speed and convenience at the expense of strong security and authentication. It doesn’t have to be that way.

The trouble with HCE
HCE is indeed a powerful and flexible technology, but like most software-dependent solutions, it can be hacked and exploited. In fact, one of the greatest security risks associated with HCE is the ability to exploit a “rooted” device. Rooting allows users of handsets, tablets, and other devices to attain privileged control. Whether rooting is done by the legitimate user or by malware that roots the device itself, once full access to all application data stored on the device is available, that data is ripe for exploitation (see Android Fake ID Vulnerability).

Given the momentum building with HCE, questions remain about what we can do to secure this promising new payment technology. What do the security layers look like, and how do we authenticate users and transactions in a world where mobile payments and commerce are in the cloud?

There is no single answer or solution to securing transactions in a mobile world. However, I believe we must first recognize that the notion of a user ID and password equating to “good security” is fundamentally wrong. We need real-time, multi-factor, multi-layer, low or no friction authentication security. Contactless NFC payment technology, irrespective of whether it is SE or HCE enabled, can be combined with technology such as real-time, privacy-sensitive, proximity/geo-location technologies to determine that the genuine customer is at the place of the transaction.

If further user/transaction verification is required, an automated conversation utilizing voice biometrics can be conducted through the mobile phone (without even the need for a call) providing the highest level of transaction authentication/verification, but in a totally low friction format. The audit trail resulting from such an approach provides the greatest assurance in the event that there is repudiation of the transaction, the bane of the payments industry today for both the consumer and the service provider.

Invisible security
This approach recognizes that authentication is not just for the initiation of a transaction, but must persist through to completion via true transaction verification. Underpinning such an implementation lies the trusted device, established during the low-friction enrollment/registration process, and a strong contributor to the “invisible” security process.
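The layered, low-friction flow described above (trusted device established at enrollment, real-time proximity of the customer's device to the terminal, step-up to voice-biometric verification when proximity cannot be established, and an audit trail for repudiation) is sketched below as an added illustration. This is not code from the original article or from any particular payment provider; the risk engine, the enrolled-device list, the distance and age thresholds, and the sample London coordinates are all assumptions constructed for the example.

```python
"""Layered, low-friction authorization check for a contactless payment.

Added illustration, not code from the original article. It assumes a
hypothetical risk engine with: an enrolled "trusted device" list (from the
enrollment step), a real-time proximity check between the device and the
terminal, and a flag that requests step-up verification (the article's
voice-biometric conversation) when proximity cannot be established.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

# Constructed sample: device IDs registered during enrollment.
TRUSTED_DEVICES = {"dev-enrolled-001"}


@dataclass(frozen=True)
class PaymentAttempt:
    device_id: str
    terminal_lat: float
    terminal_lon: float
    device_lat: float
    device_lon: float
    fix_age_s: int       # age of the device's last location fix, in seconds
    amount: float


@dataclass(frozen=True)
class Decision:
    outcome: str         # "approve", "step_up" or "deny"
    reason: str
    distance_m: int      # rounded; raw coordinates are never persisted


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def assess(attempt, max_distance_m=200.0, max_fix_age_s=120, step_up_amount=100.0):
    """Return a Decision carrying the fields an audit trail should keep.

    The order of checks mirrors the article's layers: trusted device first,
    then real-time proximity, then an amount-based step-up. The thresholds
    are illustrative assumptions, not values from the article.
    """
    distance = haversine_m(attempt.terminal_lat, attempt.terminal_lon,
                           attempt.device_lat, attempt.device_lon)
    rounded = int(round(distance))

    # Layer 1: only a device established at enrollment may transact at all.
    if attempt.device_id not in TRUSTED_DEVICES:
        return Decision("deny", "device not enrolled", rounded)

    # Layer 2: a stale fix says nothing about where the customer is now.
    if attempt.fix_age_s > max_fix_age_s:
        return Decision("step_up", "location fix too old", rounded)

    # Layer 2: the genuine customer's device should be at the terminal.
    if distance > max_distance_m:
        return Decision("step_up", "device not at terminal", rounded)

    # Layer 3: higher-value transactions still get explicit verification.
    if attempt.amount >= step_up_amount:
        return Decision("step_up", "amount above step-up threshold", rounded)

    return Decision("approve", "trusted device at terminal", rounded)


def audit_line(attempt, decision):
    """Audit-trail record kept in case the transaction is later repudiated.

    Only the decision, reason and rounded distance are recorded, not the
    coordinates themselves (the "privacy-sensitive" part of the check).
    """
    return (f"device={attempt.device_id} amount={attempt.amount:.2f} "
            f"distance_m={decision.distance_m} outcome={decision.outcome} "
            f"reason={decision.reason!r}")


if __name__ == "__main__":
    # Constructed sample: a terminal in central London and three attempts.
    terminal = (51.5074, -0.1278)
    at_terminal = PaymentAttempt("dev-enrolled-001", *terminal, 51.5074, -0.1278, 15, 24.50)
    far_away = PaymentAttempt("dev-enrolled-001", *terminal, 51.5174, -0.1278, 15, 24.50)
    unknown = PaymentAttempt("dev-unknown-999", *terminal, 51.5074, -0.1278, 15, 24.50)
    for a in (at_terminal, far_away, unknown):
        print(audit_line(a, assess(a)))
```

The device-at-terminal check is deliberately a step-up trigger rather than a hard deny: a legitimate customer with a stale or imprecise location fix should be asked for the low-friction verification the article describes, not refused outright. Only a device that was never enrolled is denied, because nothing ties it to the customer at all.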

With significant market forces generating momentum behind both SE-based NFC and HCE-based NFC, it’s clear that both methods will be pervasive, and competition will be intense. For consumers there is little apparent difference. But behind the scenes there are serious security issues to be addressed. Finding the right level of security commensurate with the risk of loss ultimately is the critical factor facing the payments industry, and the approach I’ve outlined provides a high-level blueprint for achieving such a goal.

It would be wrong to step in the way of innovation, but as consumers we should expect that any new form of payment security has been well thought through, and with it should come the highest levels of assurance that our payments are secure and our credentials are protected. Given the vulnerabilities and breaches affecting the traditional payment ecosystem that generate daily headlines, it would be an indictment if new payment technologies were allowed to generate market share once again at the consumer’s expense. It is time for the relevant authorities to stand up and be counted.