Host Card Emulation – key technologies to secure cloud-based mobile payments

Host Card Emulation – key technologies to secure cloud-based mobile payments

Christian Damour

Security at FIME

Views 689

Host Card Emulation – key technologies to secure cloud-based mobile payments

27.11.2019 11:30 am

The rise of ‘tap-to-pay’ payments made using smartphones is showing no signs of slowing down. It is estimated that mobile payments will amount to $14 trillion by 2022. To keep up with this trend, banks and issuers must be proactive in offering solutions that suit the evolving needs of their customers.

Rather than (or in addition to!) supporting the ‘Giant Pays’, it can be beneficial for players to go it alone so that they have full control of the solution. This means they can tailor it to their business needs and meet the nuanced needs of their cardholders. They also retain ownership of valuable customer data and can utilize it for future product and service development. One compelling option that allows issuers to launch their own solution is Host Card Emulation (HCE). HCE enables a smartcard to be mimicked on an Android device using software, meaning transaction data and card credentials are stored in a cloud server, rather than inside the mobile device.

Recognizing security concerns

HCE solutions can be a great option for issuers to get to market cost-effectively for their Android customers. However, they aren’t without their complexities. Rooted in the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’. When launching these solutions, it’s therefore imperative that players think carefully about application security. But with more than half of Android payment apps implementing fewer than three security features, they cannot rely solely on Android’s minimal security features.

Achieving total security is impossible, for any implementation, but integrating strong security measures make it harder for hackers to infiltrate applications and obtain sensitive data. Multiple security technologies should form part of a layered strategy to mitigate Android security concerns. So, which technologies can issuers apply to their HCE solutions to protect data, money and consumer loyalty?

Eight key technologies to protect HCE applications from hackers

The first line of defense is often code obfuscation, which modifies data to ensure it’s no longer readable or useful to hackers. This increases the effort required to hack the application and access sensitive information in an app through reverse engineering. Next, rooting detection helps detect rooting or locally installed rooting tools and prevents the application from running on a compromised device.

Anti-tamper and code integrity detect unauthorized modification of a program’s code and halts the app from further execution, making it harder for hackers to manipulate or tamper with. As security bugs become increasingly advanced, anti-debug / anti-instrumentation / hook detection is also an important layer of security. It detects debug and function ‘hooking’, which is used by attackers to observe runtime behavior and control the app during an attack.

Device binding prevents an application and its data from functioning properly after being cloned onto another device and eliminates repetitive authentications. Another security technology that can further minimize the security risks caused by the absence of hardware security is white-box cryptographyThis obfuscates keys by not only storing them in the form of data and code, but also random data and in the composition of the code itself. This means that even though cryptographic algorithms are openly observable and modifiable, it is very difficult to determine which is the original key.

Payment tokenization converts sensitive payment information into a unique token, which has a limited number of predefined circumstances under which it can be unlocked, rendering the data useless to hackers. Finally, while the use of hardware protection is not required or standard for HCE deployments, some implementations are now utilizing Trusted Execution Environment (TEE) technologies to add additional security. They provide secure, isolated environments in which to store the “trusted application” itself, its sensitive code and cryptographic keys.

The road to success

Ultimately, banks and other issuers simply cannot afford to cut security corners, otherwise they will be susceptible to data breaches that can cause irreparable reputational and financial harm. But layering software- and hardware-based security technologies can be complex and requires expertise. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of issuer and customer data. Seeking support from the very start of projects is crucial, as it mitigates costly delays and unexpected challenges along the way.

Latest blogs

n/a n/a

How COVID-19 Is Ushering In a New Era of Cashless Technology

  Image source:   Cashless technology isn't a completely fresh concept. People have been using credit cards for decades, and the market for fintech services has been Read more »

Jean Shin tyntec

Using WhatsApp for 2FA is the Future of Banking

From user authentication and password resets to transaction verification, two-factor authentication (2FA) offers basic but useful protection for consumers. The 2FA process typically sends an SMS sent to the customer with a one-time password (OTP). Read more »

Amir Ghodrati App Annie

The Role of Fintech Apps in Navigating This Period of Financial Insecurity

Economic instability has been ricocheting throughout the stock market in the wake of the global coronavirus pandemic. Its effects have been felt across all industries, with winners and losers’ across different sectors. So, how has fintech Read more »

n/a n/a

How to Choose a VPN for Digital Privacy & Security

In a world where almost everything is connected, and where hackers and other malicious people are roaming the internet, it is always advisable that you take every precaution that you can to enhance your data security and privacy protections. Using a Read more »

Ben Slater Instaclustr

The Case for Adopting Open Source – Own Rather Than Rent the Foundations of Your Business

For some time open source was seen as something that only the biggest companies could use and play with. But with the modern, increasingly fast business environment, the use cases for open source are in everything and the technology is increasingly Read more »

Related Blogs

John Cragg MYHSM

The Cloud – what's stopping financial institutions?

The majority of financial institutions have or are developing a cloud strategy, and most are already making some use of the cloud. There are a number of reasons why the cloud is an attractive alternative to running your IT in the traditional manner Read more »

Francis Leclerc Horizon Software

Just about managing: How cloud can help boost trading profits

It’s a tough environment for trading at the moment. Margins are being squeezed across the board to the extent that some major investment banks are completely withdrawing from certain asset classes upon discovering they are not making a profit. This Read more »

Jeff Axelrad Amazon Web Services (AWS)

What are the European Banking Authority Guidelines on Outsourcing and what do they mean for financial services organisations?

Financial institutions across the globe use AWS to transform the way they do business. It’s exciting to watch our customers in the financial services industry, such as Allianz, Barclays, Goldman Sachs Monzo, Tandem, and Starling Bank, innovate in Read more »

Yeming WANG Alibaba Cloud

Innovative cloud developments for the financial services industry

The financial services industry has been energised by the power of digital technologies as it looks for new ways to deliver products and services. Exciting fintech innovations are helping the sector to reinvent itself, transforming its processes and Read more »

Gareth Williams YellowDog

Reach for the Skies with Your Multi-Cloud Transformation

The huge proliferation of sensitive data, increasing technological complexities and a continually evolving regulatory landscape mean data handling is more difficult than ever in the financial world. Cloud-computing has, to some extent, provided Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel