European Consumer Summit 2014 On-line and mobile payments Dr Florent Frederix Trust & Security Unit, DG CONNECT, European Commission 1th of April 2014 A. BORSCHETTE CENTRE , Brussels Content • What is mobile payment? • How big are cyber security risks? • What is the European Commission doing about it? • What is mobile payment? • Some examples • • • • • 1. Contactless m-payment with NFC mobile 2. PayPal / Pre-paid card wireless payment 3. M-payments & ATM transactions using QR 4. M-payments using electronic currencies 5. M-payments using Near Sound Data Transfer and other technologies m-payment with NFC mobile • Options: • Mobile + NFC card - Security equal to security of another NFC credit/debit card Blog.tesco.com • Mobile + secure SIM - Security higher than the security of another NFC credit/debit card • Mobile + secure element in the cloud/software - Android 4.4 (kitkat) can drive the NFC hardware on your mobile phone Security data not yet available but probably lower than NFC card PayPal / Pre-paid card payment • Similar to PayPal(1) from a web browser. • Difference is 2 factor identification based on phone number and pin code. No secure element. • Trusted Service Manager is PayPal that ensures link between credentials of mobile phone holder and linked credit/debit accounts. (1)PayPal used as one example. Description not complete (2) Google’s brilliant plan to get millions to adopt its emoney system: Gmail www.qz.com March 27, 2014 Google e-money M-payments & ATM using QR codes • (1) Text emulation • Fake payment requests? • Security measures? • (2) Real mobile QR payments M-payments with e-currencies • Issues: • Legal base • Trusted service manager? (the network?) • (Security?) M-payment with NSDT & and …. • Characteristics: • Side channel attacks? • Interoperability? How big are cyber security risks? Size of the market?(1) Usage of different means of accessing banking services • — Security Concern reason for 69% of non-users. • — Share of m-banking consumers that are unbanked is 11% (1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014 How big are cyber security risks? Age profile(1) Use of mobile banking in the past 12 months by age (%) (1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014 How big are cyber security risks? • How secure?(1) • Survey results (1) Consumers and Mobile Financial Services 2014, Board of Governors of the Federal Reserve, March 2014 What does the EU Commission? • Data Protection directive/legislation • In place since 1995: Directive EC 95/46 • New legislation under discussion with Parliament to revise the directive into a refreshed legislation • Network Information Security directive (NIS) • Initiative presented by EU commission • Directive under discussion in Parliament • The Cyber Security Strategy • Complements the NIS directive • Links to H2020 What does the EU Commission? Proposal for a Directive on NIS Key elements (1/3) Capabilities: Common NIS requirements at national level NIS strategy and cooperation plan NIS competent authority Computer Emergency Response Team (CERT) What does the EU Commission? Proposal for a Directive on NIS Key elements (2/3) Cooperation: NIS competent authorities to cooperate within a network at EU level Early warnings and coordinated response Capacity building NIS exercises at EU level ENISA to assist What does the EU Commission? Proposal for a Directive on NIS Key elements (3/3) • Risk management and incident reporting for: Energy – electricity, gas and oil Credit institutions and stock exchanges Transport – air, maritime, rail Healthcare Internet enablers Public administrations What does the EU Commission? • The Cyber Security Strategy Thanks