SIMalliance issues HCE security warning

“Host card emulation is good for the NFC ecosystem as a whole, but remains immature, unstandardised and, relative to secure element based deployments, vulnerable to malicious attack,” says SIM card manufacturer association SIMalliance, which has published an HCE discussion paper called Secure Element Deployment & Host Card Emulation.


The cloud-based NFC technology, introduced by Google with the release of Android 4.4 KitKat in October 2013 and backed by Visa and by MasterCard, “is most appropriately utilised in services where the emulated NFC application is not based on direct implementation of a current, pre-existing card application,” the alliance advises.

“HCE is a force for good in NFC, but it’s no silver bullet,” says Frédéric Vasnier, chairman of SIMalliance. “It will make NFC more accessible and versatile to developers and help to speed more services to market which, as a result, will drive consumer familiarity and encourage adoption.

“However, service providers evaluating HCE for payment and other high-value NFC services should proceed with caution; HCE presents a new raft of challenges and has the potential to diminish both the transaction security and the end user’s NFC service experience.

“SIMalliance considers HCE to be best suited to lower value applications where stringent security requirements, optimal transaction speeds and always-available functionality are not mandatory,” Vasnier adds. “SE-based deployments delivered via mobile network operators remain the sensible choice for high value, secure NFC services.”


3 comments on this article

  1. I agree with some part of what SIMalliance are saying, except – of course – this: “SE-based deployments delivered via mobile network operators remain the sensible choice for high value, secure NFC services”

    Why does it have to be delivered via MNOs? Why not via neutral TSMs supporting BOTH eSE and SIM SE (as well as cloud SE...)?
