A webinar, “Evaluating NFC security strategies: The role of the secure element in the evolving landscape”, was hosted by NFC World on January 20, 2015.
A few highlights of the webinar are as follows:
NFC adoption is increasing rapidly, based on the number of NFC SIMs shipped: 16M in 2011, 30M in 2012, and 72M in 2013.
Geographic stats show the demand in different regions. In 2013, 37M were shipped to Japan/Korea, 24M to North America and 14M to Europe.
The pros and cons analysis of HCE and SE technology.
A SIMalliance recommended deployment model based on security and market reach, application and technology requirements.
A case study on Canada’s success as the #1 mobile payment country in the world. Some stats are as follows: all of Canada’s major MNOs now offer SE-based NFC payment capability to their customers; 2/3 of the phones are Android and BlackBerry; 5 of Canada’s “Big Six” financial institutions do the same; over 84% of major retail merchants have contactless EMV terminals.
SIMalliance anticipates a future where SE and HCE will continue to co-exist and in many cases converge. This will be the basis of an optimally efficient and secure NFC ecosystem.
SIMalliance published a whitepaper last month entitled “Secure Element Deployment & Host Card Emulation”. It stated that, “SIMalliance contends that while HCE is good for the NFC ecosystem as a whole, the technology remains immature, unstandardized and, relative to SE-based deployment, vulnerable to malicious attack.”
In general, an evaluation becomes meaningful when context for it is set. I am glad to see the white paper set the following context: “Given HCE’s current and anticipated limitations, SIMalliance considered HCE to be best utilised in use cases where stringent security requirements, optimal transaction speeds and always-available functionality are not mandatory.”
Secure Element (SE) is a more mature and established technology supported by standards groups (ETSI, 3GPP, GlobalPlatform and Java Card). Not only does it provide more security for NFC services, but it also has an established certification process. At the same time, SEs embedded in SIM cards are controlled by the telecoms, and SEs embedded in devices are controlled by device manufacturers. They are not open to developers to use freely. Therefore SIMalliance recommends that “MNOs should request OEMs to implement default NFC routing to the SE”.
So the questions are how many NFC apps need to have stringent security requirements, and how fast telecoms and device manufacturers can implement default NFC routing to the SE. Telecoms and device manufacturers want to make a profit by controlling SE access. That’s why Google is using HCE to implement Google Wallet, thereby bypassing the control. I think HCE is here to stay until all stakeholders decide to work together in allowing NFC technology to develop to its full potential.