Bank card emulation on the phone
HCE (Host-based Card Emulation) is a technology that makes it possible to write software that does not require a dedicated crypto processor to execute in order to provide a communication session with a payment terminal. The application runs on the main processor of the mobile device, surrounded by the phone’s operating system.
HCE for NFC has an open architecture, which allows you to emulate not only bank cards, but also cards of loyalty programs, transport cards, passes and so on. The technology allows you to significantly accelerate the implementation of NFC payment services, because you do not need to coordinate and coordinate actions with phone manufacturers, in addition, many compatibility problems are solved.
We made such an HC emulator in our application.Before the advent of HCE technology, information for NFC transactions in mobile devices could be stored in three ways: either on a SIM card (SIM centric NFC principle), or in a special element on the phone (Embeded Secure Elements, eSE), or on a special MicroSD.
How were things before?
Classical methods prior to HCE have significant drawbacks. With the SIM centric approach, special SIM cards are required, which are much more expensive than standard cards, the procedure of visiting the point of sale by the user is mandatory to replace the SIM card, etc.
With the eSE approach, there are even more difficulties and limitations - there are very few phone models that have a special unit for storing card information on the market, the cost of personalizing an item in the phone is very high, and there is a dependence on the phone manufacturer and the personalization service provider “over the air” (Over -The-Air Service Provider). Until recently, these restrictions, hardware and organizational barriers did not make it possible to make the contactless payment service using mobile devices massive.
Previously, in order to start the NFC payment service, its provider had to agree with the vendor on receiving keys for writing payment data to the phone. Some phone manufacturers provided their own cloud service, with which the payment service provider needed to integrate, transfer payment data to it for further uploading this data to the phone. Apple has also taken the path of “closed” technology - a cryptoprocessor is used to operate the payment application, only the device’s manufacturer has the keys, and only he can download payment data.
For users, the main disadvantage of these hard approaches is the binding of the security system to the hardware and, therefore, the inevitable need to change the SIM card or even the phone to connect the NFC payment service.
Google: we will go the other way
Another approach was taken by Google, judging that dependence on vendors (phone manufacturers and Secure Elements) drastically reduces the adaptability of the technology and prevents the mass replication of payment services. Having reasoned this way, Google implemented an approach in which the NFC controller is directly connected to the main processor, which directly ensures the operation of the payment application, data storage, transaction signing, etc. And information security is provided by software.
In December 2013, Google released Android 4.4 KitKat, which implemented the ability of the NFC controller to interact not only with SE, but also with the regular application in the phone. Simply put, the need for industrial loading of information into special devices has disappeared, it has become quite simple to install a payment application using HCE technology on a smartphone.
How it works?
We have a Beeline card - an ordinary debit MasterCard, which can be obtained for free at any Beeline salon. There is no annual subscription fee for servicing our card. The card works like an ordinary MC around the world, only when making purchases it returns from 1.5% of the amount spent to the account in the form of bonuses. The accumulated bonuses can be used to pay for mobile services, our wired Internet, various products in our and affiliate stores.
The card is emulated on the phone.
In fact, HCE technology makes it possible to emulate contactless smart cards in the phone. In our case, the virtual card is an additional function of the physical medium - the Beeline plastic card. The owner of such a card, who is also the owner of an Android KitKat phone equipped with an NFC module, installs the Beeline card mobile application on it. When you enter the mobile application to activate the contactless payment function, it is enough to enter the EAN card and your password. The application checks the availability / availability of HCE on the device, and if everything is ok, the user is prompted to connect the functionality.
If the user confirms his consent to activate the service by responding to the received SMS by entering a one-time password, then a virtual card is issued - the data necessary for making NFC payments is downloaded from the processing center to the mobile application. Actually, that’s all - the phone has become a contactless payment tool.
On the phone, HCE functions as a background service, which allows you to use HCE without launching the application for this interaction. When interacting with the Android terminal, you need to select the application to which to send data for processing. Such a choice is made on the basis of Application ID (AID), which contains up to 16 bytes of information, and is known for popular payment systems such as Visa or MasterCard. An application can handle several different AIDs that are grouped together. Each group can be associated with a specific category. Two categories are currently defined: CATEGORY_PAYMENT (for payment applications) and CATEGORY_OTHER (for the rest). Several applications can be installed on the phone for the same AID, different application selection policies can be applied for different categories,
To implement HCE, we needed to expand the HostApduService service and implement methods: processCommandApdu () - called when the application interacts with the terminal and onDeactivated () - if the connection to the terminal is lost, or another NFC reader tries to establish a connection. This service is declared in the application manifest and should contain a intent filter for SERVICE_INTERFACE, android.permission.BIND_NFC_SERVICE access and metadata that determine which AIDs our service processes. Also here we can determine if the device needs to be unlocked to make a payment using it. The BIND_NFC_SERVICE permission ensures that all interactions with the NFC module will be carried out through the Android operating system. And the security of the stored data is based on the standard sandbox system for the application.
Scheme of interaction of elements in the process of contactless payment using HCE technology
Elements of the system are:
NFC-controller - sends commands from the terminal to the payment application.
Mobile platform - the server part of the mobile bank, including payment application management functions.
The issuer's host is the processing center of the issuer, which is able to interact with the mobile platform to service the mobile application.
Acquire Host - Acquirer Processing Center.
When making contactless payment, the terminal interacts with the NFC-controller of the phone using the ISO 14443 protocol (APDU T = CL).
NFC-controller interacts with the Payment application via the internal protocolspecified in Android 4.4 and higher.
The payment application receives from the terminal key transaction data (amount, currency, transaction time, terminal properties, etc.), checks the possibility of the transaction and, if successful, generates a unique cryptogram (ARQC) on the unique secret key of the Payment application. The data on which the cryptogram is calculated includes a random number.
Depending on the amount and properties of the terminal, the client may be asked for a pin code that is entered by the client on the terminal (or pin pad).
The terminal on the acquirer host generates an authorization request, which includes ARQC and the encrypted pin code, if it was entered by the client.
Further, from the host of the acquirer, an authorization request through the payment system is routed to the issuer's host, where a decision is made on the approval or refusal of authorization.
Checks on the issuer's host include:
1. Cryptogram Verification (ARQC).
2. Checking the pin code (if it was entered by the client).
3. Checking card service rules.
4. Checking card and account limits.
5. Checking anti-fraud rules, including specific rules for contactless payment by phone.
As a result of authorization processing, a response is generated on the issuer's host, which is delivered through the reverse chain to the terminal.
What you need to use the service in Russia
In order to use the contactless payment service, you need to get a Beeline prepaid card at any Beeline office for free. Next - download the Beeline mobile application on Google Play and activate the contactless payment function. Hardware and software limitations: Android operating system, version no lower than 4.4, availability of an NFC module in the phone.
What other features are there?
For example, if a user has more than one Android 4.4 phone, then the contactless payment service tied to his main card can be installed on all devices of this card holder. This is convenient, for example, for using the service as a family. At the same time, only one virtual card can exist on one phone.
When paying, when the phone is brought to the terminal, the screen displays the amount of the purchase and information about the success of the payment.
Payment is made only with the unlocked screen, so it is important that the phone is password protected. In this case, the application itself may be closed. When you uninstall the application from the phone, the virtual card is blocked. When the application is restored, the card is emulated again, so you will have to go through the process of setting up contactless payment from scratch. Re-activation of the service will also be required if the contactless payment service is disabled in the application. However, uninstalling the application or disabling the service is not necessary at all - you can use the “Pause contactless payment” function for temporary blocking.
The activity of the contactless payment service is confirmed by the orange color of the corresponding icon
What is the profit?
So, what does the contactless payment service using a mobile phone give us? You can forget your wallet at home, leave your passport or even a driver’s license in the apartment, but with almost 100% probability the cell phone will be with you. And if the contactless payment application is installed on this phone, then you are always “with the money”.
Further. NFC transaction is an instant payment. Even in order to pay with a plastic card, you first need to remove it from the wallet, and before that - the wallet from the pocket or bag. When calculating cash, the moment of recounting, transferring money, receiving and checking change, etc. is added. Transactions up to 1000 rubles, made using NFC and HCE, do not even require entering a PIN code, and the calculation, without any exaggeration, takes place at one moment and with one touch.
After the transaction is completed, an SMS message about the past operation and the account balance, i.e. You are always aware of the status of your electronic wallet.
By the way, an interesting detail is that the Beeline card application implements a single PIN technology for several cards, in this case, for the Beeline main card and a card emulated by a mobile application. That is, when calculating with a plastic card, and using the contactless payment service, you enter the same password.
The service is free, no commissions for NFC transactions are charged.
Where can I pay?
Of course, the development of the contactless payment acceptance infrastructure depends on the specific region, however today about 5% of payment terminals are already equipped with the NFC function. On a national scale, this is, according to expert estimates, about 30 thousand devices. The market leaders in the production of POS-terminals - VenFone and Ingenico - have been equipping their devices with NFC support as a basic standard function for several years.
When paying, you should be guided by the presence on the POS terminal of an icon indicating that the device is equipped with contactless functionality.
If we talk about specific points, these are chains, large stores, fast foods, gas stations. McDonald's, Starbucks, Subway, Auchan, O'KEY, Magnit, Aeroexpress hypermarkets, large cellular retail chains, stores of global cosmetics and perfume manufacturers, trendy leisure venues.
The most obvious thin point of HCE technology today is security. The data necessary and sufficient for making NFC payments is stored directly in the smartphone’s memory. However, for the Beeline card mobile application, a set of measures is used that minimize the chance of hacking. We did an internal competition for hacking the system, with a very good reward, code analysis.
Let's analyze some aspects of information security of HCE technology implemented for the Beeline card mobile application.
Operations on a locked phone are not possible. In this sense, the HCE solution is better protected than a regular plastic card with a contactless interface - in order to complete a payment transaction, an attacker must unlock the phone. In the case of a regular card - just get the card itself. When using the Beeline card mobile application, for example, a scenario is not possible when in the subway, in a dense stream of people, money is imperceptibly deducted from a virtual card by putting a reader in your pocket.
The product is protected from hacking and cloning both at the level of the application itself and at the processing level. All data is encrypted, the application itself monitors hacking attempts and, upon detection of such an attempt, clears all critical data. At the same time, the application periodically informs the processor of its status, during all operations the host checks the expected state and compares it with the actually received one. If there is a mismatch, which may be caused by an attempt to clone, the card is blocked. In addition, the processing center has set up special rules for issuing fraud monitoring, which control the number of non-spin transactions and block the card when it detects suspicious activity.
Transactions worth more than 1000 rubles are protected by an online pin code that is entered into the terminal's pinpad. Intercepting a pin code through hacking an application is impossible - simply because the pin code on the phone is never entered.
If the phone is lost, the procedure is practically no different from the standard actions performed when the usual bank card is lost: a call to the contact center, a Beeline card is blocked by EAN, and a new card is received in the communication salon. All cash balances, bonuses and so on will be transferred to the new card. In this case, of course, the card number will change, and the attacker will have a phone in his hands, in which the old card will be emulated, operations on which it is no longer possible to perform, since it is blocked.
By the way, you should pay attention to one more nuance related to the safety of NFC technology in general. There is an idea that the data transfer session from the smartphone to the POS terminal is vulnerable. In fact, each transaction is protected by a unique cryptogram, without which authorization is impossible. From the data that is transmitted over the air, it is practically impossible to extract any information that would help attackers steal funds from the account by signing other transactions.
Will this service work on the iOS platform?
Apple followed the phone-based path and use the built-in Secure Element, where no one except Apple can download card keys. Therefore, the only realistic option at present is integration with the new Visa Token Service technology (generation of temporary keys for payment), on the basis of which Apple Pay actually works.
It can be predicted that the NFC-payments market in Russia is moving from the stage of formation to the phase of active growth. The number of phones supporting NFC technology is growing, and integration projects are being implemented jointly by vendors, payment systems and retailers.
In the first half of 2014, 1.2 million smartphones supporting NFC technology were sold in Russia. This is 21% more than in the same period last year. NFC smartphones accounted for 14% of all smartphone sales in the country. It is clear that rapid growth can be caused only by the convenience of using contactless technologies, and a powerful driver can give mass service. Such, for example, as contactless payment for travel in public transport, especially in the subway.
If we talk about the capacity of the NFC-payments market in Russia, then experts call the figure about 15 billion rubles (estimated by J'son & Partners).