Host Card Emulation – key technologies to secure cloud-based mobile payments

Christian Damour

Security at FIME

27.11.2019 11:30 am

The rise of ‘tap-to-pay’ payments made using smartphones is showing no signs of slowing down. It is estimated that mobile payments will amount to $14 trillion by 2022. To keep up with this trend, banks and issuers must be proactive in offering solutions that suit the evolving needs of their customers.

Rather than (or in addition to!) supporting the ‘Giant Pays’, it can be beneficial for players to go it alone so that they have full control of the solution. This means they can tailor it to their business needs and meet the nuanced needs of their cardholders. They also retain ownership of valuable customer data and can utilize it for future product and service development. One compelling option that allows issuers to launch their own solution is Host Card Emulation (HCE). HCE enables a smartcard to be mimicked on an Android device using software, meaning transaction data and card credentials are stored in a cloud server, rather than inside the mobile device.

Recognizing security concerns

HCE solutions can be a cost-effective way for issuers to reach their Android customers, but they are not without complexities. Because an HCE app runs in the NFC device's ordinary OS rather than in a secure element, it can be more vulnerable than the ‘Giant Pays’. When launching these solutions, it is therefore imperative that players think carefully about application security. With more than half of Android payment apps implementing fewer than three security features, issuers cannot rely solely on Android’s minimal built-in protections.

Achieving total security is impossible for any implementation, but integrating strong security measures makes it harder for hackers to infiltrate applications and obtain sensitive data. Multiple security technologies should form part of a layered strategy to mitigate Android security concerns. So, which technologies can issuers apply to their HCE solutions to protect data, money and consumer loyalty?

Eight key technologies to protect HCE applications from hackers

The first line of defense is often code obfuscation, which modifies data so that it is no longer readable or useful to hackers. This increases the effort required to reverse engineer the application and reach the sensitive information it handles. Next, rooting detection identifies a rooted device or locally installed rooting tools and prevents the application from running on a compromised device.

Anti-tamper and code integrity checks detect unauthorized modification of a program’s code and halt the app’s execution, making it harder for hackers to manipulate or tamper with. As attacks become increasingly advanced, anti-debug / anti-instrumentation / hook detection is also an important layer of security. It detects debuggers and function ‘hooking’, which attackers use to observe runtime behavior and control the app during an attack.

Device binding prevents an application and its data from functioning after being cloned onto another device and eliminates repetitive authentications. Another technology that can further reduce the risk created by the absence of hardware security is white-box cryptography. This obfuscates keys by storing them not only as data and code, but also as random data and in the composition of the code itself. This means that even though the cryptographic algorithm is openly observable and modifiable, it is very difficult to determine the original key.
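The following is an added illustration, not code from the article or from FIME, of how the device binding and code integrity checks described above fit together: a stored payment token is sealed under a key derived from a device identifier and the hash of the app's signing certificate, so a copy of the data on another device, or under a repackaged app, no longer verifies. All identifiers and secrets are constructed sample values; it protects authenticity only, and confidentiality of the token at rest would additionally need an AEAD key kept in the Android Keystore.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def device_fingerprint(device_id: str, apk_signing_cert: bytes) -> bytes:
    """Bind device identity to the hash of the app's signing certificate.
    A repackaged APK is signed with a different certificate, so the
    fingerprint (and hence the derived key) changes: a code-integrity check."""
    cert_hash = hashlib.sha256(apk_signing_cert).digest()
    return hashlib.sha256(b"hce-fp|" + device_id.encode() + b"|" + cert_hash).digest()


def derive_binding_key(enrolment_secret: bytes, fingerprint: bytes) -> bytes:
    """HKDF-style extract-and-expand: the key exists only for one device/app pair."""
    prk = hmac.new(fingerprint, enrolment_secret, hashlib.sha256).digest()
    return hmac.new(prk, b"hce-device-binding\x01", hashlib.sha256).digest()


def seal_credential(key: bytes, payment_token: bytes) -> bytes:
    """Append a MAC so the stored token is usable only under the binding key."""
    return payment_token + hmac.new(key, payment_token, hashlib.sha256).digest()


def open_credential(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Return the token if the MAC verifies on this device, otherwise None."""
    if len(sealed) < 32:
        return None
    token, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, token, hashlib.sha256).digest()
    return token if hmac.compare_digest(tag, expected) else None


def demo() -> Tuple[bool, bool, bool]:
    # Constructed sample values; a real wallet would use a server-issued
    # enrolment secret, a device identifier and the installed APK's certificate.
    secret, token = b"issuer-enrolment-secret-example", b"tokenised-pan-example"
    cert_ok, cert_bad = b"genuine-signing-cert", b"attacker-resigned-cert"
    key_a = derive_binding_key(secret, device_fingerprint("device-A", cert_ok))
    sealed = seal_credential(key_a, token)            # stored on device A
    key_b = derive_binding_key(secret, device_fingerprint("device-B", cert_ok))
    key_t = derive_binding_key(secret, device_fingerprint("device-A", cert_bad))
    return (open_credential(key_a, sealed) == token,        # enrolled device: ok
            open_credential(key_b, sealed) is not None,     # cloned to device B
            open_credential(key_t, sealed) is not None)     # repackaged app


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```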

Payment tokenization converts sensitive payment information into a unique token that can be unlocked only under a limited set of predefined circumstances, rendering the data useless to hackers. Finally, while hardware protection is neither required nor standard for HCE deployments, some implementations now use Trusted Execution Environment (TEE) technologies to add further security. A TEE provides a secure, isolated environment in which to store the “trusted application” itself, its sensitive code and its cryptographic keys.

The road to success

Ultimately, banks and other issuers simply cannot afford to cut security corners; otherwise they will be susceptible to data breaches that can cause irreparable reputational and financial harm. But layering software- and hardware-based security technologies is complex and requires expertise. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of issuer and customer data. Seeking support from the very start of a project is crucial, as it mitigates costly delays and unexpected challenges along the way.
