UL Identifies Elevated Risks for HCE in NFC Transactions

March 27, 2014

The use of Near Field Communication to complete mobile transactions at the point of sale received a shot in the arm last month when Visa and MasterCard announced they would support NFC payments that leveraged host-card emulation (HCE) rather than storing payment details on the handset’s secure element. HCE, a feature included in the newest release of the Android operating system, enables NFC payments that access information from an emulated card stored in the cloud rather than on the phone.

A new report, however, warns merchants and service providers interested in employing HCE that there could be security concerns. Underwriters Laboratories released a white paper this week that detailed several ways HCE could be less secure than a secure element. On devices that are rooted (i.e., those where a user has gained access to privileged control within the Android sub-system), either by the user, via malware or on a lost or stolen device, the sensitive payment information is available to anyone with access to the device.

While UL agrees HCE could accelerate adoption of NFC payments, service providers that want to offer it—and disintermediate the parties that control the secure element—should understand the potential drawbacks.

“[HCE] it provides an alternative, more-simple-but-less-secure way to provide an NFC card emulation service. In this way, it has great added value for SPs that can accept a reduced level of security in exchange for an improvement of other factors such as time to market, development costs and the need to cooperate with other parties. In these cases, HCE would make life for SPs considerably easier and could eliminate the role of Secure Element Issuers,” the UL report said. “The sheer value potentially flowing through the payment application once the solution sees mass market adoption makes the potential impact of a security breach very high. Whether the identified vulnerabilities are actually exploited depends to a great extent on the ‘business case’ for a hack.”