Mobile Payments Applications and Challenges. Jose Diaz, Director, Business Development & Technical Alliances, Thales e-Security

Post on 20-Aug-2020

Page 1: Mobile Payments Applications and Challenges

www.thales-esecurity.com

Mobile Payments Applications and Challenges

Jose Diaz Director, Business Development & Technical Alliances

Thales e-Security

Page 2: Verizon Data Breach Report

www.thalesesec.com

Page 3: Victim Industry

Source: Verizon 2013 Data Breach Investigations Report


Page 4: Compromised Data

Source: Verizon 2013 Data Breach Investigations Report


Page 5: Mobile Threats – Global Overview

5.6 million potentially-malicious files reported on Android, of which 1.3 million are confirmed malicious by multiple AV vendors

Source: APWG White Paper: Mobile Fraud, May 2013


Page 6: Trustwave 2013 Global Security Report

Key points on mobile device security:
• The Android platform continues to be the focus of malware. In 2012, Trustwave’s malware collection for Android grew 400%, from 50,000 to over 200,000 samples.
• Malware also appeared in the Apple iTunes Store. All malware discovered was quickly removed. Most notable was Find and Call: the malware would upload a copy of the user’s address book and send SMS spam to all contacts.
• Several new variants of the Zeus family are targeting BlackBerry devices, primarily in Germany, Italy and Spain.
• Windows 8 for mobile was released in late October 2012. Not much has been seen in the way of malware or exploits directed at this operating system so far.


Page 7: Does Anybody Care?

Source: Advanced Payments Report 2013 Edgar, Dunn & Company, Sponsored by First Data


Page 8: MOBILE PAYMENTS

Page 9: Mobile Banking

Mobile Banking ≠ Mobile Payments. It is a direct relationship between you and your bank:
• You can view your account balances
• You can pay bills, but mostly only to accounts you registered to pay directly (electric, phone, etc.)
• You can transfer money between your accounts; Interac e-Transfer enables you to send money to someone with an account in Canada
• You may be able to make a deposit by taking a picture of a check you want to deposit
• You cannot walk into a store and pay for purchases with a mobile banking application


Page 10: Why is Mobile Payments Interesting?

CNN Money – Mobile payments are expected to hit $214 billion by 2015. Transactions made by scanning a mobile phone at the register are forecast to reach $22 billion -- up from "practically none" last year.


Page 11: The Future Trend for Payments

Source: RSR research, March 2013


Page 12: Who is Leading the Way?

“retailers are taking their leads from innovators PayPal and Google, whose success is driven not by service providers, but by consumers themselves”

Source: RSR research, March 2013


Page 13: The Traditional Payments View

[Diagram: Merchant’s Bank, Consumer’s Bank, Merchant’s Systems and Consumer’s Cards, connected through the Network]

Traditional ‘Four’ Corner Model defines a tightly controlled ecosystem


Page 14: Mobile Acceptance Expands the Model

[Diagram: Merchant’s Bank, Consumer’s Bank and Consumer’s Cards, connected through the Network]

Traditional ‘Four’ Corner Model defines a tightly controlled ecosystem


Page 16: PCI’s View on Mobile Payments


Page 17: Benefit of PCI P2PE

• Reduces pain of audit compliance for merchant
• Eliminates card data from merchant environment
• Protects data from acceptance device to Gateway or Acquirer

[Diagram: POI (at the Merchant); Payment Gateway / P2PE Solution Provider; Acquirer, Switch, Issuer; zones labelled Acquirer Domain and Payments network; link legend: Secure Link, Data protected by payments network, P2PE]


Page 18: What About Mobile Acceptance (mPOS) and P2PE?

• Enables transaction data security for mPOS
• Eliminates card data from mobile device and merchant environment
• P2PE used to protect the data
• An important component for mPOS transactions!

[Diagram: Smart Phone or Tablet with a PCI-approved Secure Card Reader as the POI (at the Merchant); Payment Gateway / P2PE Solution Provider; Acquirer, Switch, Issuer; zones labelled Acquirer Domain and Payments network; link legend: Secure Link, Data protected by payments network, P2PE]
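The P2PE flow of Page 17 and Page 18 as an added illustration, not code from the presentation or from Thales: the PCI-approved reader encrypts the card data, the phone app and merchant systems only forward ciphertext, and the P2PE solution provider decrypts. The HMAC-SHA256 counter keystream, the demo key and the test PAN are constructed stand-ins (a real P2PE reader uses its own certified cipher and key management); the Luhn-based scan at the end is the kind of merchant-zone check that confirms no cleartext PAN escapes the reader into app logs or messages.

```python
import base64, hashlib, hmac, os, re

# Simplified mPOS P2PE flow. The key is shared only by the secure card reader and
# the P2PE solution provider; the app and merchant systems never hold it. The
# HMAC-SHA256 counter keystream is a constructed stand-in for the reader's cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def reader_encrypt(key: bytes, track: str) -> str:
    """Runs inside the PCI-approved reader: PAN/track never leaves it in the clear."""
    nonce = os.urandom(12)
    data = track.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode()

def provider_decrypt(key: bytes, blob: str) -> str:
    """Runs at the Payment Gateway / P2PE Solution Provider, outside the merchant."""
    raw = base64.b64decode(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def merchant_app_forward(reader_blob: str, amount_cents: int) -> dict:
    """The smartphone/tablet app only wraps the opaque blob into a transaction."""
    return {"amount": amount_cents, "p2pe_data": reader_blob}

# Merchant-zone check: flag any Luhn-valid 13-19 digit run in logs or messages.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_cleartext_pans(text: str) -> list:
    return [m for m in _PAN_RE.findall(text) if luhn_ok(m)]

if __name__ == "__main__":
    key = os.urandom(32)                                   # constructed demo key
    blob = reader_encrypt(key, "4111111111111111=2512")    # constructed test track
    msg = merchant_app_forward(blob, 1999)
    print("PANs visible in merchant zone:", find_cleartext_pans(str(msg)))  # []
    print("Decrypted at provider:", provider_decrypt(key, blob))
```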


Page 19: MOBILE PAYMENTS

Page 20: Paying with Mobile Brings New Challenges

[Diagram: Merchant’s Bank, Consumer’s Bank, Merchant’s Systems and Consumer’s Cards, connected through the Network]

Everything stays the same - but…
• Phones are insecure
• They are consumer controlled
• They can’t be ‘read’ in stores

Traditional ‘Four’ Corner Model defines a tightly controlled ecosystem


Page 21: ‘New’ Technologies to the Rescue

• Near Field Communications (NFC)
• Secure Elements (micro-HSMs for phones)
• Mobile Wallets (apps that host payment credentials)

[Diagram labels: Readability, Standardized Format, Security]


Page 22: So Why Hasn’t it Happened Yet?

Just unlucky or ill conceived?
• NFC is just a protocol – not an experience
• 1st NFC phone: Nokia 6131 (Feb 2006); Apple’s iPhone was launched only a year later (June 07)
• NFC requires POS terminals to be upgraded, but few merchants were motivated (other than taxis and subways)
• Expected penetration from 8% in 2011 to 53% in 2017


Page 23: Expanded Ecosystem – Several Cooks in the Kitchen

[Diagram: Merchant’s Bank, Consumer’s Bank and Merchant’s Systems, connected through the Network]

The payments industry is no longer a private club:
• Handset Manufacturers
• Mobile Network Operators (MNO)
• Mobile App Developers
• Mobile Technology Providers
• Trusted Service Managers (TSM)
• Mobile Wallet Providers


Page 24: Paying with Mobile in Canada


• CIBC and Rogers
• RBC and Bell
• Other Banks have announced they will offer NFC payments

Page 25: EXPANDING SECURITY OPTIONS IN MOBILE DEVICE

Page 26: Trusted Execution Environment (TEE)

• Separate execution environment running alongside the OS to provide security services to the Rich OS
• Higher level of security than a Rich OS
• Not as secure as a Secure Element (SE), but lower cost
• Offers a layer of security between a Rich OS and a SE
• Addresses use cases with lower security requirements

Security framework within the device:
• Isolates access to its hardware and software security resources from the Rich OS and its applications
• Enforces protection, confidentiality, integrity, and access rights to the resources and data belonging to Trusted Applications
• Trusted Applications are independent of each other and cannot perform unauthorized access to the security resources of another Trusted Application


Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market

Page 27: Architecture of the TEE


Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market

Page 28: Rich OS, TEE and SE Positioning

Security positioning for TEE compared to Rich OS or a SE


Source: Global Platform’s White Paper The Trusted Execution Environment: Delivering Enhanced Security at a Lower Cost to the Mobile Market

Page 29: Summary

• Risk of data compromise is still high in the market; protection of payment card data is important; mobile devices are also targets for malware
• No question mobile is an area of interest for payments; mPOS has been the primary driver for mobile use and has caused disruption in the payments environment
• Whether acceptance uses a ‘traditional’ terminal or a mobile device, there is a need for protecting data; actually, it is even more important for a mobile device; use of P2PE helps protect payment data
• Payment with mobile devices brings challenges; banks in Canada have deployed NFC payment options; Global Platform has introduced more security options
• Security is an essential part of deployments to ensure customer confidence. Customers expect it!


Page 30: Any Questions?
