Join the Community

22,039
Expert opinions
43,969
Total members
395
New members (last 30 days)
177
New opinions (last 30 days)
28,688
Total comments

Look, Ma, No Hands!

  0 7 comments

Finextra ran an article today about the UK banking sector "gearing up for the introduction of an industry-wide mobile payments". Which industry? There is no "payment" industry as such. Are we talking about banks? Or mobile operators? Or card schemes?

The article stated that "the new service will enable secure payments to be made [...] by simply using a mobile phone number as a proxy."

Wait a second. If my sort code and account number is a sensitive information, why do we hide it behind something known to hundreds of people? Perhaps because a malicious attacker cannot "simply" use my phone number to make a "secure" payment. He would need something else to do so. Something "secure".

The mystery was finally revealed: "the group can also take heart from the success of Pingit". Hm, that's where things are getting really interesting.

Pingit is an app. There is nothing secure about an app (unless it runs inside "trusted execution environment" which is not the case with Pingit). Now, the banks have been educating us for decades about the wonders of "chip" cards. The industry has been educating us about EMV standards and certifications. The industry is pointing its accusing finger at the US where hard-to-die magnetic stripe is wide open to fraud. 

Why, then, all of a sudden you can stick an app onto a phone and magically have a "secure payments solution"?..

When it comes to mobile phones, "secure" means some form of a Secure Element (SE), typically a protected memory or "trusted execution environment" (TEEs) inside a (secure) microcontroller - in layman's terms, a "chip". Currently, such "chips" inside the phones are controlled either my handset OEMs or, mainly, by mobile operators. Hence, any "industry-wide" solution would need to bed every single operator in the UK (including virtual ones). Was the word "operator" mentioned in that article at all? Take a wild guess.

"With security the main concern for potential users, the Payments Council says it will make sure that, at minimum, a passcode or similar feature will be required to authorize payments." A passcode. Is that the same passcode which can be easily read by a simple virus sitting undetected on my phone (and controlling my "secure" app too)? I now understand why security is the "main concern" only for the "potential users". The industry doesn't give a damn. 

Banks couldn't make a deal with the operators and decided to cut corners by introducing dual standards: "chip" for card payments vs a piece of software code on a phone for mobile payments; secure PIN encryption and secure PIN delivery channels in case of ATM and POS vs a "passcode" entered on a (non-EMV compliant) phone. Genius!

What's next? Let's wait and see...

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Join the Community

22,039
Expert opinions
43,969
Total members
395
New members (last 30 days)
177
New opinions (last 30 days)
28,688
Total comments

Trending

David Smith

David Smith Information Analyst at ManpowerGroup

Best 5 White-Label Neobank Solutions in 2024

Ruoyu Xie

Ruoyu Xie Marketing Manager at Grand Compliance

Governance, Risk and Compliance: How AI will Make Fintech Comply?

Now Hiring