Host Card Emulation – key technologies to secure cloud-based mobile payments
By Christian Damour, Product and Services Manager - Security at FIME
The rise of ‘tap-to-pay’ payments made using smartphones is showing no signs of slowing down. It is estimated that mobile payments will amount to $14 trillion by 2022. To keep up with this trend, banks and issuers must be proactive in offering solutions that suit the evolving needs of their customers.
Rather than (or in addition to!) supporting the ‘Giant Pays’, it can be beneficial for players to go it alone so that they have full control of the solution. This means they can tailor it to their business needs and meet the nuanced needs of their cardholders. They also retain ownership of valuable customer data and can utilize it for future product and service development. One compelling option that allows issuers to launch their own solution is Host Card Emulation (HCE). HCE enables a smartcard to be mimicked on an Android device using software, meaning transaction data and card credentials are stored in a cloud server, rather than inside the mobile device.
Recognizing security concerns
HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’. When launching these solutions, it’s therefore imperative that players think carefully about application security. But with more than half of Android payment apps implementing fewer than three security features, they cannot rely solely on Android’s minimal security features.
Achieving total security is impossible, for any implementation, but integrating strong security measures make it harder for hackers to infiltrate applications and obtain sensitive data. Multiple security technologies should form part of a layered strategy to mitigate Android security concerns. So, which technologies can issuers apply to their HCE solutions to protect data, money and consumer loyalty?
Eight key technologies to protect HCE applications from hackers
The first line of defense is often code obfuscation, which modifies data to ensure it’s no longer readable or useful to hackers. This increases the effort required to hack the application and access sensitive information in an app through reverse engineering. Next, rooting detection helps detect rooting or locally installed rooting tools and prevents the application from running on a compromised device.
Anti-tamper and code integrity detect unauthorized modification of a program’s code and halts the app from further execution, making it harder for hackers to manipulate or tamper with. As security bugs become increasingly advanced, anti-debug / anti-instrumentation / hook detection is also an important layer of security. It detects debug and function ‘hooking’, which is used by attackers to observe runtime behavior and control the app during an attack.
Device binding prevents an application and its data from functioning properly after being cloned onto another device and eliminates repetitive authentications. Another security technology that can further minimize the security risks caused by the absence of hardware security is white-box cryptography. This obfuscates keys by not only storing them in the form of data and code, but also random data and in the composition of the code itself. This means that even though cryptographic algorithms are openly observable and modifiable, it is very difficult to determine which is the original key.
Payment tokenization converts sensitive payment information into a unique token, which has a limited number of predefined circumstances under which it can be unlocked, rendering the data useless to hackers. Finally, while the use of hardware protection is not required or standard for HCE deployments, some implementations are now utilizing GlobalPlatform-based Trusted Execution Environment (TEE) technologies to add additional security. They provide secure, isolated environments in which to store the “trusted application” itself, its sensitive code and cryptographic keys.
The road to success
Ultimately, banks and other issuers simply cannot afford to cut security corners, otherwise they will be susceptible to data breaches that can cause irreparable reputational and financial harm. But layering software- and hardware-based security technologies can be complex and requires expertise. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of issuer and customer data. Seeking support from the very start of projects is crucial, as it mitigates costly delays and unexpected challenges along the way.