The rising trend of smartphone-based 'tap-to-pay' payments is gaining traction across the market. Mobile payments are anticipated to reach a value of $14 trillion by 2022. To keep pace with the ongoing Host Card Emulation (HCE) trend, banks and issuers must be proactive in offering solutions that evolve with their customers' requirements.
HCE-based solutions use the principle of tokenization and rely on their back-end for security. But because a smartphone is not always connected to the network, the solution must also store payment credentials for use when the device is offline, and it must manipulate these credentials when processing a payment. These stored credentials are an attack surface, especially when no proper protection is applied to counteract attacks.
To minimize the possible impact of an attack targeting HCE payment solutions, providers have already applied some security measures, such as using tokenized card numbers that disclose none of the original card's data and employing a distinct set of payment credentials for each transaction.
The first layer of security provided by HCE solutions is secure communication. It relies on end-to-end secure channels from the device up to the server, preventing an attacker from reading the information sent through the channel (a man-in-the-middle attack). This approach allows data to be handled securely, but it requires the device to be a trustworthy source of data, which is currently not the case in Rich Execution Environments (REEs).
Furthermore, security is also provided through user authentication: when a payment is about to be processed, HCE solutions require the user to enter their personal PIN or use a biometric authentication method before the device can compute a legitimate cryptogram for the transaction. All these security measures are relevant, but there are still flaws for an attacker to leverage. Some users may be negligent, and malware may be present on the REE where the HCE solution is installed.
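To make the mechanisms in the preceding paragraphs concrete, here is an added Python model, written for this page and not dejamobile's code nor any payment scheme's specification, of tokenized credentials, single-use per-transaction keys and server-side cryptogram verification. It shows the issuer rejecting a replayed message and a message whose amount was altered in transit, the device never holding the real card number, and the offline key batch running out so the device must reconnect. The key derivation, message layout, counter policy and batch size are simplified assumptions.

```python
"""Added model of HCE per-transaction credentials (constructed example, not vendor code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive_luk(master_key: bytes, token: str, atc: int) -> bytes:
    """Issuer-side derivation of a single-use 'limited-use key' from the master key,
    the token and the application transaction counter (ATC).
    Assumption: HMAC-SHA256 as the KDF; real schemes use their own derivation."""
    return hmac.new(master_key, f"{token}:{atc}".encode(), hashlib.sha256).digest()


def compute_cryptogram(luk: bytes, token: str, atc: int, amount_cents: int, terminal_nonce: str) -> str:
    """MAC over the transaction data, binding the cryptogram to amount, counter and terminal challenge."""
    msg = f"{token}|{atc}|{amount_cents}|{terminal_nonce}".encode()
    return hmac.new(luk, msg, hashlib.sha256).hexdigest()


@dataclass
class Device:
    """Offline-capable HCE wallet state: a token (no PAN) and a small batch of single-use keys."""
    token: str
    luks: dict            # atc -> key; each entry is removed once it has been used
    next_atc: int = 1

    def pay(self, amount_cents: int, terminal_nonce: str) -> dict:
        atc = self.next_atc
        luk = self.luks.pop(atc)   # KeyError when the batch is spent: device must go online to replenish
        self.next_atc += 1
        return {
            "token": self.token, "atc": atc, "amount": amount_cents, "nonce": terminal_nonce,
            "cryptogram": compute_cryptogram(luk, self.token, atc, amount_cents, terminal_nonce),
        }


@dataclass
class Issuer:
    """Issuer back-end: holds the PAN mapping and the master key, neither of which reaches the device."""
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pan_by_token: dict = field(default_factory=dict)
    last_atc: dict = field(default_factory=dict)

    def provision(self, pan: str, batch_size: int = 3) -> Device:
        token = "tok_" + secrets.token_hex(8)          # tokenized card number, unrelated to the PAN
        self.pan_by_token[token] = pan
        self.last_atc[token] = 0
        luks = {atc: derive_luk(self.master_key, token, atc) for atc in range(1, batch_size + 1)}
        return Device(token=token, luks=luks)

    def verify(self, tx: dict) -> tuple:
        token = tx["token"]
        if token not in self.pan_by_token:
            return False, "unknown token"
        # Simplified policy: counters must strictly increase. A real issuer tracks a window of
        # used counters so that offline transactions arriving out of order are still accepted.
        if tx["atc"] <= self.last_atc[token]:
            return False, "replay or stale counter"
        expected = compute_cryptogram(derive_luk(self.master_key, token, tx["atc"]),
                                      token, tx["atc"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "bad cryptogram"
        self.last_atc[token] = tx["atc"]              # only advance the counter on success
        return True, "approved"


def demo() -> list:
    """Runs the scenarios from the text and returns the issuer's verdict for each."""
    issuer = Issuer()
    device = issuer.provision("4111111111111111")        # constructed sample PAN
    out = []
    tx1 = device.pay(1250, "nonce-a")
    out.append(issuer.verify(tx1)[1])                     # genuine first transaction
    out.append(issuer.verify(tx1)[1])                     # the same message replayed
    tx2 = device.pay(9900, "nonce-b")
    out.append(issuer.verify(dict(tx2, amount=100))[1])   # amount altered in transit
    out.append(issuer.verify(tx2)[1])                     # untampered message is still valid
    out.append("4111111111111111" not in str(tx1))        # the PAN never leaves the issuer
    device.pay(500, "nonce-c")                            # third and last key of the batch
    try:
        device.pay(500, "nonce-d")
        out.append("unexpected")
    except KeyError:
        out.append("exhausted")                           # batch spent: must reconnect to replenish
    return out


if __name__ == "__main__":
    print(demo())
```

The point for a defender is where the checks live: the cryptogram is verified and the counter advanced on the issuer side, so a compromised device or an intercepted message can at most spend the keys it was given, once each, and a stolen batch is useless after the device reconnects and the issuer revokes the token.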
To mitigate these attacks, HCE solutions typically rely on software protection, such as code obfuscation or white-box cryptography. State-of-the-art HCE solutions, like dejamobile's ReadyToTap™ Payment, implement advanced software protection methods and have obtained certifications from payment schemes (including CB, Mastercard and Visa) based on these implementations. But as the market volume of mobile payments increases, the probability of attackers trying to bypass these software protection countermeasures will inevitably increase.