Software has the last word for PIN entry
According to Eurosmart, over 8 billion secure elements will be shipped this year, growing 9% in 2015 and possibly reaching 12 billion units in 2020. Secure elements mostly come in the shape of SIM cards for telecom applications, representing over half of the total shipments, followed by secure chips for banking (actual smart cards, authentication dongles and payment terminals) at less than a quarter of the global volume.
Interestingly, among all secure elements, NFC-enabled SIM cards are the fastest growing, set to nearly double from 350 million units shipped in 2014 to 600 million for 2015. This is probably what made Oyvind Rastad, chairman of Eurosmart, say for the third year in a row that “Next year will be the year of NFC”, and NFC-based Apple Pay and Google Wallet touch-and-pay solutions will certainly boost consumer awareness and drive the demand for more NFC-based applications.
Until recently, PIN entry was only certified secure through hardware entry solutions including a bulky physical keypad. So far, PCI-compliance restrictions have prevented the design of sleek touch-screen only point-of-sale terminals, something that would better reflect today’s modern smartphone designs.
At Cartes, Danish exhibitor Cryptera A/S (recently acquired by Diebold Inc. for its expertise in the manufacture of secure PIN entry pads) announced CryptoTouch, claimed to be the first encrypting PIN touch screen application to comply with Payment Card Industry (PCI) security requirements.
The CryptoTouch application encrypts all PIN entries users make on touch screen interfaces, from automated teller machines (ATMs) to point of sale (POS) devices and other unattended payment terminals.
Here is an opportunity for terminal manufacturers to move away from the traditional mechanical keypad to a more versatile and adaptive touch screen interface. The solution relies on a purpose-built secure module, the ETS 6200, combining logical and physical security measures. The polymer-enclosed unit includes a PCI-approved encrypted touch sensor for standard screen sizes from 12” to 24”, it also supports 3DES and remote key loading. The company also claims that the use of touch screens also mitigates the risk of fraudsters replacing or tampering with mechanical encrypting PIN pads.
But what about camera skimming and shoulder surfing on such touch screen PIN interfaces?
This is an area that German startup siOPTICA GmbH is addressing with a switchable privacy optical filter. As Dr. Markus Klippstein, CEO of siOPTICA GmbH told us, siOSwitcha combines a passive polymer display overlay designed with proprietary patterns that affect the optical path in such a way (a bit like the simpler parallax barriers used on cheap animated postcards) that dedicated display software can be used to scramble the side views only both from specific horizontal and vertical viewable angles.
The overlay is 90% transparent, maintaining a bright crisp image, yet it completely blocks unauthorized side views and the privacy effect is switchable by software and on-demand for either the full screen or part of it. This has to be compared with existing privacy filters that typically darken the whole screen (about 40% of brightness loss) but still fail to completely block side-views as a faint image can still be seen under the restricted angles.
For battery-operated devices, this is a clear winner as it allows the reduction of the display illumination. The software solution can even take eye tracking into the equation to implement a sweet privacy spot (scrambling the display just outside the first user’s direct view angle). What’s more, the PIN pad can easily be moved around the screen or scaled to increase anti-skimming protection.
One of the finalists for this year’s Sesames Awards both in the Identification/ID cards/health/e-government and the Banking/payment/e-transactions categories, Norwegian startup Zwipe AS was exhibiting a mockup of its biometric payment card.
Mid-October, the company announced a partnership with MasterCard for the launch of the world’s first contactless payment card featuring an integrated fingerprint sensor. To eliminate privacy issues, cardholder fingerprint data is stored directly on the card’s secure element, not in an external database. The card is activated by pressing your thumb (or any other previously enrolled finger) during the swipe over an NFC card reader. Here the biometric authentication replaces the PIN entry, securing payments of any amount, wirelessly.
The card is built from commercially available components but the real breakthrough came from software, told us Gildas Chabot, lead technical developer at Zwipe.
“By developing proprietary biometric algorithms and by pushing NFC-based energy-harvesting beyond what is commercially available, we were able to design a contactless card that is also battery-less”, explained Chabot, “something that a lot of other companies have tried to do before without success”.
Naturally, the card has no battery lifetime limitations either and is more reliable than battery-enabled alternatives.
“It took us five years of development to optimize our fingerprint processing algorithms in such a way they would be power efficient enough to run from RF-energy harvesting”, added Chabot. The company is ready to licence the IP on both its software and RF-energy harvesting solutions. It could also deliver embedded modules for medium volume orders.
Visit Cryptera at www.cryptera.com
Visit siOPTICA at www.sioptica.com
Visit Zwipe at www.zwipe.com
Related articles:
Consumers have a say at Cartes
Will e-payment become Smartphone-centric?
Smart card payment terminals go mobile
Is NFC there to stick? A report from CARTES