Linked by Thom Holwerda on Mon 22nd May 2017 11:42 UTC
In the News

Like many other countries, The Netherlands uses a chip card for paying and using public transport, and while there have been a number of issues regarding its security, privacy, and stability, it won't be going anywhere any time soon. Just today, the various companies announced a new initiative where Android users can use their smartphones instead of their chip cards to pay for and use public transport.

The new initiative, jointly developed by the various companies operating our public transport system and our carriers, is Android-only, because Apple "does not allow it to work, on a technical level", and even then, it's only available on two of our three major carriers for now.

This got me thinking about something we rarely talk about: the increasing reliance on external platforms for vital societal infrastructure. While this is a test for now, it's easy to see how the eventual phasing out of the chip cards - already labelled as "outdated" by the companies involved - will mean we have to rely on platforms beyond society's control for vital societal infrastructure. Chip cards for public transport or banks or whatever are a major expense, and there's a clear economic incentive to eliminate them and rely on e.g. smartphones instead.

As we increasingly outsource access to vital societal infrastructure to foreign, external corporations, we have to start asking ourselves what this actually means. Things like public transport, payments, taxes, and so on, are absolutely critical to the functioning of our society, and to me, it seems like a terrible idea to restrict access to them to platforms beyond our own control.

Can you imagine what happens if an update to an application required to access public transport gets denied by Apple? What if the tool for paying your taxes gets banned from the Play Store days before the tax deadline? What if a crucial payment application is removed from the App Store? Imagine the immense, irreparable damage this could do to a society in mere hours.

If these systems - for whatever reason - break down today, we can hold our politicians accountable, because they bear the responsibility for these systems. During the introduction of our current public transport chip card and its early growing pains, our parliament demanded swift action from the responsible minister (secretary in American parlance). Since the private companies responsible for the chip card system took part in a tender process with strict demands, guidelines, rules, and possible consequences for failure to deliver, said companies could and can be held accountable by the government. This covers the entire technological stack, from the cards themselves up to the control systems that run everything.

If we move to a world where applications for iOS and Android are the only way to access crucial government-provided services, this system of accountability breaks down, because while the application itself would be part of the tender process, meaning its creator would be accountable, the platforms it runs on would not - i.e., only a part of the stack is covered. In other words, if Google or Apple decides to reject an update or remove an application - they are not accountable for the consequences in the same way a party to a government tender would be. The system of accountability breaks down.

Of course, even today this system of accountability isn't perfect, but it is a vital path for recourse in case private companies fail to deliver. I'm sure not every one of you even agrees the above is a problem at all - especially Americans have a more positive view of corporate services compared to government services (not entirely unreasonable if you look at the state of US government services today). In countries like The Netherlands, though, despite our constant whining about every one of these services, they actually rank among the very best in the world.

I am genuinely worried about the increasing reliance on - especially - technology companies without them actually being part of the system of accountability. The fact that we might, one day, be required to rely on black boxes like iOS devices, Microsoft computers, or Google Play Services-enabled Android phones to access vital government services is a threat to our society and the functioning of our democracy. With access to things like public transport, money, and all that come with those, locked to closed-source platforms, we, the people, will have zero control over the pillars of our own societies.

What can we do to address this? I believe we need to take aggressive steps - at the EU-level - to demand full public access to the source code that underpins the platforms that are vital to the functioning of our society. We, the people, have the right to know how these systems work, what they do, and how secure they really are. As computers and phones become the only way to access and use crucial government services, they must be fully 100% open source.

We as The Netherlands are irrelevant and would never be able to make such demands stick, but the EU is one of the most powerful economic blocs in the world. If you want access to the wealthy 450 million customers in the European Union (figure excludes the UK), your software must be open source so that we can ensure the security and stability of our infrastructure. If you do not comply, you will be denied access to this huge economic bloc. Most of you will probably balk at this suggestion, but I truly believe it is the only way to guarantee the security and stability of vital government services we rely on every single day.

We should not rely on closed-source, foreign code for our government services. It's time the European Union starts thinking about how to address this threat.

Thread beginning with comment 644617
RE[5]: FDROID?
by Alfman on Mon 22nd May 2017 21:22 UTC in reply to "RE[4]: FDROID? "
Alfman Member since:
2011-01-28

Bill Shooter of Bul,

> Well, ok. Do you really want any/all websites to be used to process payments? Even if they aren't fraud, are they themselves protected against attacks by fraudsters? Should every commuter have to choose a provider in a list of thousands? Which ones have good security and privacy practices?


I was really referring to ways to solve the problems you brought up in the original post. In particular, solving fraud in app distribution. Cryptographic signatures solve this problem very nicely.

What you're asking here seems to be a bit different: how do you trust a website to process payments and how do you choose good providers from a list of thousands? I'm not really able to answer that, but regardless of how people choose their services, cryptography can be used to eliminate fraud.


Cryptographic technology is way ahead of the industry, and personally I blame Visa/Mastercard for not doing more to embrace 1990s-era crypto for payment processing.

With PKI:
1) Each individual transaction could be signed.
2) The merchant couldn't just claim the customer authorized a payment, it would have to be cryptographically signed by the customer.
3) Even if the merchant account was 100% breached, no one would be able to issue new fraudulent transactions using the information since the merchant never sees the private signing key.
4) We could even require the banks themselves to use PKI such that even employees of the bank couldn't transfer your funds without your cryptographic signature.

Score: 2
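The four PKI points in the comment above, sketched as an added example that is not part of the original comment: the customer signs each order, and the bank pays only on a valid signature while storing nothing that can sign. Ed25519 from the Go standard library is the scheme chosen here (the comment names none), all type, field and function names are hypothetical, and the nonce with its already-paid set goes one step beyond the comment so that a stored signed order cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Transaction is a hypothetical payment order; every field name is an assumption.
type Transaction struct {
	Payer, Merchant string
	Cents, Nonce    int64 // Nonce is unique per payment, so a stored order cannot be replayed
}

// SignTx runs on the customer's device, the only place the private key exists.
func SignTx(priv ed25519.PrivateKey, tx Transaction) []byte {
	msg, _ := json.Marshal(tx) // fields marshal in declaration order: same bytes on both sides
	return ed25519.Sign(priv, msg)
}

type Bank struct {
	Keys map[string]ed25519.PublicKey // public halves only; nothing here can sign
	paid map[string]bool              // orders already honoured
}

// Authorize pays only a fresh order that verifies under the payer's registered key.
func (b *Bank) Authorize(tx Transaction, sig []byte) error {
	msg, _ := json.Marshal(tx)
	if pub, ok := b.Keys[tx.Payer]; !ok || !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("order not signed by %s", tx.Payer)
	}
	if b.paid[string(msg)] {
		return fmt.Errorf("order already paid")
	}
	b.paid[string(msg)] = true
	return nil
}

func Demo() (genuine, replay, altered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := &Bank{map[string]ed25519.PublicKey{"alice": pub}, map[string]bool{}}
	tx := Transaction{"alice", "transit-operator", 250, 1} // constructed sample order
	sig := SignTx(priv, tx)
	genuine, replay = bank.Authorize(tx, sig), bank.Authorize(tx, sig)
	tx.Cents = 99900 // a breached merchant edits the amount but can only reuse the old signature
	return genuine, replay, bank.Authorize(tx, sig)
}

func main() { fmt.Println(Demo()) }
```

The merchant in this sketch only relays `tx` and `sig`, so everything a breach of the merchant exposes is already bound to one amount, one payee and one nonce.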

RE[6]: FDROID?
by acobar on Mon 22nd May 2017 23:12 in reply to "RE[5]: FDROID? "
acobar Member since:
2005-11-15

Alfman,

I totally agree with you about security of operations using cryptography being stronger, though, it does not dispel the worries about security and who is going to bear the consequences of breaches.

When I think about security I imagine an elder citizen using her/his smart phone on every interaction she/he may need. Now, suppose her/his phone is hacked and his/her cryptography signature stolen.

Now, who is going to bear the consequences? The elder citizen, the OS seller, the producer of the software that was unlucky to have its software used on fraudulent transactions?

I think banks and credit card companies will be more than happy to share the burden with the OS sellers and the other software vendors on the stack, but till now all we have is an offensive indemnity on EULAs and agreements over use.

You probably know that if you want a bigger slice of the pie you must take more responsibility on failures. I have said here many times that my main customers are small businesses. Some of them would like to lower the cost of credit card operations. It is possible to have a contract so that an internal system pre-processes the payment and so lowers the cost of the operation; it does, though, shift part of the responsibility for fraudulent operations to whoever is pre-processing them. Big businesses can afford the costs because they can spread the risk across a large base of customers, and developing and securing the system has an (almost) fixed cost. It does not work well on a small scale. When I explain this to them, the many points of failure in the chain, they usually let me know that they want to keep what is "working".

Now, I know that my business is not to cast fear on my friends, and that is what they all are, hearts, but I don't want them to incur costs that can hurt their source of income. If we really want a better system, guarantees and accountability must be very well established.

Score: 2

RE[7]: FDROID?
by Alfman on Tue 23rd May 2017 01:15 in reply to "RE[6]: FDROID? "
Alfman Member since:
2011-01-28

acobar,

> I totally agree with you about security of operations using cryptography being stronger, though, it does not dispel the worries about security and who is going to bear the consequences of breaches.
>
> When I think about security I imagine an elder citizen using her/his smart phone on every interaction she/he may need. Now, suppose her/his phone is hacked and his/her cryptography signature stolen.
>
> Now, who is going to bear the consequences? The elder citizen, the OS seller, the producer of the software that was unlucky to have its software used on fraudulent transactions?



Consider what happens with credit cards today:

https://www.merchant-accounts.ca/how_to_fight_fraud_reduce_chargebac...
> Fraudulent use of a credit card is another reason chargebacks occur. Unfortunately, it is not altogether uncommon for credit card numbers to be stolen and used to purchase products and services online. Although most assume that the person whose credit card number was stolen and used to make online purchases is the victim, in actuality the merchants are the real victims. Why? Because the card issuers will protect cardholders by charging back the cost of any products or services that were purchased without the cardholder's authorization.
>
> When credit cards are used fraudulently in this manner, typically the cardholder does not realize the fraud has occurred until days or weeks after the transactions took place, when their monthly credit card statement is received. The customer will notice one or (usually) more suspicious transactions on their credit card statement and will call their card-issuing bank to report them. The bank will dispute all of the unauthorized transactions with the merchants that processed them. As a merchant, if you cannot prove that you delivered the product or service to the card holder then you will likely lose the dispute and the chargeback will be processed.


The link goes on to discuss other facets of this problem.



https://en.wikipedia.org/wiki/Credit_card_fraud
> United States
>
> Merchants
>
> The merchants and the financial institutions bear the loss. The merchant loses the value of any goods or services sold, and any associated fees. If the financial institution does not have a charge-back right then the financial institution bears the loss and the merchant does not suffer at all. These losses incline merchants to be cautious and often they ban legitimate transactions and lose potential revenues. Online merchants can choose to apply for additional services that credit card companies offer, such as Verified by Visa and MasterCard SecureCode. However, these are complicated and awkward to do or use for consumers so there is a trade-off of making a sale easy and making it secure.
>
> The liability for the fraud is determined by the details of the transaction. If the merchant retrieved all the necessary pieces of information and followed all of the rules and regulations the financial institution would bear the liability for the fraud. If the merchant did not get all of the necessary information they would be required to return the funds to the financial institution. This is all determined through the credit card processor.
>
> United Kingdom
>
> Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer.
>
> Merchants
>
> The merchant loses the payment, the fees for processing the payment, any currency conversion commissions, and the amount of the chargeback penalty. For obvious reasons, many merchants take steps to avoid chargebacks—such as not accepting suspicious transactions. This may spawn collateral damage, where the merchant additionally loses legitimate sales by incorrectly blocking legitimate transactions. Mail Order/Telephone Order (MOTO) merchants are implementing Agent-assisted automation which allows the call center agent to collect the credit card number and other personally identifiable information without ever seeing or hearing it. This greatly reduces the probability of chargebacks and increases the likelihood that fraudulent chargebacks will be successfully overturned.



To be clear, you bring up legitimate concerns, but these are not being addressed by Visa/Mastercard today anyway. The responsibility today lies between the merchant and banks.


> You probably know that if you want a bigger slice of the pie you must take more responsibility on failures.



Isn't that part of the problem with Visa/Mastercard? They don't bring much of value including responsibility for fraud. I don't think anything would be worse than today if we could eliminate the middlemen. If anything, by allowing more secure alternatives to become viable, fraud would actually go down, which would be better for merchants, banks, and consumers! The credit card companies are the only participants in this circle that actually make money when fraud is committed because they still get their fees even when the entire purchase is reversed via chargeback:


https://www.wepay.com/api/payments-101/payments-fraud-and-loss
> While cardholders may not be liable for unauthorized transactions, merchants have no such protection. When the real cardholder inevitably reverses the payment, the merchant is out the cost of fulfilling the order, the revenue of the sale, and the fees associated with receiving the chargeback.

Score: 2