Community

Join the Community

22,521
Expert opinions
44,523
Total members
531
New members (last 30 days)
195
New opinions (last 30 days)
28,866
Total comments
Join Sign in

A condom with a hole

  0 Be the first to comment
Retired member
Unfollow

Google made waves last week with their announcement about Host Card Emulation (HCE) solution that allows, inter alia, to "emulate" EMV without requiring any secure element (SE). Oh my...

Google's own source claims that "Android HCE emulates ISO/IEC 7816 based smart cards". Well, ISO 7816 is a standard for contact (!) cards that describes... physical characteristics of... SE - nothing to do with contactless payments interface or protocol, let alone SE-less payments. Also, Google says that HCE allows to implement transit application; however, HCE does not support such popular low-level transit protocols as Mifare. Does Google truly understand what it is talking about?..

Let's take a step back and re-visit Socrates who said: "The beginning of wisdom is a definition of terms." What does "emulate" mean?.. "To try to be like something you admire". Even if we discount the "admire" bit, if one (legitimate) Android app can pretend to be an EMV card, so can another (malicious) app...

Take a look at Google's "security" pedigree as far as its Wallet is concerned. Problemproblemproblem. Sure, those issues were eventually fixed, but why does anyone need a condom with a hole in the first place, even if that hole can be - disaster post factum (!) - patched up?.. 

HCE is not a new feature - BlackBerry had it for over a year. It takes it roots from SimplyTapp's solution that did entail secure element - that SE was cloud-based. When adopting HCE, Google decided to drop SE altogether (as far as one can tell) not because it made perfect technological sense, but because it made some business sense. For Google.

What about banks? Compromised HCE can result in £100+ loss. The cost of SE is £2 or less. If that level of risk really worth it?..

So, where does all that lead us to? To make things work properly, mobile payments market need agnostic (and free) secure element which can be used by any legitimate third party via "open API". Such a secure element should work with any smartphone out there - not just with Android (let alone just with Google's own phone).

Such a secure element should have a magic "press to pay" (mechanical) button that puts the user firmly in control and also prevents "man in the middle" attacks.

Such a secure element would support any transit and access control protocol out there. And be EMV-compliant. And allow to implement "card present" e-commerce. Now that's what I call a true game-changer.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

4016
 

Share

 
 
 
 
 

Channels

/payments
 

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Join group

1747 opinions 249 members

Comments: (2)

A Finextra member 

When I read the marketing blurb on HCE I made the assumption it was just another term for CloudSE - however in reading the Android Developer Website I find it is an internal API for providing "SE-like" services in Software.  My main concern: how can the device securely emulate a SE in Software?  Thinking back to 2003 - there was a reason Visa and MasterCard mandated the use of Cryptographic Hardware Security Modules instead of doing Crypto in-software (it is inherently insecure!).

Google really should know better...

A Finextra member 

I agree with pretty much everything in this blog. The only thing I would want to correct is that not all mobile payments require the use of debit/credit cards or the use of NFC. So those solutions don't require SE and as such your game-changer comments only fit well with card backed based transactions....

The whole thing though smells of Google and others changing the rules of their own game to stop others trying to get involved. I would like to see what carriers do re Android 4.4, will they stop stocking so many Android devices and favour those that don't threaten their own investment in ISIS or WEAVE?

More expert opinions

Joris Lochy

Joris Lochy Product Manager at Intix | Co-founder at Capilever

Bitcoin’s Scarcity and Inflation Resistance: A Safe Haven or a Risky Gamble?

Micah Willbrand

Micah Willbrand Chief Product Officer at GBG

The evolution of identity verification and what’s next

Alex Kreger

Alex Kreger Founder & CEO at UXDA

How Innovation Can Ruin Financial Brands Consistency and Users Trust

16

Jamel Derdour

Jamel Derdour CMO at Transact365 - www.transact365.io

Unlocking Growth: The Boom of Digital Payments in Nigeria

See all opinions

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,521
Expert opinions
44,523
Total members
531
New members (last 30 days)
195
New opinions (last 30 days)
28,866
Total comments
Join Sign in

Trending

Jamel Derdour

Jamel Derdour CMO at Transact365 - www.transact365.io

Unlocking Growth: The Boom of Digital Payments in Nigeria

Ben O'Brien

Ben O'Brien Managing Director at Jaywing

The changing face of AML: How PSPs can stay ahead of financial crime

Alex Kreger

Alex Kreger Founder & CEO at UXDA

The Risk of AI-Driven Banking Commoditization

Prakash Bhudia

Prakash Bhudia HOD – Product & Growth at Deriv

The potential Bitcoin bounce: Will we see historical highs in February?

Now Hiring

All companies

Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.

Please read our Privacy Policy.

Accept