Thales Blog

Mobile Wallet Security

August 15, 2011

Over the last few months, various groups have launched their mobile wallet offerings.

In the U.S., Isis, the mobile payment initiative that AT&T, T-Mobile and Verizon started last November, recently announced plans to launch a pilot project in 2012. This project will create a payment network that enables customers to pay, redeem coupons and store merchant loyalty cards, all with the tap of their phone.

More recently, a joint venture between Vodafone, Everything Everywhere and O2 announced that it is set to ‘deliver the technology required for the speedy adoption of mobile wallet and payments’. Back in May we of course saw Google launch its platform, which turns Android smartphones into digital wallets.

The Vodafone, Everything Everywhere and O2 offering, if not the other wallets announced, will take the form of a SIM-based wallet, meaning it can be used regardless of which NFC-enabled mobile device or mobile network customers are using.

But what does that mean in terms of security? How exactly do you get the wallet onto the SIM in a secure way? As mentioned in previous blogs about security challenges in the age of mobile payments, usually the provisioning of wallets or applications is done ‘Over The Air’ (OTA).

The standards for putting payments on phones are shaping up now, but building the data needed to issue a payment application and creating the secure messages required to personalize the mobile phone OTA can be a lengthy and inefficient process. It requires multiple core cryptographic functions, which may expose sensitive data.

The activity around mobile wallets has only really just begun and it will be interesting to see which players prove the most successful, but the fact remains that the security of mobile payments is one of the customer’s main concerns. The availability of a more efficient and secure means to enable issuers to provision wallets over the air to mobiles will undoubtedly pay dividends in the long run.