Host card emulation's a key tech, but it has security holes

Register now

The rise of smartphone-based ‘tap-to-pay’ payments shows no signs of slowing down. It is estimated that mobile payments will amount to $14 trillion by 2022. To keep up with this trend, banks and issuers must be proactive in offering solutions that suit the evolving needs of their customers.

Rather than, or in addition to, supporting "The Pays," it can be beneficial for players to go it alone so they have full control of the solution. This means they can tailor mobile payments to their business requirements and meet the nuanced needs of their cardholders. They also retain ownership of valuable customer data and can utilize it for future product and service development.

One compelling option that allows issuers to launch their own solution is Host Card Emulation (HCE). HCE enables a smartcard to be mimicked on an Android device using software, meaning transaction data and card credentials are stored in a cloud server, rather than inside the mobile device.

HCE solutions can be a great option for issuers to cost-effectively deliver mobile payments for their Android customers. However, HCE isn't without its complexity. Rooted in the NFC device OS, HCE apps can be more vulnerable than "The Pays."

When launching these solutions, it’s therefore imperative that players think carefully about application security. But with more than half of Android payment apps implementing fewer than three security features, they cannot rely solely on Android’s minimal security features.

Achieving total security is impossible, for any implementation, but integrating strong security measures make it harder for hackers to infiltrate applications and obtain sensitive data. Multiple security technologies should be part of a layered strategy to mitigate Android security concerns. So, which technologies can issuers apply to their HCE solutions to protect data, money and consumer loyalty?

There are several key technologies to protect HCE applications from hackers. The first line of defense is often code obfuscation, which modifies data to ensure it’s no longer readable or useful to hackers. This increases the effort required to hack the application and access sensitive information in an app through reverse engineering. Next, rooting detection helps detect rooting or locally installed rooting tools and prevents the application from running on a compromised device.

Anti-tamper and code integrity detect unauthorized modification of a program’s code and halts the app from further execution, making it harder for hackers to manipulate or tamper with. As security bugs become increasingly advanced, anti-debug / anti-instrumentation / hook detection is also an important layer of security. It detects debug and function "hooking," a technique attackers use to observe runtime behavior and control the app during an attack.

Device binding prevents an application and its data from functioning properly after being cloned onto another device and eliminates repetitive authentications. Another security technology that can further minimize the security risks caused by the absence of hardware security is white-box cryptography. This obfuscates keys by not only storing them in the form of data and code, but also random data and in the composition of the code itself. This means that even though cryptographic algorithms are openly observable and modifiable, it is very difficult to determine which is the original key.

Payment tokenization converts sensitive payment information into a unique token, which has a limited number of predefined circumstances under which it can be unlocked, rendering the data useless to hackers. Finally, while the use of hardware protection is not required or standard for HCE deployments, some implementations are now utilizing Trusted Execution Environment (TEE) technologies to add additional security. They provide secure, isolated environments in which to store the “trusted application” itself, its sensitive code and cryptographic keys.

Ultimately, banks and other issuers simply cannot afford to cut security corners, otherwise they will be susceptible to data breaches that can cause irreparable reputational and financial harm. But layering software- and hardware-based security technologies can be complex and requires expertise. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of issuer and customer data. Seeking support from the very start of projects is crucial, as it mitigates costly delays and unexpected challenges along the way.

For reprint and licensing requests for this article, click here.
Mobile banking Payment fraud Security risk Retailers ISO and agent