Sunday, January 25, 2009

Disappointment in BITS public comments on contactless payments privacy and security

The FTC had solicited public comments on contactless payment systems:  The Federal Trade Commission and the Technology Law and Public Policy Clinic at the University of Washington Will Host a Town Hall Meeting on July 24, 2008, to Explore the Growth of Contactless Payment Systems and Their Implications for Consumer Protection  If I had known this was happening in Seattle I would have definitely attended.

They have published various letters received on the website above.

BITS Financial Services Roundtable Comments were a bit underwhelming.
"Thank you for inviting me to participate in the Town Hall on “Pay on the Go: Consumers and Contactless Payment.” Attached are four key summary conclusions."
So, what were the four key summary conclusions BITS provided?
  1. First, contactless payments that have been utilized by financial institutions do not pose a significant security or privacy protection risk to consumers.

  2. Say what? No positive evidence is provided for their safety other than "there are lots deployed and we haven't seen much risk so far". That's not a good argument. How about descriptions of the security and privacy technologies that provide the assurance? We know there have been some really bad deployments so either they don't read the RISKS digest or perhaps even the news?

    How to hack RFID-enabled credit cards for $8 - Boing Boing TV
    Schneier on Security: Skimming RFID Credit Cards
    Black Hat reveals credit data via RFID insecurity
    RFID deployment moving forward despite security flaws

  3. Second, it is vital that the government permit financial institutions and technology
    providers to innovate using new technologies so long as it is done in a safe and sound
    manner and meets the needs of consumers.

  4. Okay, that's an industry-apologist position. And nobody would disagree with the premise but the way that things get done in the industry tends to put the supposed "needs of consumers" ahead of the security and privacy since the mental threat models only look at the bottom line fraud risk and ignore the customer privacy concern.  It would have been better to state, "Financial institutions will commit to developing these capabilities in an open, full-disclosure manner and include security and privacy concerns of customers and security researchers into the design discussion"

  5. Third, it is important for government agencies to work together to address issues that span their jurisdictions.

  6. Basically, "we need big government regulators to tell us how to do security; in the absence of something telling us we're doing something wrong, we'll assume there's nothing wrong with what we're doing"  I've seen this all too often that financial institutions try to do security by committee or in the absence of that, do only what the regulators ask about.  They need to commit to a proactive stance that is based on sound threat models and openly address these issues in any new technology.

  7. Fourth, it is important for government to encourage the private sector to collaborate...[on standards for mobile payments]

  8. Again, security by committee is not the way to go about these things.  And the standards are irrelevant to the design and the principles.  They also did not mention anything about ensuring the standards ensure _minimum security_ and _privacy_ are included -- just that they need "standards".  Look no further than the magstripe PIN block standards for typical "good enough" design that is not necessarily based on the most optimal security.  Same thing happened with WEP...

    Hey, how about also committing to public publishing of the standards?  I can't tell you how difficult it is to even get official documents for ANSI / ISO financial industry standards.  They should be available to anyone with google.
What is most disappointing is that they do not offer any positive claims for why we should not care. This site offers five good tips that perhaps BITS should have recommended each participating company to publish information about. Can Contactless Credit Cards Be Hacked? 5 Tips to Stay Secure  I've added my own to the mix.
  • Publish the security design principles, such as "no customer identifiable information stored on the card or transmitted in the clear", "no reliance on the wireless signal being short-range as a security mechanism", "employing strong encryption and well-known and tested authentication and key exchange protocols", etc.

  • Full disclosure of the data stored on the card and the security protections employed. What information does the card transmit in the clear over the air? What prevents an adversary from querying the card from within your pocket?

  • Which RFID/contactless standards are employed and, if so, how are they exceeded?

  • Full disclosure of the encryption strength employed

  • Ways that the customer can take preventive action (such as providing protective sleeves to block RFID when you are not using your card)

  • Clearly publish the fraud liability information, if it differs from traditional mag-stripe cards

  • Give customers the option of having a non-contactless card
    and even more importantly, ensure that your call centers know how to route those requests and handle them appropriately.

  • Take a leadership role in providing for the government regulators the kinds of controls that they should look for that could impact fraud, identity theft, or personal privacy. I've seen that financial institutions tend to focus on the fraud aspect and often ignore the privacy aspect until someone complains...

  • Adhere to some basic consumer protection standards that would underlie any of the design considerations. Such as the proactive ones listed above. Adhere to open, full-disclosure. Commit that you will not stifle security researchers publishing work in these areas and that you think it is valuable to help improve the technology and keep innovating.

1 comment: