Smart Card Alliance: HCE Unlocks NFC Potential, Poses Hacker Risks (Aug. 14, 2014)
Host card emulation (HCE) unlocks the potential for NFC to expand mobile payments by making them more convenient and consumer-friendly, but developers must proceed with caution because of various security risks HCE poses, according to a new white paper from the Smart Card Alliance. The report echoes concerns about HCE that other organizations, including SIMalliance, raised earlier this year.
In “HCE 101,” the nonprofit organization explains how HCE opens doors for NFC, enabling app developers to store users’ payment credentials in the cloud instead of embedding them in the handset via various methods, including a SIM card or a secure element (SE). This frees developers from dependence on a specific network operator or handset manufacturer. But HCE also increases chances of hackers accessing information through malware and/or denial of service attacks, according to Randy Vanderhoof, Smart Card Alliance executive director.
When an app uses HCE, communications with the contactless terminal are routed through the mobile device’s NFC controller, where those communications can be spied on by malware applications, according to the white paper. The malware itself may also be able to exploit, root or jailbreak the device, or spoof the user into initiating such actions. Cloud storage and backup servers can also be attacked, along with the credentials stored in applications used to gain access to them.
Various methods are available to enhance HCE security, including white box cryptography; tamper-proof software; biometric factors; device identity solutions; security frameworks and trusted execution environments; encryption; tokenization; and additional security provided by a secure element (via a hybrid that uses the SE in combination with a cloud-based solution).
The list of advantages and trade-offs will change as more HCE-based solutions are deployed, tested and used in commercial practice, the alliance notes. HCE currently is only commercially supported on Android and BlackBerry, and specifications still need to mature and be harmonized across various operating system vendors, the white paper concludes.