TCG and its work groups recently have spent much time examining the growing insecurity of payments via mobile/IoT devices and how core concepts of trusted computing can be applied to reduce fraud and better protect payments, which are quickly becoming a norm for many users and businesses.
To help the industry understand this issue and the role of trusted computing, TCG has published a new architects guide. As context, the new guide notes that “…IoT devices are slowly emerging as new payment instruments.
Smart watches, in particular, are currently used for NFC tap and pay payments. The majority of these devices rely on a paired mobile device such as a smart phone for some functionality, which may include provisioning and authentication.”
TCG members, which include chipmakers, mobile device companies and financial services providers, believe that “…In the foreseeable future, it’s expected that these IoT payment instruments will no longer need a companion-assisting device. Backend fraud and risk engines currently rely on payment parameters to reach an authorize or reject decision on incoming transaction requests. To reduce fraud risk, the backend needs to collect some signals, authenticate the user, and identify the device as well as the POS (point-of-sale system).
Currently, as the guide notes, IoT devices, such as smart watches, are currently used in the payment industry for NFC tap and pay. Some devices rely on a secure element and others rely on TrustZoneTM / SGX or a separation kernel.
Additionally, the back end of the payment process needs to identify the device and authenticate the user. TCG has noted that “…there are currently some weakness and challenges in payment instruments not using hardware security, which includes various POS, or point-of-sale, systems.
Trusted computing mechanisms make the act of payment easier for users, by allowing devices to provide a range of levels of protection depending on the type of payment. Backends can use trusted computing mechanisms to determine the level of protection during the current payment.
Details about the application and use of trusted computing, including several TCG specifications, can be found in the complete guide, https://trustedcomputinggroup.org/wp-content/uploads/2018_TCG_FinSvcGuide_SmWeb_DR02.pdf. TCG welcomes input and participation; for more info on membership, go to https://trustedcomputinggroup.org/membership/.
*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://trustedcomputinggroup.org/new-tcg-architects-guide-demonstrates-fraud-reduction-in-payment-industry-with-trusted-computing/