Contactless Payments with Mobile Wallets. Overview and Technology


History of Contactless Systems
Upass (smartcard): a pre-paid card for the transportation system in Seoul and its suburbs, first used in June 1996.
Octopus Card (smartcard): a rechargeable contactless stored-value smart card for making electronic payments in online or offline systems in Hong Kong. Launched in September 1997 to collect fares for the territory's mass transit system, the Octopus card system is the second contactless smart card system in the world, after Upass, and has since grown into a widely used payment system for all public transport in Hong Kong. The Octopus card was introduced for fare payment on the MTR initially, but its use quickly expanded to other retail businesses in Hong Kong. The card is now commonly used in most, if not all, major public transport, fast food restaurants, supermarkets, vending machines, convenience stores, photo booths, parking meters, car parks and many other retail businesses where customers frequently make small payments.

History of Contactless Systems
Mobile Speedpass (key tag): introduced in 1997, it was originally developed by Verifone. At one point, Speedpass was deployed experimentally in fast-food restaurants and supermarkets in select markets. McDonald's alone deployed Speedpass in over 400 Chicago-area restaurants. Additionally, the Stop & Shop grocery chain tested Speedpass at its Boston-area stores, but removed the units in early 2005. The test was deemed a failure and McDonald's removed the scanners from all its restaurants in mid-2004.

Current Contactless Credit Cards
Credit card companies launched contactless credit cards in 2005. Other form factors were also available, including miniature keyring credit cards and key tags (similar to Mobile Speedpass). Contactless runs over the same chip-and-PIN network as normal credit and debit card transactions; there is a payment limit on single transactions, and contactless cards can only be used a certain number of times before customers are asked for their PIN. Contactless debit and credit transactions are protected by the same fraud guarantee as standard transactions. All use of contactless cards depends on the merchant hardware.

Contactless Credit Card Types: Contactless MSD (magnetic swipe data)
Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the USA. Payment occurs in a similar fashion to magstripe, without a PIN and often in offline mode (depending on the parameters of the terminal). The security level of such a transaction is better than that of a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer's systems.

Contactless Credit Card Types: Contactless EMV (Europay, Mastercard, Visa)
Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface (a small chip embedded in the card, similar to current PIV/CAC cards) provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. issuers will usually not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an "offline balance" stored in their chip, similar to the electronic wallet or purse that users of transit smartcards are used to.

Merchant Side
  American Express ExpressPay (introduced in 2005)
  MasterCard PayPass (introduced in 2005)
  Visa payWave (introduced in 2007)
  Discover Zip

Standards for Contactless Smartcards
ISO/IEC 14443 - Identification cards -- Contactless integrated circuit cards -- Proximity cards
  ISO/IEC 14443-1:2008 Part 1: Physical characteristics
  ISO/IEC 14443-2:2010 Part 2: Radio frequency power and signal interface
  ISO/IEC 14443-3:2011 Part 3: Initialization and anticollision
  ISO/IEC 14443-4:2008 Part 4: Transmission protocol

Technology

Wi-Fi
Wi-Fi already dominates internet usage, and its responsibilities are now beginning to include mobile payments over the internet. The information communicated includes anything that may be stored for convenience:
  Passwords
  Credit/debit cards
  Locations

Wi-Fi
Wi-Fi encryption/authentication has been in place for years. Over Wi-Fi, the passed data can include:
  Location information
  Financial information
  Billing address
  Credit card information
  Transaction information (what was purchased, how much, etc.)
  What was purchased? Item prices as well as purchase methods (cards/gift cards)

Near Field Technology
NFC enables devices to share information at a distance of less than 4 centimeters with a maximum communication speed of 424 kbps. Users can share business cards, make transactions, access information from smart posters or provide credentials for access control systems with a simple touch. NFC's bidirectional communication ability can establish connections with other technologies. NFC is prominent in newer Android phones and is used because of its ease of use and battery performance compared to Bluetooth.

NFC Vulnerabilities
NFC itself is not encrypted in any way. Eavesdropping is a possibility, as the transmission occurs over regular RF waves; with the appropriate knowledge and equipment one could eavesdrop on the information being transmitted. NFC signals can also be modified through man-in-the-middle attacks, in which a nearby device intercepts and changes values in the transmission and the recipient unknowingly accepts the modified information.
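Added example (not from the original slides) that simulates why the issuer-verified cryptogram described under Contactless MSD matters on an unencrypted NFC link: without it the issuer cannot tell that a value was changed in transit, with it a changed amount or a replayed response is declined. The card key, account number and terminal nonce are constructed sample values, and a truncated HMAC stands in for the EMV cryptogram.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed sample values. The card key lives only in the chip and at the
# issuer; the terminal and the air interface never see it.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_PAN = "4111111111111111"   # well-known test number, not a real account

def mac_input(pan: str, amount_cents: int, counter: int, nonce: bytes) -> bytes:
    """Fields the chip authenticates: account, amount, transaction counter, terminal nonce."""
    return pan.encode() + struct.pack(">QI", amount_cents, counter) + nonce

def cryptogram(key: bytes, pan: str, amount_cents: int, counter: int, nonce: bytes) -> bytes:
    """Truncated HMAC standing in for an EMV application cryptogram."""
    return hmac.new(key, mac_input(pan, amount_cents, counter, nonce), hashlib.sha256).digest()[:8]

def chip_response(key: bytes, pan: str, amount_cents: int, counter: int,
                  nonce: bytes, with_cryptogram: bool) -> dict:
    """The card's answer, sent in clear over the air. Magstripe-style data carries
    no cryptogram; an MSD/EMV chip adds one over the amount it was shown."""
    msg = {"pan": pan, "counter": counter}
    if with_cryptogram:
        msg["cryptogram"] = cryptogram(key, pan, amount_cents, counter, nonce)
    return msg

class Issuer:
    """Issuer host: holds the card keys and the last counter seen per account."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}

    def authorize(self, msg: dict, amount_cents: int, nonce: bytes) -> str:
        key = self.keys.get(msg["pan"])
        if key is None:
            return "DECLINE unknown account"
        if "cryptogram" not in msg:
            # Nothing to verify: the issuer must trust whatever the terminal forwards.
            return "APPROVE (unverified)"
        expected = cryptogram(key, msg["pan"], amount_cents, msg["counter"], nonce)
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINE cryptogram mismatch"
        if msg["counter"] <= self.last_counter.get(msg["pan"], -1):
            return "DECLINE replayed counter"
        self.last_counter[msg["pan"]] = msg["counter"]
        return "APPROVE"

def tap(issuer: Issuer, pan: str, amount_cents: int, counter: int,
        with_cryptogram: bool, amount_seen_by_card: Optional[int] = None) -> str:
    """One tap. amount_seen_by_card models the slide's man-in-the-middle case: a
    nearby device rewrites the amount on its way to the card, so the card signs
    one figure while the terminal forwards another to the issuer."""
    nonce = b"\x11\x22\x33\x44"   # constructed; real terminals randomise this per tap
    signed_amount = amount_cents if amount_seen_by_card is None else amount_seen_by_card
    msg = chip_response(CARD_KEY, pan, signed_amount, counter, nonce, with_cryptogram)
    return issuer.authorize(msg, amount_cents, nonce)
```

The cryptogram does not hide the data (eavesdropping remains possible, as the slide says); it only lets the issuer detect modification and replay.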

NFC Players (Hardware)
Feature phones:
  Samsung Galaxy S3/S4
  Samsung Galaxy Note 1/2
  Motorola Razr Maxx HD
  Nexus 4
  Windows Phone
  LG Optimus G
Smartphones:
  Acer, Blackberry, HTC, LG, Motorola, Nexus, Nokia, Samsung, Sony

NFC Players (Operating Systems)
  Android
  Blackberry OS
  Windows Phone/8
  Symbian
  Bada (Samsung's native OS)
  Nokia OS

NFC Players (Customer-side Wallet Applications)
  Square Wallet (Square, Inc.)
  Google Wallet (Google, Inc.)
  ISIS Mobile Wallet (mobile carriers)

The Secure Element
Payment card or other information is encrypted and stored on the Secure Element, a dedicated hardware component that operates independently from the rest of the phone and limits access to certain apps. There are three types of Secure Elements, described below.

The Secure Element: Embedded Secure Elements (Universal Integrated Circuit Card)
This type of element is built into the phone at the time of manufacture.
Pros:
  Provides a common architecture for application developers
  More tamper resistant
  Less costly
Cons:
  Not portable between phones

The Secure Element: Secure Element Within the SIM
Pros:
  Relatively secure; can link SIM serial numbers to individuals or devices
  Portable between phones
  Can be managed over the air to wipe if the device is lost/stolen
Cons:
  Carriers own the SIM, and can control which third parties they grant access to (Verizon is currently not allowing Google access, so Google Wallet is not available to Verizon customers)

The Secure Element: Secure Element Within a MicroSD Card
Pros:
  The microSD can be issued by a financial institution or mobile network operator as a credit, debit, prepaid or multiple-account digital wallet, or for secure access and entry
  Simple implementation
  Portable
Cons:
  Portable
  Physical characteristics of the device can be limiting: physical location, antenna size, casing material, protective covers
  MicroSD can only support a single application or payment account
  Lack of standardization between MicroSD and NFC controller may be an issue

Current Applications

Square Wallet
Square Wallet works with merchants that use Square Register. It uses NFC for enabled phones, and QR codes for the register to scan for non-NFC-enabled phones. Compatible with Apple devices running iOS 5 and up, and Android devices running Android 2.2 and up. Users must check in through the app; their photos appear on the merchant-side application. The merchant clicks on the matching photo, scans the QR code or swipes the NFC phone, and payment is made.

Square Wallet Security Features
  Card processing applications adhere to PCI Data Security Standard (PCI-DSS) Level 1.
  Square prohibits the storage of card numbers, magnetic stripe data and security codes on client devices.
  Square requires sensitive data to be encrypted using industry-standard methods when stored on disk or transmitted over public networks.

Square Wallet
In this instance, Square Wallet, a mobile wallet alternative from Square, uses Wi-Fi to record the transactions being made. Some of the data transfers can show up within monitoring programs; in this case, however, Square has ensured that this information is encrypted.

Google Wallet
Requires NFC for in-store purchases. When setting up credit or debit cards in the Google Wallet mobile app, a virtual prepaid MasterCard card is issued by Bancorp. When paying in-store by tapping the phone, Google Wallet passes the virtual card to the merchant for payment, and charges the selected credit or debit card for the purchase. Credit or debit cards are linked to the Google Wallet account, which in turn is connected to your virtual prepaid MasterCard card. The virtual prepaid MasterCard information is stored on the phone's Secure Element; no actual card information is on the device. Verizon is currently not licensing Secure Element space to Google, so this app is not available to Verizon users.

Google Wallet

Google Wallet Security Features
  Google Wallet PIN (in addition to the phone's lock screen)
  Remote control disables the device from being used
  Credit card numbers are stored on Google's encrypted servers; only the virtual account information is stored on the device
  Does not share the actual credit card number with merchants; only passes the virtual MasterCard number
  Google Wallet does not work on rooted phones
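Added example (not Google's or ISIS's code) of the tokenization pattern these slides describe: a server-side vault issues a Luhn-valid virtual card number for the phone, the merchant's records only ever contain that number, and the provider can freeze it remotely, which also covers the ISIS "freeze the wallet" feature below. The BIN prefix and funding card number are constructed placeholders.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right gets doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

class TokenVault:
    """Wallet-provider/issuer side. Funding card numbers never leave this object."""
    VIRTUAL_BIN = "500000"        # constructed placeholder prefix, not a real issuer BIN

    def __init__(self):
        self._records = {}        # virtual PAN -> {"funding_pan": ..., "frozen": bool}

    def issue_virtual_card(self, funding_pan: str) -> str:
        """Issue the virtual prepaid card that gets provisioned to the phone's Secure Element."""
        body = self.VIRTUAL_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
        virtual_pan = body + luhn_check_digit(body)
        self._records[virtual_pan] = {"funding_pan": funding_pan, "frozen": False}
        return virtual_pan

    def freeze(self, virtual_pan: str) -> None:
        """Remote disable: the lost phone's token stops working; the funding card is untouched."""
        self._records[virtual_pan]["frozen"] = True

    def authorize(self, virtual_pan: str, amount_cents: int) -> dict:
        rec = self._records.get(virtual_pan)
        if rec is None:
            return {"approved": False, "reason": "unknown token"}
        if rec["frozen"]:
            return {"approved": False, "reason": "wallet frozen"}
        # The funding card would be charged here; only its last four digits are surfaced.
        return {"approved": True, "funding_last4": rec["funding_pan"][-4:],
                "amount_cents": amount_cents}

def tap_to_pay(vault: TokenVault, virtual_pan: str, amount_cents: int) -> tuple:
    """Phone presents the virtual PAN over NFC; returns (merchant's record, issuer's answer)."""
    merchant_record = {"pan": virtual_pan, "amount_cents": amount_cents}  # all the merchant keeps
    return merchant_record, vault.authorize(virtual_pan, amount_cents)
```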

ISIS Mobile Wallet
Developed as a joint venture between AT&T, Verizon, and T-Mobile; currently in testing in Texas and Utah. Requires an NFC SIM (different from a regular SIM), available from the mobile carriers in the test cities. Uses the four big credit card contactless systems (MC PayPass, Visa payWave, AmEx ExpressPay, Discover Zip). Currently only supports Capital One, Chase and AmEx, and the credit card company has to approve the request.

ISIS Mobile Wallet Security Features
  Payment card credentials are stored in the Secure Element.
  The wallet is accessed by a user-selected PIN, adding another layer of protection.
  A single call to your wireless carrier or visit to our website can freeze the wallet, disabling payment cards within the wallet.

Security

Access Barriers
In most cases applications and even phones have their usual safeguards against theft; however, additional security includes:
  Forcing users to enter CCV values for every transaction in which a card is used.
  Once credit cards have been entered, the information is then hidden.
Many e-wallet applications such as Square and Passbook can store login sessions; this allows the application to be accessed again without a secure login.

Access Barriers
Two-factor authentication can be provided, in which a password as well as a randomly generated code from another source must be provided in succession in order to log into some systems. In some applications, all transactions and accounts are monitored and audited in order to prevent the use of stolen information. With obvious theft, mobile wallet applications without access barriers can be used to make purchases just like a regular credit card or cash.

Who is Storing What Where?
For both iOS and Android, applications share these qualities: all application information is stored within a relevant folder containing the application itself as well as relevant information regarding the application. This includes all stored variables such as user names and passcodes. Additionally, on certain poorly written applications, credit cards, magnetic stripe info, PINs, and security codes can be saved onto the device. Potential business transactions can also be saved onto the device, including detailed transactions as well as businesses.

Security - Apple Devices
In this case, almost all applications rely upon the hardware encryption provided by the device. Since iOS 3, the iPhone has implemented hardware encryption; Apple's hardware encryption is currently 256-bit AES. Apple devices do not allow installation of 3rd-party applications onto the device. Apple prohibits the use of file browsers and user root access. Only through jailbreaking is this possible.

Security - Android Devices
In this case, almost all applications rely upon the hardware encryption provided by the device. Due to the multitude of hardware, Android devices have varying encryption. Android versions up until version 3 did not include encryption. Android keys are not stored in the hardware of the device; therefore they can be extracted. Android does possess the ability to have full-disk encryption, if required. Malware-ridden 3rd-party applications can exist on various application markets.

Encryption - Transmission
For most wallet and payment apps there are various protocols used for transmission. Protocols include:
  (Minimum) 128-bit SSL
  PGP (Pretty Good Privacy) encryption
From this, Wi-Fi security comes into play, which depends on the security of your network. NFC transmissions contain no encryption and as a result can immediately be monitored by outside clients. Physical card readers often perform data encryption the moment the card has been read.

Jailbreak/Root Vulnerabilities
As of February 6th, 2013, the recent Evasi0n jailbreak has jailbroken at least 9,838,098 devices on the latest iOS for iPhone (6.1.2). When a device is jailbroken, this brings additional causes for concern. A jailbroken/rooted device can access the file system, as well as valuable information over Wi-Fi. In most cases an attacker can simply SSH into the iPhone, as the credentials are rarely changed.
Source - http://www.pod2g.org/2013/02/evasi0n-country-statistics.html

Jailbreak/Root Vulnerabilities
Once a device is jailbroken/rooted, additional access to files is allowed. In this case, we can see the location of payment histories, as well as the application itself.

Jailbreak/Root Vulnerabilities
Additionally, applications can be decrypted to show the code used to create the application. In this case, tools were used to decrypt and gather the Objective-C and ARM code of Square Wallet. This technique, however, can work with any iOS application.

Jailbreak/Root Vulnerabilities
Here is the same process; however, this time the program has been extracted into ARM code.

About PaRaBaL
PaRaBaL, Inc., founded in 2009, is located in the University of Maryland, Baltimore County (UMBC) Research Park in Catonsville, MD. In early 2011 PaRaBaL was awarded a contract from a US Government agency to develop and teach an iOS security specialist training course, making PaRaBaL the first company to be awarded a US Government iOS security training contract. PaRaBaL has gone on to expand its expertise in the field of mobile security to cover Android security training, mobile application development and mobile device management. With this pedigree, PaRaBaL is uniquely suited to take on tough research tasks in computer-related cyber activities.