Connect with us

Technology

SECURE ELEMENTS VS CLOUD-BASED HCE: WHAT IS MORE SECURE FOR NFC MOBILE PAYMENTS?

Published

on

SECURE ELEMENTS VS CLOUD-BASED HCE: WHAT IS MORE SECURE FOR NFC MOBILE PAYMENTS? 1

With the introduction earlier this year of Host Card Emulation (HCE) and last month’s reveal of the iPhone 6, Near Field Communication (NFC) technology is making a strong move to fulfill its promise to be the dominant “physical world” payments technology.

The reinvigoration of interest in NFC is raising the stakes for enabling technologies that make secure mobile payments possible. And as discussions move from “if” to “when,” implementation issues come to the forefront, with no issue bigger than security. That’s especially true between the proponents of on-device secure elements versus cloud-based cards HCE.

The arguments for superior security from both sides of the debate lead me to reflect on an old saying that goes “absolute security is only attainable when you’re protecting something absolutely worthless.” No matter the effort to protect something, any security can be defeated given enough time, money, and technical resources. In other words, there is no perfect security, just better or worse security. So which security is better — hardware-based secure element or cloud-based Host Card Emulation? From a security perspective, both of these competing technologies have persuasive arguments in their favor.

The Secure Element

Lance Johnson

Lance Johnson

Years of effort have gone into developing a trustworthy mobile payment solution that relies on highly secure, tamper-resistant secure elements (SE). A secure element can be thought of as a smart card in the phone isolated from tampering by a restricted access interface and strong encryption. The standard in Europe for over 20 years, EMV smart cards — so called “chip” cards — have virtually eliminated many types of fraud still common in the US. In fact the US is finally adopting EMV standards. Based on proven EMV smart card technology, secure elements are very tough nuts to crack. They are tested against a set of requirements defined by the payment networks and only those that can satisfy the evaluation criteria are allowed to store payment credentials. Extreme efforts and corresponding time and money are required before there is any hope of success with limited value to the successful attacker.

Additionally SE’s have the added benefit that the fraud opportunity is limited to each device. That is only a small amount of data is stored on them (single customer credentials and device specific cryptographic information). This restricts the opportunity of any hacker to the value of each device. In other words, to get lots of fraud value the hacker must compromise many individual devices.

HCE, Tokens and Device Fingerprinting

HCE assumes that any data stored on a handset is vulnerable and therefore restricts the storage of sensitive data to host or “cloud” databases. These databases must be managed to a high security standard. The security requirements are a very high level, exceeding common security (e.g. PCI DSS) and equivalent to card personalization bureaus. They have to be; the concentration of payment information and credentials is a very attractive target.

Preventing unauthorized access in HCE depends on four pillars: limited use keys, tokens, device fingerprinting, and transaction risk analysis. Limited use keys expire quickly preventing their misuse. Tokens reduce risk by replacing the PAN with limited use data that passes seamlessly through the payment system. Device profiles (fingerprints) validate the phone. Data analysis provides real-time transaction assessment to identify unusual activity. In short, HCE security relies on managed intelligence at the device and systems levels by leveraging the “always-on” and “big-data” ecosystems. The more data used to measure and analyze, the better the overall security.

Regardless of technology, an on-device a client must control secure storage, should collect locally available data, perform risk assessment (according to pre-defined rules), and trigger updates. The backend is constantly communicating with the client, testing the information and validating actions according to the risk tolerances of the card issuer. HCE benefits more since it is designed to utilize these backend systems more effectively, but SE is less reliant on “always on” networks.

Apple Pay: All the Above

Apple has recently demonstrated aspects of both secure element and cloud-based HCE technology can be combined into one solution. Apple Pay uses the secure element to store tokens and the payment client and adds biometrics with Touch ID for multifactor authentication. It allows Apple to use the power of local and backend data for risk management while removing all doubt about the security of a token or credential. By using the best of both worlds and adding a few new wrinkles, Apple has built a strong system. It is a fair estimation that Apple Pay will earn a “Pass” on the security test.

So what is better?

Host-Card-Emulation-VS-Secure-Element_SMALLActually, that is the wrong question. The real question is whether either technology reaches the level of security needed to protect payment data. The introduction of Apple Pay, a hybrid solution, shows that a secure element versus HCE debate is too focused on technology and not on an overall effective solution. In fact where the debaters lose site of the objective is in having a debate at all. This isn’t a competition, it is an examination graded only as “Pass/Fail.” Depending on how they are deployed either can Pass (or Fail).

Bottom line is that if you are fortunate enough to have an SE, then use it. But if you don’t have use of secure elements, then focus on HCE which is supported by the majority of smart phones. Banks and merchants can deliver secure mobile payments to consumers today using HCE with tokenization, device fingerprinting, risk modeling and robust on-device software. You may have the added advantage of delivering services through your own branded apps instead of a wallet, preserving your consumer connection.

What banks and merchants must adapt to is an environment where secure elements and cloud-based HCE will co-exist. The key is to understand the strengths and weaknesses of each and deploy solutions that can leverage both, because that is the only way 100% of consumers will be served.

Written by: Lance Johnson

Lance Johnson is the Chief Security Officer of Sequent. Lance is a 30 year veteran in banking and payment services, having spent spent over 20 years at Visa as the Senior Vice President responsible for payments risk and fraud control operations and later Senior Business Leader responsible for Payment System Risk Strategy and Policy.

Technology

Everything you need to know about APIs for business

Published

on

Everything you need to know about APIs for business 2

By Omar Javaid, president, Vonage API Platform, Vonage 

If your work brings you into close proximity with technology, chances are that you’ve come across APIs. Like many of the tech acronyms we hear –  DNS, VOIP, SaaS – APIs fall into a category of terms that most of us would consider best left to the IT department. However, APIs are a vital tool for any tech-enabled business, and a basic understanding of them at management level can help to drive sales, increase customer satisfaction, and improve the user experience.

Although they seem daunting, getting to grips with APIs is surprisingly straightforward. API stands for Application Programming Interface, and can be simply defined as a software tool used to control programmes. Essentially, APIs create sets of rules that allow applications to communicate with each other – they are the part of the server that receives requests and sends responses. Today, when data is transferred between a pair (or more) of programs or applications, an API normally makes it happen.

To give a real-world example: when a user types Instagram’s URL into their browser and hits the Return key, a request is subsequently transmitted to Instagram’s remote servers. That browser then processes the response code it receives and displays the page. For the browser, Instagram’s server is an API – allowing it to communicate and relay information back to you without interruption or delay.

The job of the API is to simplify the complex data exchanged between these servers, and to make the interaction as seamless as possible for the end user. Considering that the vast majority of our business and personal lives now take place virtually, any solution that optimises the online experience is extremely valuable.

Using APIs to improve the customer experience 

One of the core benefits of APIs is that they enable businesses to free themselves from the time consuming and costly process of developing in-house software to power a single core application. Instead, developers can outsource certain tasks to remote “off-the-shelf” APIs, saving time, money, and allowing resources to be channeled elsewhere. These add-on services allow businesses to offer a more complete, one-stop solution to customers, whilst streamlining the process to optimise user experience.

Omar Javaid

Omar Javaid

Although we may not always realise it, APIs are playing a vital silent role in almost every purchase and interaction we have online. Take booking a holiday for example. As we browse comparison sights, APIs are working furiously behind the scene to aggregate information from airline databases, hotel websites, and excursion providers. The API performs the back and forth needed to retrieve the information, whilst we are able to sit back and view all of the results on the same page. Simplifying this process enables travel comparison websites to make the search for holidays quick and easy, and encourages customers to stay on the site by offering all that they need in one easy to consume package.

APIs also allow smaller businesses to utilise tools provided by some of the world’s largest and most successful companies. Google’s Calendar API for example could be used within a beauty salon website to enable customers to book and schedule treatment reminders, whilst Apple’s weather tool could be plugged-in to an events company website to give customers real-time weather updates. While the API’s developer does retain ultimate control over how the API is used, there are still countless ways to integrate these tools to benefit your business and improve the functionality of your website.

Communications APIs

The recent Covid-19 pandemic in particular has highlighted the value of an API class that normally receives little attention; communication APIs.

Today, companies are boosting spending on unified communications-as-a-service (UCaaS), along with video conferencing, collaboration, and voice technology solutions given the exponential growth in home and remote working as a result. Where face-to-face contact is limited by necessity, businesses need to be able to communicate with employees and customers in ways which are secure, simple, and cost-effective.

Given how rapidly the technology landscape changes, APIs are the clear solution to avoiding the expense of developing tools from scratch, in addition to harnessing the power of the advanced features offered by established API providers.

Using them, businesses are able to adapt to suit changing customer preferences; for example offering an online chatbot to handle customer queries, or by using multi-channel messaging to connect with customers via WhatsApp or Messenger. These tools are not only useful, but can also allow you to gain intelligence into a customer’s preferences and habits – both useful marketing gauges.

On the other hand, comms APIs can also help to address problems that may crop up internally within organisations and workforces. There are APIs which allow callers to automatically sync calendars, meaning that meetings will only be scheduled when all parties can attend. There are also APIs for timezone conversion, permissions requests, and for video link calls and messaging. With the work from home trend continuing for the foreseeable future, investing in these areas is critical if businesses want to keep delivering at the highest levels.

Considering all of the above, it’s clear that we can expect to see the adoption of APIs continue. Developers are constantly working to create increasingly sophisticated products, and many have moved towards exclusively building and hosting APIs, rather than building the apps themselves – creating a so called “API Economy” of sorts.

This focus on creating the best possible APIs has allowed smaller businesses to harness the collective expertise of the world’s largest and most successful companies, and the chance to use these tools represents a fantastic opportunity for growth. The reach of APIs extends far beyond the IT department, and with a basic understanding, they can be used by senior management and leadership teams to optimise all areas of the business – not bad for three small letters.

Continue Reading

Technology

Unexplained Wealth Orders: Rightly Celebrated or Over-Rated?

Published

on

Unexplained Wealth Orders: Rightly Celebrated or Over-Rated? 3

By Nicola Sharp of financial crime specialists Rahman Ravelli considers the attention given to unexplained wealth orders – and emphasises that they can be challenged.

There is little doubt that many sectors of the media – and their readers – enjoy a story that involves an unexplained wealth order (UWO). They do, after all, have many of the ingredients that many look for in a good tale: allegations of wrongdoing on a large scale, someone being made to hand over assets worth more than most people will earn in a lifetime and the sense that justice has been seen to be done.

In the latest UWO, which was widely covered in the media last week, Leeds businessman Mansoor Mahmood Hussain was compelled to hand over property worth just short of £10M, after being accused of acting as a money launderer. He has been ordered to surrender the assets because the National Crime Agency (NCA) believed his wealth was the proceeds of crime, and so considered him a suitable target for a UWO.

Introduced by the Criminal Finances Act 2017, UWOs give law enforcement agencies powers to require persons to explain how they came to possess their assets, and to show that their wealth has come from legitimate sources. A UWO can be sought without any civil or criminal proceedings having begun. There is no need for the subject of a UWO to have been convicted of an offence or to have had a civil law judgement against them. Agencies can apply to the High Court for a UWO against any property valued at over £50,000, if the person owning it is reasonably suspected of being involved in serious crime (or connected to a person who is) and there are reasonable grounds to suspect that a person’s lawfully-obtained income would be insufficient to allow that person to obtain that property.

Like Zamira Hajiyeva before him, Mansoor Hussain’s inability to provide a credible, innocent explanation for his wealth has cost him – and generated headlines. Hajiyeva may be best known for somehow racking up £16M of expenditure at Harrods. But this only became known when she was the first person to be the subject of UWOs. The NCA expected her to explain how she had bought a £11.5M Knightsbridge house and a £10.5M golf course in Ascot, bearing in mind her husband is the former head of the state-owned International Bank of Azerbaijan, had a salary of no more than $70,000 and was convicted of fraud and embezzlement. Earlier this year, she lost her appeal against the UWOs, thus enabling the media to re-run her story and giving the NCA the chance to make approving noises about UWOs being a valuable tool in tackling illicit finance.

But before there is a rush to applaud UWOs, it should be said that the NCA’s relationship with them has been a chequered one, to say the least. Since becoming available to the NCA, the agency’s success rate with UWOs has been patchy. This is despite the standard of proof for UWOs being significantly lower than that required in criminal cases. Last year saw the NCA granted three UWOs for London property valued at £80M. Yet less than a year later, these UWOs were discharged, with a judge criticising the NCA’s “unreliable’’ assumptions and “artificial and flawed’’ reasoning. The Court of Appeal then refused the agency permission to appeal this decision.

While a UWO is a tool that enables law enforcement agencies to seize assets they believe are the proceeds of crime without anyone ever being convicted, it does not yet appear to have become the great weapon against illicit wealth that many would have hoped. Of the four cases begun since UWOs were introduced, two are still being contested. Mansoor Hussain’s case is the first time a UWO has successfully led to the recovery of assets from an individual.

Although, a UWO can be seen as effective in certain situations, it will often be considered the most (and perhaps only) viable option when a prosecution has failed or when the authorities do not believe there is enough evidence for a realistic chance of a conviction.

When being faced with an UWO it should be remembered that whilst agreeing to settle and hand over property is not an admission of guilt, anyone facing a UWO must consider carefully how they respond to the authorities. It is vitally important to take the right advice. Deciding how to proceed when assets worth millions are at stake can be the biggest decision a person ever has to make.

In such circumstances it will often be the case that an intelligent, robustly-argued challenge to a UWO – and, in particular, to the allegations being made by the law enforcement agency seeking the UWO – will bring success. But that success will depend on knowing precisely how to respond – and who to turn to – if and when you become the intended target of a UWO.

Continue Reading

Technology

How Siloed Data Leaves Financial Institutions Open to Fraud

Published

on

How Siloed Data Leaves Financial Institutions Open to Fraud 4

By Stephany Lapierre, CEO Tealbook

Reducing the risk of fraud is a top priority for all financial institutions since fraud is responsible for massive profit loss, as well as the degradation of an institution’s integrity and brand.

In trying to prevent fraud, most executives look to protect themselves from the outside in, implementing layers of security and launching reactive measures. However, in order to truly protect your organization from fraud, it’s imperative to begin by looking at your existing internal structures. The most critical and often overlooked area to assess is how your organization obtains, enriches, and distributes data.

Streamlining and scrubbing your data can increase profitability without adding to resource spend. Having good data allows you to complete your due diligence on vendors and external entities your organization regularly deals with. It favorably adjusts your efficiency ratio and reduces risk by eliminating redundancies, conflicting information, and information gaps. In addition, it allows smaller teams to operate with increased scale and effectiveness. In turn, this leads to a more effective vendor vetting process and less room for error in payment information verification.

Conversely, poorly managed data is confusing and deceiving and can play an unfortunate role in giving fraudulent access to outside parties through internal miscommunications. For example, updates could be made in one system and not another, and suddenly different departments are working with different data sets like payment information or legal formation documents that regulators look for in audits, and no one knows what is true or accurate. This effect snowballs over time, creating massive holes in the integrity of the data, creating unnecessary risk exposure and audit failures.

All of these vulnerabilities can serve as the foundation for developing a risk management protocol that may be rendered useless if it is based on poor data. It is  impossible to properly vet vendors and suppliers or verify payment information if the data is unreliable.

By investing in a solid Data Foundation, you’ll see an increase in the success of your risk management and fraud prevention measures. In many instances, you won’t need to add more steps or resources, just power your existing systems with clean, agile, and accurate data to see improved efficiency.

Here’s a closer look at the most common vulnerabilities within a typical financial institution’s data ecosystem:

Fragmented Organization Structure

As organizations grow and scale, it’s inevitable that different subsections will become isolated from one another and begin different processes for data management. Poorly managed systems can exacerbate this lack of communication and threaten data integrity.

It may not seem like cause for concern if a few different arms of an organization aren’t completely in sync. However, in the financial space, this issue rarely applies to just one or two organizational divides. For example, a prominent US-based financial institution boasts over 90 business units, all of which need to be synergized in order to prevent inaccurate data, redundancies, and problems with regulatory information gathering. This siloed information is, unfortunately, a common practice that needs to be addressed.

Unmanaged Proprietary Systems

In an attempt to serve data in a highly specialized way, many institutions have explored developing proprietary data systems for internal use. However, because of factors like employee turnover or an inability to keep up with data integrity best practices, these legacy systems quickly become obsolete and unmanaged. Their custom nature also renders them inflexible and unable to integrate with other solutions.

When trying to work around an unmanaged system, different branches of an institution may turn to different solutions. When work is being done across different platforms, this reduces visibility and increases risk for inaccuracies, which leads to poor decisions, costly rework, and potentially fraud.

If your organization is reliant on a proprietary system, consider if that system is functional and scalable. If it’s not, you may want to look into a flexible data management system that can work with other technologies.

 Disparate Information Across Systems

Mergers, acquisitions, and growth also lead to using and implementing many different ERP solutions and antiquated legacy software that are forced to communicate with each other using painful manual efforts. A major problem arises from the fact that these systems operate across numerous lines of businesses, all with different siloed data. By having so many siloed systems that could be compromised with harmful data, these disparate data sources leave banks and other financial institutions exposed to unnecessary risk.

Different departments have different needs, so it makes sense that they would use different solutions, but it’s important that those solutions pull from a single source of truth in order to prevent the types of data inaccuracies that lead to vulnerabilities.

Final Thoughts

Closing the holes in your data integrity is the most proactive way a financial institution can defend against fraud. As hackers get increasingly creative and aggressive, it becomes even more critical that organizations have a trusted Data Foundation to base their decisions on. This can be achieved by ensuring that siloed systems are powered by consistent and accurate data from a single reliable source.

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Call For Entries

Global Banking and Finance Review Awards Nominations 2020
2020 Global Banking & Finance Awards now open. Click Here

Latest Articles

Everything you need to know about APIs for business 5 Everything you need to know about APIs for business 6
Technology4 mins ago

Everything you need to know about APIs for business

By Omar Javaid, president, Vonage API Platform, Vonage  If your work brings you into close proximity with technology, chances are...

Accountants have become critical to the survival of businesses and their reputations during Covid-19 7 Accountants have become critical to the survival of businesses and their reputations during Covid-19 8
Finance15 mins ago

Accountants have become critical to the survival of businesses and their reputations during Covid-19

The opportunity for fraudulent activity to flourish as finance departments operate remotely with less oversight in these extraordinary Covid-19 times...

Unexplained Wealth Orders: Rightly Celebrated or Over-Rated? 9 Unexplained Wealth Orders: Rightly Celebrated or Over-Rated? 10
Technology30 mins ago

Unexplained Wealth Orders: Rightly Celebrated or Over-Rated?

By Nicola Sharp of financial crime specialists Rahman Ravelli considers the attention given to unexplained wealth orders – and emphasises...

Taking advantage of the UK’s renovation revolution 11 Taking advantage of the UK’s renovation revolution 12
Finance47 mins ago

Taking advantage of the UK’s renovation revolution

By Paresh Raja, CEO, Market Financial Solutions UK property is a popular asset class because of its historical resilience to...

What is a glocal supply chain? 13 What is a glocal supply chain? 14
Business1 hour ago

What is a glocal supply chain?

Thanks to rapid advances in communication and information technology, manufacturers are now able to operate at a truly global level,...

Rise in Digital Banking Activities: Should UK Banks Be Wary Of Cyber Attacks? 15 Rise in Digital Banking Activities: Should UK Banks Be Wary Of Cyber Attacks? 16
Business1 hour ago

Rise in Digital Banking Activities: Should UK Banks Be Wary Of Cyber Attacks?

By Kunal Sawhney, CEO, Kalkine. Cybersecurity in the age of digital banking and technology has had a significant impact. With...

Grey skies ahead – Malta prepares for a gloomy 2021 if they can’t tackle financial crime 17 Grey skies ahead – Malta prepares for a gloomy 2021 if they can’t tackle financial crime 18
Top Stories2 hours ago

Grey skies ahead – Malta prepares for a gloomy 2021 if they can’t tackle financial crime

By Dhanum Nursigadoo, ComplyAdvantage With the summer drawing to a close, many countries who rely significantly on warm weather tourism...

Why Virtual Businesses Might Prove More Profitable in The Future 19 Why Virtual Businesses Might Prove More Profitable in The Future 20
Business2 hours ago

Why Virtual Businesses Might Prove More Profitable in The Future

By Jolyon Hennings, founder of Box Bear – an interactive media company which recently created two new VR products (VR...

Visibility and Performance Key to Finance Success  21 Visibility and Performance Key to Finance Success  22
Business2 hours ago

Visibility and Performance Key to Finance Success 

By Colette Kitterhing, Senior Director UK&I at Riverbed Technology As the global pandemic continues, the majority of Europe is facing...

How to optimise your stockholding power  23 How to optimise your stockholding power  24
Business3 hours ago

How to optimise your stockholding power 

By Paul McFadyen, Managing Director of metals4U  Whatever line of business you are in, every company and sole trader needs to...

Newsletters with Secrets & Analysis. Subscribe Now