Host Card Emulation - the ability to emulate a payment card on a mobile device without depending on special Secure Element hardware - opens a whole new chapter for mobile payment applications, which have recently been springing up like mushrooms after the rain of HCE. But will these "mushrooms" turn out to be delicious, barely edible, or maybe rather poisonous? Does the security assured by the vendor always reflect the actual implementation? What could possibly go wrong? How could these applications be attacked? Based on several assessments, we will answer these questions and leave the audience with best practices on how to mitigate the risks.
Understand what Host Card Emulation is, how the technology works and what the limitations are
Determine what security features are ensured at the OS level, and what is left for the mobile application developers
Identify possibilities to attack mobile payment applications, attack conditions and risks
Analyse implementation shortcomings captured during assessments
Identify security mechanisms that can be implemented to mitigate the risk, along with guidelines and best practices