A. Technical Field
The present invention relates generally to an embedded secure element in an electronic mobile terminal, and more particularly, to systems, devices and methods of incorporating the embedded secure element into the mobile terminal for authentication, storage and processing in trusted transactions.
B. Background of the Invention
Not until recently, financial transaction has been implemented by a limited number of methods, including face-to-face cash exchange at bank or sale counters, automatic teller machine (ATM) transaction, credit card payment via a specialized reader, and internet transaction by inputting credit or debit card information. Although face-to-face transaction has been the most conventional business method for many centuries, the ATM machine, credit card reader and internet emerged and dominated as secure point-of-sale (POS) terminal devices during the last few decades. These secure POS terminal devices are normally hardwired to the telephone network or internet, and can read account information, contact the bank and transfer approved monetary amount. They may also have the capability to authenticate the cardholder through its PIN code or through biometric means. These POS terminals have been widely applied in retail and hospitality industries.
Regardless of the POS terminals, customers have to carry a debit or credit card which is embedded with a magnetic strip or carries an integrated circuit. The magnetic strip is used to store the customer's personal account information. In most debit or credit cards, authentication of a cardholder is limited to the cardholder's signature and/or a password, such that minimum efforts are required from the cardholder and the technical barrier may be significantly reduced for average people. Despite its convenience for use, credit cards are always faced with security threats. Once a thief steals a card, he or she may conveniently fake the signature, or decipher the password that sometimes includes only four digits.
A variety of technologies are used in the POS terminals to maintain security of the sensitive account and transaction information. The ATM machine adapts anti-tamper circuitry and physical security mesh to prevent tamper attacks by thieves. Financial transaction via the internet may involve additional authentication and encryption for data exchange between local computers and remote servers that are owned by the banks, credit card companies or retailers. Although these anti-tamper technologies have made significant progress, security of POS terminals is always a concern as the tamper attempts are more and more sophisticated.
Mobile phones were initially introduced as communication terminals to receive and make phone calls via a radio link, but they have recently been used in financial transaction. Application of mobile phones has dramatically changed our traditional perspectives on the POS terminals by allowing each individual customer to own his or her own financial terminal. Unprecedented flexibility and mobility is promised by this new trend. In particular, a term, “mobile banking,” is developed concerning financial activities via a mobile device, including balance checking, bank transfer, and credit card payments.
In mobile banking, the conventional mobile phone may be conveniently configured to a mobile POS terminal by a software application. The software application is installed on the mobile phone upon a request by the user, and normally each retailer or bank may support its own application that has a unique interface. User name and password for each bank or retailer may be conveniently remembered by the application. The mobile POS terminal optionally includes an accessory card reader to read the account information from the credit or debit card; however, the information may also be directly input by the user through the keyboard or touch screen of the mobile phone. Therefore, the mobile POS terminal has been configured as a combination of a card reader and the internet except its capability of wireless communication.
Near Field Communication (NFC) technology has introduced another mobile payment scheme. More specifically, NFC-enabled mobile phones are equipped with an integrated circuit connected to an antenna allowing it to communicate through radio with other objects in a short range, typically 0 to 10 cm. As per the NFC ISO standard 18092, an NFC reader can establish a contactless radio communication with an NFC enabled handset in so called card emulation mode and run a transaction. In this situation, the mobile device behaves like a contactless smartcard. The NFC enabled handset enables an electronic financial transaction as a card with magnetic stripe or traditional smartcard does, except that NFC communication exempts a requirement for physical contact between the card and the reader.
Although the mobile phone itself provides one more layer of password protection, security features for mobile banking are limited and cannot compare to the existing security levels in the conventional POS terminals. When the user name and password are remembered by the software applications, anyone that hackled the mobile phone can get access to the account. Authentication and encryption techniques are similar to those applied in conventional financial transaction via the internet. Therefore, although the existing mobile banking has fundamentally changed the format of financial transaction, security in a Secure Digital (SD) memory card or as a smart card, such as a subscriber identity issues are never addressed, and to certain extent, are even compromised to gain the benefits of flexibility and mobility.
In some state-of-the-art mobile terminals, the main processor may have a trusted mode of operation, and removable secure elements might be integrated module (SIM) card or a universal integrated circuit card (UICC), to create secure environments for trusted transactions. Logical separation of software execution is created in a trusted mode of operation for sensitive applications in addition to a normal mode for non-sensitive applications. However, physical security for tamper resistance is not available for this trusted mode of operation or any of these cards that are converted from the conventional cell phone hardware.