Wednesday, November 21, 2007

Open design of contactless payment systems

A year ago my research group showed that many contactless credit cards revealed personal information such as the credit card number, the card holder name, and the expiration date. We demonstrated how to wirelessly and undetectably read this information through wallets and clothing. If the credit cards did have security mechanisms in place, the mechanisms did not stop our attacks.

Now the credit card industry is "taking the same core functionality that's in the cards and embedding that in a mobile handset." While such systems hold great promise, I'm concerned because of the choral refrain of absolute claims, such as "if someone was to hack the transaction, it could never be duplicated." I would like to believe this. But where's the proof? Absence of proof is not proof of absence. If our systems relied on openly studied protocols, we could establish such proof.

Wireless communication does not have the luxury of physical security enjoyed by a closed network for payment processing. By definition, wireless communication is open and cannot be physically secured. Fortunately, engineers learn about the open design principle in introductory Computer Science and Electrical Engineering courses. The Information Assurance community already learned that openness of a sound design leads to stronger security. For instance, consumers rely on SSL to protect Web surfing at online banks. Thank goodness that the design of SSL is completely open and has been scrutinized publicly for over a decade. Quoting the undergraduate text of Saltzer and Kaashoek: "Violation of the open design principle has historically proven to almost always lead to flawed designs." The authors end with a warning that, "It is simply not realistic to maintain secrecy of any system that receives wide distribution." Let's hope that contactless mobile payments follow the open path for admiration rather than become yet another case study in computer security textbooks. In the meantime, look for wide-scale distribution of contactless payments in mobile phones.

No comments: