Wednesday, March 06, 2013

Some implications of placing the secure element on the phone

With more and more phones shipping with NFC radios, the possibility of mainstream payments migrating to tap-and-go on mobile phones is becoming real. Of course, the possibility of identity theft cannot be ignored, and it makes the risk of fraudulent transactions even bigger. The key (of course) is to make sure that the credentials on the phone cannot be tampered with. The only way to do this securely is to place one (or preferably several, so that some expiry management can be put in place) cryptographic keys in or on the phone. These keys would typically be derived from a secret root key together with some characteristic of the phone or the MSISDN. In this way it becomes cryptographically verifiable that a payment transaction originated from the phone holding that key and that the card used was the card intended for the transaction: only a party holding the root key (the issuer) can recompute the derived key, so a transaction authenticated with it cannot be altered in transit, and a credential lifted from one device cannot be used under another identity, without the forgery being detected.
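As an added illustration (not part of the original post), the following Python sketch shows the derivation and verification step described above: the issuer holds a root key, each device receives a key diversified from that root plus its MSISDN and a key index, and a transaction is accepted only if the issuer can recompute the same MAC. The root key value, the MSISDNs, the transaction fields and the HMAC-SHA256 derivation are assumptions chosen for illustration; a real deployment would follow the card network's specified derivation and keep the root key in an HSM.

```python
import hashlib
import hmac
import json

# Constructed issuer root key for this example. In practice it never
# leaves the issuer's HSM; only derived keys are personalised onto devices.
ROOT_KEY = bytes.fromhex("0f" * 32)

# Key indices the issuer still accepts. Holding several derived keys per
# device and retiring indices over time is the "expiry management" the
# post refers to: index 1 has been retired here.
ACTIVE_KEY_INDICES = {2, 3}


def derive_card_key(root_key: bytes, msisdn: str, key_index: int) -> bytes:
    """Diversify a per-device key from the issuer root key (assumed scheme).

    K_card = HMAC-SHA256(root_key, "card-key" | msisdn | key_index)

    Anyone without root_key cannot recompute K_card, and the MSISDN is
    mixed in, so a key lifted from one subscriber is useless under another.
    """
    label = f"card-key|{msisdn}|{key_index}".encode()
    return hmac.new(root_key, label, hashlib.sha256).digest()


def canonical(txn: dict) -> bytes:
    """Stable encoding so phone and issuer authenticate identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def phone_sign(card_key: bytes, txn: dict) -> str:
    """Secure-element side: authenticate the transaction with the card key."""
    return hmac.new(card_key, canonical(txn), hashlib.sha256).hexdigest()


def issuer_verify(root_key: bytes, txn: dict, mac: str) -> bool:
    """Issuer side: re-derive the key the transaction claims to use and
    check the MAC in constant time. A retired key index is rejected outright."""
    if txn.get("key_index") not in ACTIVE_KEY_INDICES:
        return False
    card_key = derive_card_key(root_key, txn["msisdn"], txn["key_index"])
    expected = hmac.new(card_key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Run the genuine case and three failure cases; returns the verdicts."""
    msisdn = "27820000000"                            # constructed number
    card_key = derive_card_key(ROOT_KEY, msisdn, 2)   # personalised onto the SE

    txn = {"msisdn": msisdn, "key_index": 2, "amount_cents": 1250,
           "merchant": "M-0001", "counter": 17}
    mac = phone_sign(card_key, txn)

    # A merchant bumps the amount after the tap: the MAC no longer matches.
    tampered = {**txn, "amount_cents": 125000}

    # An attacker who extracted card_key tries to spend under another number:
    # the issuer derives a different key for that MSISDN, so the MAC fails.
    other = {**txn, "msisdn": "27830000000"}
    other_mac = phone_sign(card_key, other)

    # A MAC made with a retired key (index 1) is rejected before any crypto.
    old_key = derive_card_key(ROOT_KEY, msisdn, 1)
    old_txn = {**txn, "key_index": 1}
    old_mac = phone_sign(old_key, old_txn)

    return {
        "genuine": issuer_verify(ROOT_KEY, txn, mac),
        "tampered_amount": issuer_verify(ROOT_KEY, tampered, mac),
        "other_msisdn": issuer_verify(ROOT_KEY, other, other_mac),
        "retired_key": issuer_verify(ROOT_KEY, old_txn, old_mac),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} {'ACCEPTED' if ok else 'REJECTED'}")
```

The point of the sketch is the verification side: the issuer never stores per-device keys, it re-derives them from the root and what the transaction claims about itself, so any mismatch between the claimed identity and the key actually used shows up as a failed MAC, and key rotation is a matter of which indices the issuer still accepts.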
The debate has raged about where these cryptographic keys should reside (the tamper-resistant store that holds them is also referred to as the secure element). Some schemes placed the keys on removable memory cards or NFC stickers, but until recently it was commonly agreed that the best place is the SIM card: it is a tamper-resistant repository, it ties the keys to your phone number (the number is tightly bound to the SIM), and it provides a proven mechanism for distributing the keys physically.
Probably because of the difficulty of getting carriers to play along, and to make themselves more relevant in the payment chain, phone manufacturers have now unveiled plans to place the secure element in the phone's own hardware. In this way carriers would not need to be involved in the payment ecosystem at all. While at first this seems like a great idea, on reflection it can lead to a number of problems:
  • Payment credentials are now tied to your physical phone rather than to your mobile number. Although less critical than it once was, you can no longer take out the SIM card and carry the payment credentials over to another phone; the wallet is attached to the phone hardware itself.
  • Version and change management will be much harder. When a secure element is compromised or corrupted, the phone will have to be replaced (even though it may still be in perfect working order), not just the SIM card.
  • Fully trusted tools will have to be provided to wipe a secure element, or to provision a new one, when a phone changes ownership, for instance. SIM cards almost never change ownership, but phones do.
  • Buying a phone will now have to be controlled from a KYC perspective, since it becomes critical to know who owns which secure element. We already have this process in place for SIM cards; it would now become a double whammy: "Mister client, now that we have done the KYC for your SIM card, we will also have to do it for the phone."
I think that placing the secure element in the phone, rather than in the SIM card (where it belongs), is a step backward. Stakeholders are messing things up because they are not making compromises to work with each other.