Bankinter circumvents secure element hassle for mobile NFC payments

Questions keep exploding in my head like those famous music fireworks held in Côte d'Azur every summer.

Tokenization is a cute concept. Especially if Bankinter can tell me how I can use their service in places with no online connectivity. Like London Undeground...

When banks cannot (or cannot be bothered) to strike a deal with mobile operators or owners of operator-agnostic secure elements, they start re-inventing the wheel. That leads to security breaches.

And then things start getting "interesting": 84% of financial organizations were notified of security breach by external entities. Attackers had an average of 174 days (!!) within the victim's environment before detection occured.

The comment about lack of connectivity in the London Underground is a good one, but couldn't you just download a token in advance?  Not ideal, but not a showstopper either.  And most other places, it's not an issue.

As for the security point, I don't get that at all.  How can a one-use token lead to any sort of bank breach?  It's actually safer than passing a real card number through a terminal.

With regard to the inability of banks and carriers to come together on mobile payments, my hope is that ideas like this will persuade the carriers that they cannot control the handset, and therefore must negotiate with the banks if they don't want to be irrelevant.

Aaron,

Downloads to a smartphone require at least GPRS connection. There are many places, outside such "extreme" examples as London Underground, where GSM data connectivity cannot be guaranteed - some shopping malls, car parks, trains, airplanes, taxis, etc. Think of ubiquity.

As for the security: lack of secure element means that the target phone cannot be identified with a 100% certainty. Hence, there is a scope for that one-time token to be downloaded (or diverted) to the attacker's phone - not hard to implement, in fact.

Who said BANKS are relevant to payments?.. Just ask Amazon, PayPal, Apple, etc. Tokenization, in fact, is one of the latest fabs via which banks hope to avoid being used as dumb pipes. However, they need to deliver value, instead of control, to remain relevant.

Or we can praise Bankinter, a mid-size spanish bank, for being innovative and dare to challenge the NFC mobile payment value chain status quo, in a tough environment for banks in Spain

Talking of Spain, innovation and "dare to challenge": http://gizmodo.com/5986820/this-atm-gives-you-money-for-free-expecting-you-to-help-people

There are other examples, where mobile payments are securely executed using an online device without a secure element. Wywallet is currently running with more than 600k users in Sweden and an eastern european bank will launch this week with 5 M users and 30k POS. By storing private keys on the phone, you achieve 2 factor PKI authentication, independent of device and network.

I always question the motives behind any decision: is that THE best and most appropriate solution or is it just a "forced" "good enough" alternative to the former...

Kudos to Bankinter for showing that Banks Have Nothing To Fear From TELCOs.