Welcome to Mobey Forum’s Snapshot of Mobile Payments

The Webinar Recording is available on the Members’ Area at http://www.mobeyforum.org/posts/announcements/for-members/?future=

Please share this information only within your organisation – not publicly.



Page 2: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Presenters

Zaf Kazmi, Head of Mobile Payments & Commerce, CaixaBank.

Chair of Mobey Forum’s HCE workgroup

and

Kristian T. Sorensen, Senior Manager for Corporate Strategy, Nets.

Vice-Chair of Mobey Forum’s HCE workgroup


Page 3: Welcome to Mobey Forum’s Snapshot of Mobile Payments

What’s going on?

The Google HCE dilemma

The current SOA of Mobile Payments

Latest explosion of different Mobile Payment solutions

A real headache for Financial Institutions

One-stop guide to assist FIs?

This slide set includes some speculations and guesses – but highlights the core issues within any Financial Institution in the jungle of payments


Page 4: Welcome to Mobey Forum’s Snapshot of Mobile Payments

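Once again: Secure Element

*Speculation only*

SIM-based solution
• Type: Physical SE (UICC)
• Ownership: Mobile Network Operator
• Control: MNO
• Multiple applets from multiple issuers on the same SE: Yes
• Tokenization used: No

ApplePay (USA-only for the moment)
• Type: Physical SE (Embedded)
• Ownership: Apple
• Control: Schemes / Apple
• Multiple applets from multiple issuers on the same SE: Yes (Visa, MC, Amex...)
• Tokenization used: Yes

SamsungPay in Europe (not launched yet)
• Type: Physical SE (Embedded)
• Ownership: Samsung
• Control: TSMs / Samsung
• Multiple applets from multiple issuers on the same SE: Yes (Visa, MC, Amex...)
• Tokenization used: Most likely - encrypted full PAN sent to the eSE

SamsungPay in USA
• Type: Magnetic Stripe transmitter
• Ownership: Samsung
• Control: LoopPay / Samsung
• Multiple applets from multiple issuers on the same SE: Yes, LoopPay wallet supports IDs, loyalty, and membership cards.
• Tokenization used: In the future, yes most likely

Host Card Emulation
• Type: Software
• Ownership: Bank
• Control: Bank; Delegated control on solution provider
• Multiple applets from multiple issuers on the same SE: N/A
• Tokenization used: Optional (physical SE; own solution; tokenization)

Google Wallet (USA-only for the moment)
• Type: Embedded SE or software
• Ownership: Google
• Control: Google / Android
• Multiple applets from multiple issuers on the same SE: No
• Tokenization used: Yes (wallet identifier).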

© Mobey Forum

Page 5: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Is there a Third Party Role?

*Speculation only*

SIM-based solution
• Trusted Service Manager (TSM): MNO TSM / SP (Bank) TSM integration needed
• Tokenization Provider (TSP): N/A. Theoretically possible to use tokenization (storing purposes)

ApplePay (USA-only for the moment)
• Trusted Service Manager (TSM): Apple and payment schemes provide TSM provisioning services and aggregation
• Tokenization Provider (TSP): Payment Schemes provide tokenization service between Apple SE and SP

SamsungPay in Europe
• Trusted Service Manager (TSM): Almost any TSM can join Samsung Key Management Service
• Tokenization Provider (TSP): Payment Schemes provide tokenization services?

SamsungPay in USA
• Trusted Service Manager (TSM): Schemes provide services, in addition to LoopPay
• Tokenization Provider (TSP): Payment Schemes

Host Card Emulation
• Trusted Service Manager (TSM): N/A
• Tokenization Provider (TSP): Anyone who provides TSP services: Payment schemes, processors. Banks can do also in-house.

Google Wallet (USA-only for the moment)
• Trusted Service Manager (TSM): First Data *was* the TSM for Softcard. This is likely to change in the new power equilibrium with Google taking over.
• Tokenization Provider (TSP): Unknown


Page 6: Welcome to Mobey Forum’s Snapshot of Mobile Payments

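Acceptance Status

*Speculation only*

SIM-based solution
• How widely the solution is used at the moment: Each bank needs an agreement with each MNO
• POS type requirement: On all activated contactless terminals

ApplePay (USA-only for the moment)
• How widely the solution is used at the moment: Over 700 banks in the US
• POS type requirement: On all activated contactless terminals

SamsungPay in Europe
• How widely the solution is used at the moment: No official date as yet
• POS type requirement: On all activated contactless terminals

SamsungPay in USA
• How widely the solution is used at the moment: Announced at the MWC 2015
• POS type requirement: On all non-EMV terminals (>90% of all POS terminals in US)

Host Card Emulation
• How widely the solution is used at the moment: As soon as the bank can implement the solution
• POS type requirement: On all activated contactless terminals

Google Wallet (USA-only for the moment)
• How widely the solution is used at the moment: Exact data unavailable
• POS type requirement: On all activated contactless terminals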


Page 7: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Devices Supported

*Speculation only*

SIM-based solution
• depends on MNOs offering SIM based solution and commercial & technical implementation model
• customers with suitable devices
• customers need to change SIM

ApplePay (USA-only for the moment)
• Customers with iPhone 6 & newer

SamsungPay in Europe
• Customers with Samsung Galaxy S6 & newer

SamsungPay in USA
• Customers with Samsung Galaxy S6 & newer

Host Card Emulation
• Customers using Android 4.4 or newer or Blackberry 10 & newer

Google Wallet (USA-only for the moment)
• Most Android devices running 2.3 or higher


Page 8: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Analysing the Business Models

*Speculation only*

SIM-based solution
• Relationship to SE owner: MNOs issue new UICCs
• Business model: Bank pays for TSM and MNO. Negotiable. Depends on the market.
• Customer experience: Dependent on MNO. If bank-owned wallet, bank controls UI.

ApplePay (USA-only for the moment)
• Relationship to SE owner: Bank signs up for ApplePay
• Business model: Bank pays part of the interchange and other fees to Apple. Rates adjusted by Apple per market.
• Customer experience: Bank has no control on UI.

SamsungPay in Europe
• Relationship to SE owner: Bank signs up for SamsungPay
• Business model: Bank pays for TSM. TSM pays for Samsung.
• Customer experience: Unknown

SamsungPay in USA
• Relationship to SE owner: N/A
• Business model: Not known. Expected to follow the business model of ApplePay
• Customer experience: Unknown

Host Card Emulation
• Relationship to SE owner: N/A
• Business model: Bank pays for solution provider. In in-house model only investment costs.
• Customer experience: Bank controls customer experience. There might be some interaction/collaboration needed in case of several banks' wallets in the same handset.

Google Wallet (USA-only for the moment)
• Relationship to SE owner: None
• Business model: No fees nor role for bank. Data monetization based business model. Transactions completed through a MasterCard/Discover Virtual Debit Credential provisioned for every active Google Wallet. Customer is charged 2.9% to top it up.
• Customer experience: Bank has no control on UI.


Page 9: Welcome to Mobey Forum’s Snapshot of Mobile Payments


”MNO-Pay”

• UICC as SE

• NFC Payments

• MNO(s) as a trusted partner(s)

”OEM-Pay”

• ApplePay (Only in US) NFC

• SamsungPay with MST (Only in US)

• SamsungPay with SEs (maybe coming to Europe in 2016??)

”Bank-Pay”

• On any chosen technologies, such as HCE

• Branded as Bank, designed by Bank

• Combined with mobile banking app / PFM / P2P...

3 Groups – Which horse to ride on?


Page 10: Welcome to Mobey Forum’s Snapshot of Mobile Payments

SOME KNOWN VULNERABILITIES... Fraud in ApplePay...

Page 11: Welcome to Mobey Forum’s Snapshot of Mobile Payments

“The criminals are trying new techniques to compromise the Apple security chain. While the Apple devices and software are relatively secure and difficult to compromise, the crooks are orienting their efforts to hit what is considered the weakest link in the security chain, the humans.”

So the weak link is not the ApplePay itself, but the processes to activate it / authorize the payment.


Revealed by Cherian Abraham...

Sources:
http://securityaffairs.co/wordpress/34359/cyber-crime/apple-pay-fraud.html
http://www.droplabs.co/?p=1231

Page 12: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Phase 1: Consumers can take an image of their card, allowing the app to scan their credentials, OR they can manually enter the details. Manual entry is crucial for the implementation of the fraud scheme.

The information (such as iTunes account with device name, current location, transaction history) is sent to the bank service, which can authorize the card for Apple Pay or require additional information.

Phase 2: The cards can be automatically approved or declined, via the green or the red path. Apple also introduced a third mandatory path, the yellow path, which is used to request further checks from banks and card issuers.

• The implementation of the yellow path depends on the specific card issuer; each of them can perform a different number of checks, including direct contact with call center personnel. The use of call centers for additional verification is the element exploited by criminals for their illegal activities.

• In the Apple Pay fraud scheme, cyber criminals call the call center to convince the operators to add an Apple device to an account, and ask to activate Apple Pay. In this way the crooks avoid the checks requested by Apple from the bank by exploiting the human factor.


...continues

Source: http://securityaffairs.co/wordpress/34359/cyber-crime/apple-pay-fraud.html

Page 13: Welcome to Mobey Forum’s Snapshot of Mobile Payments

30% of cross-channel fraud is conducted through social engineering attacks against call centers. (John Zurawski, VP at Authentify)

“The call center is typically there to resolve an issue – not do any banking. In the Apple Pay fraud discussed, the fraudsters must be calling the call center, convincing someone to add an Apple iPhone 6 or better to an account, and asking to activate Apple Pay. The actual Apple Pay activation is initiated between Apple and the Bank. Apple passes to the Bank a person’s stolen credit card info, including the details backing their iTunes account,” he said.

Source: http://www.csoonline.com/article/2891673/loss-prevention/crooks-targeting-call-centers-to-further-apple-pay-fraud.html#tk.rss_all


Human is the weakest link
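
An added illustration, not taken from the webinar slides, Apple or any issuer: a minimal issuer-side review rule for the yellow path described above. It holds a provisioning request for a check outside the phone call when a call-center approval coincides with manually entered card details and a device that the call center added to the account only recently. The record fields, the 24-hour window and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ProvisioningRequest:       # hypothetical issuer-side log record (assumed schema)
    card_id: str
    entry_method: str            # "camera" or "manual"
    path: str                    # "green", "yellow" or "red"
    verified_via: str            # "none", "call_center" or "bank_app_login"
    device_added_by: str         # "customer" or "call_center"
    device_added_at: datetime    # when the device was linked to the account
    requested_at: datetime

RECENT = timedelta(hours=24)     # assumed window, to be tuned on the issuer's own data

def risk_signals(req):
    """Collect the signals that match the fraud pattern described in the slides."""
    signals = []
    if req.entry_method == "manual":
        signals.append("manual_card_entry")
    if req.path == "yellow" and req.verified_via == "call_center":
        signals.append("yellow_path_cleared_by_call_center")
    if req.device_added_by == "call_center":
        signals.append("device_added_by_call_center")
    if timedelta(0) <= req.requested_at - req.device_added_at <= RECENT:
        signals.append("device_new_to_account")
    return signals

def decide(req):
    """Return 'decline', 'hold_for_out_of_band_check' or 'activate'."""
    if req.path == "red":
        return "decline"
    signals = risk_signals(req)
    unverified_yellow = req.path == "yellow" and req.verified_via == "none"
    # A phone conversation alone does not clear a yellow-path request when
    # two or more other signals line up: require a check outside the call.
    talked_through = "yellow_path_cleared_by_call_center" in signals and len(signals) >= 3
    return "hold_for_out_of_band_check" if unverified_yellow or talked_through else "activate"

def review(requests):
    return {r.card_id: decide(r) for r in requests}

NOW = datetime(2015, 3, 20, 12, 0)   # constructed sample data, not real events
SAMPLE_REQUESTS = [
    ProvisioningRequest("card-A", "camera", "green", "none", "customer", NOW - timedelta(days=200), NOW),
    ProvisioningRequest("card-B", "manual", "yellow", "call_center", "call_center", NOW - timedelta(hours=2), NOW),
    ProvisioningRequest("card-C", "camera", "yellow", "call_center", "customer", NOW - timedelta(days=90), NOW),
    ProvisioningRequest("card-D", "manual", "red", "none", "customer", NOW - timedelta(days=1), NOW),
]
```

Calling `review(SAMPLE_REQUESTS)` activates card-A and card-C, holds card-B and declines card-D.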

Page 14: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Is NFC finally here – yes indeed

Wasted a lot of time, now finally we have options, BUT: none is a clear winner.

Banks need to enter the game. And compete for customer attention and loyalty.

From payment to commerce and further to value added services specific for financial institutions.

No right or wrong solution for a bank.

Lessons learned from existing payment solutions.


Conclusions


Page 15: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Special Thanks to

Neil Smith, Proxama; Bastien Latge, InsideSecure

Ciara Myers, Allied Irish Bank; Douglas Kinloch, InsideSecure

Ben Smith, American Express; Evgeny Bondarenko, Intervale

Philippe Roy, DanskeBank; Yuri Grin, Intervale

Michael Hoffman, DanskeBank; Bhaskar Chaudhary, Mahindra Comviva

Bent Bentsen, DNB Bank; Rajasekaran Soruban, Mahindra Comviva

Ville Sointu, Ericsson; Nitin Jain, Mahindra Comviva

Henrik Karlsson, Ericsson; Sverker Akselsson, Nordea

Thor Ragnar Klevstuen, Evry; Julien Traisnel, Oberthur

Hans Ilstad, Evry; Andre Zoelch, PostFinance

Jukka Yliuntinen, Giesecke-Devrient; Tom Pawelkiewicz, Scotiabank

Tapio Vailahti, Giesecke-Devrient; Eduardo Galvao, SIBS

Neal Michie, Helixion; Philippe Stahel, UBS


Page 16: Welcome to Mobey Forum’s Snapshot of Mobile Payments

Please use the chat function to submit your question, or raise your hand and we will unmute you.

Any Questions?


Page 17: Welcome to Mobey Forum’s Snapshot of Mobile Payments

THANK YOU FOR ATTENDING THE WEBINAR

For further information on Mobey Forum please visit us at www.mobeyforum.org

Please share this information only within your organisation – not publicly.