GSMA colludes with Mobile Network Operators over NFC mobile walletsFeature
Posted by Seth PlanckDecember 20th, 2011 at 3:39 PM Filed Under Featured, Latest News
GSMA colludes with Mobile Network Operators over NFC mobile wallets, they will lose the battle for control
The GSMA has released a document called the “NFC Handset APIs & Requirements”, which outlines their mandate to member mobile network operators globally on how NFC USIMs or UICC-based NFC services and secure elements should be treated. We were told by a GSMA executive at WIMA that the GSMA are always being accused of being an inside club for the mobile network operator community with little interest in consumer related issues, and this new document does little to dissuade anyone that this isn’t true. We feel aspects of the GSMA are in the interests of consumers and in favor of education, but there are certainly facets and elements that are not.
The new document is very obviously designed to provide mobile network operators with advantages and ways to interfere with competing NFC mobile wallets. NFC Rumors was told at WIMA by Alex Sinclair, Chief Technology and Strategy Officer over at the GSMA, that “we are confident mobile network operators will win the wallet wars.”
We spent around half an hour speaking with Sinclair about the GSMA’s position on NFC and mobile wallets and the impression we received from him was that the war was already over and the GSMA member MNOs had already won. We respectfully disagreed. In fact, after seeing the new document and in particular two elements within it we think the GSMA has pushed the mandate of control too far and will ultimately help in the defeat of MNOs by big electronics and internet firms.
By baking in anti-competitive standardization rules to the GSMA specifications the organization has lined itself up for a battle for control that MNOs ultimately can’t win. Going public with technical documents that contain specifications that strip consumers of choice leads the battle into the hands of consumers. As consumers begin to become more aware of the issues that surround NFC mobile wallets and NFC payments we project revolt from consumer activists, telecom regulators and organizations like the FCC. So, what exactly has our knickers in a twist about the GSMA NFC Handset APIs & Requirements for MNOs? We are glad you asked.
Areas of concern for consumers with regards to GSMA NFC specifications
We read the through the document thoroughly and found two main areas of concern for consumers. The first being the fact that the GSMA mandates that only one secure element should be active at one time and that the default secure element should be the NFC SIM. The second is that NFC mobile devices should ship with NFC SIMs that should also be set as default. If you are a regular here at NFC Rumors, you will know that the MNOs will own the NFC SIM and any transactions that take place using this secure element will be totally controlled by the MNO.
The concern is that MNOs will use these new specifications to block third party NFC mobile wallets, or at least make it very difficult for competitive products to be used on NFC smartphones. By leaving other secure elements as redundant options where the NFC SIM is default mobile network operators gain control of whether other secure elements are used. By owning the NFC SIM, mobile network operators own their subscribers’ ability to use their NFC smartphone as a mobile wallet, and that is wrong and unethical.
This means that consumers could lose the ability to pick services and firms they choose they are most comfortable with for financial transaction. At the end of the day, would you feel comfortable with your mobile network operator controlling your ability to pay for goods and services? We wouldn’t. Over the last year MNOs have shown that they will control and collude with one another to price fix, control services that can work on their networks and develop anti-competitive joint ventures that push out competition. Quite frankly, with a few notable exceptions such as Sprint and Three UK, mobile network operators have blown any credibility they have as being impartial service providers and have instead acted with evident anti-competitive motivations.
“The operation of defaulting the UICC SE directly implies that the transaction events are routed from the CLF (Contactless Frontend) to the UICC.” This one line in the specifications implies that all NFC transactions are required to use the NFC SIM. This provides a secondary level of control for mobile network operators and allows them to disallow certain competitors from the NFC SIM.
Another interesting point the document details is a potential security risk. The GSMA document states “In some markets additional secure elements may coexist, in which case the following requirements apply. When several Secure Elements, (the UICC SE and others) exist within the mobile device, simply providing access is not enough; the OS also needs to provide a way of managing them.”
What makes a secure element secure is the fact that the OS on a mobile device has no direct access to manage the said secure element. Instead secure elements are managed by trusted service managers that allow the secure element to remain separate to the OS and only accessible by pre-provisioned apps that have been managed by a trusted service manager. This does not take away from the choice of services that consumers have and allows for tamper-proof secure elements to stay that way.
However, where the secure element can be accessed in any form by the mobile OS this gives the potential for exploits to be developed. Even if that access is only limited to choosing which secure element is to be used.
We think that the GSMA was trying to add a level of complexity to making a transaction with any secure element that isn’t the NFC SIM controlled by the MNO. However, that could well backfire on the MNO as exploits are developed to leverage this access point to the secure element.
Why the GSMA and member MNOs will fail in their attempt to control NFC mobile wallets, secure elements and NFC payments
The GSMA may be very confident about the wallet wars already being over. However, we have seen something different here in the United States as the Free Press has called for Verizon to be investigated with its handling of the Google Wallet and subsequent lack of support for the wallet on the network, again touting technical reasons that simply do not exist. We have already seen the developer community usurp Verizon and enable Google Wallet over Verizon’s network. This shows there is already a groundswell of unrest with the MNOs in regards to NFC and mobile wallets.
However, this is but one aspect of a larger story that is playing out with different NFC payment technologies that use different requirements and are being brought to market to completely change how NFC smartphones are used for payments. This subject is too large for us to cover in this post and we will now write a follow up post to highlight this aspect of multi-standards further. But phone-to-cloud and peer-to-peer appear to be the loopholes that will ultimately defeat MNOs.
We want to look a little into a concern that has come to light over the last week that affects NFC SIMs being used as secure elements. The SIMalliance has released an “Open API” for the provisioning of data to secure elements. “Long tail applications and applications requiring security can still be under the MNOs’ control,” said Frédéric Vasnier, President of the SIMalliance. This shows that the MNOs will attempt to create their own app ecosystems that they control with a steely grip.
What we have seen so far is that NFC SIMs are limited in memory and that transactional data is then stored on internal memory within mobile OSs. Google found out this last week that this data can be exploited when root privileges are available to the OS, ergo the probable method that MNOs will take to store additional data that is too large for the NFC SIMs is likely to live within a database linked to a secure app.
Quite frankly, if all sensitive data is not stored within the secure element and yet remains on the smartphone it could become a big security problem in NFC mobile wallets. As the embedded secure element market matures, secure elements are expected to grow in size and NFC microSD secure elements already ship with larger storage capacities. Secure elements that are large enough to store all data associated with NFC payments inside will ultimately prove more secure. At the end of the day, embedded and microSD secure elements have a far better chance of achieving this due to limitations on SIMs.
By enforcing the usage of NFC SIMs, MNOs could be opening the floodgates to multiple security breaches outside of SWP, secure elements and NFC ICs. Of course, both NFC SIMs and microSD secure elements can easily be removed from smartphones to be hacked elsewhere, which is yet another concern. It isn’t as if SIMs haven’t been hacked before, and fundamentally the same technology with slightly different encryptions is being used.
What is fore sure is that the GSMA and member MNOs, like the members of Isis and the UK NFC joint venture, for example, are attempting to initialize a system of control over NFC mobile wallets and NFC payments. It is also becoming very clear that this is not in the benefit of the consumer and is expected to be the next meal ticket for an already too powerful group of companies. NFC Rumors still projects the MNOs will end up losing this battle as they did with app stores and now think that regulatory bodies like OFTEL and the FCC should take a closer look into what the GSMA is proposing for the standardization of NFC services on the majority of mobile network operators’ airwaves.