Wednesday, August 5, 2015

Are mobile payments safe? Apple Vs. Android – Telix.pl

Poles are increasingly taking to payment cards: in the last quarter of last year they carried out close to 740 million card transactions. The cards' growing popularity in Poland can be explained by the increasing ubiquity and convenience of the contactless payments they offer.

At the end of 2014, three-quarters of all non-cash transactions were made with contactless cards. This is not the end of innovation in banking, however. According to forecasts, the mobile payment market will begin to grow exponentially in the coming years. Contributing factors may include the launch this year of the BLIK mobile payment system by several leading banks in Poland, and the fact that by the end of 2016 all terminals in the country are to support contactless transactions.
  

With the launch of Apple Pay in the United States, and recently also in the UK, a world in which we no longer have to dig through our wallets and bags for a payment card is becoming reality. Standing in line, we usually have the phone in hand anyway (as long as we do not have to talk to other customers), so we can simply hold the phone to the reader and leave without taking our eyes off a favorite application! However, before mobile payments become truly universal, some security issues remain to be solved.
 

In contrast to mobile phones, contactless cards have many built-in security features. Encryption, secure communication between the card and the terminal, and many other functions ensure that your data will not be passed on. One of the key safeguards is the Secure Cryptographic Element (SE), which is integrated into the chip on the card. It guarantees the security of the cardholder's data during the transaction.
 

 Apple Vs. Android
  

With this in mind, Apple has integrated a Secure Element into the iPhone 6 and 6+ and the Apple Watch, which support the Apple Pay service. According to Apple, in the Secure Element your token and its cryptogram are “isolated from iOS, never stored on the servers of Apple Pay and never sent to iCloud. Since this token is unique and different from the typical credit card number or debit card, your bank may attempt to block its use in magnetic stripe of payment over the phone or internet.”
 

But what happens in the world of Android and Windows, where phones are made by many different manufacturers? These phones usually have no SE, because each manufacturer would have to use its own solution, and this would require including the relevant libraries in the software for every model, which would be extremely difficult.
  

Initially, the idea put forward was to use SIM cards to verify payments. In theory it was a very good solution. Every phone has a SIM card that can store cryptographic keys, which the application could use during payment. Above all, the keys could be isolated from the operating system, and thus also from malware. Unfortunately, SIM cards are owned by the mobile operators, who control their distribution and decide which software can be installed on them. At a time when their revenues are falling and they must cope with industry consolidation, the operators wanted a piece of the mobile payments pie for themselves. As a result, the idea of mobile payments using SIM cards never caught on, as evidenced, for example, by Barclays winding down its Barclays Quick Tap project last year.
 

The solution? Google it
 

Let’s look at Google, the owner of Android, the most popular mobile operating system in the world. Google proposed a solution to the problem: a system that emulates a Secure Element on a device that does not physically have one. It is called HCE (Host Card Emulation), and it makes the mobile phone behave like a smart card. This lets you use a mobile phone, for example, to pay in a shop instead of using a contactless card.
 

On this basis, one might think that the Android solution is a turning point that will make mobile payments available to everyone, not just owners of Apple phones. However, if you delve into the details, it turns out that this need not be so. Android is widely regarded as the mobile system with the largest number of viruses; a recent Symantec study found that 1 in 5 Android apps contains malware. The HCE solution is software-based and can be accessed from the operating system through many different APIs. If recent cyber-attacks have taught us anything, it is above all that everything that runs on software is vulnerable.
 

 Bank of innovation
 

So what can be done? Currently, responsibility for unauthorized transactions rests with the entity issuing the card, which is most often the bank. As a result, banks are trying to get users to use the banks' own applications and pay directly from their accounts, bypassing the intermediary.
 

For such tactics to succeed, the designers of these applications must take into account both user behavior and technological capabilities, for the reasons described in detail above. Equally important are out-of-band identification and the use of additional indicators that automatically flag suspicious transactions without degrading the experience of using the device. For example, a mobile payment application must be able to monitor the status of the device and scan it for malware or other suspicious behavior that could manipulate the HCE process to steal data. The application should then transmit that information over the Internet, separately from the payment process, to the application's publisher. There, the validity of transactions can be determined based on historical usage patterns, “device fingerprinting” methods and so on.
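The issuer-side check described above could look like the following sketch, which is an added example and not code from the article or from any bank or vendor. The report fields, the per-device key provisioned at enrollment, the 120-second freshness window and the three-sigma amount threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from statistics import mean, pstdev

MAX_REPORT_AGE_S = 120  # assumed freshness window for a device status report


def sign_report(key: bytes, report: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of a device status report."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def assess(txn: dict, report: dict, tag: str, profile: dict, now: int) -> str:
    """Return 'approve', 'step_up' or 'decline' for one payment."""
    # 1. The out-of-band report must be authentic, fresh and bound to this payment.
    if not hmac.compare_digest(sign_report(profile["key"], report), tag):
        return "decline"
    if report["txn_id"] != txn["id"] or now - report["ts"] > MAX_REPORT_AGE_S:
        return "decline"
    # 2. Device status: the app found malware or other suspicious behavior.
    if report["malware_found"] or report["suspicious_behavior"]:
        return "decline"
    # 3. Device fingerprint must match the one recorded at enrollment.
    if report["fingerprint"] != profile["fingerprint"]:
        return "step_up"
    # 4. Historical usage pattern: amounts far above the usual range need more proof.
    history = profile["amounts"]
    limit = mean(history) + 3 * pstdev(history)
    return "step_up" if txn["amount"] > limit else "approve"


# Constructed sample data, not taken from any real system.
PROFILE = {"key": b"demo-device-key", "fingerprint": "fp-7c1e",
           "amounts": [12.0, 30.0, 18.5, 22.0, 9.9, 41.0]}


def demo(amount: float, **overrides) -> str:
    """Build a payment plus a signed report (with optional overrides) and assess it."""
    txn = {"id": "t-1001", "amount": amount}
    report = {"txn_id": "t-1001", "ts": 1000, "malware_found": False,
              "suspicious_behavior": False, "fingerprint": "fp-7c1e", **overrides}
    return assess(txn, report, sign_report(PROFILE["key"], report), PROFILE, now=1030)


if __name__ == "__main__":
    print(demo(25.0), demo(25.0, malware_found=True),
          demo(25.0, fingerprint="fp-0000"), demo(400.0))
```

Because the signing key in this sketch lives in application software, it inherits the same exposure the article attributes to HCE; the report is one signal among several, not proof of a clean device.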
 

Regardless of the method or solution chosen, advanced mobile payments are an innovation in which considerable weight should be placed on making certain that their use is safe.
 

 Ireneusz Wisniewski, Country Manager for Poland, F5 Networks
