Featured, Latest News

GSMA colludes with Mobile Network Operators over NFC mobile wallets

Feature

Posted by

December 20th, 2011 at 3:39 PM Filed Under Featured, Latest News
GSMA colludes with Mobile Network Operators over NFC mobile wallets

GSMA colludes with Mobile Network Operators over NFC mobile wallets, they will lose the battle for control

The GSMA has released a document called the “NFC Handset APIs & Requirements”, which outlines their mandate to member mobile network operators globally on how NFC USIMs or UICC-based NFC services and secure elements should be treated. We were told by a GSMA executive at WIMA that the GSMA are always being accused of being an inside club for the mobile network operator community with little interest in consumer related issues, and this new document does little to dissuade anyone that this isn’t true. We feel aspects of the GSMA are in the interests of consumers and in favor of education, but there are certainly facets and elements that are not.

The new document is very obviously designed to provide mobile network operators with advantages and ways to interfere with competing NFC mobile wallets. NFC Rumors was told at WIMA by Alex Sinclair, Chief Technology and Strategy Officer over at the GSMA, that “we are confident mobile network operators will win the wallet wars.”

We spent around half an hour speaking with Sinclair about the GSMA’s position on NFC and mobile wallets and the impression we received from him was that the war was already over and the GSMA member MNOs had already won. We respectfully disagreed. In fact, after seeing the new document and in particular two elements within it we think the GSMA has pushed the mandate of control too far and will ultimately help in the defeat of MNOs by big electronics and internet firms.

By baking in anti-competitive standardization rules to the GSMA specifications the organization has lined itself up for a battle for control that MNOs ultimately can’t win. Going public with technical documents that contain specifications that strip consumers of choice leads the battle into the hands of consumers. As consumers begin to become more aware of the issues that surround NFC mobile wallets and NFC payments we project revolt from consumer activists, telecom regulators and organizations like the FCC. So, what exactly has our knickers in a twist about the GSMA NFC Handset APIs & Requirements for MNOs? We are glad you asked.

Areas of concern for consumers with regards to GSMA NFC specifications

We read the through the document thoroughly and found two main areas of concern for consumers. The first being the fact that the GSMA mandates that only one secure element should be active at one time and that the default secure element should be the NFC SIM. The second is that NFC mobile devices should ship with NFC SIMs that should also be set as default. If you are a regular here at NFC Rumors, you will know that the MNOs will own the NFC SIM and any transactions that take place using this secure element will be totally controlled by the MNO.

The concern is that MNOs will use these new specifications to block third party NFC mobile wallets, or at least make it very difficult for competitive products to be used on NFC smartphones. By leaving other secure elements as redundant options where the NFC SIM is default mobile network operators gain control of whether other secure elements are used. By owning the NFC SIM, mobile network operators own their subscribers’ ability to use their NFC smartphone as a mobile wallet, and that is wrong and unethical.

This means that consumers could lose the ability to pick services and firms they choose they are most comfortable with for financial transaction. At the end of the day, would you feel comfortable with your mobile network operator controlling your ability to pay for goods and services? We wouldn’t. Over the last year MNOs have shown that they will control and collude with one another to price fix, control services that can work on their networks and develop anti-competitive joint ventures that push out competition. Quite frankly, with a few notable exceptions such as Sprint and Three UK, mobile network operators have blown any credibility they have as being impartial service providers and have instead acted with evident anti-competitive motivations.

“The operation of defaulting the UICC SE directly implies that the transaction events are routed from the CLF (Contactless Frontend) to the UICC.” This one line in the specifications implies that all NFC transactions are required to use the NFC SIM. This provides a secondary level of control for mobile network operators and allows them to disallow certain competitors from the NFC SIM.

Another interesting point the document details is a potential security risk. The GSMA document states “In some markets additional secure elements may coexist, in which case the following requirements apply. When several Secure Elements, (the UICC SE and others) exist within the mobile device, simply providing access is not enough; the OS also needs to provide a way of managing them.”

What makes a secure element secure is the fact that the OS on a mobile device has no direct access to manage the said secure element. Instead secure elements are managed by trusted service managers that allow the secure element to remain separate to the OS and only accessible by pre-provisioned apps that have been managed by a trusted service manager. This does not take away from the choice of services that consumers have and allows for tamper-proof secure elements to stay that way.

However, where the secure element can be accessed in any form by the mobile OS this gives the potential for exploits to be developed. Even if that access is only limited to choosing which secure element is to be used.

We think that the GSMA was trying to add a level of complexity to making a transaction with any secure element that isn’t the NFC SIM controlled by the MNO. However, that could well backfire on the MNO as exploits are developed to leverage this access point to the secure element.

Why the GSMA and member MNOs will fail in their attempt to control NFC mobile wallets, secure elements and NFC payments

The GSMA may be very confident about the wallet wars already being over. However, we have seen something different here in the United States as the Free Press has called for Verizon to be investigated with its handling of the Google Wallet and subsequent lack of support for the wallet on the network, again touting technical reasons that simply do not exist. We have already seen the developer community usurp Verizon and enable Google Wallet over Verizon’s network. This shows there is already a groundswell of unrest with the MNOs in regards to NFC and mobile wallets.

However, this is but one aspect of a larger story that is playing out with different NFC payment technologies that use different requirements and are being brought to market to completely change how NFC smartphones are used for payments. This subject is too large for us to cover in this post and we will now write a follow up post to highlight this aspect of multi-standards further. But phone-to-cloud and peer-to-peer appear to be the loopholes that will ultimately defeat MNOs.

We want to look a little into a concern that has come to light over the last week that affects NFC SIMs being used as secure elements. The SIMalliance has released an “Open API” for the provisioning of data to secure elements. “Long tail applications and applications requiring security can still be under the MNOs’ control,” said Frédéric Vasnier, President of the SIMalliance. This shows that the MNOs will attempt to create their own app ecosystems that they control with a steely grip.

What we have seen so far is that NFC SIMs are limited in memory and that transactional data is then stored on internal memory within mobile OSs. Google found out this last week that this data can be exploited when root privileges are available to the OS, ergo the probable method that MNOs will take to store additional data that is too large for the NFC SIMs is likely to live within a database linked to a secure app.

Quite frankly, if all sensitive data is not stored within the secure element and yet remains on the smartphone it could become a big security problem in NFC mobile wallets. As the embedded secure element market matures, secure elements are expected to grow in size and NFC microSD secure elements already ship with larger storage capacities. Secure elements that are large enough to store all data associated with NFC payments inside will ultimately prove more secure. At the end of the day, embedded and microSD secure elements have a far better chance of achieving this due to limitations on SIMs.

By enforcing the usage of NFC SIMs, MNOs could be opening the floodgates to multiple security breaches outside of SWP, secure elements and NFC ICs. Of course, both NFC SIMs and microSD secure elements can easily be removed from smartphones to be hacked elsewhere, which is yet another concern. It isn’t as if SIMs haven’t been hacked before, and fundamentally the same technology with slightly different encryptions is being used.

What is fore sure is that the GSMA and member MNOs, like the members of Isis and the UK NFC joint venture, for example, are attempting to initialize a system of control over NFC mobile wallets and NFC payments. It is also becoming very clear that this is not in the benefit of the consumer and is expected to be the next meal ticket for an already too powerful group of companies. NFC Rumors still projects the MNOs will end up losing this battle as they did with app stores and now think that regulatory bodies like OFTEL and the FCC should take a closer look into what the GSMA is proposing for the standardization of NFC services on the majority of mobile network operators’ airwaves.

Source: Smart Card Trends
  • Tim Baker

    Excellent article in general, but I think your analysis of
    “collusion” is a little over simplified even if conspiracy plots are
    all the rage.

    NFC has the potential of bringing mobile payment into the
    physical world, where aver 90% of transactions happen and EVERYONE wants a part
    of the pie. The wallets war is far from over, and during the war (as in all
    wars) the civilians (consumers) will suffer from lack of choice. When the war
    is over one main player or joint venture will control the NFC payment
    transaction flow. The business model for this control varies. MNOs are looking
    for revenue though NFC SIM space rental and possibly transaction fee sharing.
    Google is looking for the value of search in all that transaction data. For
    Apple it will probably be another brick in their easy-to-use walled garden.

    If the GSMA and MNOs win and all transactions go through the
    SIM, all banks will have their accounts available through all operators. So
    with legislation enforcing number portability across MNOs and the SIM ensuring portability
    across handsets and services users will ultimately have the choice of bank, mobile
    handset, and MNO. They would probably not have the choice of Google Wallet
    because the business model of not taking a cut in transaction fees for right to
    the use the data for target search and advertising would not hold up.

    If on the other hand Google Wallet wins the war, I can
    possible imagine that all operators will be obliged to allow it onto their
    networks, but how free would a user be to change handset or operator? Would
    they be able to choose to switch from Android to iPhone, Blackberry, Nokia/Windows?

    There are other actors too, Apple (someday I presume), Visa,
    MasterCard and Co. RIM, Nokia, Microsoft.

    As in all wars, partnerships will be made and broken,
    allegiances will shift, and when the dust has settled the control landscape may
    have changed significantly.

    From the consumer’s point of view, it matters less who wins
    rather than how long and bloody the war is.

    As in all wars the protagonists start by declaring that it
    will be short and clean and that victory is already in sight. Inevitably it
    will be long and dirty and some arms dealers will make a fortune.

    This vision is written from France, and the way things turn
    out in Europe may be very different from the way things happen in US for a
    whole host of reasons. So we can still get a ton of articles written about the
    Wallets War in the next few years.

    • http://www.nfcrumors.com Seth Planck

      This reads like a SunTzu assessment of the industry on a macro level. This is probably the best comment we have ever received here at NFC Rumors. Thanks for taking the time Tim. You are correct in pointing out we simplified the total situation. We pick at it little by little because no one wants to read a 4000 word thesis on the subject. W’ed rather attack each piece on relevant areas of concern or achievement. What is clear however is that a closed system is not good for consumers. Tradional banks are having to morph and NFC mobile wallets could change how we think of banking and niche banks into online banks, off line banks and lending institutions. Each may have their place in the new industry and could even stretch over multiple sectors. 

      However that doesn’t mean consumers shouldn’t be the drivers of what services they are offered and use. At the end of the day it is consumers who will push the last dagger in to the loosing party, and that war should be based on “open combat” in an open market.