Thursday, February 18, 2010

Is the time ripe for electronic cash?

So-called EMV cards, known to many as "chip and pin" cards, were marketed to consumers, merchants and regulators alike as a big step forward in security. In some ways, they have now come to look instead like a clever way for banks to shift liability away from themselves - leaving merchants and consumers holding the short end of the stick.

A draft version of a whitepaper named Chip and PIN is Broken is out there for those of you who are interested in the technical details. (Much of the paper is in fact quite understandable even if you have little technical knowledge but understand general security concepts like authentication [establishing identity], authorization [establishing whether or not something is allowed by some party], and so on - or if you're reasonably smart and not unwilling to make some effort.)

I invite readers to take in the paper in full, and it will not be my main focus in this post, but as a service to the less technically inclined or just plain too-busy reader (or the lazy ones - there, I said it), I've made a short list of bullet points to summarize the bits I consider particularly informative. If you are familiar with the paper, you may want to skip the next paragraph.

Pertinent points from "Chip and PIN is Broken":

  • EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation.
  • The flaw allows a stolen "chip card" to be used with any PIN code, even in online transactions. What is worse, the merchant's records will indicate that the correct PIN was entered. The bank records may include information that can reveal this attack was used, but the data intended to show whether a PIN was used will indicate that the correct PIN was entered. Therefore, victims of this type of fraud may have difficulty getting their losses covered and may be accused of lying or negligence. There is at least one case (in the UK in 2009) in which both the bank and the adjudicator relied explicitly on the flawed data to incorrectly assert that the correct PIN had been entered in refusing to refund the customer.
  • The attack, while difficult to discover, is quite easy to carry out and does not require expert-level engineering skills to perpetrate. 
  • Technical stuff: The protocol has a serious flaw which means that the "verify PIN" operation is not authenticated. A merchant terminal cannot establish "who is answering" when the terminal (having asked the user for the PIN) asks the card if "0000" is really the correct PIN. This opens the door for a "middleman" attack where the "verify PIN" request is never sent to the real card, and a fake card simply responds "yes" (0x9000 if you must know) no matter what PIN code it is asked for. There is a subsequent - and authenticated - step in the protocol where the card gives final authorization, but it will do so despite never having been asked for a PIN code, because what the card has seen is the same as what it normally sees in a transaction that is authorized by a pen-and-paper signature.
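
A simplified model of the consistency check a bank could run on its own records, added here as an example (it is not code from the paper or from any EMV implementation): the card's authenticated data records whether the card itself verified a PIN, the terminal's report is unauthenticated, and the issuer compares the two. The field names, the HMAC construction, the key and the sample records are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the secret shared by card and issuer.
CARD_KEY = b"constructed-demo-key"


def card_mac(card_view, key=CARD_KEY):
    """MAC over the card's own view of the transaction (the authenticated step)."""
    payload = json.dumps(card_view, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_txn(amount, card_verified_pin, terminal_cvm):
    """Build one constructed record as the issuer would receive it."""
    card_view = {"amount": amount, "counter": 1, "pin_verified": card_verified_pin}
    return {
        "card_view": card_view,
        "card_mac": card_mac(card_view),
        # Unauthenticated: whatever the terminal believes happened.
        "terminal_report": {"amount": amount, "cvm": terminal_cvm},
    }


def issuer_check(txn, key=CARD_KEY):
    """Classify a transaction using only data the card authenticated."""
    card_view = txn["card_view"]
    if not hmac.compare_digest(card_mac(card_view, key), txn["card_mac"]):
        return "reject: card data not authentic"
    if card_view["amount"] != txn["terminal_report"]["amount"]:
        return "reject: amount mismatch"
    terminal_says_pin = txn["terminal_report"]["cvm"] == "pin"
    if terminal_says_pin and not card_view["pin_verified"]:
        # The terminal's "PIN verified" is not evidence about the cardholder.
        return "flag: terminal reports PIN, card verified none"
    return "ok"


if __name__ == "__main__":
    samples = {
        "pin, both agree": make_txn(2500, True, "pin"),
        "signature, both agree": make_txn(2500, False, "signature"),
        "views disagree": make_txn(2500, False, "pin"),
    }
    for name, txn in samples.items():
        print(f"{name}: {issuer_check(txn)}")
```

The point of the model is that a dispute should be decided on the card's authenticated view, not on the terminal's claim that a PIN was checked.
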

There are lots more interesting points raised in the paper, in particular with regard to the history of the protocol and how the banking industry has chosen to do precisely the opposite of what every leading security expert on the planet has been loudly advising for at least a couple of decades. Rather than openly discuss the protocol and subject it to scrutiny from any security expert (or wannabe) who'd like the challenge, the industry has tried to keep things as secret as possible. I actually laughed out loud at the authors' dry remark "nothing implemented by 20,000 banks could have been kept secret", but perhaps I should have been crying. To be fair: This was not quite a case of "security by obscurity" - the protocol was supposed to withstand any murky intentions of anyone who knew all its details, but it is still startling to see that the industry is so arrogant as to ignore advice that is almost universally accepted as "best practice" by security experts.


Yeah yeah, but get to the point. What does this have to do with electronic cash?

In a way, nothing at all. But then again, maybe a lot. As I tried to ask myself what sort of changes one ought to make in order to make electronic transactions more secure it occurred to me that one limitation very likely stems from the capabilities of the chip itself. More specifically, from its computing power. I am not an expert on encryption algorithms, but I do have a reasonable understanding of the principles upon which a few of them work. Especially relevant to this discussion is public-key encryption, such as RSA, and how it is used in certificates, authentication, and establishing a secure communication channel that cannot be tampered with.

I speculate that an important reason why EMV cards do not use industry-standard protocols like TLS at least as a wrapper providing a secure channel for their own protocol(s) is that the limited computing power of the chip would either make transactions slow or force the use of short keys that might more easily be compromised. Another possible reason is that with the EMV protocol (or more precisely "protocol framework", but it's an unwanted digression here, so if you must know just read the whitepaper) there are situations where the message is known, which is helpful to an attacker attempting to crack the encryption.

Whatever the correctness of my speculation, it ought to be obvious that having vastly more computing power available would enable solutions that simply aren't possible with cheap chip cards. So what could replace a card and provide this computing power? It must be cheap, so it probably needs to be something that needs the computing power for other purposes anyway. And it must be something you can always carry with you - or at least as often as you'd carry your credit card (or wallet, if you're as old-fashioned as I am). If you can't think of anything that fits, go read someone else - I have standards, too: It's the PC of course! You should now be ripping your hair out and screaming "what a blatant idiot this guy is!" since it is obviously the mobile phone. It just so happens that I think the mobile phone just became the PC - there's something a bit silly about calling the device we're talking about a "phone" when the phone is but an application among thousands on it, never mind GPS receivers and accelerometers. (Of course not everyone has a phone that fits this description today, but everyone will soon and that's what matters since it is the future I'm talking about here.)

Here's a rough outline of what I imagine would be a far superior solution to the current credit card system: Add a slot to accommodate a chip much like the one on those "chip cards" to the PC, uh... I mean phone. Just like you can pop in a SIM card from a network provider this allows you to pop in a credit card from your "electronic payment solutions provider". This card will store the certificate issued by your bank, and software on the phone, itself digitally signed and equipped with a certificate, is the only client it will speak to beyond "hello, who are you? Please authenticate yourself." and a polite "sorry, I don't seem to know you" if anyone but this software should be asking.

The devil is in the details and I'm not the one to hammer them out anyway. So let's pretend this can be done securely and examine what then happens. I'm sure (if anyone reads this!) comments will point out the flaws in my described solution, but I also believe that although I may not have gotten the details quite right, something like it is viable - i.e. something that would enable the software on the phone to take over the responsibility for talking to a terminal, while letting the bank issue your certificate only after whatever authentication scheme they would like (such as checking your passport and birth certificate and public address registers and whatever it is banks do to establish the identity of their accountholders).

And that is where it becomes interesting. The technology for electronic cash has already been built. Having your e-wallet in your phone only makes sense, and having actual cash (that is, anonymous money that can be transferred between two parties without any third-party involvement, at least not in real time) offers great advantages to anyone (such as me) who worries that the trail of personally identifiable data our financial transactions create today carries huge potential for abuse of many kinds, whether from governments or corporations. There are forms of digital cash that are recoverable too, so that losing your e-wallet doesn't mean losing your e-cash. And e-cash makes it possible to protect cash payments too with a PIN code or some other authentication mechanism, but with the important difference that it is anonymous. In other words, the authentication here only establishes identity in the sense that it makes the assertion "the payment is authorized by the legitimate owner of the cash".

What else could we do if we moved our credit cards into our phones? Well, a million things of course, but again it gets most interesting with cash. Since cash is transferable between two parties without involving the bank or anyone else, it's suitable for offline use. I think it's time we add an RFID interface to the phone.

This would enable scenarios like these:
  • You walk up to the cashier with your groceries. To pay, you briefly place your phone on (or just over) a sort of pad (the terminal), and the phone displays the transaction details and some UI to let you provide the evidence used to authenticate you - whether that's a PIN code, a passphrase, some multi-touch gesture you've been practicing, or voice recognition + retina scan (with a cellphone camera? That makes me laugh!) for those who watch too much Star Trek. Obviously for PIN it'd be nice to be able to lift the phone off the pad and enter the PIN holding the device whatever way we want to conceal entry from probing eyes nearby, but this shouldn't cause any trouble.
  • You're entering the bus on one of your many trips to Paris. You place your phone on the RFID reader that subscribers to the bus service already use with their Navigo (bus pass, another card to make your wallet unwieldy), and the reader makes the OK noise and shows the green light so the driver knows you've validated.

But wait, I hear you saying. It would be clumsy at best to use the phone and have to go through the PIN (or whatever) process when getting on the bus. If you've used the bus in Paris you'll know this is true - you'd be holding up the always-present (at every stop) line of people trying to get on board. But if the "card application" in the payment process runs on a powerful device like the phone, it can easily be made configurable. We can therefore set policies as to how we want to handle transactions, giving us fine-grained control over how we want to trade off risk versus convenience. For example, I could allow "my card" to pay RATP (the bus company) without authorization for amounts not exceeding €2. I could limit this to no more than twice per day. I could let this permission expire monthly. This should limit my worst-case financial loss if my phone was stolen to €60, and that is if we assume the phone's stolen just after I authorized this for a month and I don't notice I've lost my phone during the next 30 days. With such control possible and even the ability of e-cash to be rendered invalid and replaced by newly issued and valid cash, the possibilities are interesting to say the least.
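
One way such a per-payee policy could be evaluated on the phone, written as an added example rather than code from any existing wallet: a payment skips the PIN only when a rule exists for the payee and the amount ceiling, daily count and expiry date all hold, and every other case falls back to asking for the PIN. The class names, the "Kiosk" payee, the fares and the dates are constructed, and the payee string is assumed to be an identity the terminal has already proven, not a name it merely displays.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, datetime


@dataclass(frozen=True)
class NoPinRule:
    payee: str             # authenticated payee identity, not a display name
    max_cents: int         # per-payment ceiling
    max_per_day: int       # payments allowed per calendar day
    expires: date          # last day the rule applies


@dataclass
class Wallet:
    rules: dict = field(default_factory=dict)
    used: Counter = field(default_factory=Counter)   # (payee, day) -> count

    def allow(self, rule):
        self.rules[rule.payee] = rule

    def decide(self, payee, cents, when):
        """Return 'pay_without_pin' only if every limit holds; otherwise 'ask_pin'."""
        rule = self.rules.get(payee)
        day = when.date()
        if rule is None or day > rule.expires:
            return "ask_pin"
        if not 0 < cents <= rule.max_cents:
            return "ask_pin"
        if self.used[(payee, day)] >= rule.max_per_day:
            return "ask_pin"
        self.used[(payee, day)] += 1     # count only payments actually waved through
        return "pay_without_pin"


def demo():
    """Constructed sequence of payment requests against the RATP rule from the text."""
    w = Wallet()
    w.allow(NoPinRule("RATP", 200, 2, date(2010, 3, 18)))
    requests = [
        ("RATP", 170, datetime(2010, 2, 18, 8, 5)),
        ("RATP", 170, datetime(2010, 2, 18, 18, 40)),
        ("RATP", 170, datetime(2010, 2, 18, 23, 10)),   # third that day
        ("RATP", 250, datetime(2010, 2, 19, 8, 0)),     # over the ceiling
        ("Kiosk", 150, datetime(2010, 2, 19, 8, 30)),   # no rule for this payee
        ("RATP", 170, datetime(2010, 3, 19, 8, 0)),     # rule expired
    ]
    return [w.decide(*r) for r in requests]
```
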

Another immediately clear advantage is that although my bank would no longer have a detailed record of how I spend my money, I could easily collect that same information myself to feed into my personal finance software (if I used any). All the transaction details must necessarily be presented to me if I am to say whether or not to go ahead and pay, so clearly the phone could keep that data for me to crunch whatever way I want later on. 

Obviously, Visa and the bank and the merchants who now collect a ton of data about us aren't going to be very keen on going back to cash, no matter how secure or otherwise handy it would be for us consumers. But surely if companies like Microsoft and PayPal cooperated and managed to sell the idea to us consumers some merchants could be swayed. And my bank can't do much to stop me transferring some funds to PayPal now and then. 

Now I know this is a bit unstructured and a mishmash of ideas, all of which may be flawed. But I would love to get some feedback. What do you think? Is it high time for electronic payment - cash or debit - to migrate to our cellphones? Or are there good reasons to stick with bits of plastic and a cheap chip in our pockets?

Please comment, and a good day to all.

The Polymorphist

2 comments:

  1. Can someone at least leave a comment to give me a hint as to why nobody's commenting?

    Perhaps it is the obvious: Nobody's reading it. Oh well.

  2. Now following myself as well as providing my own comments.

    A true one-man-show this... :)
