Friday, January 23, 2009

SIM Secure Element

One of the most important problems to be solved in the mass deployment of mobile payment solutions is where the "secure element" should be stored. Without going into a lot of detail, this is basically the need to store a digital ID of the payer in such a way that it is very difficult to compromise. Much has been written and speculated on how this should be achieved in mobile payments. (Read this and this for a sample)

It was generally agreed that the Secure Element (SE) could be stored in three possible places:
  • In a Memory card that can be inserted in a phone
  • In an external device attached to the phone or
  • on the SIM card
During the past period, I have heard quite a few organisations (the Euro payment council, the US FSTC an dthe Mobey Forum) verbally confirm that they are starting to realise that the only workable solution is the SIM card. This will start to influence solutions and I believe will help with acceleration of standards and also working solutions.

I believe that the work that we have done at Fundamo have lead toi the most advanced and proven SIM card based solutions currently available.


philip said...

The question disturbs me. The Banking community developed EMV to protect credit and debit card payments with an initial level of security based on static data authe3ntication (certificate stored in a smart card (SIM) and then when the criminal element figured out how to develop the yes chip update to dynamic data authentication. Embedding EMV enhance for ISO 14443 (NFC or contactless) into a SIM is easy and would offer a solution that enables a consumer to ultimately have all their payment cards installed within their mobile phone.

Yes there are some branding issues that will have to be addressed and consumer services issues to resolve.

Branding = LCD
Consumer service = Trusted Agent.

Oscar said...

Hi there,

I agree with the security element being on a SIM card.

However, thinking about security in a more holistic manner, are banks and mobile phone companies focussing enough on the non-technology aspects of security? I'm thinking here about the processes, education and awareness (especially to owners of phone who use their system) etc? Whereas in the west, companies can get away with long terms and conditions statements, which it is hoped customers will read and understand, how can this best be implemented in locations where literacy is not high?
Although of course the technology must be right, so much the human aspects as well.

Christian said...

We are working at making NFC payment PCI DSS compliant. The problem with NFC is that soemone could hide a skimming antenna in the store POS and as NFC is limited to 100Kbit/sec, play the message over and over to find the key structure.

This to me mean that the only solution is a One Time Password base structure, i.e. a One time Password central server needs to be present... and In mobile an extra problem is : His the NFC chip in the proper phone!

Anyway I just wrote a white paper on this and it will be posted on our web page before the end of October

Good to read you


Niall said...

Why must the SE be on a SIM? It could be embedded. It could be in a UICC. It could be on a micro SD.

Why should one stakeholder (MNOs) gain almost total control over banking and payment ecosystems because it's all about SIM?

There are many possibilities, and I do believe it is the *business cases* and not the security levels or stakeholders' hunger for control that will decide what format of secure element is adopted depending on the business case and nature of collaboration.

Anonymous said...

Oscar, I was just wondering what you meant by the processes, awareness as methods of security?
I agree that literacy is not high, especially of security docs etc. therefore, how do you propose that processes be communicated to consumers?

Info2hand said...

Totally agree with Niall. MNO controlled the mobile app in the past some years and finally been broken by app store. Now, we don't need MNO control the whole NFC based mCommerce and payment ecosysem again by just put SE in SIM.

"Why must the SE be on a SIM? It could be embedded. It could be in a UICC. It could be on a micro SD.

Why should one stakeholder (MNOs) gain almost total control over banking and payment ecosystems because it's all about SIM?"