Media giant Rogers recently teamed up with CIBC to create the country's first mobile wallet payment system. The company approached The Huffington Post Canada last month, asking us to challenge them with the toughest questions we could come up with about the security of mobile wallets. We decided to take them up on their offer.
To answer the questions, Rogers turned to Paul Bradley, the North America technical director of Gemalto, the company that secures the SIM cards used in Rogers' mobile wallet. Here's what Paul had to say.
HuffPost Canada: What happens if a phone is lost or stolen? What can you do to ensure I’m not cleaned out the first time I leave my phone on the bus?
Paul: All implementations are different, and obviously the individual mobile wallet application developer will have their own vision. Traditionally speaking, most mobile wallet implementations come with a security passcode which will protect access to the customers’ cards. The current payment network rules (Visa/MasterCard) are such that there is no PIN required to conduct a payment of up to $50. Essentially, mobile payments work the same way as a plastic card does today with one important plus — you also have the option to lock your phone (on top of locking your wallet), so no one can access your credit or debit cards or your phone service without entering your phone’s passcode in the first instance and your wallet passcode in the second instance. This means that it’s not possible to sign for a transaction where it’s permitted to by-pass PIN entry like you can do with a plastic card today!
We have also seen different mobile payment solutions emerging with an inactivity timer whereby if there’s no activity for a period of time or your wallet is running in the background for that period, you’ll be prompted to re-enter your wallet passcode to access your payment cards. So the bottom line when it comes to mobile wallet security is that a thief would potentially have two passcodes to crack to be able to clean out your accounts whereas today with a plastic card there’s only one.
If you lose your phone or if it’s stolen, then Rogers will be your first point of contact. Rogers will then let your bank(s) know what has happened and they will act accordingly. Rogers will not be able to cancel payment cards on your device; only your bank will have the ability to do so. Banks can lock the application in their back ends, just like they would do for a lost plastic card, and Rogers will block your mobile phone subscription. The risk is identical to the loss of a plastic card. Don’t write your PIN down, keep it with the device, or use a common PIN number for your wallet passcode and your device PIN (see: http://mashable.com/2012/09/24/pin-number-top-20/).
The procedure to have your cards re-provisioned on a new device with a new SIM card is seamless, as a new set can be downloaded easily once you receive your new device.
You’d be surprised (or perhaps not at all!), but people will typically realize that they are without their mobile phone quicker than noticing the loss of a card or their physical wallet, which is an additional security measure in itself.
HuffPost Canada: Smartphones have apps that often send data back to their companies of origin. How can you guard against apps taking my banking and shopping records off my phone?
Paul: Gemalto and Rogers have put security at the heart of what has been implemented. There are two parts to the solution: one part is the on-device application which manages the user interface, and the second is its counterpart on the SIM card which manages to securely store your payment credentials and any other application data necessitating secure storage. A system called “access control” has been put in place to ensure that only valid user interface applications on the device are allowed to access their counterparts in the secure element (in this case the SIM card).
HuffPost Canada: If I pay for my groceries with my cellphone, will you ensure that the supermarket doesn’t take any more data off my phone than I want it to — including keeping my phone number hidden?
Paul: First, mobile payment solutions running on NFC-enabled devices use radio-frequency wave technology to power mobile transactions. This is the same technology used today with “tap-and-go” credit cards and it means that no wireless data is used with NFC-enabled smartphones making mobile payments.
When you present your mobile device to a contactless point-of-sale terminal in a supermarket, the terminal will only have access to an emulated version of your MasterCard or Visa credit card that you have installed on your device. In fact, point of sale terminals will now not know the difference between a contactless credit card and a mobile device emulating the same credit card on its secure SIM card.
Also, the point-of-sale terminal will only be able to interact with the payment card selected by the user. The details for this payment card are securely stored on the SIM card.
HuffPost Canada: They’ve cracked Google Wallet, exposing users’ wallet passcodes. What will Rogers & Gemalto do better than Google?
Paul: Saying that Google has been “cracked” is perhaps not the right terminology. Google experienced challenges from some clever users using rooted devices as they rolled out their service, but the resulting lessons learned will only make the solution better. Now to answer the question, as mentioned before, each implementation will be different; however, mobile wallet passcodes on the Rogers network will be stored in a secure domain on the SIM, which holds the same level of security as the place in which you store the Visa or MasterCard applications on the SIM. This certainly differs from other solutions, including the first release of Google Wallet referenced that cached the passcode information, albeit in a hashed form, in an application on the mobile device itself.
This Q&A also appeared at Rogers' RedBoard blog.
7. Canada is tops for paying by card
Nowhere do people pay with plastic more than in Canada. An <a href="http://gbm.rbs.com/docs/gbm/insight/gts/perspectives/WPR_2011.pdf" target="_hplink">RBS report from 2011</a> found that paying by plastic -- credit, debit and bank cards -- amounts to 40 per cent of transactions, on average, across world economies. But the rate in Canada was 68 per cent, making the country the world leader in plastic payment.
6. We're getting rid of the penny
Observers in the U.S. and elsewhere <a href="http://www.huffingtonpost.ca/2012/03/30/canadian-penny-killed-us-penny-opponents_n_1391831.html" target="_hplink">declared Canada a trailblazer</a> when the Harper government announced in its budget this year that it's <a href="http://www.huffingtonpost.ca/2012/03/29/canadian-penny-killed_n_1389458.html" target="_hplink">eliminating the penny</a>. Canada isn't the first to do this -- Australia got rid of its penny decades ago, for instance, and various currencies around the world often eliminate their lowest denominations due to inflation. But the decision to kill the copper coin is nonetheless a sign that physical currency is less important to the economy than it used to be -- and central banks are beginning to notice the costs involved with it. Photo: Jeff Golby wears an oversized model of a penny as he collects donations of pennies for local charities during Canada Day festivities in Vancouver, B.C., on Sunday July 1, 2012. (THE CANADIAN PRESS/Darryl Dyck)
5. Our dollar bills are going high-tech
Even our paper money is turning plastic. The Bank of Canada <a href="http://www.huffingtonpost.ca/2011/11/14/new-canadian-100-bill_n_1091884.html" target="_hplink">unveiled Canada's first plastic bill -- a new $100 -- last fall</a>. The $50 bill <a href="http://www.huffingtonpost.ca/2012/03/26/canada-new-50-bill-plastic-money_n_1380695.html" target="_hplink">went plastic this past March</a>, and the $20 <a href="http://www.huffingtonpost.ca/2012/05/02/new-20-bill-plastic_n_1471122.html" target="_hplink">followed quickly in May</a>. The plastic bills are meant to be more durable and include a variety of new security features, including a translucent strip. But they've already been through a few controversies: One involved the discovery that <a href="http://www.huffingtonpost.ca/2012/07/11/new-polymer-bills-heat_n_1666742.html" target="_hplink">the new plastic bills may melt in heat</a>; another involved a controversial decision by the BoC to <a href="http://www.huffingtonpost.ca/2012/08/20/asian-100-bill-carney_n_1810925.html" target="_hplink">eliminate an "Asian-looking" person from the original design of the $100 bill</a>. Photo: Minister of Finance Jim Flaherty and Bank of Canada Governor Mark Carney show off the new $20 bank bill during a ceremony in Ottawa, ON Wednesday May 2, 2012. (THE CANADIAN PRESS/Adrian Wyld)
4. The Mint is going digital
Perhaps the elimination of the penny made the Royal Canadian Mint realize that the age of physical coins may be coming to an end. The agency responsible for Canada's coins <a href="http://www.huffingtonpost.ca/2012/04/12/mintchip-digital-penny-royal-canadian-min_n_1419813.html" target="_hplink">launched a new project this spring</a>, called "MintChip," in which it's researching the creation of a "digital coin" shoppers could use for transactions under $10. On its face, the idea is similar to BitCoin, the virtual currency, but when a national mint develops something like this, it's a clear sign we're into a new era when it comes to money. Photo: The Canadian Press
3. Canadians are ready to go cashless (apparently)
A study carried out by Leger Marketing for PayPal earlier this year found that <a href="http://www.newswire.ca/en/story/991907/more-than-70-per-cent-of-canadians-ready-to-go-cashless" target="_hplink">71 per cent of Canadians are comfortable with never having to use cash to make purchases</a>, up a stunning 44 percentage points from 2011, when only 27 per cent of Canadians said the same. We're going to go out on a limb and suggest this survey could be somewhat unreliable, but another survey, carried out by RBC this spring, found that <a href="http://www.rbc.com/newsroom/2012/0313-poll-cashless.html" target="_hplink">three-quarters of women and two-thirds of men typically carry less than $50 in their wallet</a> and rely on electronic transactions for purchases. Photo: The Canadian Press
As <em>Wired</em> <a href="http://www.wired.com/business/2012/08/canada-will-beat-us-to-cashless-economy/" target="_hplink">points out in this gushing article</a>, Canada's Interac system is a world-leading digital currency system. Nothing like it exists in the U.S., where you can pay by debit card at the cash register or pay user fees at a bank machine. While other countries have proprietary trading systems owned by banks, forcing withdrawal fees on customers and costs on retailers, the not-for-profit Interac costs so little it overtook cash as the preferred method of payment for Canadians all the way back in 2000. Photo: The Canadian Press
1. Interac for the mobile era
The Canadian Bankers Association is <a href="http://www.huffingtonpost.ca/2012/05/14/mobile-payment-canada-banks_n_1515720.html" target="_hplink">working on a unified, standardized system for smartphone payments in Canada</a> -- something that could well evolve into an "Interac for the smartphone age." Experts say that before smartphone payment can become standard, the phones themselves have to be equipped with Near Field Communication, which allows phones to be swiped near readers to complete a transaction. Analysts say that technology is only a few years off. Photo: The Canadian Press