Yesterday, I attended the Mobile Barcamp on Security at ETSI. Even though attendance was rather low, the exchanges were interesting, and the unconference format made them even more interesting. It was my first Barcamp, and I really enjoyed it.
Among the news and messages spread during the meeting, one struck me, even though it is not all that new. OMTP has issued the OMTP TR1 set of recommendations for an Advanced Trusted Environment. These recommendations are quite significant, and include a full Trusted Execution Environment (TEE) that is able to run trusted code on the device.
The interesting news comes from the UK Home Office. Back in May 2009, when the latest version of OMTP TR1 was issued, the Home Secretary issued a congratulatory note encouraging the use of TR1, with numerous quotes from various crime-fighting units as well as executives from Vodafone and Motorola. So far, nothing really big.
Things got better in October, when the Crime Reduction unit of the Home Office issued the Contactless mobile phone payments – Best practice guidelines document. The document is interesting, proposing a few classical security guidelines, like mandating a PIN code for transactions over £10, requiring a single number for reporting the theft or loss of a mobile, and, of course, disabling any payment app tied to the mobile together with the mobile subscription when such a report is made.
But the interesting point here is that this document somehow assumes that the mobile device follows the OMTP TR1 requirements, and therefore includes a trusted environment. Here is the paragraph:
It is expected that user verification (for example a passcode) for contactless mobile transactions above the prevailing payment industry agreed maximum contactless value (currently £10) will be required so as to add an additional level of security to that already provided in the mobile device. (1)
Of course, the (1) is a reference to OMTP TR1, through the previously cited endorsement by the Home Office. Having TR1 “already provided in the mobile device” would be really interesting, and a step in the right direction for security. Now, let’s just wait and hope that this actually happens in the mobile payment deployments in the UK and elsewhere.