In general, mobile terminals, such as, for example, smartphones, personal computers, digital tablets, or the like, or any other connected device including devices belonging to the Internet of Things (IoT) may execute transactions, such as e-commerce transaction or fund transfer. These transactions, however, raise security problems, notably because “malicious software” or “malware” may be executed by a processor (e.g., CPU) of the terminal. The malware may be able to access all or a part of the memories accessible by the processor, and thus may be maliciously configured to spy on any transactions executed by the terminal and obtain any data manipulated during these transactions over a network.
To ensure the security of such transactions, one method is to entrust cryptographic computations to a dedicated secure element, such as a processor of, for example, a UICC (“Universal Integrated Circuit Card”) card, and a SIM (subscriber identification module) card, in which cell phones are generally equipped. Further, in order to be able to execute one or more payment applications, the secure processor must be able to store as many secret cryptographic keys as there are payment applications. However, loading an application into the memory of the above-mentioned secure processor is a complex operation that needs to be highly secure. Specifically, it involves external parties such as Trusted Service Managers. For instance, since SIM cards are issued by cell phone operators, the latter may refuse to have such applications installed in the card. Furthermore, in the event of theft, or during maintenance of the telephone, the processor of the SIM card may be hacked by a hacker seeking to discover the secret keys stored in its memory.
In addition, accessing the secure functions installed in the processor of a SIM card generally entails inputting a secret code (PIN code) by means of a keypad or a touch-sensitive surface connected to the main processor of the terminal. In a typical configuration, the secret code input by the user necessarily passes through the main processor. Malware executed by the main processor can therefore access this secret code.
Further, to secure transactions performed using a terminal connected to a web site, one method may be to use a single-use secret code which is transmitted to the user each time a transaction needs to be validated. One solution is to transmit the single-use secret code to the user via a distinct communication channel, e.g., via a phone link or SMS (Short Message Service). The user may be required to input the received secret code on the terminal to validate the transaction. Another solution is to provide an additional hardware device to each of the users. This device may generate a single-use secret code after an authentication of the user by means of credentials, such as a password or biometric data. However, the above-mentioned solutions are burdensome for the users who do not always have nearby a phone or mobile or wireless network coverage (or the additional hardware device), when validating a transaction. Further, the solution requiring the additional hardware device is costly for organizations (e.g., banking). In addition, the solution using a secret code transmitted by SMS does not provide sufficient high security level since it has already been subjected to successful attacks.