Getting RID of SAM

Simon Laker and I recently published an article about open-loop transit payments in the US and how they are catching up with the UK with significant US launches planned for 2019 and beyond. It was very interesting to look back, draw the timeline and, with the benefit of hindsight, see why the major US cities tried to be first but ended up being seven years or so behind the 2012 London launch on buses.

Whilst it is fun to look back, we spend most of our time making the future. Over the last year we have been back working with TfL to help determine the best revenue inspection solutions for open-loop transit operators. While the majority of bus operators might not care much about revenue inspection (the potential fare dodger has to board the bus and this usually requires walking past the vigilant gaze of the bus driver), revenue protection through inspection is a significant requirement for city-based smart ticketing schemes.

Back in 2011 we helped TfL choose their current revenue inspection device (RID) hardware which is now no longer manufactured. At that time, there was no single off-the-shelf device hardware which could meet TfL’s need and therefore, hardware customisation was needed. Now is the time to look for opportunities for replacing these bespoke devices with more cost-effective solutions.

One of our specialisms is adapting devices without secure hardware to become secure enough to handle transactions involving payments and identity, such as ticketing. There are approaches known as host card emulation (HCE) and host terminal emulation (HTE) that we have been working on since 2007 before they were named in 2012 as part of the open-source Android OS. The idea is that ‘software-only’ approaches can be used, without any secure hardware, to secure cryptographic secrets (e.g. keys) used to secure transactions. Traditionally, tamper-resistant smart card chip hardware is used to store the keys, and similar chips, known as secure hardware modules (SAMs) are used in terminals needing to communicate securely with smart cards.

In 2015 we worked with ITSO to design how ITSO can work securely enough on mobile devices without secure hardware. Android Pay launched in the same year. This approach is now being exploited by the ITSO on Mobile solutions from the likes of Rambus.

We helped Barclaycard be the first UK bank to launch a software-only banking payment app that works on mobile devices without using SAMs in 2016. This was all card emulation. When we want a mobile device to act as a RID without a SAM, then it is terminal emulation and it is harder. The card merely has an antenna in which a current is induced when the antenna is placed in the reader’s electromagnetic field. The reader has to produce that field. The hardware in most mobile devices on the market is not certified to act as a reader for accepting payment cards. You may have noticed that when small merchants use their phones to accept contactless cards, they use an additional device from organisations such as PayPal, Square or iZettle.

In 2018, we produced a software-only app for an Android phone that can be downloaded and installed on any phone and securely accept contactless payment cards. No secure hardware, no SAMs. It works, but the payment industry is playing catch up and it was not possible to certify such a merchant payment terminal to the satisfaction of the payment card industry. In January, PCI released new documentation aimed at this purpose. Exciting times are ahead. We are currently helping TfL engage with the market to see whether RID solutions based on off-the-shelf Android devices might be used as the next generation RID.

We have a wealth of experience over the last two decades, designing and building software-only solutions. Let us know if you’d like a chat about how this might work for you, be it payment, identity or ticketing.

Can the automotive industry learn from the retail payments sector?

Trying to balance security and convenience provided by technological advancements is nothing new. Nor is the latest hubbub around keyless vehicle entry and the obvious security risk. A recent video issued by West Midland Police shows two criminals using information gathered from the electronic key to enter, start and drive away a car. Research reveals that this is a simple “Ghost and Leech” attack, where the boxes held by the thieves extend the read range of the key. When the keyless entry system on the car was initially designed, the cost and size of these boxes confined the fraud to laboratory conditions. Now, however, the boxes are readily available on the internet, are smaller and require less power, thus making them portable and a convenient tool for organised criminals.

Are the automotive OEMs or their suppliers recognizing these risks and developing countermeasures?

As any information security expert will tell you, you need to understand the threat landscape in which your vehicle will operate and ensure that all cost-effective countermeasures are included in its design prior to commercial launch. It is likely that countermeasures will have to change over the lifetime of the vehicle, as new functionality is added, e.g. in-car payments, or, as highlighted above, the criminals find new ways of attacking the car. And so, future proofing becomes front of mind.
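The “Ghost and Leech” attack described above does not break the cryptography between car and key: the relay boxes simply forward a valid exchange over a longer distance than the designers assumed. One countermeasure class is therefore to check proximity directly, by bounding the round-trip time of a challenge-response. The following is an added illustration written for this post, not code from the article, from any vehicle OEM or from Consult Hyperion. It simulates the exchange in Python with computed (not measured) timings; the 2 m distance policy, the fob processing time and the relay forwarding delay are all constructed assumptions, chosen only to show how the timing check separates a direct link from a relayed one even though both produce a correct response.

```python
"""Simulated distance-bounding check against a range-extension (relay) attack.

Constructed example: all latencies are computed from assumed parameters,
nothing here talks to real radio hardware.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
MAX_LEGIT_DISTANCE_M = 2.0        # assumed policy: fob must be within 2 m of the car
FOB_PROCESSING_S = 50e-9          # assumed fixed time the fob needs to compute a reply
# Largest round trip a direct link at the policy distance can produce.
RTT_BUDGET_S = 2 * MAX_LEGIT_DISTANCE_M / SPEED_OF_LIGHT_M_PER_S + FOB_PROCESSING_S


@dataclass
class Channel:
    """Radio path between car and fob. A relay pair adds its own forwarding delay."""
    distance_m: float
    relay_delay_s: float = 0.0    # zero on a direct link; positive when relayed (assumed value)

    def one_way_latency_s(self) -> float:
        return self.distance_m / SPEED_OF_LIGHT_M_PER_S + self.relay_delay_s


class KeyFob:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Truncated HMAC over the fresh challenge. A relay forwards this unchanged,
        # so the response alone says nothing about where the fob actually is.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]


@dataclass
class UnlockDecision:
    crypto_ok: bool   # response matched the expected value
    timing_ok: bool   # round trip stayed within the proximity budget
    rtt_s: float      # simulated round-trip time

    @property
    def unlocked(self) -> bool:
        return self.crypto_ok and self.timing_ok


class Car:
    def __init__(self, key: bytes):
        self._key = key

    def attempt_unlock(self, fob: KeyFob, channel: Channel) -> UnlockDecision:
        challenge = secrets.token_bytes(16)
        # Simulated round trip: challenge out, fob processing, response back.
        rtt_s = 2 * channel.one_way_latency_s() + FOB_PROCESSING_S
        response = fob.respond(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()[:8]
        crypto_ok = hmac.compare_digest(response, expected)
        timing_ok = rtt_s <= RTT_BUDGET_S
        return UnlockDecision(crypto_ok, timing_ok, rtt_s)


def run_scenarios(key: bytes) -> dict:
    """Return decisions for a direct link, a relayed link and a wrong key (constructed inputs)."""
    car, fob = Car(key), KeyFob(key)
    return {
        "direct_1m": car.attempt_unlock(fob, Channel(distance_m=1.0)),
        # Thieves stand 1 m from the car; relay boxes add an assumed 500 ns forwarding delay.
        "relayed_1m": car.attempt_unlock(fob, Channel(distance_m=1.0, relay_delay_s=500e-9)),
        "wrong_key": car.attempt_unlock(KeyFob(bytes(16)), Channel(distance_m=1.0)),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios(secrets.token_bytes(16)).items():
        print(f"{name:>11}: crypto_ok={decision.crypto_ok} timing_ok={decision.timing_ok} "
              f"rtt={decision.rtt_s * 1e9:.1f} ns unlocked={decision.unlocked}")
```

The point the simulation makes is that the relayed exchange passes the cryptographic check and fails only the timing check; a design that verifies the response but never the round trip cannot distinguish the two. In a real vehicle the budget is tens of nanoseconds, so the measurement has to be done by dedicated radio hardware rather than application software, which is exactly the kind of countermeasure that is cheap to design in and expensive to retrofit.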

The long development and product lifecycles associated with the automotive industry, compared with say smartphones, combined with high certification requirements surrounding any change to the vehicle, make this difficult. The reputational and financial costs of recalling vehicles to insert a new piece of hardware or load new software, for example, make the business case for such interventions difficult. Many owners are reluctant to upgrade their vehicles fearing that it will impede their performance. Others are prone to litigation on the grounds that the vehicle is not performing as advertised.

Even with the advent of software advances, there is still the problem of ensuring that the software upgrade is correctly implemented across all vehicles. The mobile network operators (MNOs) are working closely with the automotive OEMs to ensure that software upgrades can be remotely downloaded over the air to connected cars; this is still in its nascent stages. We know of electric car owners that have had to wait for 30 minutes in the morning whilst their cars rebooted and others that have had the functionality of their vehicle changed when the vehicle showed signs of being imported into a different country. Does this process introduce new information security risks as criminals take advantage of inconsistencies in the version of the software loaded into different vehicles?

At Consult Hyperion we use the return on the criminal’s investment in the fraud to determine the probability that it will be committed: low when the keyless entry system was initially designed and now, many years later, high. The reputational or financial gains from such attacks allow us to evaluate the cost of a countermeasure against the potential losses if it is not implemented. Our clients’ risk appetite determines whether or not they make the investment. We use our understanding about how technology is likely to evolve to assess how and when the current level of risk is likely to change and therefore when the investment in a countermeasure becomes crucial.

Consult Hyperion has around 20 years’ experience of managing information security risks within distributed systems deployed primarily within the global financial services industry. Whilst the context in which the criminals deploy them is different, the techniques the criminals use are the same. The Ghost and Leech attack posed a potential threat to the use of contactless payment cards following the introduction of NFC technology in smartphones. The UK press ran multiple stories about how the phones could be used to collect account information from contactless cards in people’s wallets. Consult Hyperion was commissioned to analyse the data that could be collected by devices snooping on the contactless card transaction at the Point of Sale and the opportunity to use that data to buy other goods in another store. As a result of this analysis the UK banks agreed to add additional countermeasures into their systems, all of which had been recommended by the international card schemes. Their introduction was coordinated by APACS, now part of the UK Payments Administration, who had commissioned some of the earlier analysis.
