Mobile security: the coming battle of hardware versus software

Maria Korolov | June 19, 2015
According to security experts, there are several paths forward for mobile payments, each with its own security implications

I'm starting to see signs for Apple Pay and Google Wallet everywhere I go. Google just announced its Android Pay platform and deals with AT&T, Verizon and T-Mobile to pre-install it on Android phones. Samsung is gearing up for its own payment system, Samsung Pay, Walmart is planning its retailer-focused CurrentC system, and PayPal, about to spin off from eBay, has been buying up payment technology vendors and can't be counted out yet.

For consumers, the decision will likely boil down to whether they own an iPhone or an Android phone, and which apps are easier to use and accepted by most merchants.

Merchants are upgrading this year anyway, as part of a mandated transition to chip-and-pin or "smartcards," and might as well bite the bullet and go all the way to mobile payments while they're at it. Fortunately, they won't have to decide between supporting Apple's platform or Google's -- adding support for one automatically means that they'll be able to accept the other.

But what about the back-end technology at work? How do they stack up in terms of security?

According to security experts, there are several paths forward, each with its own security implications.

Hardware versus software

The main distinguishing characteristic between Apple Pay and most other mobile payment platforms is that Apple Pay uses hardware-based security, a "secure element" inside the phone, protected against tampering.

On the iPhone, this is combined with a fingerprint scanner for additional security.

According to Adam Kujawa, head of malware intelligence at Malwarebytes, no unencrypted personal information is transmitted.

The only security problems reported so far are with initial onboarding, where scammers were able to talk call center operators into adding stolen credit cards to their iPhones.

In addition, thieves might, theoretically, be able to fool the fingerprint scanners and make unauthorized purchases, said Kujawa.

But the biggest downsides of Apple Pay aren't so much technical, he said, as practical. The phones are expensive, and there's no way to make a payment, for example, if the iPhone's battery is dead.

The chief alternative to the secure element is HCE, or host card emulation. It's the software alternative to hardware-based security, and uses a cloud-based tokenization process.

"From a security standpoint, HCE provides the best protection because the encryption and communication of your financial information is in the hands of a bank and there is no connection between payment info and the device itself, in case it gets stolen," said Kujawa.

However, it could be that malicious apps will be designed to hijack the HCE process and steal money from users.

The ideal combination, said Kujawa, would be a secure element on the device, combined with HCE, combined with biometric authentication.

 
