Are contactless payments safe? What is HCE? How does tokenisation work?

These are just some of the questions around NFC, the technology behind the bulk of today’s contactless payments, that are tackled in a new whitepaper on the key issues in payment security.

What are the risks to NFC services?

The short answer is a lot, but perhaps the greatest risk is that a security breach could discourage adoption by end users. Apple Pay and Android Pay are perhaps the two most important mobile wallets that use NFC and neither one is completely safe. Apple recently disclosed a major hack on its app store, while malware attacks on Android are too common to even mention.

The key risks concern the data stored on the handset, such as card details, and access to mobile banking logins. In the case of Apple Pay, Android Pay and similar wallets, however, tokenisation means that credit and debit card numbers are not stored on any device, shared with a merchant or held on the servers of the payment system operator.

What security does a mobile device offer?

There are three areas within a mobile device that deliver different levels of security. A rich operating system – such as Android or Windows – is an open environment that boasts little in the way of in-built security.

Next is the trusted execution environment (TEE), which comprises software and hardware and offers “protection, confidentiality, integrity, isolation and data access control to applications known as ‘trusted applications’”.

Thirdly, there is the secure element (SE). For payments, this controls the interactions between the issuing bank, mobile payment app and the merchant. It emulates the secure chip on the payment card and is found in the SIM or in a chip embedded in the phone handset.

According to the whitepaper, the TEE and the SE can work “in tandem” to improve security. “For example, entering a PIN that will authorise a transaction. This user-interaction becomes a weakness in the security chain, since the Rich OS is prone to be infected by keyloggers. By combining the capabilities of the SE and TEE, a more robust and user-friendly level of security can be achieved.”

What about HCE and tokenisation?

HCE, or Host Card Emulation, means a payment can be made without accessing the SE: transaction requests are sent to a mobile application rather than to the SE. On Android phones, payment apps are protected by Android system permission controls that prevent anything but the operating system from binding to, and communicating with, the app.

Google says in its note to developers: “The core remaining piece is where you get your data that your app sends to the NFC reader. This is intentionally decoupled in the HCE design: it does not care where the data comes from, it just makes sure that it is safely transported to the NFC controller and out to the NFC reader.”

Tokenisation is crucial for HCE because it removes the static PAN (the card’s primary account number) from the transaction and replaces it with a dynamic surrogate, or token, that is useless to an attacker if it is compromised.

“These security measures will drastically limit the impact of any hacking attempt so, from a risk management perspective, HCE can be trusted as a payment method,” says the report.
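As an added illustration of the tokenisation described above (example code, not from the whitepaper or from any payment scheme), the following Python models the split between an HCE wallet, a merchant and an issuer-side token vault: the merchant sees only a device-bound token and a single-use cryptogram, so replaying it or presenting it from another device is declined, and the PAN never leaves the vault. The class and function names, the device identifiers and the test PAN are all constructed for the example.

```python
import hashlib
import hmac
import secrets
# Added example (not from the whitepaper): a toy model of payment tokenisation.
# Real schemes use EMV cryptograms; this shows only why a captured token is useless.

def make_cryptogram(key: bytes, token: str, amount: int, counter: int) -> bytes:
    """Per-transaction cryptogram: HMAC over the token, amount and a counter."""
    return hmac.new(key, f"{token}|{amount}|{counter}".encode(), hashlib.sha256).digest()

class TokenVault:
    """Issuer/TSP side: the only place the token-to-PAN mapping exists."""
    def __init__(self):
        self._vault = {}    # token -> (PAN, bound device, limited-use key)
        self._seen = set()  # (token, counter) pairs already accepted

    def provision(self, pan, device_id):
        """Bind a fresh token and key to one device; the PAN never leaves the vault."""
        token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_id, key)
        return token, key

    def authorise(self, token, device_id, amount, counter, cryptogram):
        if (entry := self._vault.get(token)) is None:
            return "DECLINE:unknown_token"
        pan, bound_device, key = entry
        if device_id != bound_device:
            return "DECLINE:wrong_device"   # token is bound to one domain
        if (token, counter) in self._seen:
            return "DECLINE:replay"         # each cryptogram is single-use
        if not hmac.compare_digest(make_cryptogram(key, token, amount, counter), cryptogram):
            return "DECLINE:bad_cryptogram"
        self._seen.add((token, counter))
        return "APPROVE:" + pan[-4:]        # only the issuer resolves token -> PAN

def wallet_pay(token, key, device_id, counter, amount):
    """HCE wallet on the handset: it holds the token and key, never the PAN."""
    return (token, device_id, amount, counter, make_cryptogram(key, token, amount, counter))

def run_scenario():
    vault = TokenVault()
    token, key = vault.provision("4111111111111111", "phone-A")  # constructed test PAN
    first = wallet_pay(token, key, "phone-A", 1, 2500)  # all the merchant ever sees
    return {
        "legit": vault.authorise(*first),
        "replay": vault.authorise(*first),  # merchant record replayed verbatim
        "other_device": vault.authorise(token, "phone-B", 2500, 2, bytes(32)),
        "pan_seen_by_merchant": "4111111111111111" in repr(first),
    }
```

Because the cryptogram also covers the amount and counter, a captured merchant record cannot be altered or resubmitted, which is the property the report relies on when it calls HCE trustworthy from a risk-management perspective.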

Who’s responsible for security?

For an SE-based model (i.e. not HCE), it is the SE issuer. “It has ultimate responsibility for the security of the applications residing on the platform,” the whitepaper says, adding that it can “therefore stipulate security requirements and authorise any applications to be loaded onto the SE”.

In HCE models, the paper suggests there is no clearly defined “chain of trust”, but notes that there is one for provisioning tokens and keys to the application.

“For sensitive application providers, such as mobile payments, there are many procedures and requirements that must be adhered to,” it says. “For basic application developers, a risk assessment will reveal limited dangers to their businesses or the end-user if the application is corrupted. As such, there are no formal security certifications.”

The whitepaper, The NFC Security Quiz v2.0, goes on to list three more questions around certification requirements, security evaluations and the future role of NFC security certification.