- Thierry Spanjaard
The secure transactions industry is used to arguments that either defend hardware-based security or claim that software can now match hardware in reaching the security level needed to complete transactions.
The development of NFC transactions had stalled for a long time when SimplyTapp introduced the HCE (Host Card Emulation) concept in 2013. HCE consists of emulating the card on a host, in the cloud, while keeping only basic security features running in software on the handset. Obfuscation, in other words hiding the cryptographic elements inside the software, is the technique used to run these cryptographic functions.
The inception of HCE has allowed the development of many NFC wallets, as several companies now offer white-label wallet applications to financial institutions, merchants, or any group of players wishing to introduce their own wallet. Only Apple Pay, and some implementations of Samsung Pay, currently use secure elements that bring hardware-based security.
In this context, the news that broke earlier this week may trigger some changes. The police in Sydney, Australia have arrested two men accused of having carried out AUD 1.5 million (EUR 1.01 million) of fraud by means of a hack targeting the HCE implementation. Details of the attack are still uncertain, but the police say the fraudsters hacked bank accounts through mobile applications and used stolen credit card details to buy luxury goods, which were then sold; around 45 bank accounts were hacked.
If a more detailed analysis confirms these issues with the principles of HCE, several conclusions are to be drawn for our industry.
This can be seen as reaffirming that only hardware secure elements can provide the most appropriate level of security for payment transactions, as had been established in a White Paper published by the SPA (Smart Payment Association) a few months ago.
Also, any security issue in a process is a renewed demonstration that security cannot rely on a single factor or technique. A good, resilient security architecture is built on a combination of different techniques, developed with a global security scheme in mind.