[Dave Birch] There's been considerable interest in our post last week drawing attention to the first public announcement of using NFC in a mobile handset for EMV transactions that do not need a Secure Element (SE) and, naturally, some people have been asking us how it works. Before I return to the specific case of Bankinter, let me just make a general point about what is going on here.
As I mentioned to a couple of the people who e-mailed me, we have been working on non-SE EMV over NFC for more than two years now, so we know rather a lot about this at Consult Hyperion. In fact, we know everything about it, so I thought I'd follow up with a slightly more detailed description of the general class of solution. To understand how this class works, you have to understand how EMV works (not what it does, but how it works). In particular, you need to understand something about the keys and certificates that EMV uses to implement the cryptography required for secure transactions. If you are interested in understanding how EMV uses cryptographic keys and certificates to deliver secure transactions, the good people at Cryptomathic have a nice PDF that you can download.
Entitled “EMV Key Management – Explained,” the Cryptomathic white paper provides an overview of the cryptographic processes involved when issuing and managing payment card and mobile applications based on EMV chip card technology.
[From ContactlessNews | Cryptomathic publishes white paper, 'EMV Key Management – Explained']
To greatly simplify, your EMV card contains a cryptographic key that is valid until the expiry date of the card. If the bad guys could get hold of this key (they can't, because it is in the tamper-resistant chip on the card and is never given up) then they could make a clone of your card and go off on a spending spree. So how can an app use EMV without a key stored in a tamper-resistant chip, and without risking card cloning? Well, what an app could do is go online to the bank and get a temporary key that it can use but that will not compromise security if it is somehow obtained by criminals. This temporary key could then be used to secure valid EMV transactions through the NFC interface. If the bad guys steal your phone and guess your password and figure out how to decrypt the temporary key from the app, then they are left with a key that is valid for, let's say, one transaction or a couple of transactions or whatever the banks decide to set it to (so long as you haven't noticed the phone is missing and reported it stolen). Such an app doesn't use the handset manufacturer's SE or the mobile operator's SE or indeed an attached SE. It's just an app that uses NFC, but that uses NFC to make secure transactions that are interoperable with the installed terminal estate. This all radically reduces the cost of development, deployment and use, as it's goodbye to the Trusted Service Manager (TSM) and the operator's "apartment model" of renting SIM space.
I should be clear that I am not describing in the paragraph above any specific implementation that any of our clients may or not be exploring. Here I will merely say that there are a variety of different possible implementations of this general schema, depending on how the "card" issuer wants the system to work. So, for example, there is a big difference between online EMV and offline EMV and you may choose different strategies depending on whether you want the app to go online at POS or not, that sort of thing.
So, with that background established, back to the story that I called an "NFC Earthquake".
Spanish banking group Bankinter has developed an NFC payments solution that works without a secure element, potentially cutting out both mobile network operators and over-the-top players like Google from the NFC payments business.
[From Bankinter develops NFC payments service that eliminates need for secure elements • NFC World]
Mr. Alberto Perez Lafuente from Bankinter was kind enough to give me some of his time this week so that I could ask him a few questions on behalf of blog readers. To summarise: they have chosen an online-only payment solution able to handle EMV mobile payments performed with one-time-use payment cards. Each single-use card (valid for one minute) is generated at the mobile app when the user inserts personal / transaction data, and the user then has up to 60 seconds to tap the mobile to the merchant contactless POS for payment. This makes complete sense in the Spanish market where all POS terminals go online (as they do in, for example, the US). Alberto also told me that they are looking at a solution for transit by implementing DESFire using a similar strategy.
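To make the general scheme from the earlier paragraph and the Bankinter specifics concrete, here is a small model of both sides of the exchange: the bank provisions a limited-use key to an authenticated app, the app uses it to compute a cryptogram over the data the terminal presents, and the bank's online host checks lifetime, use count and cryptogram before approving. This is an added illustration written for this post, not Bankinter's, Seglan's or Consult Hyperion's code. Its assumptions: HMAC-SHA256 stands in for the EMV ARQC (real cryptograms are MACs over specific EMV data elements with session keys derived per transaction counter), the limited-use key is derived from a master key and a random key id so the host stores only metadata, the 60-second window and single-use count are taken from the post, and all names, account numbers and keys are constructed.

```python
import hmac
import hashlib
import secrets

TTL_SECONDS = 60   # one-minute validity, as stated for the Bankinter scheme
MAX_USES = 1       # single-use; an issuer could choose a small N instead


def cryptogram_for(key: bytes, tx: dict) -> bytes:
    """Stand-in for an ARQC: HMAC-SHA256 over a fixed field order (assumption)."""
    msg = "|".join(str(tx[f]) for f in ("amount", "currency", "terminal_nonce")).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Bank side: issues limited-use keys and approves each tap online."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._live_keys = {}   # key_id -> {"account", "expires_at", "uses_left"}

    def _derive(self, key_id: bytes) -> bytes:
        # Derive the limited-use key from the master key and a random key id, so
        # the host keeps only metadata and never a copy of the key bytes.
        return hmac.new(self._master_key, b"limited-use-key|" + key_id,
                        hashlib.sha256).digest()

    def provision(self, account: str, app_authenticated: bool, now: float):
        """Hand (key_id, key) to an app that has first authenticated to the bank."""
        if not app_authenticated:
            raise PermissionError("app must authenticate to the bank first")
        key_id = secrets.token_bytes(8)
        self._live_keys[key_id] = {"account": account,
                                   "expires_at": now + TTL_SECONDS,
                                   "uses_left": MAX_USES}
        return key_id, self._derive(key_id)

    def authorize(self, key_id: bytes, tx: dict, cryptogram: bytes, now: float):
        """Online authorisation: lifetime, then use count, then the MAC."""
        rec = self._live_keys.get(key_id)
        if rec is None:
            return False, "unknown_key"
        if now > rec["expires_at"]:
            del self._live_keys[key_id]          # nothing left worth keeping
            return False, "key_expired"
        if rec["uses_left"] <= 0:
            return False, "key_exhausted"
        expected = cryptogram_for(self._derive(key_id), tx)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad_cryptogram"
        rec["uses_left"] -= 1
        return True, "approved"


class PhoneApp:
    """Handset side: holds one provisioned key and signs what the terminal sends."""

    def __init__(self, key_id: bytes, key: bytes):
        self.key_id, self.key = key_id, key

    def sign(self, tx: dict):
        return self.key_id, cryptogram_for(self.key, tx)


def tap(app: PhoneApp, issuer: Issuer, amount: str, now: float):
    """One contactless tap: terminal supplies a nonce, app signs, issuer decides."""
    tx = {"amount": amount, "currency": "EUR",
          "terminal_nonce": secrets.token_hex(4)}   # terminal's unpredictable number
    key_id, cryptogram = app.sign(tx)
    return issuer.authorize(key_id, tx, cryptogram, now)


MASTER = b"constructed master key, not a real one"


def _fresh_app(issuer: Issuer, now: float) -> PhoneApp:
    return PhoneApp(*issuer.provision("acct-0001", app_authenticated=True, now=now))


def scenario_single_tap():
    issuer = Issuer(MASTER)
    app = _fresh_app(issuer, now=1000.0)
    return tap(app, issuer, "12.50", now=1030.0)          # (True, "approved")


def scenario_second_tap_rejected():
    issuer = Issuer(MASTER)
    app = _fresh_app(issuer, now=1000.0)
    tap(app, issuer, "12.50", now=1030.0)
    return tap(app, issuer, "12.50", now=1031.0)          # (False, "key_exhausted")


def scenario_expired_key_rejected():
    issuer = Issuer(MASTER)
    app = _fresh_app(issuer, now=1000.0)
    return tap(app, issuer, "12.50", now=1061.0)          # (False, "key_expired")


def scenario_altered_amount_rejected():
    """A cryptogram is bound to its transaction data and fails on any change."""
    issuer = Issuer(MASTER)
    app = _fresh_app(issuer, now=1000.0)
    tx = {"amount": "12.50", "currency": "EUR", "terminal_nonce": "a1b2c3d4"}
    key_id, cryptogram = app.sign(tx)
    tx["amount"] = "999.00"
    return issuer.authorize(key_id, tx, cryptogram, now=1030.0)   # (False, "bad_cryptogram")
```

The four scenario functions are the point: a key that leaks out of the handset buys an attacker at most one approved transaction inside the window, and nothing once the window closes or the use count is spent. The residual risk the post points at sits in `provision`, namely how strongly the app authenticates to the bank before a key is handed over, which this model reduces to a single flag.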
One thing that I thought also worth noting was that Bankinter owns an MVNO, so even in the case where the bank controls its own SIM-based SE it is transparently clear that the costs and complexity of the implementation are excessive. This strikes me as a definite signal to the industry to rethink current models and look for simpler solutions. Alberto told me that he thinks Bankinter's announcement
will reshape the negotiations between banks, MNOs and handset manufacturers.
I have to say, he's absolutely right, which is why I think it was reasonable to describe the announcement as an earthquake in my post last week. I've no more idea than anyone else how this will all pan out, but I do think it's already clear that the future mass market use of NFC for payments will not be confined to the GSMA SIM-based SE model, even for EMV.
Finally: before I get any more e-mails telling me that you can't access the NFC interface on, say, a Samsung S3 without going through the SE: yes, I know. If you want to do this now you need a mod, but it's worth playing around with because I agree with Cherian Abraham's excellent analysis that Google will open up the interface in the future. The time to begin experimenting with the non-SE future is now…
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
Great analysis. I continue to believe that there will be massive consumer enthusiasm over NFC as a better-than-QR code technology. It’s the whole payments/SE thing that is overly complex and arguably impossible to solve, from a business point of view. But don’t write off what I think of as “NFC Lite” (authentication only)!
Having read this I revise my thinking about NFC adoption prospects. Now it is no longer a business model question, but a marketing question. Can awareness of Bankinter solutions spread quickly and widely before too many players decide to pursue non-NFC contactless solutions?
Dave, I got into a back’n’forth with Cherian Abraham when I tweeted this blog post. See exchange at this link: http://www.linkedin.com/nhome/updates?topic=5714353362850283520
Can you comment?
[Dave Birch] Yes
In practice if Paypass is ever rolled out. What’s to stop you requesting a new credit card, in your spouse’s name and then cut it up small and stick the module to your mobile with gaffer tape?
What kind of payment is that, in case of Bankinter? I didn’t see the word “EMV” there.
The company (Seglan) that helped them to develop the solution claims it is “EMV compatible”. Is that like “almost pregnant”? How can someone do a contactless EMV “cardholder present” transaction without… EMV (i.e. chip, i.e. SE)?
Am I missing something big here?
Yes it is an EMV transaction. Will blog.
Thanks for the additional information. What I’d be interested to know is how the app authenticates to the bank in order to download the information (a temporary key?) to generate the ARQC and TC. This aspect, along with PIN verification (if used) feel like the weak points of the system. Maybe it will be possible to reduce the risk to an acceptable level though.
I wonder why the schemes permit that? I.e. they are crying “Wolf!” to the whole idea of PIN entry on a mobile (for mobile-linked mPOS solution), even where TEE is involved. Yet they allow some (unsecure!) mobile app to control a very sensitive task – grant payment permission. There is no consistency there, at all, IMO… Either mobile apps ARE secure for EMV-related processes, or they are not.
Hi Dave, I understand that EMV via NFC is really cool, but as I understood it, PayPass allows a low threshold. But EMV is basically your chip and PIN situation we are used to in the UK.
My experience of US culture is that EMV via NFC in the retail environment would go down like a Led Zeppelin. Great for the customers getting out of the door quicker but zeroing the up-sell opportunity/time, or effectively removing it? It totally removes KYC in a small retail environment and leaves everything to Loyalty system profiling. What an awful dehumanising world?
Am I missing something here please? Cheers Mark
Very interesting … in terms of marketing
I understand that they are planning to replace the SE for two purposes: one being the EMV card PAN, which becomes a one-time PAN fetched by the App after authentication, why not. The other one being the authentication, and here, as an expert, I’m quite worried, because serious (i.e. secure :-)) authentication requires either an SE or at least a reverse-engineering resistant technology (check http://bit.ly/Z9v3Fi), which does not seem to be the case here … Or did I miss something?
I know it’s odious how MNOs gate access to the Secure Element, but that problem relates to their business model, which could change. We must make it change.
The idea of the Trusted Service Manager closely parallels the way GSM SIMs are managed. High grade hardware based security was standardised for the GSM network from the outset because it was seen that criminal attacks on the telephone system were inevitable. SIMs hold keys just as Dave describes EMV chips holding keys, and those keys and other codes can only get on to the SIMs over-the-air via stringent personalisation services. Now, the potential rewards from attacking the mobile payments system are vastly greater … and yet here we are, countenancing a security-convenience tradeoff because we’re annoyed by the telcos’ TSM behaviour. The idea of using software based key rollover techniques in a handset is especially worrying given the state of application security today. Time and time again, mobile banking and payments apps are shown to be extraordinarily shoddy, thanks largely to the unseemly rush to market. Security and quality are sacrificed for product cycle time and convenience. I would have little confidence in any application level key tricks.
If mobile really is the major platform of the future — and not just for payments but for digital identity too — then we must treat it seriously, and leverage the mission critical security infrastructure that is already in place. Secure Elements and TSMs are terrific infrastructure, fit for the very serious purpose of securing mobile transactions. At some level, it’s proper that SEs cannot be modified too easily; after all, the ease of access by application software to executive functions in the PC platform is what enables most cyber crime today. Telcos are rather too avaricious in their TSM policies and business models but I don’t think renting SIM space is inherently evil. In fact I think if banks thought to rent out space and cryptographic functions in their EMV chips then we could see more innovation in e-commerce, e-government and eID.
So let’s not abandon SEs and TSM, but instead work out more equitable ways of sharing the security infrastructure so vital to the long term success of the mobile platform.