Secure Element — securing contactless payments in smartphones

May 21, 2018

Modern smartphones have successfully combined the functionality of a phone, camera, music player, public transit pass, and even a wallet for many years now. Naturally, this makes you wonder about the security of the data they store. Let’s figure out how well smartphones protect users’ most valuable information and how their main security mechanism — a tiny chip called Secure Element — works.

Meet Secure Element

A special chip for storing secure payment information has migrated to smartphones from contactless credit cards. You may have heard of the EMV (Europay, MasterCard, Visa) standard, the most reliable standard today. With it, your payment information is stored on a protected microchip that is virtually impossible to hack. That’s why cards that use the EMV standard are called, simply, “chip cards.”

The Secure Element in your phone is essentially the same chip as the one used in credit cards. It has a separate operating system (yes, credit cards also have their own OS to run their programs). All of your information is stored on this chip, impossible to read or copy even by the phone’s or tablet’s OS, much less any apps installed on these devices. Secure Element will work only with special, trusted apps, such as select virtual wallets.

The chip communicates directly with payment terminals, so even if a smartphone is infected by malware, hackers can’t intercept this information, because the data is not transferred to the main OS but rather always remains in Secure Element’s specialized system.

The phone wallet: How it all began

The idea of combining a phone with a credit card goes back further than you might think. The first models with a Secure Element installed were feature phones, though they never became very popular. One company even invented a method of mimicking a magnetic stripe with a gadget; however, phones became real competition for plastic cards only recently, in 2014, with the launch of Apple Pay.

Apple Pay’s success piqued the interest of its competitors, and in 2015, Samsung began offering a similar service. Both systems require Secure Element (that’s why old iPhones and inexpensive Samsung models do not support contactless payments).

In an attempt to improve the functionality of its devices, the Korean company even purchased LoopPay, the same company that developed the magnetic stripe imitation technology. Several months later, Google introduced Android Pay (renamed Google Pay in early 2018).

Secure Element — built-in, external, or cloud-based

In fact, Secure Element does not have to be built into a smartphone. It can be removable — for example, in memory card format. Some mobile operators even produce SIM cards that can store your credit card or public transportation pass information. But these options never became popular.

Google, as opposed to Apple or Samsung, primarily produces software for mobile devices and not the devices themselves. This is why their payment system encountered so many difficulties at the outset. Initially, most Android phones did not have Secure Element chips. The company could not force independent manufacturers to install the secure chip, or make users buy some new card. And it also couldn’t implement contactless payments without Secure Element.

At first, Google tried to find a way out of the situation and install its wallet app on SIM cards with Secure Element; however, leading American mobile phone operators — namely Verizon, AT&T, and T-Mobile — refused to cooperate with the company, instead promoting their own app, which was initially called Isis Wallet but was later renamed Softcard because of political considerations. Remarkably, the result of all of this was Google acquiring the system for its patents.

However, before that occurred, the company came up with an even more elegant solution to the problem. Though Android phones did not have physical secure chips installed, virtual ones were created in the cloud. The technology was called Host Card Emulation (HCE).

This cloud-based system was different from wallets with built-in Secure Element chips in one important way. HCE requires the payment terminal to communicate with the gadget’s OS. The OS must also make contact with a cloud Secure Element where payment information is stored, as well as with a trusted app.

Experts state that using HCE is technically less secure than using a real Secure Element: the more the data crosses the Internet, the easier it is to intercept. Nevertheless, HCE includes additional protection mechanisms that make up for this vulnerability — for example, it uses not permanent payment keys but temporary ones that can be used only once.

To be continued

Now you know about the “black box” used to store payment data on your phone. In the next article, we’ll discuss how Android and iOS devices use contactless payment systems based on Secure Element. We’ll also talk about why one does not simply store a bank card on a smartphone without Apple Pay, Google Pay, or Samsung Pay being involved.