A webinar “Evaluating NFC security strategies: The role of the secure element in the evolving landscape” was hosted by NFC World on January 20, 2015.
A few highlights of the webinar are as follows:
The NFC adoption rate is increasing rapidly, based on the number of NFC SIMs shipped: 16M in 2011, 30M in 2012, and 72M in 2013.
Geographic stats show the demand in different regions. In 2013, 37M were shipped to Japan/Korea, 24M to North America and 14M to Europe.
An analysis of the pros and cons of HCE and SE technology.
A SIMalliance recommended deployment model based on security and market reach, application and technology requirements.
A case study on Canada’s success as the #1 mobile payment country in the world. Some stats are as follows: all of Canada’s major MNOs now offer SE-based NFC payment capability to their customers; 2/3 of the phones are Android and BlackBerry; 5 of Canada’s “Big Six” financial institutions do the same; over 84% of major retail merchants have contactless EMV terminals.
SIMalliance anticipates a future where SE and HCE will continue to co-exist and in many cases converge. This will be the basis of an optimally efficient and secure NFC ecosystem.
SIMalliance published a whitepaper last month entitled “Secure Element Deployment & Host Card Emulation”. It stated that, “SIMalliance contends that while HCE is good for the NFC ecosystem as a whole, the technology remains immature, unstandardized and, relative to SE-based deployment, vulnerable to malicious attack.”
In general, an evaluation becomes meaningful when context for it is set. I am glad to see the white paper set the following context: “Given HCE’s current and anticipated limitations, SIMalliance considered HCE to be best utilised in use cases where stringent security requirements, optimal transaction speeds and always-available functionality are not mandatory.”
Secure Element (SE) is a more mature and established technology supported by standards groups (ETSI, 3GPP, GlobalPlatform and Java Card). Not only does it provide more security for NFC services, but it also has an established certification process. At the same time, SEs embedded in SIM cards are controlled by the telecoms, and SEs embedded in devices are controlled by device manufacturers. They are not open to developers to use freely. Therefore SIMalliance recommends that “MNOs should request OEMs to implement default NFC routing to the SE”.
So the questions are how many NFC apps need to have stringent security requirements, and how fast telecoms and device manufacturers can implement default NFC routing to the SE. Telecoms and device manufacturers want to make a profit by controlling SE access. That’s why Google is using HCE to implement Google Wallet, thereby bypassing the control. I think HCE is here to stay until all stakeholders decide to work together in allowing NFC technology to develop to its full potential.
Today, Apple announced the upcoming release of iPhone 5S and iPhone 5C. There are descriptions and discussions about the two iPhones to be released. Unfortunately the revelation that neither phone will have NFC capabilities is a disappointment for the NFC ecosystem.
Despite this fact, iPhone Touch ID, a new fingerprint sensor feature for authentication, may have significant implications for the NFC ecosystem. One of the values that NFC provides is security. Common practice is to save sensitive information in the Secure Element (SE). For example, ISIS, a joint venture between AT&T, Verizon, and T-Mobile, uses this practice for secure mobile payment. With this approach, permission is needed to access the SE. Permission is granted after a successful authentication from carriers.
Touch ID has the potential to be utilized as an authentication option for accessing the SE. Moreover, Touch ID could limit the need for using a UICC/SIM-based SE. A UICC/SIM-based SE is an operator-centric option, since carriers control access to the UICC/SIM. It provides ultimate security because no one can access it without a carrier’s permission.
Many stakeholders in the NFC ecosystem want to bypass carriers’ control over SE. Touch ID has the potential to shift our perspectives on security and authentication. What are your thoughts on this possibility?