Securing mobile payment app provisioning: The forgotten side of the security coin

13 December 2011

By Steve Brunswick,
strategy manager,
Thales e-Security

With more people owning mobile phones than bank accounts, it is clear that mobile payments will become an increasingly important part of our daily lives. Juniper Research, a European based provider of business intelligence, released a study forecasting that mobile contactless payment transactions are expected to reach nearly $50 billion worldwide in 2014 and NFC solutions will be launched in 20 countries within the next 18 months (1).

Retailers are increasingly rolling out mobile payment solutions. For example, customers at Pizza Express can now settle their bill through PayPal on their iPhones, while Google is among the many companies that recently announced the launch of its mobile wallet - an app which stores virtual versions of your payment cards/payments applications as well as loyalty, coupons and other linked services.

However, before mass adoption can occur, it is essential that mobile payments services are secure. With security breaches from organisations Sony and Epsilon hitting the headlines throughout the past year, consumers are more aware of security than ever before.

Mobile payments must be as secure as EMV in order to be adopted and consumers do not currently believe this to be the case. In fact, a recent survey by Intersperience research found that most consumers would be reluctant to use mobile wallets because of security concerns (2). An additional 44 per cent worry about the lack of security software on mobiles.

Mobile payment standards:

Creating and meeting standards are a key way for the industry to begin addressing these concerns. As within traditional payments, standardisation is essential to bring about the time and resource benefits to the industry, as well as provide a foundation for a secure mobile payments ecosystem. While it will take some time before standards are widely adopted, there are a number in fruition that show an appetite in the market for security standards and tools:

• Managing Mobile NFC Services – the Trusted Service Manager (TSM) acts as an intermediary between Mobile Network Operators (MNOs) and any third party service provider that wishes to add a service to a mobile phone. GlobalPlatform’s “System Messaging Specification for Management of Mobile-NFC Services” defines the messaging between each of the three parties to ensure secure ‘provisioning’ of services to the phone.

• The SIM Alliance Open Mobile API - Apps which use the Secure Element to secure their critical operations such as banking, payments or transport tickets, can have a component running in the phone’s operating system so the user can securely interact with the keyboard/touch screen and enjoy a rich graphical user experience. The SIM Alliance Open Mobile API enables app developers to use the additional security of the Secure Element more easily, whether this be in a UICC SIM, a dedicated Secure Element built into the phone, or a secure SD card, by providing a common means of interfacing with it.

• Trusted Execution Environment (TEE) - The Secure Element looks after critical data on the mobile handset but it cannot easily host apps with a highly developed or cutting edge user interface. Apps that require complex user interactions must run on the phone’s main processor. TEE is designed to secure these apps and GlobalPlatform is leading the standardisation and interoperability in this area to ensure that data and apps are adequately protected. For example, payment apps that run their user interface in TEE and their transaction security in the Secure Element would have an extremely high level of security.

Standards and common approaches are guidelines to help the industry work together and benchmark best practices, but they are only a starting point to ensure adequate security. Technologies which make the security of issuing mobile payments as secure as issuing cards are required to build confidence in mobile payments. The good news is that this technology already exists.

Mobile provisioning

Much of the debate on security focuses on the possibility of data being compromised on the phone or intercepted mid-transaction. However, it is equally important to get the payment app to the phone securely, the process known as mobile ‘provisioning’.

Mobile contactless payment applications must be ‘provisioned’ before they can be used. ‘Provisioning’ covers the process of preparing and loading an application onto a user’s phone with personalised account data. It also includes the deployment of unique personalisation keys to protect the loading of information to the device and the transactions made by the payment application.

Payment applications on mobiles will typically be provisioned ‘Over-the-Air’, which means that numerous parties can be involved in the process. Potential players include the payment application provider (usually a bank), a Trusted Services Manager, the Mobile Network Operator and the phone and its SIM. The number of parties involved significantly increases the risk profile and consequently it is critically important that the various data exchanges are highly secure to ensure that no data is compromised.

Encryption essential to secure ‘provisioning’

Using cryptography, there are numerous ways to ensure that ‘provisioning’ happens securely. Issuers of physical payment cards tend to prefer Hardware Security Modules (HSMs), which generate and protect the encryption keys that are essential to managing the risks associated with issuance - this approach is also applicable ‘provisioning’ cards to a phone. Using HSMs can greatly simplify the task of issuing payment applications to mobiles securely. But their main benefit is to secure encryption keys and sensitive data in a way which ensures that sensitive data is never exposed. In this way, the risk for the service provider is reduced.

While encryption is essential to the security of mobile payments, it is not the sole answer. For maximum security in this new payments channel, encryption must be teamed with authentication technologies to provide protection for data exchange and authorisation.

The mobile payments space will continue to evolve at a rapid rate. However, there are still security issues to overcome and it is essential security is built in at the very foundation of mobile payments as well as within the transaction process. Only when this foundation is in place can the widely predicted huge growth in mobile-based payments occur.

1. Juniper Research Report

2. Consumers fear phone hackers will crack mobile wallets

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development