Bank card emulation on the phone

HCE (Host-based Card Emulation) is a technology that makes it possible to write software that does not require a dedicated crypto processor to execute in order to provide a communication session with a payment terminal. The application is executed on the main processor of the mobile device, surrounded by the operating system of the phone.

HCE for NFC has an open architecture, which allows you to emulate not only bank cards, but also loyalty program cards, transportation cards, passes and so on. The technology makes it possible to significantly speed up the process of introducing NFC payment services, because there is no need to coordinate and coordinate actions with phone manufacturers, in addition, many compatibility issues are resolved.
')
We made such an HC-emulator in our application. Before HCE technology, information for NFC transactions in mobile devices could be stored in three ways: either on the SIM card (SIM centric NFC principle), or in a special element on the phone (Embeded Secure Elements, eSE), or on a special MicroSD.

How did things go before?

The classical methods before HCE have significant drawbacks. With the SIM centric approach, special SIM cards are required, which are much more expensive than standard cards, the user must visit the point of sale to replace the SIM card, etc.
With the eSE approach, there are still more difficulties and limitations - there are very few phone models that have a special block for storing information about the card; the cost of personalizing an item in the phone is very high; -The-Air Service Provider). Until recently, these restrictions, hardware and organizational barriers did not make it possible to make the service of contactless payments using mobile devices massive.
Previously, to start the NFC payment service, its provider needed to negotiate with the vendor about obtaining the keys for recording billing information on the phone. Some phone manufacturers provided their own cloud service, with which the payment service provider needed to integrate, transfer payment data to it in order to further fill this data into the phone. Along the way of the "closed" technology, Apple has now gone, and a crypto processor is used to operate the payment application, only the device manufacturer has the keys, and only he can download payment information.

For users, the main disadvantage of these hard approaches is the binding of the security system to the hardware and, therefore, the inevitable need to change the SIM card or even the phone to connect the NFC payment service.

Google: we will go the other way

Another approach was chosen by Google, judging that the dependence on vendors (phone manufacturers and Secure Elements) drastically reduces the adaptability of the technology and prevents mass replication of payment services. By reasoning this way, Google implemented an approach in which the NFC controller is directly connected to the main processor, which directly ensures the operation of the payment application, data storage, transaction signatures, etc. And information security is provided by software.

In December 2013, Google released a version of Android 4.4 KitKat, in which the NFC controller was able to interact not only with SE, but also with a regular phone application. Simply put, there was no need for the industrial loading of information into special devices, it became quite simple to install a payment application using HCE technology on a smartphone.

How it works?

We have a Beeline card - a regular MasterCard debit card, which can be obtained free of charge at any Beeline store. The annual maintenance fee for our card is not charged. The card works like a normal MC worldwide, only when making purchases returns from 1.5% of the amount spent to the account in the form of bonuses. Accumulated bonuses can be used when paying for mobile services, our wired Internet, various goods in our and partner stores.

The card is emulated on the phone.

In fact, HCE technology makes it possible to emulate contactless smart cards in the phone. In our case, the virtual card is an additional function of the physical carrier - a plastic Beeline card. The owner of such a card, who is also the owner of the phone on the Android KitKat platform equipped with an NFC module, installs the Beeline card mobile application on it. When entering the mobile application, to activate the function of contactless payments, it is enough to enter the N card and your password. The application checks the availability / availability of HCE on the device, and if everything is ok, the user is prompted to connect the functionality.
If the user confirms his consent to connect the service by responding to the received sms by entering a one-time password, the virtual card is issued - the data necessary for making NFC payments is loaded into the mobile application from the processing center. Actually, that's all - the phone has become a tool for contactless payment.





On the phone, HCE functions as a background service, which allows you to use HCE without running the application for this interaction. When interacting with the Android terminal, you need to select the application to which to send data for processing. This choice is made on the basis of the Application ID (AID), which contains up to 16 bytes of information, and is known for popular payment systems such as Visa or MasterCard. An application can handle several different AIDs that are grouped together. Each group can be associated with a specific category. Currently, two categories are defined: CATEGORY_PAYMENT (for payment applications) and CATEGORY_OTHER (for the rest). Several applications can be installed in the phone for the same AID, different application policy can be applied for different categories, one active application is defined by default for payment applications.

To implement HCE, we needed to extend the HostApduService service and implement the methods: processCommandApdu () - called when the application interacts with the terminal and onDeactivated () - if the connection with the terminal is lost, or another NFC reader tries to establish a connection. This service is declared in the application manifest and must contain an intent filter for SERVICE_INTERFACE, access android.permission.BIND_NFC_SERVICE, and metadata defining which AIDs process our service. Also here we can determine if the device needs to be unlocked for making a payment with it. Resolution BIND_NFC_SERVICE ensures that all interactions with the NFC-module will be carried out through the Android operating system. And the safety of stored data is based on the standard sandbox system for the application.

The scheme of interaction of elements in the process of contactless payment using HCE technology

Elements of the system are:
NFC-controller - transmits commands from the terminal to the payment application.
Mobile platform is the server part of a mobile bank, including payment application management functions.
The issuer's host is the issuer 's processing center, which is able to interact with the mobile platform to serve the mobile application.
The acquirer's host is the acquirer 's processing center.
When making contactless payment, the terminal communicates with the phone's NFC controller using the ISO 14443 protocol (APDU T = CL).
The NFC controller communicates with the Payment Application using an internal protocol specified in Android 4.4 and higher.

The Payment Application receives key transaction data from the terminal (amount, currency, operation time, terminal properties, etc.), checks the possibility of making a transaction and, if successful, generates a unique cryptogram (ARQC) on the unique secret key of the Payment Application. The data on which the cryptogram is calculated include a random number.

Depending on the amount and properties of the terminal, the client may be asked for a pin code that is entered by the client at the terminal (or pin-pad).

The terminal on the acquirer’s host generates an authorization request that includes the ARQC and the encrypted pin code if it was entered by the client.

Then, from the acquirer’s host, the authorization request is routed through the payment system to the issuer’s host, where it is decided to approve or refuse authorization.

Checks on the issuer's host include:
1. Cryptogram verification (ARQC).
2. Checking the PIN code (if it was entered by the client).
3. Check card service rules.
4. Check card limits and accounts.
5. Checking anti-fraud rules, including specific rules for contactless payment by phone.

As a result of processing the authorization on the issuer's host, a response is generated, which is delivered back to the terminal via a return chain.

What you need to use the service in Russia

In order to use the contactless payment service, you need to get a prepaid Beeline card at any Beeline office for free. Next, download the mobile application of the Beeline card on Google Play and activate the contactless payment function. Hardware and software limitations: Android operating system, version 4.4 or higher, NFC-module in the phone.

What other features are there?

For example, if a user has not one, but several phones on Android 4.4, then the contactless payment service, tied to his main card, can be installed on all devices of the owner of this card. This is convenient, for example, to use the service family. At the same time, there can be only one virtual card on one phone.

When paying, when the phone is brought to the terminal, the amount of the purchase and information about the success of the payment is displayed on the screen.
Payment is made only when the screen is unlocked, so it is important that the phone is password protected. In this case, the application itself may be closed. When you delete an application from your phone, the virtual card is blocked. When the application is restored, the card is emulated again, so you have to go through the process of setting up contactless payment from scratch. Reactivation of the service will also be required if you disable contactless payment service in the application. However, it is not necessary to remove the application or disable the service - you can use the function “Pause contactless payment” for temporary blocking.


Contactless payment service activity is confirmed by the orange color of the corresponding icon.

What is the profit?

So, what gives us contactless payment service using a mobile phone? You can forget your wallet at home, leave your passport in the apartment, or even your driver's license, but with almost 100% probability your cell phone will be with you. And if an application for contactless payment is installed on this phone, it means that you are always “at the money”.

Further. NFC transaction is an instant payment. Even in order to pay with a plastic card, you first need to remove it from the wallet, and before that - the wallet from your pocket or bag. When calculating cash, the moment of recalculation, transfer of money, receipt and check of change, etc. is added. Transactions up to 1000 rubles, made with the help of NFC and HCE, do not even require entering a PIN code, and the calculation without any exaggeration occurs at one moment and with one touch.

After completing the transaction, an SMS message about the past operation and the account balance comes to the phone, i.e. You are always aware of the state of your e-wallet.

By the way, an interesting detail - in the Beeline card application, a single PIN technology is implemented for several cards, in this case for the Beeline main card and a card emulated by a mobile application. That is, when calculating with a plastic card, and using the contactless payment service, you enter the same password.

The service is free, no fees are charged for NFC transactions.

Where can I pay?

Of course, the development of the infrastructure for receiving contactless payments depends on a specific region, but today already about 5% of payment terminals are already equipped with the NFC function. On the scale of all of Russia, according to expert estimates, about 30 thousand devices. The market leaders in the production of POS terminals, VenFone and Ingenico, have been equipping their devices with NFC support as a basic standard feature for years.

When paying, you should be guided by the presence of a badge on the POS-terminal, indicating that the device is equipped with contactless functionality.

If we talk about specific points, then these are chains, large stores, fast foods, gas stations. McDonald's, Starbucks, Subway, Auchan, O'KEY, Magnit, Aeroexpress hypermarkets, major cellular retail chains, global cosmetics and perfume manufacturers, fashionable leisure venues.

Security

The most obvious thin spot of HCE technology today is security. The data necessary and sufficient for making NFC payments are stored directly in the smartphone's memory. However, for the mobile application of the Beeline card, a set of measures is used that minimize the likelihood of hacking. We did an internal contest for hacking the system, with a very good reward, code analysis.

Let us examine some aspects of the information security technology HCE, implemented for the mobile application of the Beeline card.

Blocked phone operations are not possible. In this sense, the HCE solution is better protected than a regular plastic card with a contactless interface - to perform a payment operation, the attacker must unlock the phone. In the case of a regular card, it’s enough to get the card itself. When using the mobile application of the Beeline card, for example, a scenario is impossible when the subway in a dense stream of people with a virtual card quietly write off money by putting a reader into the pocket.

The product is protected from hacking and cloning both at the level of the application itself and at the processing level. All data is encrypted, the application itself keeps track of hacking attempts and, upon detecting such an attempt, clears all critical data. At the same time, the application periodically informs the processing of its state, with all operations the host checks the expected state and compares it with the actually received one. If there is a mismatch that may be caused by an attempted cloning, the card is blocked. In addition, special processing rules for issuing fraud monitoring are set up in the processing center, which control the number of non-zero operations and block the card when suspicious activity is detected.

Transactions worth more than 1000 rubles are protected by online pin-code, which is entered into the pinpad terminal. Interception of a pin-code through hacking an application is impossible - simply because the pin-code on the phone is never entered.

If the phone is lost, the procedure is practically the same as the standard actions performed when a conventional bank card is lost: a call to the contact center, blocking the Beeline card by EAN, receiving a new card in the communication lounge. All balances, bonuses, and so on will be transferred to the new card. At the same time, of course, the card number will change, and the attacker will have a phone in his hands, in which the old card will be emulated, the operation on which you can no longer make, because it is blocked.
By the way, you should pay another nuance related to the security of NFC technology in general. There is a perception that the data session from the smartphone to the POS terminal is vulnerable. In fact, each transaction is protected by a unique cryptogram, without which authorization is impossible. From the data that is transmitted over the air, it is almost impossible to extract any information that would help attackers to steal money from the account by signing other transactions.

Will this service work on the iOS platform?

Apple has taken the phone-based path and is using the built-in Secure Element, where no one but Apple can download card keys. Therefore, the only realistic option at present is the integration with the new Visa Token Service technology (generation of temporary keys for payment), on the basis of which Apple Pay actually works.

Forecasts

It can be predicted that the market for NFC payments in Russia is moving from a stage of formation into a phase of active growth. The number of phones supporting NFC technology is growing, integration projects are emerging, being jointly implemented by vendors, payment systems and retailers.

In the first half of 2014, 1.2 million smartphones supporting NFC technology were sold in Russia. This is 21% more than the same period last year. NFC smartphones accounted for 14% of all smartphone sales in the country. It is clear that rapid growth can only be caused by the convenience of using contactless technologies, and a powerful driver can give mass service. Such, for example, as contactless fare in public transport, especially in the subway.

If we talk about the capacity of the market for NFC payments in Russia, the experts refer to a figure of about 15 billion rubles (J'son & Partners agency estimate).