Friday, March 23, 2012

Study Group: Integrated Payment Environments

Today's study group was on the recent European Commission Green Paper: "Towards an integrated European market for card, Internet and mobile payments" [link], presented by Stefan and Phil.

The paper highlights the increasing movement towards e-Commerce and the mobile operation of EU citizens and business outside of their country of origin. Already, the Single Euro Payments Area (SEPA) initiative is working to remove the distinction between cross-border and domestic retail payments in Euro across the EU. At the same time, much effort is being made towards innovative payment methods for use online and via smart phones; examples include e-wallets and virtual public transport tickets. There is a pressing need -- and opportunity -- to reach a useful, practical and integrated notion of "making a payment" which will consistently serve the interests of consumers and business alike in the European-wide economy.

The particular drivers behind such an integrated payment environment are:
  • Increased competition, stimulating more cost-effective payment solutions and mitigating market dominance by "the two existing international card schemes" (i.e. Visa and MasterCard).
  • Increased choice and transparency for consumers: currently, costs are indirectly passed down to payment users, and they do not have the requisite information to choose the most efficient instruments.
  • Stimulus for innovation through market forces (economies of scale, etc).
  • Improved security and consumer trust.

The stated objective of the Green Paper is to "...launch a broad-scale consultation process with stakeholders to validate or contribute to the Commission’s analysis and to help identify the right way to improve market integration". With that in mind they set out some of the particular challenges identified in current payment solutions.
  • The market is extremely fragmented, because local, custom solutions have been developed to order before integration was identified as a priority.
  • The costs of different payment methods are hard to understand, both for merchants and customers; they are often bundled together in a way which is not transparent. Consumers are not currently being steered towards preferred (i.e. more cost-effective) payment services.
  • Merchants (e.g. Amazon) need to use different banks (with different procedures) to process payments from different geographical areas.
  • New providers are prevented from entering the market by the difficulty of communicating with existing providers and the costs of certification -- which must be done separately for each country because of localised standardisation. (Centralised certification would make it much cheaper and quicker to roll out new payment solutions).
  • Banks have commercial incentives not to communicate. This leads to multiple solutions to the same problems, which confuse customers and compromise security (consequently deterring use).

From a slightly different perspective, the proliferation of illegal websites and stores is another problem which could be tackled via an integrated payment environment, as refusing access would cut off money supply. This could be a useful mechanism for bringing down such operations, although the Commission also recognise the potential for such powers to be abused.

We then looked at a particular card-not-present authentication scheme (widely used for online transactions) which has already received criticism in a 2010 paper by Murdoch and Anderson, entitled "Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication" [pdf]. Some of the identified weaknesses of the 3-D Secure protocol are:
  1. It confuses the user by initiating a sensitive dialogue in an i-frame where the https assurances (which we are all well-trained to look out for) are not communicated. Some banks even request a PIN for authentication -- which a security-conscious user should be very wary of typing into a website.
  2. It creates a point-of-sale inconvenience, particularly on activation (which happens the first time you use your card online -- rather than by prior notification from your bank, as would be preferable). By interrupting the transaction, it incentivises poor password choice.
  3. It shifts liability onto the customer -- and by presenting terms and conditions at point-of-sale it rather steers the customer towards accepting this liability without due consideration.
  4. It offers little authentication from the bank to the customer, besides a 'memorable phrase' entered by the user during set-up (which, similarly to point 2, may have been poorly chosen in an impatience to return to the transaction). This phrase, moreover, is found to be vulnerable to a man-in-the-middle attack.
The authors' assessment is that 3-D Secure was chosen for economic reasons, precisely because of the liability shift. They propose that the technical solution to a secure way forward should involve transaction authentication (rather than single sign-on), either via SMS messaging or by issuing personal hardware devices similar to CAP readers.
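To make the distinction between single sign-on and transaction authentication concrete, here is a small added example (not code from the Green Paper, the Murdoch and Anderson paper, or any real 3-D Secure implementation). It assumes a hypothetical issuer that shares a per-card key with a personal device (or derives the same code itself before sending it by SMS), and a constructed HMAC-SHA256 code truncated HOTP-style to eight digits; the card identifier, merchant name and amounts are made up for illustration. Because the code is computed over the merchant, amount, currency and a per-card counter, a code obtained for one transaction is useless for a different amount and cannot be replayed, whereas a static password authorises whatever transaction it happens to be presented alongside.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Transaction:
    """The details a transaction-authentication code is bound to."""
    merchant: str
    amount_cents: int
    currency: str
    counter: int  # per-card monotonic counter: makes every code single-use


def transaction_code(device_key: bytes, tx: Transaction, digits: int = 8) -> str:
    """Code a personal device (or an SMS-sending issuer) derives for one transaction.

    Assumed construction: HMAC-SHA256 over the canonical transaction fields,
    truncated to a short decimal code the cardholder can copy by hand.
    """
    msg = f"{tx.merchant}|{tx.amount_cents}|{tx.currency}|{tx.counter}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Issuer-side verifier: holds the per-card key and the last counter accepted."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enrol(self, card_id: str, key: Optional[bytes] = None) -> bytes:
        key = key or secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return key

    def verify(self, card_id: str, tx: Transaction, presented: str) -> bool:
        key = self._keys.get(card_id)
        if key is None:
            return False
        # Reject replays: the counter must move past the last accepted value.
        if tx.counter <= self._last_counter[card_id]:
            return False
        expected = transaction_code(key, tx)
        if not hmac.compare_digest(expected, presented):
            return False
        self._last_counter[card_id] = tx.counter
        return True


def static_password_check(stored: str, presented: str) -> bool:
    """Single-sign-on style check: the transaction is not an input at all."""
    return hmac.compare_digest(stored, presented)


def demo() -> Dict[str, bool]:
    """Run the three cases the text contrasts; returns accept/reject per case."""
    issuer = Issuer()
    key = issuer.enrol("card-1234")  # constructed card identifier
    tx = Transaction("Example Shop", 4999, "EUR", counter=1)
    code = transaction_code(key, tx)  # what the device shows the cardholder

    results = {"genuine": issuer.verify("card-1234", tx, code)}
    # Same code presented with an amount altered in transit: does not verify.
    altered = Transaction("Example Shop", 499900, "EUR", counter=2)
    results["altered_amount"] = issuer.verify("card-1234", altered, code)
    # The genuine code presented a second time: rejected by the counter.
    results["replay"] = issuer.verify("card-1234", tx, code)
    # A static password (constructed value) is accepted regardless of transaction.
    results["static_password_any_tx"] = static_password_check("hunter2", "hunter2")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The counter stands in for whatever freshness mechanism a real scheme would use (a CAP reader uses an application transaction counter on the chip); the point of the example is only that the verifier's decision depends on the transaction details, so that neither a relayed nor a modified transaction can reuse a cardholder's code.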

In the discussion which followed, we focused on the question of how to foster the development of sound security mechanisms, and what role academia should or could play. We identified, as a particular problem, the misaligned incentives between banks and customers, with the former tending to prefer solutions which shift liability on to the latter -- a primary driver for the adoption of the 3-D Secure protocol for online payments.

If banks can reduce liability they have less incentive to prioritise security. Competition between payment system providers is a further obstruction: current best practice seems very much to favour open development of cryptographic schemes, so that candidates for standardisation are thoroughly and publicly scrutinised (for example, the open NIST competitions towards standards for block ciphers and hash functions). Where cryptography is developed in secret as a proprietary scheme it does not benefit from the combined wisdom of the research community as a whole, and is often found to be weak as a consequence (take MIFARE, for an infamous example).

As such, the feedback from bodies like the Card Stakeholders Group should be carefully scrutinised by those with security expertise. We discussed the possible usefulness of a European-wide standardisation body (or maybe just a limited-time initiative), inspired by NIST but with a focus on protocols and not just primitives.

We also considered the user-side problem -- inherent with any security measure -- of the incentive to bypass good practice in order to make life simpler, for example by choosing weak passwords, or 'switching off' secure settings which complicate or slow down a system. Designers need to take more responsibility for ensuring that security aligns with user needs and understanding as far as possible, and not just shift blame for user-introduced weaknesses by default. Hence, technical expertise needs to be accompanied by sociological and psychological insight so that human factors are taken seriously in the design of new payment processes; otherwise the types of flaws observed in 3-D Secure will persist in future proposals.
