Unresolved Issues Swirl Around Securing Mobile Payments

CowboyRobot writes "While many mobile payments startups are using both traditional and nontraditional authentication methods, regulatory uncertainty still exists around liability for fraud attacks on customers using mobile payments. Although there haven't been any public attacks from fraudsters on alternative mobile payments providers such as Square, LevelUp or Dwolla, anecdotal stories are already circulating among security experts and regulators of such attacks. One thing that still has to be worked out in this area is regulatory oversight. 'The regulators are not yet clear who owns the regulatory oversight for these environments. These technologies tend to fall through the cracks even in terms of card-present or card-not-present.'"

Nothing Funny Here Yet?

[Jeremiah+Cornelius]

I await Frist PS0t crunchiness - especially with a gimmee, like "Swirl", in the post title!

2 degrees compared to what? And over how long?

[ksandom]

For anyone else that was curious about this, I found this two links deep:

That means it’s becoming increasingly difficult for the world to meet its professed goal of limiting global warming to 2C (3.6F) above pre-industrial levels.

Re:2 degrees compared to what? And over how long?

[girlintraining]

Dude, wrong article. Next time, check the title in the tab before you click submit. :/

Re:2 degrees compared to what? And over how long?

[Synerg1y]

Epic fail!

Re:2 degrees compared to what? And over how long?

[ksandom]

Yup. Apparently I are too much awesumz cereal that morning. My bad.

Phones

[girlintraining]

Phones aren't secure because most people don't put a password on them, and any app you run for mobile payments on top of that can be hacked, since once you have physical access to the phone, you're pretty well doomed.

Just stick with the damn cards. If you lose it, your bank will send you a free replacement, and it's instantly disabled. The same cannot be said for access to your accounts with your phone, for which you will not receive a free replacement, and you may have to close your account since unlike a card, your login, password, social security number, date of birth, access to e-mail account, oh... and probably the phone number the bank would call you back at to verify your identity... are now all in the hands of the criminal.

Re:Phones

[mlts]

The ironic thing is that this can be easily addressed.

All modern ARM chips have the ability to run multiple "worlds", one secure, one insecure. It would be nice to have the ability to have a secure world just for credit card payments, having it use two forms of authentication on that app (face, fingerprint, and/or PIN.) Then, the other world would have the usual phone apps. This way, even if a thief gets the phone and it is unlocked, the critical banking stuff is protected at a low level, and too many guesses at the PIN will result in the partition with the Square or PayPal app getting erased.

On a more general level, it would allow a device to have one partition for work stuff, one for home.

Re:Phones

[Roogna]

Heck, I would LOVE to see 3 security settings. I keep my phone locked with a reasonable length password, but there's a definite tradeoff between security and convenience. I've wondered for ages why I can't actually have 3 settings:

Apps that are accessible no matter what with no password or anything. I mean honestly, I don't even care if someone uses the calculator on my phone. There's a number of apps I'd drop in here for use at any time.

Apps that require a simple pin. I for instance would put apps that require data usage in this, but don't actually have personal data. But don't need anyone who potentially gets ahold of my phone wasting my battery on burning through costly minutes/data without at least some effort (A pin would slow them down enough that if it was actually stolen I could very likely have already noticed and erased the phone), Turning the phone off and on should also require this at a minimum.

Apps that require a strong password. Banking apps, the web browser, anything that I feel contains personal data. Most of these apps probably also contain their own strong password requirements, and I don't mind having to enter a password to get to the app, to enter a password to verify the service.

While there'd be something to be said for more levels than this, I'd say 3 is something that pretty much anyone could wrap their heads around with a minimal amount of instruction if needed.

Re:Phones

> having it use two forms of authentication on that app (face, fingerprint, and/or PIN.)

Face / fingerprint scanners dont work.

Google around. Fake fingerprints can be made by laser printers. Face recognizers are defeated by photos of the person.

Re:Phones

[jbmartin6]

I would love to see this as well. It is ridiculous that I can't make an outbound call while driving without having to risk death by unlocking the phone first. Yes, I know iPhone allows this. Anyway, this shouldn't be too far off the map there are apps already that provide a sandbox for corporate environments. Seems like what you describe isn't too far off that path.

Re:Phones

[Synerg1y]

You mean like Linux's SU system? lol On Android the backbone exists, but it hasn't been implemented for this, IOS too I believe. Of course, if payment isolation were to be taken seriously on the android, all the little unlockers / root apps would have to reconsider how they unlock the phone, or at least give a choice to the user.

Re:Phones

Ummm... My phone is already a target for thieves, yes access to my accounts can be instantly disabled remotely, and my phone is encrypted and locked to buy me time to do this.

My credit card, on the other hand, is more easily lost, less likely to be noticed when it's gone and has secure information printed in plaintext on the front. Then we can get into the prevalence of card skimmers vs. somehow hacking a secure app on a trusted appstore.

Mobile payment systems change the attack surface, but the existing system is so horribly broken you need to do a lot of drugs to think plastic is somehow more secure.

Re:Phones

[stephanruby]

Just stick with the damn cards. If you lose it, your bank will send you a free replacement, and it's instantly disabled.

So this won't affect Square at all. Square is for accepting payments, by sliding a card through it.

The same goes for LevelUP, LevelUP is the equivalent of keeping a photocopy of your credit card (both front and back) in your wallet. You lose your wallet, you've obviously lost your card.

The only example where things get dicy is this Dwolla payment solution. Dwolla is for account to account transactions (without going through Visa or Mastercard). It's a lot cheaper because of this, but then, you don't have any of the traditional protections for fraud (unless they're spelled out separately specifically in their terms of use, which honestly, I haven't even bothered to read).

Re:Phones

It is ridiculous that I can't make an outbound call while driving without having to risk death by unlocking the phone first.

Don't make calls while driving. Please.

Re:Phones

[Shoten]

The ironic thing is that this can be easily addressed.

All modern ARM chips have the ability to run multiple "worlds", one secure, one insecure. It would be nice to have the ability to have a secure world just for credit card payments, having it use two forms of authentication on that app (face, fingerprint, and/or PIN.) Then, the other world would have the usual phone apps. This way, even if a thief gets the phone and it is unlocked, the critical banking stuff is protected at a low level, and too many guesses at the PIN will result in the partition with the Square or PayPal app getting erased.

On a more general level, it would allow a device to have one partition for work stuff, one for home.

This isn't actually so easy, it turns out. You're describing what's called MLS, or Multi-Level Security. The NSA has tried this on servers, on workstations, and most recently on phones. It's incredibly hard and the underlying system ends up either having security flaws or major usability issues, and either situation costs a fortune. They've ended up giving up on doing it for mobile devices; what they ended up with weighed over a pound and cost thousands of dollars per device. There are some features it has that wouldn't apply here...but the MLS challenge still has yet to be solved in a way that satisfies, on any platform. This "partition" you talk about has to be done in the OS, not the chip.

Separating things in the chip isn't even half the battle. What, do you run two instances of the OS? Have two separate storage areas? IOS has sandboxing of applications built in, but half the point of solutions like Square is that they can run on multiple types of devices...what if it's Android? It's not just a matter of telling the chip, "oh, this is that OTHER reality..." and walking away proud. If there's not a sandbox around access...in storage, transmission (remember, devices like Square use the audio jack) or in temporary processing in memory, then you don't have separation.

Re:Phones

Why do you need to unlock your phone? Why do you even need to handle your phone. Press the button on your handsfree kit or earpiece, say "call [whoever]" and job done.

Are you the same guy that wanted to use his laptop when driving from that other thread?

Re:Phones

[mlts]

Seconded (thirded).

First, I'd like the OS to prompt for a full password on bootup. This ensures that someone expecting they can reset the device ends up not just dealing with a 4 digit PIN, but a much longer passphrase before they can use the device.

Second, app functionality that can be run from the lock screen. This way, I can tinker with the playlist, read from the Cracked app, or look at a calendar. The apps would work in a restricted context there. If I wanted to add an entry, then I'd have to unlock and run the app.

Third, have extended password protection be part of the OS. One can sort of do this with iOS and locking out restrictions, but that then has to be turned off when the app needs to be used, then back on.

Offer options where the protection can be a common PW across all "enhanced security" apps, or each app can have its own separate PIN/password/passphrase. Then, if it is guessed wrong too many times, the app is deleted, and its data overwritten. The OS could even use a volume key similar to TrueCrypt and create loopback mounts with the passphrase unlocking that, and on erase, ensuring the volume key is unrecoverable.

Another feature of selective protection is the ability to remotely just zap those applications with the high security data, but keep everything else. Someone's progress in Angry Birds is less of an issue than the stuff stored in an Exchange mail client or a banking app. It also allows the user to still be able to track the phone via GPS while making sure sensitive data is rendered permanently inaccessible to the would-be thief.

Re:Phones

No, it can't be "easily addressed" because you still have people needing to inconveniently enter whatever-the-hell credentials in order to get into the "secure" world. If people were ok with doing the necessary data entry, then you wouldn't even think of using the partition/vm/sandbox/whatever_you_call_it merely for paying for things; you'd run every single application in a different one.

No matter how you slice this, you're going to have a user interface problem. People want to just pick up their computer and start using it, and be magically authenticated. And they want other people who pick it up, to magically not be authenticated.

Solve the UI issue and then people will use that particular ARM feature or something else (any of the other solutions that have come out over the last 40 years; an 80386 or 68020 from the year 1985 has pretty much everything you need).

Re:Phones

It is ridiculous that I can't make an outbound call while driving without having to risk death by unlocking the phone first.

Same here, when I'm piloting an F16 on a bombing mission, it sucks to have to reach to unlock my phone just as I'm shooting missiles at a military target surrounded by civilian structures.

Re:Phones

Sticking with the damn cards could be interesting. Since the banking SmartCards are based on the exact same specifications as SIM cards, imagine a phone with multiple SIM slots. The extra cards could handle all the security the financial entities want, and the phone OS never sees that data. This also has the advantage that your device tells you how much you're being charged, preventing thieves from doing skimming, since you see the amount being charged on a device you control. As a bonus, another card you control could be used to encrypt the data on the phone's flash memory, so everything disappears if it leaves your possession.

Re:Phones

[davecb]

MLS isn't hard to build the infrastructure for, or hard to use, but to understand it well enough to sysadmin takes a week course with tons of exercises, and really makes your head ache. Been there, did that, ran Trusted Solaris at home. That eventually got repackaged into zones, to simplify it into reasoning about separate virtual machines.

I run zones and SE Linux these days, which is a Trusted system with the levels and categories left out for a simple single-level system with pretty reasonable results.

Alas, to get the security I'd want for fairly basic banking services, you're back into writing proof schemas to figure out if you have your MAC access rules right. That's harder than just sysadmining the darned things. Unless your name is Ron Rivest, don't go there (:-))

--dave

Re:Phones

[Jane+Q.+Public]

There are far more severe issues.

NFC, for example, was barely off the shelf before a "security researcher" managed to pull usernames and passwords from them, from several feet away, when they weren't even being used.

Using active radio transmission to make payments is just plain a bad idea. Even if it's "near field". Because it's only "near" when the person next door doesn't have a huge antenna pointed at the place of transaction. (Which the researchers did not have or need, by the way. Just an example.)

I agree with you; just use cards. They are perfectly adequate for the job and far more secure.

Re:Phones

Put a simple password on them, gives you access to a limit, say $100. Excellent for some quick shopping. You used up half that limit, at midnight it resets, no need to do anything.
You want to buy something that costs above that limit? Then input another code, longer, but much more secure.

If anyone steals your phone, worse case scenario, they steal up to that limit, giving you plenty of time to do something about it.

It's something that would seem designed for children, but it's the adults that would benefit the most.

Re:Money is overrated

[Attila+Dimedici]

That is an interesting definition of freedom: a society where the organization that replaces government will tell you what you must do and give you what you are allowed to have.

Who's liable for bitcoin fraud?

Who's liable for bitcoin fraud? Oh, right, nobody. Legal problem solved.

if it's digital

it can be hacked.

cash is probably safer carry these days than your iphone, ipad or ipod....

Re:You don't know what communism is.

[Attila+Dimedici]

You apparently don't know human nature.

Securing IMMOBILE payments is brutally hard!

[davecb]

A recent article in the Communications of the ACM pointed out that the banks have massive expenses securing and paying for failed security in ATM payments, so expect it to be much worse with mobile.

See Simons and Jones, "Internet Voting in the U.S.", CACM October 2012, p 68, "However, banks routinely and quickly replenish funds lost to online fraud in order to maintain public confidence". This was part of a discussion of why voting is claimed to be safe, based on the fallacious assertion that online banking is safe.

--dave

Re:Securing IMMOBILE payments is brutally hard!

Working for a POS vendor that is adding mobile payments, I can tell you that mobile payments will benefit from two things:

1) Vendors have had to radically improve security to pass PCI. PCI is surprisingly strict in some areas. Medium and small vendors can't weasel their way out of doing at least some good security work for PCI. It's PCI or you're out of business. A lot of PCI is a joke, but it gets you thinking about your architecture and you improve things that were never part of the requirements (in addition to all mandatory improvements).

2) Credit card processors are moving to a one-time token. The credit card is immediately thrown out and securely overwritten once authorized. I can tell you that at least one mobile payment vendor is switching to a one-time token. I don't know what the ETA is. With both you have the same type of architecture and methodology where there is no way to reuse payment credentials for fraud. And with the token, the door is completely shut at the close of business, when you can't even add a tip.

Re:Securing IMMOBILE payments is brutally hard!

I would think that mobile payments have the ability to be even more secure than traditional payments. The main reason for this is that tablets and phones all have cameras. Why not, instead of a signature, require vendors to take a picture of the person using the credit card.

Absent collusion from the vendor, you've either got a photo of the cardholder, which should convince the cardholder that they were responsible for the transaction, or you've got a photo of the person illegally using the card which should aid police in tracking them down. On top of that, you could use facial recognition to flag certain people as perpetrators of fraud and prevent them from using any credit cards, including their own.

Re:Securing IMMOBILE payments is brutally hard!

[davecb]

That assumes that PCI isn't the standard the banks are using now, and would be capable of cutting their losses (:-))

Re:Money is overrated

Communism doesn't define any organization replacing government... in fact, what you're thinking of is a totalitarian government (not an organization replacing government at all...), which could just as easily be happening with capitalism as communism. There's even anarchist communism, which is actually a very interesting way to live (I got to experience it for a couple of years, personally, until life took me out of that community and I went to living on my own).

Summary wrong

[Firehed]

From TFS:

These technologies tend to fall through the cracks even in terms of card-present or card-not-present

The only way to perform a card-present transaction and get the better discount rates and lower fraud liability is to provide the magnetic strip data. Anything typed in is considered card-not-present, even when you type it in when the card is in your hand (otherwise merchants would just lie and get the better rates).

What this brings about is the question of how merchants are verified as the line between consumer and merchant is blurred... there's no significant change in how things are actually processed behind the scenes, no matter how pretty the UI. It's a bunch of cryptic nonsense based on IBM mainframes from the '70s. Ever seen the integration spec on one of those bad boys? It's nasty - to the point where going truly direct requires a PCI-certified dial-up modem or dedicated leased line installed in your locked cage in your datacenter. Thought using a SOAP API sucks? Try translating your ASCII to EBCDIC before sending it over protocols that predate TCP/IP.

Re:Summary wrong

Meh, Try using ISO 20022.

Re:Money is overrated

[scared+masked+man]

Money is not itself contradictory with a communist system: indeed, if you have any luxury or freedom of choice you need money to ensure fairness. Let's imagine you'd like to play the violin, and I'd like to go golfing. How do we decide what golf clubs are equivalent to your violin? Clearly, it is a question of how much work went into making them, and what raw materials were required. As soon as we allocate a relationship between an hour of work and a lump of iron ore or bauxite or wood, we have money. Now imagine I like running instead: all I need are some shoes and time. Does that mean I can work less, since I am using less of other people's work? If you want lessons, do you need to work more to compensate society for the productivity you are consuming?
Even when it comes to essentials like food and housing, unless we all have the same thing or are fed out of common canteens, we run into the barter problem, so money makes it easier to get a fair distribution.

Of course, if there were no freeloaders and everyone were competent and attentive, everyone could work out the value of their consumption and self-regulate to make sure they didn't exceed their fair share, but in practice having fixed tokens or their electronic equivalent is rather simpler and more difficult to cheat.

(You also need money to mediate external trade.)

Phones need professional system administration

[gweihir]

Just like every networked computer, really. The interesting thing is that for phones that could actually have been done, as they are closed system and can be remotely administrated. Turns out, a) the providers are not that competent themselves, b) things like "app stores" are far more important that mere security of a device many people store their whole life on. I also have observed that app developers are typically clueless about security and development environment makes it even harder to secure things properly. (The latter from an evaluation we did that was implemented by developers that really understood what they were doing. Even they had huge security gaps, but at least they knew and understood them.) And no, iOS is not better than Android either.

We're trying to figure it out too, believe me.

I'm posting anonymously due to the potential implications of my comments, but the government is trying to figure it out too. Things are springing up so quickly that it's not altogether clear what regulations apply and where. Regulation takes a long time to craft, so the government is sometimes YEARS behind the curve when it comes to applicable regulation and guidance. The most pertinent issue for consumers is clarity on who is liable in event of a dispute, which is a fairly murky area right now. The saving grace in many cases is that these transactions are being completed by credit card, which means that the protections offered by the credit card regulations apply in many cases.

The biggest regulations that currently apply to these types of transactions are Federal Reserve Regulation E (http://www.federalreserve.gov/bankinforeg/regecg.htm) and Regulation Z (http://www.federalreserve.gov/bankinforeg/regzcg.htm).

Square's reader has no security

Exploring the security of the Square reader unearths interesting results. Using their reader (and presumably PayPal's, BoA's) as a basis for a credit card skimmer isn't easy, but it sure is straightforward. That leads to an interesting set of "plays", like playing the audio of the credit card read back into Square. Technical details here: https://theotigerblog.wordpress.com/2012/04/07/squareskimmer/
Theo

security through insurance

[mcelrath]

So payment security comes down to insurance and legal liability? Fuck that. Truly secure transactions are well within or means, and have been for decades. I want neither to lose my money, nor to funnel billions to criminals through insurance premiums.

Try again, you jokers.

hint: chip and pin, two factor authentication, and private keys for cardholders are good starting points.

Re:security through insurance

Hey , you're completely right about chip and pin, and clearly I do not understand why chips are not used in US. In Europe, most cards have chips. Forging a magnetic stripe is incredibly simple.
Last Friday we had fraud attempts originating from US ( New York) about VPay cards(chip only cards): the frauder attempted to send magnetic stripe data built from guessed card numbers but , of course without any pin encrypted block ,,, the attempts were rejected by Visa , and Visa sent us advices though the Visa network.

Now if the cards numbers were valid and matching chipless cards , the real cardholders would have been charged.

So, while pin and chip method has some vulnerabilities I won't discuss here, it is fare more secure than magnetic stripe only.

For internet based payment, there is now 3D secure which adds some security, but it's not perfect. A better alternative is using a one time password method.

( I work in an issuer/acquirer institution )

Cheers