PIN on Mobile

PCI: Software-Based PIN Entry on COTS (a.k.a. PIN-on-Mobile)

Almost four YEARS ago I wrote Software PIN, the Rosetta Stone of Future Payments, then just over a year later I wrote; Mobile Authentication: Exceeding Card Present Security?

Just this month the SSC finally came out with their Software-Based PIN Entry on COTS Security Requirements v1.0.

[Ed. While I don’t have to wonder why PIN was my primary focus, I can see how pointless it was …almost. It just makes the delay on this standard that much more inexcusable.]

On with the story… Software PIN is more commonly referred to as PIN-on-Mobile (or the catchier PIN-on-Glass), and is the ‘game-changing’ technology that will; “enable merchants to accept PIN-based payments with the PIN entered on a commercial off-the-shelf device, such as a consumer-grade mobile phone or tablet.”

What has taken them so long to make what – from my jaded perspective – is the only move that will delay their inevitable demise? It’s not like there was some miraculous innovation in mobile or encryption technology in the last couple of years! Every requirement in the standard was available/achievable long before I even wrote my blogs. As were viable solutions for that matter.

I suspect there’s lots of reasons of why they were so slow, but chief amongst these has to be their complete inability to adapt to the fast-paced innovation rampant in the FinTech industry. Especially given their hopelessly antiquated technology. It’s only their global adoption and sheer ubiquity that keeps them where they are. I blame the banks too, change for them means acceptance of liability.

Come to think of it, what an amazing coincidence that PSD2 – the biggest nail in the payment card’s coffin since …well ever, came out this month as well. Weird huh?

As far as I am concerned, PIN-on-Mobile was the card brand’s last hold-out, now they’re done. Hopefully between the XYZ-Pays (ApplePay, SamsungPay etc.) and now the entry of cardholder PIN on [almost] any CoTS device, big merchants / retail associations will finally have the balls to stand up for themselves.

How many millions have they spent in the US on EMV terminals just to find out a few years later that it was not only entirely unnecessary, but they’re now tied into an investment that will leave them lagging behind their competition who were slower of the EMV block?

I know that’s harsh, and we really have no right to judge. Have any of the following questions ever occurred to you?:

  1. If I can use my phone to pay for something, why do I have to tie that payment to a branded card?;
  2. With all of the security requirements required for the entry of a software PIN, why the Hell do I still have to use one? In other words, if it’s that bloody difficult to secure it, why not use something else?; and
  3. Isn’t there a better way!?

If you’re like the majority of the population, these questions are more like:

  1. Why doesn’t MY bank support this?! (looking at YOU Barclay Business!), or more commonly; why would I use this service when I have a piece of plastic?;
  2. What’s wrong with PIN?; and
  3. [nothing]

The fact is that the lion’s share of the cashless transactions globally are performed by those who have never known a time before payment cards. We simply can’t imagine anything else and we don’t even notice their inconvenience. We also don’t see the costs imposed by the middlemen.

But let me ask you this; Would you ever go back to using a feature phone? I’ll [almost] guarantee that you had no idea what features you wanted in a phone until you used a smartphone for the first time. And now you can’t live without it. Hell, most of us can’t even put the damned things down!

The same thing WILL happen to payments, but not until consumer indifference is overcome by something shiny and new.

Frankly this blog is boring even to me, and I really have nothing more to say about payment innovation that I have not already said a hundred times. But I simply can’t let anything so patently meaningless as PIN on Mobile to go unanswered.

Innovation my arse.

[If you liked this article, please share! Want more like it, subscribe!]

Future Payments

Software PIN, the Rosetta Stone of Future Payments

For those who don’t know what the Rosetta Stone is, it’s a tablet found in 1799 that greatly assisted the translation of ancient Egyptian Hieroglyphs [subsequently] to every modern language.

So why do I use this as an analogy for non-cash payments?

Hieroglyphs​ had puzzled scholars for centuries until the Rosetta Stone unlocked them enough for the translation to move forward to completion. Having a software PIN will effect the exact same unlocking of the transition of non-cash payments from plastic to mobile. We have had payment cards for 60+ years, with nothing in that time anywhere near ubiquitous enough to disrupt them​, now ​we do. And while mobile devices are in no way perfect, and in many ways even less secure than payment card, ​they ​​are​ already far more prevalent​. ​Despite all ​of mobiles’s flaws, they ​are being used ​today as a payment medium​, a trend that will continue until plastic is replaced completely (at least in its current form).​

Th​ere are too many reasons​ for the continuity​ to go into​ here​ (sheer functionality being the top one), but it has been slow because until now every mobile payment innovation was just a little too much for people to accept, just a smidge too radical to gain the necessary momentum.

This is probably because none of those innovations kept the most widely used of the authentication mechanisms in the world; the PIN. The enormously complex and expensive chip & PIN (EMV) used for credit cards is accepted globally (if they can afford it), but up till now there has been no way to effect an acceptable level of security on a device that is never going to be as secure as a system built for purpose.

But ‘as secure’ is not the point, ‘secure enough’ is. You’re not fighting for perfection and zero loss through theft, you’re fighting for making it too difficult for thieves to bother. This can only be effected by layers of security, the so-called defence-in-depth. EMV put all of its security controls into a single factor (they had no choice), but mobile devices have access to numerous – and ever expanding – options:

  1. Geolocation/Geofencing: Whatever you want to call it, and whatever buzz phrases vendors will come up with next, they all mean the same thing; are you where you should be? Should you be paying for something in Glasgow if you live in London? Maybe, but when you set the areas from which payments can be made, you are removing the majority of the bad guys’ ability to process a fraudulent transaction.
    Yes, there can be privacy issues, but most vendors have dealt with that now.
    o
  2. Device Authentication: Every mobile phone has a serial number, IMEI number, and other built in identifiers. If your device is registered it’s very difficult to use another device to get in the middle. Not impossible, just difficult.
    o
  3. Application Signing and Authentication: Minimal security in and of itself, but is another security layer which ensures as much as possible that only known good apps are used. Apple and Google have their own ways of doing this for downloads, neither of which is adequate. Ongoing application verification can be relatively useful though.
    o
  4. App Blacklisting / Malware Detection: Very early days yet for mobile devices, but in the same way that operating systems anti-virus vendors have made untold fortunes regurgitating known bad things into signatures, mobile devices will have the ability to blacklist apps that should never be running on devices secure enough to authenticate payments. OS hardening guides (SELinux for example) and version control (Android must be at v4.2 and above for example) are fundamental baselines.
    o
  5. PIN Image ‘Watermarking’: Most internet banking sites now have a facility whereby you can upload a personal image to ensure that your open communication is actually with your bank and not redirected to a bad guy. Mobile devices make this factor possible and can even be configured into the PIN pad image.
    o
  6. Encryption (Packet and Transport Layer): Obvious stuff, and relatively trivial to circumvent when you have access to the base operating system kernel (where all jailbreaks take place), but still a very valid concept, especially when you consider the very clever technology surrounding things like Secure Remote Password protocol (SRP).

​Even today there are more options than this, and even implementing all of them at once is seamless to the end user once they have registered their device​. Any one of these by itself is clearly inadequate, but can you really see a bad guy sitting in Starbucks cracking ALL of these in the few moment it takes you to pay for your coffee?

By their nature, mobile devices will always be insecure and limited (bloated OSs, battery life, delicacy, theft and so on) and cannot be seen as a long term solution in payments the way the credit cards were, but I don’t think anyone can deny that they will replace plastic. Mobile devices will take payments to places credit cards can never reach, and the functionality and distribution of payment innovation through mobile devices will grow exponentially over the next 5 – 10 years, it just needs something to help everyone make that transition;

The software PIN.

[If you liked this article, please share! Want more like it, subscribe!]