Media giant Rogers recently teamed up with CIBC to create the country's first mobile wallet payment system. The company approached The Huffington Post Canada last month, asking us to challenge them with the toughest questions we could come up with about the security of mobile wallets. We decided to take them up on their offer.
To answer the questions, Rogers turned to Paul Bradley, the North America technical director of Gemalto, the company that secures the SIM cards used in Rogers' mobile wallet. Here's what Paul had to say.
HuffPost Canada: What happens if a phone is lost or stolen? What can you do to ensure I’m not cleaned out the first time I leave my phone on the bus?
Paul: All implementations are different, and obviously the individual mobile wallet application developer will have their own vision. Traditionally speaking, most mobile wallet implementations come with a security passcode which will protect access to the customers’ cards. The current payment network rules (Visa/MasterCard) are such that there is no PIN required to conduct a payment of up to $50. Essentially, mobile payments work the same way as a plastic card does today with one important plus — you also have the option to lock your phone (on top of locking your wallet), so no one can access your credit or debit cards or your phone service without entering your phone’s passcode in the first instance and your wallet passcode in the second instance. This means that it’s not possible to sign for a transaction where it’s permitted to bypass PIN entry like you can do with a plastic card today!
We have also seen different mobile payment solutions emerging with an inactivity timer whereby if there’s no activity for a period of time or your wallet is running in the background for that period, you’ll be prompted to re-enter your wallet passcode to access your payment cards. So the bottom line when it comes to mobile wallet security is that a thief would potentially have two passcodes to crack to be able to clean out your accounts whereas today with a plastic card there’s only one.
If you lose your phone or if it’s stolen, then Rogers will be your first point of contact. Rogers will then let your bank(s) know what has happened and they will act accordingly. Rogers will not be able to cancel payment cards on your device; only your bank will have the ability to do so. Banks can lock the application in their back ends, just like they would do for a lost plastic card, and Rogers will block your mobile phone subscription. The risk is identical to the loss of a plastic card. Don’t write your PIN down, keep it with the device or use a common PIN number for your wallet passcode and your device PIN (see: http://mashable.com/2012/09/24/pin-number-top-20/).
The procedure to have your cards re-provisioned on a new device with a new SIM card is seamless, as a new set can be downloaded easily once you receive your new device.
You’d be surprised (or perhaps not at all!), but people will typically realize that they are without their mobile phone quicker than noticing the loss of a card or their physical wallet, which is an additional security measure in itself.
HuffPost Canada: Smartphones have apps that often send data back to their companies of origin. How can you guard against apps taking my banking and shopping records off my phone?
Paul: Gemalto and Rogers have put security at the heart of what has been implemented. There are two parts to the solution: one part is the on-device application which manages the user interface, and the second is its counterpart on the SIM card which manages to securely store your payment credentials and any other application data necessitating secure storage. A system called “access control” has been put in place to ensure that only valid user interface applications on the device are allowed to access their counterparts in the secure element (in this case the SIM card).
HuffPost Canada: If I pay for my groceries with my cellphone, will you ensure that the supermarket doesn’t take any more data off my phone than I want it to — including keeping my phone number hidden?
Paul: First, mobile payment solutions running on NFC-enabled devices use radio-frequency wave technology to power mobile transactions. This is the same technology used today with “tap-and-go” credit cards and it means that no wireless data is used with NFC-enabled smartphones making mobile payments.
When you present your mobile device to a contactless point-of-sale terminal in a supermarket, the terminal will only have access to an emulated version of your MasterCard or Visa credit card that you have installed on your device. In fact, point of sale terminals will now not know the difference between a contactless credit card and a mobile device emulating the same credit card on its secure SIM card.
Also, the point-of-sale terminal will only be able to interact with the payment card selected by the user. The details for this payment card are securely stored on the SIM card.
HuffPost Canada: They’ve cracked Google Wallet, exposing users’ wallet passcodes. What will Rogers & Gemalto do better than Google?
Paul: Saying that Google has been “cracked” is perhaps not the right terminology. Google experienced challenges from some clever users using rooted devices as they rolled out their service, but the resulting lessons learned will only make the solution better. Now to answer the question: as mentioned before, each implementation will be different; however, mobile wallet passcodes on the Rogers network will be stored in a secure domain on the SIM, which holds the same level of security as the place in which you store the Visa or MasterCard applications on the SIM. This certainly differs from other solutions, including the first release of Google Wallet referenced that cached the passcode information, albeit in a hashed form, in an application on the mobile device itself.
This Q&A also appeared at Rogers' RedBoard blog.