Host Card Emulation – Key Technologies to Secure Cloud-Based Mobile Payments

Man holding mobile phone. Secure payment notification in the screen.

The rise of ‘tap-to-pay’ payments
made using smartphones is showing no signs of slowing down. It is estimated
that mobile payments will amount to $14 trillion by 2022. To
keep up with this trend, banks and issuers must be proactive in offering
solutions that suit the evolving needs of their customers.

Rather than (or in addition to!)
supporting the ‘Giant Pays’, it can be beneficial for players to do it alone so
that they have full control of the solution. This means they can tailor it to
their business needs and meet the nuanced needs of their cardholders. They also
retain ownership of valuable customer data and can utilize it for future
product and service development. One compelling option that allows issuers to
launch their own solution is Host Card Emulation (HCE). HCE enables a smartcard
to be mimicked on an Android device using software, meaning transaction data
and card credentials are stored in a cloud server, rather than inside the
mobile device.

Recognizing Security Concerns

HCE solutions can be a great option for issuers to get to market cost-effectively for their
Android customers. However, they aren’t without their complexities. Rooted in
the NFC device OS, HCE apps can be more vulnerable than the ‘Giant Pays’. When
launching these solutions, it’s therefore imperative that players think
carefully about application security. But with more than half of Android
payment apps implementing fewer than three security features, they cannot rely solely on Android’s
minimal security features.

Achieving total security is
impossible for any implementation, but integrating strong security measures
make it harder for hackers to infiltrate applications and obtain sensitive
data. Multiple security technologies should form part of a layered strategy to mitigate Android security
concerns. So, which technologies can issuers apply to their HCE
solutions to protect data, money and consumer loyalty?

Eight Key Technologies to
Protect HCE Applications from Hackers

  • The first line of defense is often code obfuscation, which modifies data to ensure it’s no longer readable or useful to hackers. This increases the effort required to hack the application and access sensitive information in an app through reverse engineering.
  • Next, rooting detection helps detect rooting or locally installed rooting tools and prevents the application from running on a compromised device.
  • Anti-tamper and code integrity detect unauthorized modification of a program’s code and halts the app from further execution, making it harder for hackers to manipulate or tamper with.
  • As security bugs become increasingly advanced, anti-debug / anti-instrumentation / hook detection is also an important layer of security. It detects debug and function ‘hooking’, which is used by attackers to observe runtime behavior and control the app during an attack.
  • Device binding prevents an application and its data from functioning properly after being cloned onto another device and eliminates repetitive authentications.
  • Another security technology that can further minimize the security risks caused by the absence of hardware security is white-box cryptography. This obfuscates keys by not only storing them in the form of data and code, but also random data and in the composition of the code itself. This means that even though cryptographic algorithms are openly observable and modifiable, it is very difficult to determine which is the original key.
  • Payment tokenization converts sensitive payment information into a unique token, which has a limited number of predefined circumstances under which it can be unlocked, rendering the data useless to hackers.
  • Finally, while the use of hardware protection is not required or standard for HCE deployments, some implementations are now utilizing Trusted Execution Environment (TEE) technologies to add additional security. They provide secure, isolated environments in which to store the “trusted application” itself, its sensitive code and cryptographic keys.
  • The Road to Success

Ultimately, banks and other issuers simply cannot afford to cut security corners, otherwise they will be susceptible to data breaches that can cause irreparable reputational and financial harm. But layering software- and hardware-based security technologies can be complex and requires expertise. Working with a strategic partner can help banks adhere to best practice when defining, designing and deploying HCE solutions, ensuring the protection of issuer and customer data. Seeking support from the very start of projects is crucial, as it mitigates costly delays and unexpected challenges along the way.

To find out more about why HCE is a compelling option, the challenges of implementation, and how to defend against attacks with security tools, read our eBook.

The post Host Card Emulation – Key Technologies to Secure Cloud-Based Mobile Payments appeared first on PaymentsJournal.

Comments are closed.