August 19, 2016
HCE minus SE = ‘Hosed Card Emulation’
By Siva Narendra, CEO, Tyfone, Inc.
Mobile commerce has ushered in the convergence of e-commerce and the more traditional and dominant physical world. Into this environment comes a popular “new kid in town” called Host Card Emulation (HCE). HCE is being promoted for software-based security applications – but that continues to proliferate the basic problem of storing sensitive credentials in the cloud that has proven inadequate time and time again. Compounding the problem, HCE also requires all this sensitive information for security to be stored and managed by an entity other than the HCE provider. The HCE model may appear to be an elegant technical solution that circumvents the need for a hardware-based Secure Element (SE). However can the payment industry really enable secure mobile payments without hardware-based security?
Throwing Out the Baby with the Bathwater
There are two distinct ways to move money in payments today: “Card Present” (CP) transactions that originate at the physical point-of-sale and “Card Not Present” (CNP) for e-commerce. Fraud levels in the CP world are much lower than the CNP world. Based on 2012 data from the U.S. Census Bureau, eMarketer and the Nilson report found CNP fraud in the US accounted for $1.9 billion out of $220 billion in sales, or 0.9 percent. All categories of other fraud totaled $4 billion out of $4.35 trillion in sales – only 0.09 percent. In addition, CNP fraud is growing at a much faster pace than CP fraud according to FICO.
Although CP fraud levels are far lower, the payment industry has concluded that more secure storage of payment information is required in the form of hardware-based security; hence, the global migration to EMV-based smart card SEs for CP transactions. If hardware-based security is the proven solution where fraud is lower, why would anyone expect the CNP scenario to not require something just as effective?
Let’s put it another way: Should we really expect the inadequate password security used in the e-commerce world today to migrate to the physical world OR isn’t it more prudent and consistent to adapt the SE security philosophy that is used in the physical world to e-commerce?
HCE proliferates the weaknesses embodied in software-only password security. While HCE may sound like an elegant solution to the so-called “SE challenge,” it throws out the baby with the bath water. That is, it completely contradicts the fact that secure-element hardware is a necessary component, not just for security but for convenience, too. Local storage of sensitive information in a SE that resides in the hands of each user (similar to the benefit of an EMV plastic card) eliminates wholesale compromises of hundreds of millions of identities with a single breach. In addition, it also enables transactions to be 100 percent available and at least 10x the speed, independent of the status of network connectivity from the mobile phone. That’s better for both merchants and customers.
Secure Element in the Cloud?
Some promoters expect that a “Secure-Element-in-the-cloud” strategy, an oxymoron to say it politely, will help make HCE a reality. However a “SE in the cloud” does not address how an HCE provider can guarantee that only the authorized and correct user can gain access to their data from the SE in the cloud – a fatal flaw in the HCE discussion and a flaw promoters do not address. We are living in an era where securing ALL our information – let alone our sensitive information, including payment credentials – is facing a serious crisis regarding compromise. Our private data is increasingly stored in the cloud and can be accessed on a public network from any computer or mobile phone from virtually anywhere in the world. This is making it easy and convenient not only for you to access your private data from anywhere, but also for the criminals or other unauthorized parties. The paradigm of storing private assets on a public network has now become a way of life and a lucrative target for cyber criminals, especially when they can steal it remotely from anywhere in the world.
In 2013, according to Hewlett Packard, the number of security breaches increased 20 percent and the cost of individual breaches increased 30 percent. This is exemplified by the recent reported attacks on EBay, Target, Yahoo, Kickstarter, LinkedIn, the U.S. Army, and the Mt.Gox bitcoin exchange. This ugly trend continues to grow despite organizations spending $46 billion on cybersecurity in 2013, also according to HP. Moreover, most attacks go undetected by the organization being attacked and, even if noticed, often are not reported to the public. According to the FBI, 94 percent of attacks go undetected and/or unreported. The financial and reputational risks are tremendous. The Target incident alone reduced profits by and an estimated 46 percent. And, how do we measure the damage to their brand? Imagine how much security breaches of government agencies, financial institutions and critical infrastructure entities, such as a power grid operators will cost. The economic impact of cybercrime and cyber espionage is estimated to be $1 trillion in 2013, according to the Center for Strategic and International Studies, and is expected to get materially worse without appropriate mitigating solutions. Corporations of all types, including financial institutions and governments throughout the world, are scrambling to figure out more effective solutions.
It is time to recognize that hardware-based security is one of the only solutions that materially mitigates these problems. First and foremost because local storage in the hands of users enabled by hardware-based security prevents the bulk loss of sensitive information by decentralizing security. Proponents for “SE in the cloud” need only look to the mobile network operators on how they had to control fraud by migrating from centralized validation to decentralized hardware-based secure identity modules (SIM) as SEs.
Back to the Basics
As mobile enables e-commerce to converge with more traditional commerce, there will be an expectation for this converged world to move at the continued pace of mobile. It is important to recognize that the only way to build a successful and sustainable framework for commerce is rely on the basics that are already in place and trending towards global adoption. Let us acknowledge that it may be easy to build a few lines of code that can move money around. But, it is very difficult to get that money back once that software-only code moves it to the wrong place.
The bottom line: Unless mobile commerce comprehends and adopts the inevitable need for hardware-based security, HCE or any other new kid on the block will be a distraction and wasted effort. I am willing to bet that HCE without SE will be referred to as “Hosed Card Emulation” after its demise, and hardware based decentralized storage of identity is and will continue to be the predominant way of life!
Bets taken at @snarend and #hosedHCE
Siva Narendra is co-founder and CEO of Tyfone, Inc. and has a Ph.D. in Electrical Engineering from Massachusetts Institute of Technology. He has authored over 60 technical papers in peer-reviewed journals, and has more than 100 issued/pending patents. He is an adjunct faculty member teaching electrical and computer engineering at Portland State University and Oregon State University. He is the Chair of Technology Directions sub-committee at the International Solid-State Circuit Conference and has been an active member of the Technical Program Committees of A-SSCC, and International Symposiums focusing on Low Power Design (ISLPED) and Quality Electronic Design (ISQED). Narendra lives in Portland,Ore.