Wednesday, November 21, 2007

Open design of contactless payment systems

A year ago my research group showed that many contactless credit cards revealed personal information such as the credit card number, the card holder name, and the expiration date. We demonstrated how to wirelessly and undetectably read this information through wallets and clothing. If the credit cards did have security mechanisms in place, the mechanisms did not stop our attacks.

Now the credit card industry is "taking the same core functionality that's in the cards and embedding that in a mobile handset." While such systems hold great promise, I'm concerned because of the choral refrain of absolute claims, such as "if someone was to hack the transaction, it could never be duplicated." I would like to believe this. But where's the proof? Absence of proof is not proof of absence. If our systems relied on openly studied protocols, we could establish such proof.

Wireless communication does not have the luxury of physical security enjoyed by a closed network for payment processing. By definition, wireless communication is open and cannot be physically secured. Fortunately, engineers learn about the open design principle in introductory Computer Science and Electrical Engineering courses. The Information Assurance community already learned that openness of a sound design leads to stronger security. For instance, consumers rely on SSL to protect Web surfing at online banks. Thank goodness that the design of SSL is completely open and has been scrutinized publicly for over a decade. Quoting the undergraduate text of Saltzer and Kaashoek: "Violation of the open design principle has historically proven to almost always lead to flawed designs." The authors end with a warning that, "It is simply not realistic to maintain secrecy of any system that receives wide distribution." Let's hope that contactless mobile payments follow the open path for admiration rather than become yet another case study in computer security textbooks. In the meantime, look for wide-scale distribution of contactless payments in mobile phones.

Sunday, March 18, 2007

Time zone travel, annoying but not life-threatening



I had the pleasure of flying on a redeye from the USA to Europe on the night the new US daylight savings system went into effect. On the return trip from Europe, the 767 provided a fun video map of the flight status, including remaining flight time and local time zones. The software did not take into account the new daylight savings plan, so I asked a flight attendant whether the software would be updated. The attendant then made a public announcement that the in-flight entertainment used the wrong time zone, and that passengers should "set the clock back one hour." Passengers are now two hours off actual time. At the left are images. My watch is set to the proper time in Washington, DC. The airline is not.