Connect with us

Technology

SECURE ELEMENTS VS CLOUD-BASED HCE: WHAT IS MORE SECURE FOR NFC MOBILE PAYMENTS?

Published

on

SECURE ELEMENTS VS CLOUD-BASED HCE: WHAT IS MORE SECURE FOR NFC MOBILE PAYMENTS? 1

With the introduction earlier this year of Host Card Emulation (HCE) and last month’s reveal of the iPhone 6, Near Field Communication (NFC) technology is making a strong move to fulfill its promise to be the dominant “physical world” payments technology.

The reinvigoration of interest in NFC is raising the stakes for enabling technologies that make secure mobile payments possible. And as discussions move from “if” to “when,” implementation issues come to the forefront, with no issue bigger than security. That’s especially true between the proponents of on-device secure elements versus cloud-based cards HCE.

The arguments for superior security from both sides of the debate lead me to reflect on an old saying that goes “absolute security is only attainable when you’re protecting something absolutely worthless.” No matter the effort to protect something, any security can be defeated given enough time, money, and technical resources. In other words, there is no perfect security, just better or worse security. So which security is better — hardware-based secure element or cloud-based Host Card Emulation? From a security perspective, both of these competing technologies have persuasive arguments in their favor.

The Secure Element

Lance Johnson

Lance Johnson

Years of effort have gone into developing a trustworthy mobile payment solution that relies on highly secure, tamper-resistant secure elements (SE). A secure element can be thought of as a smart card in the phone isolated from tampering by a restricted access interface and strong encryption. The standard in Europe for over 20 years, EMV smart cards — so called “chip” cards — have virtually eliminated many types of fraud still common in the US. In fact the US is finally adopting EMV standards. Based on proven EMV smart card technology, secure elements are very tough nuts to crack. They are tested against a set of requirements defined by the payment networks and only those that can satisfy the evaluation criteria are allowed to store payment credentials. Extreme efforts and corresponding time and money are required before there is any hope of success with limited value to the successful attacker.

Additionally SE’s have the added benefit that the fraud opportunity is limited to each device. That is only a small amount of data is stored on them (single customer credentials and device specific cryptographic information). This restricts the opportunity of any hacker to the value of each device. In other words, to get lots of fraud value the hacker must compromise many individual devices.

HCE, Tokens and Device Fingerprinting

HCE assumes that any data stored on a handset is vulnerable and therefore restricts the storage of sensitive data to host or “cloud” databases. These databases must be managed to a high security standard. The security requirements are a very high level, exceeding common security (e.g. PCI DSS) and equivalent to card personalization bureaus. They have to be; the concentration of payment information and credentials is a very attractive target.

Preventing unauthorized access in HCE depends on four pillars: limited use keys, tokens, device fingerprinting, and transaction risk analysis. Limited use keys expire quickly preventing their misuse. Tokens reduce risk by replacing the PAN with limited use data that passes seamlessly through the payment system. Device profiles (fingerprints) validate the phone. Data analysis provides real-time transaction assessment to identify unusual activity. In short, HCE security relies on managed intelligence at the device and systems levels by leveraging the “always-on” and “big-data” ecosystems. The more data used to measure and analyze, the better the overall security.

Regardless of technology, an on-device a client must control secure storage, should collect locally available data, perform risk assessment (according to pre-defined rules), and trigger updates. The backend is constantly communicating with the client, testing the information and validating actions according to the risk tolerances of the card issuer. HCE benefits more since it is designed to utilize these backend systems more effectively, but SE is less reliant on “always on” networks.

Apple Pay: All the Above

Apple has recently demonstrated aspects of both secure element and cloud-based HCE technology can be combined into one solution. Apple Pay uses the secure element to store tokens and the payment client and adds biometrics with Touch ID for multifactor authentication. It allows Apple to use the power of local and backend data for risk management while removing all doubt about the security of a token or credential. By using the best of both worlds and adding a few new wrinkles, Apple has built a strong system. It is a fair estimation that Apple Pay will earn a “Pass” on the security test.

So what is better?

Host-Card-Emulation-VS-Secure-Element_SMALLActually, that is the wrong question. The real question is whether either technology reaches the level of security needed to protect payment data. The introduction of Apple Pay, a hybrid solution, shows that a secure element versus HCE debate is too focused on technology and not on an overall effective solution. In fact where the debaters lose site of the objective is in having a debate at all. This isn’t a competition, it is an examination graded only as “Pass/Fail.” Depending on how they are deployed either can Pass (or Fail).

Bottom line is that if you are fortunate enough to have an SE, then use it. But if you don’t have use of secure elements, then focus on HCE which is supported by the majority of smart phones. Banks and merchants can deliver secure mobile payments to consumers today using HCE with tokenization, device fingerprinting, risk modeling and robust on-device software. You may have the added advantage of delivering services through your own branded apps instead of a wallet, preserving your consumer connection.

What banks and merchants must adapt to is an environment where secure elements and cloud-based HCE will co-exist. The key is to understand the strengths and weaknesses of each and deploy solutions that can leverage both, because that is the only way 100% of consumers will be served.

Written by: Lance Johnson

Lance Johnson is the Chief Security Officer of Sequent. Lance is a 30 year veteran in banking and payment services, having spent spent over 20 years at Visa as the Senior Vice President responsible for payments risk and fraud control operations and later Senior Business Leader responsible for Payment System Risk Strategy and Policy.

Technology

BNP Paribas joins forces with Orange Business Services to deploy SD-WAN for 1,800 retail sites in France

Published

on

gbaf1news
  • Co-construction approach ensures business continuity during deployment

BNP Paribas has chosen Orange Business Services to deploy an SD-WAN solution in more than 1,800 bank branches across France. Focused on developing and integrating new digital solutions, BNP Paribas continues to provide the highest standards to improve user experience for customers and employees alike.

By integrating Flexible SD-WAN from Orange Business Services, BNP Paribas benefits from a modern and agile technological platform to accelerate its digital transformation. This enables quick and easy deployment of multiple services, such as dynamic routing and path selection, with scalability and flexibility. It also empowers administrators to monitor infrastructure performance and resolve potential network congestion through simple software modifications, thereby optimizing application performance. By deploying SD-WAN, BNP Paribas can take advantage of a fully secure hybrid network that is natively multi-cloud, multi-access and multi-application. The Bank will also benefit from optimized and centralized management and intelligent routing for its new infrastructure.

Close collaboration between business and IT for greater agility

From the start of the project, experts from Orange Business Services and BNP Paribas built the solution design together and prioritized the features to be deployed. More than 3,600 access lines—two per branch, including one Internet access line – are currently being rolled out with a focus on maintaining business continuity for each site during the migration. In addition to the SD-WAN overlay, firewalls for enhanced security are also part of this deployment.

“It was paramount for us to choose a partner who already had proven experience implementing and operating SD-WAN solutions. Orange Business Services stood out as this trusted partner. In addition to their IT expertise, the Orange teams demonstrated a great ability to understand our business challenges, and they knew what needed to be done to support our end-to-end digital transformation. This close collaboration between our teams from the very beginning of the project was one of the keys to its success and to a smooth roll out,” said Bernard Gavgani, Chief Information Officer at BNP Paribas Group.

“We are delighted to support BNP Paribas in their transformation program and deploy the first large-scale SD-WAN project in the retail banking industry for the French market. An indepth understanding of our customers’ business needs is essential to co-develop customized and innovative solutions. Orange Business Services will continue to accompany BNP Paribas’ central and local teams to learn and develop their SD-WAN skills,” said Nadine Foulon-Belkacémi, Executive Vice President, French Major Clients at Orange Business Services.

Continue Reading

Technology

How to ensure you bullet proof your IT in a hybrid finance workplace 

Published

on

How to ensure you bullet proof your IT in a hybrid finance workplace  2

By Caleb Mills, Chief Technical Officer at Doherty Associates outlines the dangers faced by finance and private equity firms when it comes to IT infrastructure in a pandemic. Caleb warns that maintaining security is critical as firms continue to work remotely in the current lockdown while making plans to return to the new blended workplace in 2021.

2020 was a year of rapid change – for the technology sector in particular. Virtually overnight, IT firms had to meet the growing demands of many businesses accelerating their technology plans in a bid to stay ahead of the new virtual business environment we suddenly found ourselves in. Covid-19 forced many organisations to automatically relax their security policies so that employees could operate in the remote-only world which followed the UK’s first national lockdown in March.

Can personal devices ever be compliant?

When the announcement of the first March lockdown was made, employees were sent home to work, and largely did so on their personal devices; home PCs, personal mobile devices or shared laptops. Compliance calls for organisational data to be encrypted and kept private, access to be audited and for its transmission to be only over secure channels. Many of these requirements are not met if the use of personal devices is allowed carte blanche – so it’s very likely that some firms are falling short of their compliance obligations.

Added to this is the fact that many employees do not want to allow their organisation to install management software, enforce policies, or limit their freedom on the use of personal devices. They may feel that their company is infringing personal liberties or ‘spying on them’. The most simple and effective (yet costly) solution is to issue company devices for all staff – although there may be some resistance from some to having two devices.

There is an option for controlling company data on personal devices that can satisfy some compliance requirements. Technologies now exist to allow organisational data to be kept in a separate virtual container on the device where policies around encryption and such can be enforced without contravening your employees’ privacy. The company portion of the device can be kept in a secure bubble, without enforcing rules or infringing on individual’s freedom with their own personal devices.

New risks and responsibilities

The accelerated adoption of remote working has meant many risk and compliance teams are still rushing to catch up. Many firms have not thoroughly identified the risks associated with remote or hybrid working, which continue to evolve as the constant demands for businesses change. Even those who have identified risks are likely only considering the ones they understand. In many cases, compliance teams need assistance from a cyber security expert who can help define the risks they are not aware they are taking. An expert will understand the wide and varied attack vectors and provide context and insight into how they could impact risk. The changing environment might call for updates to your IT use policy, cyber security policy, or other IT related policies.

Navigating risk and liability

The approach for managing risk must start by having a clear understanding of what your organisation’s risk appetite is. It is not possible to mitigate or eliminate all risks – there will always be some residual risk and it is important for your organisation to know what level of risk it is willing to accept.

When creating treatment plans for each of your risks, the business should consider the many different angles for controlling and mitigating. There are many technical controls which can enforce your policies, but often organisational controls such as processes or workflows can be just as effective. Choosing to adopt a program like Cyber Essentials can help to ensure that your organisation meets certain requirements. Even the very low bar of its framework can help you to ask pertinent questions about your organisation’s security posture.

Changing security boundaries

In days gone by, businesses took some comfort from knowing they had a secure network. They invested in firewalls to build a border around their network, and they trusted workers and the data they accessed to be protected against security threats. Now, many things have changed.

Data is no longer kept solely on servers in the office, it’s now stored largely in the cloud. And, thanks to Covid-19, many users are now operating outside of this safe and secure network too. The net effect of these two key changes is that the approach of building a highly secure boundary around your network no longer delivers the desired results. The post-pandemic workplace, even more so in finance and private equity, needs to be productive and secure from anywhere in the world.

The modern hacker is not just focused on defeating a firewall – they want to steal your firm’s data – and the way they achieve that is typically to hijack an individual’s identity. Modern security now focuses on protecting the data and the identity of workers by using multiple layers of security controls. This multi-layer, or “onion” approach, works on the assumption that a determined attacker can breach anyone or two layers of security protection. To keep your organisation protected, you should have multiple security controls in place to ensure coverage to help keep your environment safe.

Securing and supervising data rooms in a hybrid world

Data rooms provide a critical function by allowing third party organisations to securely access confidential data, so it’s important that the sensitivity of this is considered before embarking on any data room project. Appropriate policies about how the data should be accessed and used can then be enforced by the technology, and these clearly defined policies will allow for tightly configured security controls to limit access appropriately.

For example, data room guests might be allowed to view documents, but prevented from downloading them or copying and pasting content from them. Modern capabilities even include the ability to “timebomb” documents – for example to block access to documents after an NDA has expired.

Finally, consider taking Cyber Insurance. This can provide help with investigations, guidance on reporting to the ICO, help with public relations and communications, and help cover other expenses incurred as part of a cyber event.

The ongoing events of 2020 have changed the way we work forever. New risks and opportunities have continued to emerge through this period, and it’s ever more apparent that the world will never  go back to how it worked before. Hybrid working is here to stay so we need to understand the implications and take appropriate steps to ensure we meet our compliance obligations and control risk exposure through a mixture of controls to stay ahead of the game.

Continue Reading

Technology

Fraud prevention and user experience: how finance institutions can navigate the increasingly complex digital challenge

Published

on

Fraud prevention and user experience: how finance institutions can navigate the increasingly complex digital challenge 3

By Frank Teruel, Chief Operating Officer at Adara.

Well, here we go again.  As Covid-19 cases continue to surge and local officials impose restrictions, brick and mortar companies are once again limited in their ability to deliver their services forcing them to double down on their remote location strategies.   From curbside pickup, to Uber eats, to an “Amazon Prime” Christmas, the surge in the last 90 days has exacerbated an already difficult business environment.  And banking has been no exception. In fact, the consequences have been more significant given the nature of in-person banking…just imagine the difficulties inherent in bringing that service curbside.  So, what exactly has the pandemic done to banking?

Customers galore

With in-branch services limited, less digitally-savvy, first time, digital customers have made the jump to online banking products like Klarna for real-time loans, and digital-only bank account offerings like Starling Bank, Atom Bank, and Monzo.  The move has been a digital consumer bonanza for online financial institutions which, while happy with the new customers, are left with the daunting task of determining who they are and whether to trust them.

Who are these people?

Unquestionably, the transition to digital banking has brought positive benefits to first-time users such as greater convenience and transparency, but it has also resulted in a less than desirable outcome: increasing levels of fraud and sophistication in attacks. The reality is that many of these nascent digital customers have very little on-line transaction history and virtually no digital identities as a reference point for identity and verification.  Consequently, with more and more of them moving their banking online, traditional methods of determining “who is on the other end of a transaction” have been tested, and in many cases become less effective or completely obsolete.   And here’s the rub; with little to no digital identities, limited transaction history, and never before seen devices, financial organisations are defaulting to more draconian verification methods…stepping up customers, challenging them with KYC questions, and generally increasing transaction friction.

Go easy on them

Yet, before we castigate the institutions in question, a degree of understanding is warranted.  After all, the tsunami of new online transactions represents a significant challenge. And what’s a bank to do?  If a bank falsely deems a transaction fraudulent, they are ruining a customer’s on-line experience by creating unnecessary friction which predictably leads to transaction abandonment.  On the other hand, if the bank defaults to no friction and allows all of these new transaction to run, it could be a fraudster’s paradise…”free loans, credit cards, and other financial instruments on isle 3!” So, determining the person on the other end of the transaction is paramount to a customer’s experience as well as the future success of a financial institution in maintaining account holders and preventing fraud losses.

Fraud fighting is a full-time, real-time business…and it isn’t cheap!

Fraudsters learn, adapt, share insights, and then repeat the cycle.  Always searching for vulnerabilities, they create new and complex methods to circumvent detection. For example, during the pandemic, banks and other on-line business are seeing a significant increase in spear phishing, cross-site scripting, and man in the middle attacks.  Tack on impersonation scams, scary intrusions like the SolarWinds hack that has left government and commercial organizations scrambling, and incessant BOT attacks and its clear the velocity and diversity of attacks add a whole new level of complexity…and the dollars start adding up quickly!  Not only do these attacks result in higher costs for financial organisations but they create significant brand blow back.   Online businesses, especially banks, need to rethink their identity verification protocols landing on those that balance digital identity solutions that factor in identity, context, and behavior.  Context is a key element to ensure a balanced approach and mitigate  overreactions.   Because with fraud currently surging, there is a danger that financial institutions over-correct and prevent customers from completing legitimate transactions. Organisations need to resist the urge to implement stringent measures or checks and instead they need to be smarter in rooting out fraudulent purchases in the first place.

Harmonizing Identity…the only real verification 

Effective identity verification starts with harmonizing all of a customer’s disparate digital personas into one digital identity.  Every customer has multiple digital personas with which they transact in the online world.  For example, assuming email as the common credential denominator (along with an appropriate password), a customer may use Gmail to access Lloyds Bank, Yahoo for a Gumtree ad, and Hotmail to place a Tesco grocery order.  While each of these are all different digital personas, they represent the same customer.  Understanding the collective personas and associating them with one harmonized identity provides the necessary confidence as to the integrity of the identity. Next, understanding the context derived from prior transaction history, device information, location, and intent data like searches and outcome data, allows organizations to also add a predictive element to the analysis.  Together, these factors help build confidence that the customer is legitimate and, equally importantly, whether to trust the customer within the context of the transaction.

The Time Space Continuum

Context can help interpret behavior that would otherwise be immediately flagged for fraud.  Consider a customer that has just purchased a jacket at John Lewis using a London IP address and then immediately purchases a package tour from an IP in Reykjavik. Relying solely on the IP signals would flag the second transaction as likely fraud. However, if the person routinely uses a VPN while making transactions and using the Reykjavik IP is a known transactional attribute, then the time distance conundrum is nonexistent because the  1173-mile journey is just a quick digital hop…it’s likely legitimate and hasn’t broken the laws of physics.  If it’s also determined that the customer has been searching for Iceland trips and subsequently books a flight, the tour purchase becomes even more credible because every transaction that uses those elements is mapped to that digital identity and strengthens the association between that specific transactional element and the identity’s behavior.

While one imaginary purchase is certainly not the whole picture, financial institutions need to make these decisions around fraud in an instant. Without the proper contextual information, banks and other organisations can easily flag a genuine purchase as fraudulent and is so doing, aggravate the customer and because of transaction abandonment, hand market share to their competitor.  The only solution that fits the bill is to harmonize digital identities.  Armed with a verified identity, deterministic facts (the customer is in London) and probabilistic measures (the customer is planning on visiting Iceland) the transaction assessment will be accurate and eliminate friction.

The Solution?

Use digital identities that are:

  • built on global consortiums that provide a global view of a customer
  • harmonized to ensure no single digital persona is compromised or acting anomalously
  • provide both deterministic and probabilistic insights
  • and most importantly, built on consented and permissioned data

COVID-19 and the subsequent increased use of digital banking products have opened the door to fraud. While fraudsters try to take advantage of the current situation, financial institutions can ruin their schemes by ensuring that they work with the best data partners in order to provide the context needed to verify transactions and reduce friction.

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Call For Entries

Global Banking and Finance Review Awards Nominations 2021
2021 Awards now open. Click Here to Nominate

Latest Articles

FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India 4 FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India 5
Finance2 days ago

FSS and India Post Payments Bank AePS Partnership Advances Financial Inclusion in India

New Delhi, January 12th,2020: FSS (Financial Software and Systems), a leading global payment processor and provider of integrated payment products,...

Seven lessons from 2020 6 Seven lessons from 2020 7
Top Stories2 days ago

Seven lessons from 2020

Rebeca Ehrnrooth, Equilibrium Capital and CEMS Alumni Association President   Attending a New Year’s luncheon on 31 December 2019, we...

Over a quarter of Brits now have an account with a digital-only bank 8 Over a quarter of Brits now have an account with a digital-only bank 9
Banking2 days ago

Over a quarter of Brits now have an account with a digital-only bank

The number of Brits with a digital-only bank account has gone up by a percentage increase of 16% Almost 1...

Fintech M&A: the terrible teens? Fintech M&A: the terrible teens?
Business3 days ago

How fintech companies can facilitate continued growth

By Jackson Lee, VP Corporate Development from Colt Data Centre Services The fintech industry is rapidly growing and, in the...

gbaf1news gbaf1news
Technology3 days ago

BNP Paribas joins forces with Orange Business Services to deploy SD-WAN for 1,800 retail sites in France

Co-construction approach ensures business continuity during deployment BNP Paribas has chosen Orange Business Services to deploy an SD-WAN solution in...

Managing Operational Resilience And Safeguarding Data Are Core To Sustainable Digital Financial Services Managing Operational Resilience And Safeguarding Data Are Core To Sustainable Digital Financial Services
Business3 days ago

2021 Predictions: Operational Resilience Takes Center Stage

Breaking down barriers between Risk and Business Continuity By Brian Molk, Fusion Risk Management What a year! Simply put, the global...

Five Workplace Culture Trends of 2021 14 Five Workplace Culture Trends of 2021 15
Business3 days ago

Five Workplace Culture Trends of 2021

5 January 2021 – 2020 – a year like no other – is responsible for driving organisational change, especially workplace...

The Impact of the Digital Economy on the Banking and Payments Sector 16 The Impact of the Digital Economy on the Banking and Payments Sector 17
Banking3 days ago

The Impact of the Digital Economy on the Banking and Payments Sector

By Gerhard Oosthuizen, CTO Entersekt. New banking regulations, digital consumers, the eradication of passwords, contactless technology – these are just...

Is COVID-19 an opportunity for banks to skyrocket their electronic payments Is COVID-19 an opportunity for banks to skyrocket their electronic payments
Finance4 days ago

Be Future-Ready: The Case for Payments as a Service (Paas)

By Barry Tarrant, Director, Product Solutions, Fiserv Over the years, financial institutions have faced a myriad of changes in regulations,...

How to answer interview questions How to answer interview questions
Interviews4 days ago

Mark Wright – No Longer an Apprentice

Just for context, you won The Apprentice and became Lord Sugar’s business partner in 2014 – you set up your...

Newsletters with Secrets & Analysis. Subscribe Now