www.thales-esecurity.com
Mobile Payments Applications and Challenges
Jose Diaz Director, Business Development & Technical Alliances
Thales e-Security
Slide 2: Verizon Data Breach Report
www.thalesesec.com
Slide 3: Victim Industry
Source: Verizon 2013 Data Breach Investigations Report
Slide 4: Compromised Data
Source: Verizon 2013 Data Breach Investigations Report
Slide 5: Mobile Threats – Global Overview
5.6 million potentially malicious files reported on Android, of which 1.3 million are confirmed malicious by multiple AV vendors
Source: APWG White Paper: Mobile Fraud, May 2013
Slide 6: Trustwave 2013 Global Security Report
Key points on mobile device security:
• The Android platform continues to be the focus of malware. In 2012, Trustwave’s malware collection for Android grew 400%, from 50,000 to over 200,000 samples.
• Malware also appeared in the Apple iTunes Store. All malware discovered was quickly removed. The most notable was Find and Call: the malware would upload a copy of the user’s address book and send SMS spam to all contacts.
• Several new variants of the Zeus family target BlackBerry devices, primarily in Germany, Italy and Spain.
• Windows 8 for mobile was released in late October 2012. Not much has been seen in the way of malware or exploits directed at this operating system, so far.
Slide 7: Does Anybody Care?
Source: Advanced Payments Report 2013 Edgar, Dunn & Company, Sponsored by First Data
Slide 8: Mobile Payments (section divider)
Slide 9: Mobile Banking
Mobile Banking ≠ Mobile Payments. It is a direct relationship between you and your bank:
• You can view your account balances.
• You can pay bills, but mostly only to accounts you registered to pay directly (electric, phone, etc.).
• You can transfer money between your accounts. Interac e-Transfer enables you to send money to someone with an account in Canada.
• You may be able to make a deposit by taking a picture of a check you want to deposit.
• You cannot walk into a store and pay for purchases with a mobile banking application.
Slide 10: Why Are Mobile Payments Interesting?
CNN Money: mobile payments are expected to hit $214 billion by 2015. Transactions made by scanning a mobile phone at the register are forecast to reach $22 billion, up from "practically none" last year.
Slide 11: The Future Trend for Payments
Source: RSR research, March 2013
Slide 12: Who is Leading the Way?
“retailers are taking their leads from innovators PayPal and Google, whose success is driven not by service providers, but by consumers themselves”
Source: RSR research, March 2013
Slide 13: The Traditional Payments View
[Diagram: Merchant’s Bank, Consumer’s Bank, Merchant’s Systems, Consumer’s Cards and the Network]
The traditional ‘Four’ Corner Model defines a tightly controlled ecosystem.
Slide 14: Mobile Acceptance Expands the Model
[Diagram: Merchant’s Bank, Consumer’s Bank, Consumer’s Cards and the Network, with a mobile acceptance device in place of the merchant’s systems]
The traditional ‘Four’ Corner Model defines a tightly controlled ecosystem.
Slide 15: Mobile Acceptance (mPOS)
[Diagram: mPOS card readers for Magnetic Stripe and EMV]
Slide 16: PCI’s View on Mobile Payments
Slide 17: Benefit of PCI P2PE
• Reduces the pain of audit compliance for the merchant
• Eliminates card data from the merchant environment
• Protects data from the acceptance device to the Gateway or Acquirer
[Diagram: POI (at the Merchant) → Payment Gateway / P2PE Solution Provider → Acquirer → Switch → Issuer. Labels: Secure Link, P2PE, Acquirer Domain, Payments network, Data protected by payments network]
Slide 18: What About Mobile Acceptance (mPOS) and P2PE?
• Enables transaction data security for mPOS
• Eliminates card data from the mobile device and the merchant environment
• P2PE is used to protect the data
• An important component for mPOS transactions!
[Diagram: Smart phone or tablet with a PCI-approved secure card reader as the POI (at the Merchant) → Payment Gateway / P2PE Solution Provider → Acquirer → Switch → Issuer. Labels: Secure Link, P2PE, Acquirer Domain, Payments network, Data protected by payments network]
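As an added illustration (not from the slides) of the claim on slides 17 and 18 that P2PE removes card data from the merchant environment: a small scanner a merchant or assessor could run over merchant-side transaction logs to confirm that only ciphertext and masked PANs appear there. The sample log lines, reader ids and KSN-like values are constructed; the one cleartext PAN is the well-known test number 4111111111111111.

```python
import re

# Digit runs of card-number length; spaces or dashes inside a PAN are tolerated.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit numbers in text (likely cleartext PANs)."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed merchant-side log lines. Under P2PE the secure reader encrypts
# the track data, so the merchant app only sees ciphertext ("ct") and a masked
# PAN; the last line models a reader or app that leaked the PAN in a debug dump.
SAMPLE_LOG = [
    "txn=1001 reader=mpos-07 pan_masked=411111******1111 ct=9f2c...ab10 ksn=FFFF9876543210E00001",
    "txn=1002 reader=mpos-07 pan_masked=510510******5100 ct=6b77...03e4 ksn=FFFF9876543210E00002",
    "txn=1003 reader=mpos-09 pan=4111111111111111 exp=1215 DEBUG dump of track2",
]


def scan_log(lines) -> list:
    """Return (line_number, pan) pairs for every line carrying a cleartext PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_cleartext_pans(line):
            findings.append((n, pan))
    return findings


if __name__ == "__main__":
    for n, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: cleartext PAN {pan[:6]}******{pan[-4:]} found in merchant log")
```

Any finding means card data is present outside the P2PE-protected link and the merchant environment is back in PCI DSS scope.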
Slide 19: Mobile Payments (section divider)
Slide 20: Paying with Mobile Brings New Challenges
[Diagram: Merchant’s Bank, Consumer’s Bank, Merchant’s Systems, Consumer’s Cards and the Network]
Everything stays the same, but:
• Phones are insecure
• They are consumer controlled
• They can’t be ‘read’ in stores
The traditional ‘Four’ Corner Model defines a tightly controlled ecosystem.
Slide 21: ‘New’ Technologies to the Rescue
• Near Field Communications (NFC)
• Secure Elements (micro-HSMs for phones)
• Mobile Wallets (apps that host payment credentials)
[Diagram labels: Readability, Standardized Format, Security]
Slide 22: So Why Hasn’t it Happened Yet?
Just unlucky or ill conceived?
• NFC is just a protocol, not an experience
• The first NFC phone, the Nokia 6131, shipped in February 2006; Apple’s iPhone was launched only a year later (June 2007)
• NFC requires POS terminals to be upgraded, but few merchants were motivated (other than taxis and subways)
• Expected penetration: from 8% in 2011 to 53% in 2017
Slide 23: Expanded Ecosystem – Several Cooks in the Kitchen
[Diagram: Merchant’s Bank, Consumer’s Bank, Merchant’s Systems and the Network, now joined by Handset Manufacturers, Mobile Network Operators (MNO), Mobile App Developers, Mobile Technology Providers, Trusted Service Managers (TSM) and Mobile Wallet Providers]
The payments industry is no longer a private club.
Slide 24: Paying with Mobile in Canada
• CIBC and Rogers
• RBC and Bell
• Other banks have announced they will offer NFC payments
Slide 25: Expanding Security Options in Mobile Device (section divider)
Slide 26: Trusted Execution Environment (TEE)
• A separate execution environment running alongside the OS to provide security services to the Rich OS
• Higher level of security than a Rich OS
• Not as secure as a Secure Element (SE), but lower cost
• Offers a layer of security between a Rich OS and a SE
• Addresses use cases with lower security requirements
Security framework within the device:
• Isolates access to its hardware and software security resources from the Rich OS and its applications
• Enforces protection, confidentiality, integrity, and access rights to the resources and data belonging to Trusted Applications
• Trusted Applications are independent of each other and cannot perform unauthorized access to the security resources of another Trusted Application
Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market
Slide 27: Architecture of the TEE
Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market
Slide 28: Rich OS, TEE and SE Positioning
Security positioning of the TEE compared to a Rich OS or a SE
Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market
Slide 29: Summary
• Risk of data compromise is still high in the market
  - Protection of payment card data is important
  - Mobile devices are also targets for malware
• No question mobile is an area of interest for payments
  - mPOS has been the primary driver for mobile use
  - It has caused disruption in the payments environment
• Whether acceptance uses a ‘traditional’ terminal or a mobile device, there is a need for protecting data
  - Actually, it is even more important for a mobile device
  - Use of P2PE helps protect payment data
• Payment with mobile devices brings challenges
  - Banks in Canada have deployed NFC payment options
  - Global Platform has introduced more security options
• Security is an essential part of deployments to ensure customer confidence. Customers expect it!
Slide 30: Any Questions?